Virus Top Twenty for October 2004

Kaspersky Lab presents the 20 most active viruses for October 2004, ranked by their share of all malicious programs detected during the month.

Position  Change in position  Malware name                                   Percentage
1         0                   I-Worm.NetSky.q                                15.95
2         0                   I-Worm.NetSky.aa                               14.45
3         +1                  I-Worm.NetSky.b                                10.52
4         +8                  I-Worm.Bagle.as                                 7.43
5         +1                  I-Worm.Bagle.z                                  6.59
6         -1                  I-Worm.Mydoom.m                                 5.90
7         new                 I-Worm.Bagle.at                                 4.01
8         -5                  I-Worm.Zafi.b                                   3.03
9         0                   I-Worm.NetSky.t                                 2.90
10        -3                  I-Worm.NetSky.d                                 2.83
11        -1                  I-Worm.NetSky.y                                 2.31
12        -1                  I-Worm.LovGate.w                                2.30
13        0                   I-Worm.Mydoom.l                                 1.82
14        new                 I-Worm.Mydoom.ab                                1.75
15        -1                  I-Worm.NetSky.r                                 1.39
16        0                   I-Worm.Bagle.gen                                1.37
17        re-entry            I-Worm.Mydoom.r                                 1.31
18        -1                  I-Worm.NetSky.c                                 0.95
19        0                   I-Worm.Bagle.ah                                 0.87
20        re-entry            Backdoor.Win32.Rbot.gen                         0.68
-         -                   Other malicious programs (not in the Top 20)   11.64

October, like September, saw further new variants of Mydoom and Bagle. Mydoom.ab (also known as Swash.a) and Bagle.at appeared within a few days of each other. Bagle.at was followed immediately by a clone, Bagle.au, though the clone did not make the Top Twenty. The Bagle mass mailing of October 29 was so effective that it took Bagle.at only three days to reach seventh place.

That ranking, however, was earned on the first day: detections have fallen over the past two days, and Bagle.at may well not rank so high in November. A new variant of the Hungarian Zafi worm, I-Worm.Zafi.c, was detected in the interval between Mydoom.ab and Bagle.at. This third variant has not yet been seen in the wild, though an outbreak is highly probable given how long the previous variant stayed in the Top Twenty.

In all other respects, the October Top Twenty is almost identical to September's. NetSky variants are on top, with Bagle and Mydoom variants continuing their fruitless efforts to outrank them. Bagle.as has moved noticeably: eight places in one month. Zafi.b continues to fall – five places, and there is a high probability that it will leave the Top Twenty by November. If that happens, LovGate.w will be the only mass mailer on the list that is not a member of the Big Three.
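The report describes the Big Three (NetSky, Bagle, Mydoom) variant by variant but never totals them by family. The following Python script is an added example, not Kaspersky Lab code: it parses the rows of the table above (copied from the report), splits each detection name into behaviour, family and variant, and aggregates the shares per family. Two assumptions are built in and marked in the comments: that the family is always the second-to-last dot-separated component of a detection name (true for both I-Worm.NetSky.q and Backdoor.Win32.Rbot.gen), and that the Big Three are exactly the three families named in the text.

```python
"""Aggregate a Kaspersky-style 'Virus Top Twenty' table by malware family.

Added example for this report, not Kaspersky Lab code. The rows below are
copied from the October 2004 table; the name-parsing rule and the Big Three
list are assumptions stated in the comments.
"""
import re
from collections import defaultdict

# Rows from the October 2004 Top Twenty: position, change marker,
# detection name, share of detections (%).
TOP_TWENTY_OCT_2004 = """\
1 0 I-Worm.NetSky.q 15.95
2 0 I-Worm.NetSky.aa 14.45
3 +1 I-Worm.NetSky.b 10.52
4 +8 I-Worm.Bagle.as 7.43
5 +1 I-Worm.Bagle.z 6.59
6 -1 I-Worm.Mydoom.m 5.90
7 new I-Worm.Bagle.at 4.01
8 -5 I-Worm.Zafi.b 3.03
9 0 I-Worm.NetSky.t 2.90
10 -3 I-Worm.NetSky.d 2.83
11 -1 I-Worm.NetSky.y 2.31
12 -1 I-Worm.LovGate.w 2.30
13 0 I-Worm.Mydoom.l 1.82
14 new I-Worm.Mydoom.ab 1.75
15 -1 I-Worm.NetSky.r 1.39
16 0 I-Worm.Bagle.gen 1.37
17 re-entry I-Worm.Mydoom.r 1.31
18 -1 I-Worm.NetSky.c 0.95
19 0 I-Worm.Bagle.ah 0.87
20 re-entry Backdoor.Win32.Rbot.gen 0.68
"""
OTHER_SHARE = 11.64  # "Other malicious programs (not in the Top 20)"

# Assumption: the families the report calls the Big Three.
BIG_THREE = ("NetSky", "Bagle", "Mydoom")

ROW_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\d+\.\d+)$")


def split_name(name):
    """Return (behaviour, family, variant) for a detection name.

    Assumption about the naming convention: the family is the second-to-last
    dot-separated component and the variant the last, so an optional platform
    component ('Win32') between behaviour and family is skipped.
    """
    parts = name.split(".")
    if len(parts) < 3:
        raise ValueError(f"unexpected detection name: {name!r}")
    return parts[0], parts[-2], parts[-1]


def parse_rows(text):
    """Parse the table text into a list of row dicts; reject malformed rows."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"bad row: {line!r}")
        pos, change, name, pct = m.groups()
        behaviour, family, variant = split_name(name)
        rows.append({"position": int(pos), "change": change, "name": name,
                     "behaviour": behaviour, "family": family,
                     "variant": variant, "share": float(pct)})
    return rows


def family_shares(rows):
    """Total share per family, largest first, rounded to the table's precision."""
    totals = defaultdict(float)
    for r in rows:
        totals[r["family"]] += r["share"]
    return {f: round(v, 2) for f, v in sorted(totals.items(), key=lambda kv: -kv[1])}


def big_three_share(rows, big_three=BIG_THREE):
    """Combined share of the Big Three families."""
    return round(sum(r["share"] for r in rows if r["family"] in big_three), 2)


def outsiders(rows, big_three=BIG_THREE):
    """Detection names on the list that belong to none of the Big Three."""
    return [r["name"] for r in rows if r["family"] not in big_three]


def check_total(rows, other=OTHER_SHARE, tol=0.01):
    """Consistency check: Top Twenty plus 'Other' should account for 100%."""
    return abs(sum(r["share"] for r in rows) + other - 100.0) <= tol


if __name__ == "__main__":
    rows = parse_rows(TOP_TWENTY_OCT_2004)
    print("table sums to 100%:", check_total(rows))
    for fam, share in family_shares(rows).items():
        print(f"{fam:8s} {share:6.2f}%")
    print("Big Three combined:", big_three_share(rows), "%")
    print("outside the Big Three:", outsiders(rows))
```

Run stand-alone, the script confirms the table sums to 100% and shows that NetSky alone accounts for 51.30% of detections, Bagle for 20.27% and Mydoom for 10.78%, 82.35% between them. The outsider check returns three names, not two: Zafi.b and LovGate.w, plus Backdoor.Win32.Rbot.gen in twentieth place, which the paragraph above leaves out when it counts the non-Big-Three entries.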

TrojanDownloader.JS.Gen and TrojanDropper.VBS.Zerolin have already left the rankings despite a number of mass mailings containing these programs: other malicious programs proved more active and pushed these Trojans out of the Top Twenty.

Other malicious programs do continue to challenge the Big Three, and Backdoor.Win32.Rbot.gen returned to the rankings this month. This backdoor is a hard-hitting bot controlled via IRC channels; it normally spreads by exploiting vulnerabilities in Windows (RPC DCOM, LSASS and so forth). This month its authors seem to have decided that Windows XP SP2 put too many barriers in the way of that approach, so they sent Rbot out by email instead, and successfully, as the statistics show.

Sadly, we cannot look forward to life without Bagle and Mydoom yet. The source code of both worms has been widely published on the Internet and is also carried by the worms themselves. Most of the virus activity we have witnessed recently has been caused by variants of these two worms or, to be precise, by recompiled versions of the published source code.

Other malware made up a significant proportion of Internet traffic this month: we detected over 200 different malicious programs.

Summary

New viruses: Bagle.at, Mydoom.ab
Moved up: NetSky.b, Bagle.as, Bagle.z
Moved down: Mydoom.m, Zafi.b, NetSky.d, NetSky.y, LovGate.w, NetSky.r, NetSky.c
No change: NetSky.q, NetSky.aa, NetSky.t, Mydoom.l, Bagle.gen, Bagle.ah
Re-entry: Mydoom.r, Rbot.gen
