Malware reports

Virus Top Twenty for October 2003

Kaspersky Labs presents the twenty most widespread viruses for October 2003

Position Change Virus Name Percentage by Occurrence
1 + 1 I-Worm.Swen 70.94%
2 + 4 I-Worm.Tanatos 1.13%
3 = I-Worm.Mimail 1.07%
4 + 4 Worm.Win32.Lovesan 0.89%
5 + 6 Backdoor.SdBot 0.70%
6 new I-Worm.Sober 0.63%
7 + 2 Worm.P2P.SpyBot 0.59%
8 – 7 I-Worm.Sobig 0.52%
9 new Backdoor.Ciadoor 0.47%
10 + 3 VBS.Redlof 0.39%
11 re-entry TrojanDropper.Win32.Small 0.38%
12 new Backdoor.Agobot 0.30%
13 – 3 Win95.CIH 0.29%
14 + 4 Backdoor.Optix.Pro 0.28%
15 new TrojanProxy.Win32.Hino 0.23%
16 re-entry Backdoor.IRCBot 0.23%
17 – 3 Win32.Parite 0.22%
18 new Keylogger.Win32.PerfectKeyLogger 0.21%
19 re-entry Macro.Word97.Flop 0.18%
20 re-entry Trojan.Win32.StartPage 0.18%
Other Malicious Programs* 4.52%
*not included in the Top Twenty



Malicious Program Types




The October Virus Top Twenty has brought some unexpected surprises.

Firstly, the list has dropped the the Klez and Lentin Internet worms, which have been mainstays on the Virus Top Twenty list since November 2001 and March 2002 respectively. Additionally, the Sobig Internet worm that has occupied the top spot over the past several months has dropped drastically from first to eighth position.

Currently, a newcomer – the worm Swen, appearing just one and one half months ago in mid September, occupies the top spot. In fact, Swen dominates the list by claiming over 70% of all registered incidences, while its closest rivals, the Tanatos and Mimail worms accounted for just over 1% each.

Another unexpected occurrence in October is the significant growth in the number and variety of Trojan programs appearing. An impressive total of nine malicious programs belonging to the Trojan family made the list. In aggregate, Trojan programs well over doubled the total turned in by computer viruses – 6.46% to 2.77%.


  • New malicious programs appearing in the October list are: Sober, Ciadoor, Agobot, Hino, PerfectKeyLogger
  • Moving up are: Swen, Tanatos, Lovesan, SdBot, Spybot, Redlof, Optix.Pro
  • Moving down are: Sobig, CIH, Parite
  • Returning to the list are: Small, IRCBot, Flop, StartPage
  • Holding firm at its previous position is the Mimail Internet worm in third

Virus Top Twenty for October 2003

Your email address will not be published. Required fields are marked *



Lazarus targets defense industry with ThreatNeedle

In mid-2020, we realized that Lazarus was launching attacks on the defense industry using the ThreatNeedle cluster, an advanced malware cluster of Manuscrypt (a.k.a. NukeSped). While investigating this activity, we were able to observe the complete life cycle of an attack, uncovering more technical details and links to the group’s other campaigns.

Sunburst backdoor – code overlaps with Kazuar

While looking at the Sunburst backdoor, we discovered several features that overlap with a previously identified backdoor known as Kazuar. Our observations shows that Kazuar was used together with Turla tools during multiple breaches in past years.

Lazarus covets COVID-19-related intelligence

As the COVID-19 crisis grinds on, some threat actors are trying to speed up vaccine development by any means available. We have found evidence that the Lazarus group is going after intelligence that could help these efforts by attacking entities related to COVID-19 research.

Sunburst: connecting the dots in the DNS requests

We matched private and public DNS data for the SUNBURST-malware root C2 domain with the CNAME records, to identify who was targeted for further exploitation. In total, we analyzed 1722 DNS records, leading to 1026 unique target name parts and 964 unique UIDs.

Subscribe to our weekly e-mails

The hottest research right in your inbox