Virus Top Twenty for October 2005

Position	Change in position	Name	Percentage
1.	+1	Net-Worm.Win32.Mytob.c	14.56
2.	New	Email-Worm.Win32.Doombot.b	10.27
3.	-2	Email-Worm.Win32.Zafi.d	7.92
4.	+15	Net-Worm.Win32.Mytob.bi	6.80
5.	-1	Email-Worm.Win32.LovGate.w	5.27
6.	+2	Email-Worm.Win32.NetSky.q	3.66
7.	New	Email-Worm.Win32.Doombot.d	3.27
8.	-3	Email-Worm.Win32.NetSky.b	3.08
9.	-2	Net-Worm.Win32.Mytob.bk	3.03
10.	-1	Net-Worm.Win32.Mytob.t	2.51
11.	+4	Net-Worm.Win32.Mytob.y	2.35
12.	+5	Net-Worm.Win32.Mytob.be	2.22
13.	-7	Net-Worm.Win32.Mytob.q	2.10
14.	-4	Net-Worm.Win32.Mytob.u	2.08
15.	-12	Email-Worm.Win32.Zafi.b	1.59
16.	New	Email-Worm.Win32.Fanbot.f	1.46
17.	New	Email-Worm.Win32.Bagle.dx	1.24
18.	New	Trojan-Spy.HTML.Bayfraud.hn	1.22
19.	-8	Net-Worm.Win32.Mytob.r	1.20
20.	-8	Email-Worm.Win32.NetSky.aa	1.16
Other malicious programs			23.01

As regular readers probably remember, at the end of August two young men were arrested in Morocco and Turkey on suspicion of being involved in the creation of the family of Mytob worms. It remains to be seen whether or not they will be found guilty. But there was a clear reduction in the number of new Mytob variants in September, a fact which seems to speak for itself.

However, it’s well known that nature abhors a vacuum, and the world of computer viruses is no different to any other natural environment. Cybercriminals haven’t let this opportunity pass them by, and released a number of new families of dangerous worms into the wild.

October 2005 was rich in new malicious programs. In the space of a single week, Kaspersky Lab virus analysts broke their own record, adding more than 1400 new records to the antivirus databases.

The leader of the Top Twenty has changed yet again, with Mytob.c putting in yet another appearance. It’s highly likely that this worm will turn out to be the most widespread malicious program of 2005.

In second place we have a newcomer to our rankings. This worm is Doombot.b, one of the ‘new generation’ worms released into the vacuum left by Mytob. Doombot is very similar to Mytob in its functionality. It combines email worm and IRC bot functionality, as does Mytob, and is based on the source code of Mydoom. However, some of Doombot’s main components are significantly different, and this is why we classify it as belonging to a different family. It’s worth stressing that variant .b was detected on 16th October, meaning that it was able to rise to second place within a mere two weeks or so. We may well see Doombot heading the Top Twenty in November.

Mytob.bi has also demonstrated a rapid rise – in September it occupied 19th place, and was effectively disappearing over the horizon. However, in October, it managed to climb 15 places, and is now in 4th place. The percentage of Mytob.bi is also extremely high.

Another interesting worm in the Top Ten is another Doombot, Doombot.d. This worm was originally classified as Mytob.dc. However, it contains the trademark string “H-E-L-L-B-O-T-P-O-L-Y-M-O-R-P-H” which is only found in Doombots. This led to us reclassifying the worm. Such borderline cases, where similar functionality and basic program structure is present in a range of worm bots, cause classification headaches. This is not surprising as the majority of worms of this type are clones of Mydoom, which will soon be celebrating its second birthday.

This is an excellent illustration of how the distribution of source code can sometimes cause even more damage than a single worm created around the same code. After all, once source code is openly availably, any script kiddie can rapidly create his/ her own variant by modifying the code, even with minimal programming skills.

In the remainder of the Top Twenty, there are another three new malicious programs which are worth taking a closer look at. These programs, in 16th – 18th place, are very different from each other, and all the more interesting for that.

Another new generation worm, Fanbot.f, is in 16th place. This worm was also created using the source code of Mydoom and the SdBot backdoor. Fanbot appears to be attempting to spark the latest cyberwar, this time with the author of Doombot. One piece of evidence for this is the text string which the worm’s body contains: “HellBot3 have BackDoor in ‘HellMsn.h’. The HellBot3 author is an idiot!!!
[Phantom] 2005 Made By Evil[xiaou]. Greetz to good friend x140d4n. Based On sdbot&&mydoom.”

The author of Fanbot also vents spleen on the antivirus companies which did not classify the worm as the author intended:
“MSG to Kaspersky&Norton: can u make it difficulty next time!!! stupid. dont call me Fanbot,i am [Phantom]!!! SHIT!!!
Play with The best, Die like the rest.”

The Fanbot family currently contains 11 variants, and it’s likely that both Fanbot and Doombot variants will be among the most active viruses in the coming months.

Bagle’s authors have clearly decided to join the fun. We mentioned previously that more than 20 new Bagle variants were detected in September. However, in October the authors clearly decided to favour quality over quantity. Given this, Bagle.dx, detected on 20th October, is a significant event in our virus statistics. As is always the case with Bagle, the main aim of the virus writers is not to spread the worm itself, but to install Trojan proxy servers on victim machines, which can then be used for spam mailings. Programs which will harvest email messages will also be installed on victim machines. We believe that Bagle and the corresponding localized epidemics are at the root of the sharp rise in spam mailings which have taken place around the worm in the last few weeks.

Infected machines aren’t only used as spamming platforms, but also to conduct phishing attacks. One of the biggest attacks in October was the spamming of Trojan-Spy.HTML.Bayfraud.hn, which targets eBay users. The attack enabled this Trojan to take 18th place, and this once again highlights the danger and damage caused by phishers.

Other malicious programs made up 23.1% of malware intercepted in mail traffic. This indicates that a high number of other worms and Trojans are currently in circulation.

Summary: