Malware reports

Virus Top Twenty for November 2006

Position Change in position Name Percentage
1. New!
Email-Worm.Win32.Warezov.gj 18.27
2. Up
Email-Worm.Win32.Warezov.ev 14.88
3. Return
Email-Worm.Win32.Nyxem.e 9.89
4. Return
Email-Worm.Win32.NetSky.t 7.54
5. Down
Email-Worm.Win32.Scano.gen 6.57
6. Up
Net-Worm.Win32.Mytob.c 5.68
7. Down
Email-Worm.Win32.NetSky.q 5.25
8. Return
Email-Worm.Win32.Zafi.b 4.40
9. Up
Email-Worm.Win32.NetSky.aa 2.77
10. Return
Net-Worm.Win32.Mytob.t 2.01
11. Return
Email-Worm.Win32.LovGate.w 1.48
12. Up
Email-Worm.Win32.NetSky.b 1.41
13. New!
Email-Worm.Win32.Warezov.fh 1.29
14. Up
Trojan-Spy.HTML.Bankfraud.od 1.08
15. Return
Net-Worm.Win32.Mytob.u 1.04
16. New!
New 0.97
17. Down
-6 0.87
18. Down
Email-Worm.Win32.Mydoom.l 0.77
19. Down
Email-Worm.Win32.Bagle.gen 0.76
20. Return
Net-Worm.Win32.Mytob.w 0.73
Other malicious programs 12.34

Autumn 2006 was a stormy season. For the third month in a row there’s not only a new leader in our rankings, but the entire Top Twenty is once again in a state of flux. However, worms from the Warezov family were the main troublemakers, just as they were last month.

In November, Warezov.gj, a newcomer, took first place. This worm, which was first detected on November 22nd, only took one week to become the most widespread virus in email traffic, with an impressive share of over 18%! Only a few malicious programs have shown such record propagation rates in the first month of their existence – and all of them remained at the top of the charts for significant periods of time. However, I believe this won’t be the case this time. Warezov.gj will probably fall sharply in December as the worm surrenders to the onslaught of its new “siblings”.

This month’s surprise was the triumphal return of our old acquaintance, Nyxem.e, which immediately shot to third position in the rankings. This worm will soon be celebrating an anniversary of sorts: it’s nearly a year since was first detected. And it’s become one of the most widespread viruses in all of 2006.

Nyxem’s archrival, Mytob.c, has also improved its standing, shooting up eight positions. For several months we watched these worms battle for supremacy, but in October the Warezov.a hurricane swept all away. November’s round of confrontation may yet result in both worms making it to the top five in December.

An equally notable comeback is that of the Zafi.b worm. No sooner had we bidden it farewell than it reappeared and started annoying users again with its messages in 18 languages. Eighth place in November is no mean achievement, and shows that the life cycle of this Hungarian worm is far from complete.

October’s leader – NetSky.q – is once again moving down the charts. The history of this worm is quite interesting. After it first appeared in 2004, it remained a leader for a long time and became the most widespread worm of 2004. In 2005 it battled numerous Mytob variants for supremacy, and in 2006 it has alternately shot up the charts, or fallen off the bottom of the Top Twenty. In spite of all this, NetSky.q remains one of the most widespread worms in the entire history of the Internet. Meanwhile, for Sven Jaschan, who wrote this infamous worm, 16 of the 21 months of his suspended sentence have already passed.

Several other worms besides Netsky.q are moving up and down the charts, as if plotting a sine curve. Two more historic worms, LovGate.w è Mytob.t, returned to the rankings to grace the middle of November’s Top Twenty.

All these examples demonstrate that worms can be split into two groups. Those in the first group circulate for years in traffic, sometimes increasing their share (when there are no other epidemics) and sometimes surrendering it to newcomers. Those in the second group emerge quickly, top statistics for a short period and then quickly disappear, often completing this cycle in a mere couple of weeks.

As for December forecasts, everything will depend on the authors of the Warezov worm. If they continue mass-mailing numerous variants of the worm, then next month these worms will account for at least 30% of all malicious programs in email. But if the authors of Warezov relax the pace or get themselves arrested (which is, unfortunately, less likely), the “old” worms, such as NetSky.q, Zafi,b and Mytob.c will gain ground once more.

Other malicious programs made up 12.34% of all malicious programs intercepted in mail traffic. This confirms that a large number of other worms and Trojans are still actively circulating.


New Warezov.gj, Warezov.fh,
Moved down Scano.gen, NetSky.q,, Mydoom.l, Bagle.gen
Re-entry Nyxem.e, NetSky.t , Zafi.b, Mytob.t, LovGate.w, Mytob.u, Mytob.w

Virus Top Twenty for November 2006

Your email address will not be published. Required fields are marked *



APT trends report Q2 2021

This is our latest summary of advanced persistent threat (APT) activity, focusing on significant events that we observed during Q2 2021: attacks against Microsoft Exchange servers, APT29 and APT31 activities, targeting campaigns, etc.

LuminousMoth APT: Sweeping attacks for the chosen few

We recently came across unusual APT activity that was detected in high volumes, albeit most likely aimed at a few targets of interest. Further analysis revealed that the actor, which we dubbed LuminousMoth, shows an affinity to the HoneyMyte group, otherwise known as Mustang Panda.

WildPressure targets the macOS platform

We found new malware samples used in WildPressure campaigns: newer version of the C++ Milum Trojan, a corresponding VBScript variant with the same version number, and a Python script working on both Windows and macOS.

Ferocious Kitten: 6 years of covert surveillance in Iran

Ferocious Kitten is an APT group that has been targeting Persian-speaking individuals in Iran. Some of the TTPs used by this threat actor are reminiscent of other groups, such as Domestic Kitten and Rampant Kitten. In this report we aim to provide more details on these findings.

Subscribe to our weekly e-mails

The hottest research right in your inbox