Malware reports

Virus Top Twenty for November 2006

Position Change in position Name Percentage
1. New!
Email-Worm.Win32.Warezov.gj 18.27
2. Up
Email-Worm.Win32.Warezov.ev 14.88
3. Return
Email-Worm.Win32.Nyxem.e 9.89
4. Return
Email-Worm.Win32.NetSky.t 7.54
5. Down
Email-Worm.Win32.Scano.gen 6.57
6. Up
Net-Worm.Win32.Mytob.c 5.68
7. Down
Email-Worm.Win32.NetSky.q 5.25
8. Return
Email-Worm.Win32.Zafi.b 4.40
9. Up
Email-Worm.Win32.NetSky.aa 2.77
10. Return
Net-Worm.Win32.Mytob.t 2.01
11. Return
Email-Worm.Win32.LovGate.w 1.48
12. Up
Email-Worm.Win32.NetSky.b 1.41
13. New!
Email-Worm.Win32.Warezov.fh 1.29
14. Up
Trojan-Spy.HTML.Bankfraud.od 1.08
15. Return
Net-Worm.Win32.Mytob.u 1.04
16. New!
New 0.97
17. Down
-6 0.87
18. Down
Email-Worm.Win32.Mydoom.l 0.77
19. Down
Email-Worm.Win32.Bagle.gen 0.76
20. Return
Net-Worm.Win32.Mytob.w 0.73
Other malicious programs 12.34

Autumn 2006 was a stormy season. For the third month in a row there’s not only a new leader in our rankings, but the entire Top Twenty is once again in a state of flux. However, worms from the Warezov family were the main troublemakers, just as they were last month.

In November, Warezov.gj, a newcomer, took first place. This worm, which was first detected on November 22nd, only took one week to become the most widespread virus in email traffic, with an impressive share of over 18%! Only a few malicious programs have shown such record propagation rates in the first month of their existence – and all of them remained at the top of the charts for significant periods of time. However, I believe this won’t be the case this time. Warezov.gj will probably fall sharply in December as the worm surrenders to the onslaught of its new “siblings”.

This month’s surprise was the triumphal return of our old acquaintance, Nyxem.e, which immediately shot to third position in the rankings. This worm will soon be celebrating an anniversary of sorts: it’s nearly a year since was first detected. And it’s become one of the most widespread viruses in all of 2006.

Nyxem’s archrival, Mytob.c, has also improved its standing, shooting up eight positions. For several months we watched these worms battle for supremacy, but in October the Warezov.a hurricane swept all away. November’s round of confrontation may yet result in both worms making it to the top five in December.

An equally notable comeback is that of the Zafi.b worm. No sooner had we bidden it farewell than it reappeared and started annoying users again with its messages in 18 languages. Eighth place in November is no mean achievement, and shows that the life cycle of this Hungarian worm is far from complete.

October’s leader – NetSky.q – is once again moving down the charts. The history of this worm is quite interesting. After it first appeared in 2004, it remained a leader for a long time and became the most widespread worm of 2004. In 2005 it battled numerous Mytob variants for supremacy, and in 2006 it has alternately shot up the charts, or fallen off the bottom of the Top Twenty. In spite of all this, NetSky.q remains one of the most widespread worms in the entire history of the Internet. Meanwhile, for Sven Jaschan, who wrote this infamous worm, 16 of the 21 months of his suspended sentence have already passed.

Several other worms besides Netsky.q are moving up and down the charts, as if plotting a sine curve. Two more historic worms, LovGate.w è Mytob.t, returned to the rankings to grace the middle of November’s Top Twenty.

All these examples demonstrate that worms can be split into two groups. Those in the first group circulate for years in traffic, sometimes increasing their share (when there are no other epidemics) and sometimes surrendering it to newcomers. Those in the second group emerge quickly, top statistics for a short period and then quickly disappear, often completing this cycle in a mere couple of weeks.

As for December forecasts, everything will depend on the authors of the Warezov worm. If they continue mass-mailing numerous variants of the worm, then next month these worms will account for at least 30% of all malicious programs in email. But if the authors of Warezov relax the pace or get themselves arrested (which is, unfortunately, less likely), the “old” worms, such as NetSky.q, Zafi,b and Mytob.c will gain ground once more.

Other malicious programs made up 12.34% of all malicious programs intercepted in mail traffic. This confirms that a large number of other worms and Trojans are still actively circulating.


New Warezov.gj, Warezov.fh,
Moved down Scano.gen, NetSky.q,, Mydoom.l, Bagle.gen
Re-entry Nyxem.e, NetSky.t , Zafi.b, Mytob.t, LovGate.w, Mytob.u, Mytob.w

Virus Top Twenty for November 2006

Your email address will not be published. Required fields are marked *



Lazarus targets defense industry with ThreatNeedle

In mid-2020, we realized that Lazarus was launching attacks on the defense industry using the ThreatNeedle cluster, an advanced malware cluster of Manuscrypt (a.k.a. NukeSped). While investigating this activity, we were able to observe the complete life cycle of an attack, uncovering more technical details and links to the group’s other campaigns.

Sunburst backdoor – code overlaps with Kazuar

While looking at the Sunburst backdoor, we discovered several features that overlap with a previously identified backdoor known as Kazuar. Our observations shows that Kazuar was used together with Turla tools during multiple breaches in past years.

Lazarus covets COVID-19-related intelligence

As the COVID-19 crisis grinds on, some threat actors are trying to speed up vaccine development by any means available. We have found evidence that the Lazarus group is going after intelligence that could help these efforts by attacking entities related to COVID-19 research.

Sunburst: connecting the dots in the DNS requests

We matched private and public DNS data for the SUNBURST-malware root C2 domain with the CNAME records, to identify who was targeted for further exploitation. In total, we analyzed 1722 DNS records, leading to 1026 unique target name parts and 964 unique UIDs.

Subscribe to our weekly e-mails

The hottest research right in your inbox