Malware reports

Virus Top Twenty for October 2004

Kaspersky Lab presents the most acitve 20 viruses for October 2004.

Position Change in position Malware name Percentage
1. No Change 0 I-Worm.NetSky.q 15.95
2. No Change 0 I-Worm.NetSky.aa 14.45
3. Up +1 I-Worm.NetSky.b 10.52
4. Up +8 I-Worm.Bagle.as 7.43
5. Up +1 I-Worm.Bagle.z 6.59
6. Down -1 I-Worm.Mydoom.m 5.90
7. New! new I-Worm.Bagle.at 4.01
8. Down -5 I-Worm.Zafi.b 3.03
9. No Change 0 I-Worm.NetSky.t 2.90
10. Down -3 I-Worm.NetSky.d 2.83
11. Down -1 I-Worm.NetSky.y 2.31
12. Down -1 I-Worm.LovGate.w 2.30
13. No Change 0 I-Worm.Mydoom.l 1.82
14. New! new I-Worm.Mydoom.ab 1.75
15. Down -1 I-Worm.NetSky.r 1.39
16. No Change 0 I-Worm.Bagle.gen 1.37
17. Return re-entry I-Worm.Mydoom.r 1.31
18. Down -1 I-Worm.NetSky.c 0.95
19. No Change 0 I-Worm.Bagle.ah 0.87
20. Return re-entry Backdoor.Win32.Rbot.gen 0.68
Other malicious programs (not in the Top 20) 11.64

October, like September, saw further new variants of Mydoom and Bagle. Mydoom.ab (Swash.a) and Bagle.at appeared within a few days of each other. In fact, Bagle.at was followed immediately by a clone: Bagle.au, thought the clone did not make the Top Twenty. The Bagle mass mailing, October 29, was so effective that it took Bagle.at only 3 days to reach seventh place in the Top Twenty.

On the other hand, the high ranking was achieved in the first day: the numbers have fallen in the past two days and Bagle.at may well not rank so high in November. A new version of the Hungarian I-Worm.Zafi.c was detected in the interim between Mydoom.ab and Bagle.at. This third variant has not been seen in the wild yet, though an outbreak is highly probable if we remember how long the previous variant was in the Top Twenty.

In all other respects, the October Top Twenty is almost identical to the September Top Twenty. NetSky variants are on top, with Bagle and Mydoom variants continuing their fruitless efforts to outrank them. Bagle.as has moved noticeably: 8 slots in one month. Zafi.b continues falling – 5 places and a high probability of leaving the Top Twenty by November. If this occurs, LovGate.w will be the only malicious program on the list that is no a member of the Big Three.

TrojanDownloader.JS.Gen and TrojanDropper.VBS.Zerolin have already left the rankings, despite a number of mass mailings containing these programs. However, other malicious programs proved more active and pushed these Trojans out of the Top Twenty.

However, other malicious programs continue to challenge the Big Three – Backdoor.Win32.Rbot.gen returned to the ratings this month. This backdoor, a hard-hitting bot, is controlled via IRC channels: it normally spreads by exploiting various vulnerabilities in Windows (RPC DCOM, LSASS and so forth). This month, virus writers seem to have decided that SP2 for Windows XP created too many barriers: they chose to send Rbot via email instead, and successfully as statistics demonstrated.

Sadly, we cannot look forward to life without Bagle and Mydoom yet. The source codes of both worms have been widely publicized on the Internet and spread by the worms themselves. Most of the virus activity we have witnessed recently has been caused by variants of these two worms, or, to be precise, recompiled versions of the published source code.

Other malware made up a significant proportion of Internet traffic this month: we detected over 200 different malicious programs.

Summary

New viruses Bagle.at, Mydoom.ab
Moved up NetSky.b, Bagle.as, Bagle.z
Moved down Mydoom.m, Zafi.b, NetSky.d, NetSky.y, LovGate.w, NetSky.r, NetSky.c
No change NetSky.q, NetSky.aa, NetSky.t, Mydoom.l, Bagle.gen, Bagle.ah
Re-entry Mydoom.r, Rbot.gen

Virus Top Twenty for October 2004

Your email address will not be published. Required fields are marked *

 

Reports

APT trends report Q3 2024

The report features the most significant developments relating to APT groups in Q3 2024, including hacktivist activity, new APT tools and campaigns.

Subscribe to our weekly e-mails

The hottest research right in your inbox