Malware reports

Virus Top Twenty for October 2006

Position  Change in position  Name                              Percentage
1         Return              Email-Worm.Win32.NetSky.q         13.14
2         New!                Email-Worm.Win32.Warezov.dn       11
3         Return              Email-Worm.Win32.Bagle.gen        10.43
4         No Change           Email-Worm.Win32.Scano.gen        7.97
5         New!                Email-Worm.Win32.Warezov.ev       6.32
6         Return              Email-Worm.Win32.Bagle.mail       4.04
7         New!                Email-Worm.Win32.Warezov.dc       3.65
8         Return              Email-Worm.Win32.Mydoom.l         2.89
9         Return              Email-Worm.Win32.Mydoom.m         2.74
10        Return              Email-Worm.Win32.Scano.e          2.46
11        New!                                                  2.41
12        Return              Email-Worm.Win32.NetSky.aa        2.08
13        Down                Email-Worm.Win32.NetSky.b         2.04
14        Down                Net-Worm.Win32.Mytob.c            2.01
15        Down                Trojan-Spy.HTML.Bankfraud.od      1.84
16        New!                                                  1.83
17        New!                Email-Worm.Win32.Warezov.gen      1.26
18        Return              Email-Worm.Win32.Bagle.dx         1.24
19        New!                Email-Worm.Win32.Warezov.dh       0.84
20        Down -12                                              0.8
                              Other malicious programs          19.01
                              Variants from the Warezov family  27.31

For three months we’ve watched Mytob.c and Nyxem.e waging a bitter battle for first place. Both worms have stubbornly taken percentage points from the other. It’s difficult to say how long this could have continued – of course, a major epidemic would have changed the situation, but in 2006 email worms, the plague of the Internet, are almost a thing of the past. Now standard Trojan programs and network worms which use vulnerabilities in Windows to spread (such as the recently discovered MS06-040) are far more active.

However, in October everything changed in the blink of an eye. Warezov burst onto the scene, and this shook our statistics right to their foundations, with only 5 malicious programs out of September’s 20 remaining. In October, Warezov caused a headache for antivirus companies throughout the world. The worm’s burst of activity towards the end of the month, when as many as 20 new variants appeared in the space of 24 hours, was a particular challenge.

Warezov’s October madness resulted in 7 variants making it into the rankings – a debut comparable only to that of Mytob. Warezov, in all its modifications, made up more than 27% of all malicious code in mail traffic, and if we calculated overall prevalence by family rather than by modification, Warezov would have been October’s absolute leader. As it stands, Warezov.dn occupies second place, a mere two percent behind 2004’s leader, NetSky.q. This worm has returned to the top of the ratings, but it’s difficult for us to say why; it may be the start of a new trend, or simply an isolated burst of activity, of the kind we’ve seen on a number of previous occasions.
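The family-level view mentioned above, as an added example that is not part of the original report: it parses the Kaspersky verdict format (Behaviour.Platform.Family.variant) used in the table, groups the named Top Twenty entries by family and ranks the totals. The input is the table above with the three unnamed rows left out, so the Warezov total here is lower than the 27.31% footer figure, which also counts variants outside the Top Twenty.

```python
from collections import defaultdict

# Named entries from the October 2006 Top Twenty above; the three rows whose
# names are missing from the page are omitted (constructed input for this example).
TOP_TWENTY = [
    ("Email-Worm.Win32.NetSky.q", 13.14),
    ("Email-Worm.Win32.Warezov.dn", 11.00),
    ("Email-Worm.Win32.Bagle.gen", 10.43),
    ("Email-Worm.Win32.Scano.gen", 7.97),
    ("Email-Worm.Win32.Warezov.ev", 6.32),
    ("Email-Worm.Win32.Bagle.mail", 4.04),
    ("Email-Worm.Win32.Warezov.dc", 3.65),
    ("Email-Worm.Win32.Mydoom.l", 2.89),
    ("Email-Worm.Win32.Mydoom.m", 2.74),
    ("Email-Worm.Win32.Scano.e", 2.46),
    ("Email-Worm.Win32.NetSky.aa", 2.08),
    ("Email-Worm.Win32.NetSky.b", 2.04),
    ("Net-Worm.Win32.Mytob.c", 2.01),
    ("Trojan-Spy.HTML.Bankfraud.od", 1.84),
    ("Email-Worm.Win32.Warezov.gen", 1.26),
    ("Email-Worm.Win32.Bagle.dx", 1.24),
    ("Email-Worm.Win32.Warezov.dh", 0.84),
]

def parse_name(name):
    """Split a verdict 'Behaviour.Platform.Family.variant' into its parts.
    A three-part name (no variant) is accepted; anything shorter is rejected."""
    parts = name.split(".")
    if len(parts) < 3:
        raise ValueError(f"unexpected verdict format: {name!r}")
    behaviour, platform, family = parts[0], parts[1], parts[2]
    variant = ".".join(parts[3:])  # empty string when no variant suffix
    return behaviour, platform, family, variant

def rank_by_family(entries):
    """Sum each family's share of mail traffic and return
    [(family, share)] sorted by share, highest first."""
    totals = defaultdict(float)
    for name, share in entries:
        totals[parse_name(name)[2]] += share
    ranked = sorted(totals.items(), key=lambda kv: kv[1], reverse=True)
    return [(family, round(share, 2)) for family, share in ranked]

if __name__ == "__main__":
    for family, share in rank_by_family(TOP_TWENTY):
        print(f"{family:<10} {share:6.2f}")
```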

Warezov is extremely similar to the notorious Bagle in a number of ways. Although Warezov is based on Mydoom.a source code, and Bagle’s code was totally original, developed by an unknown group of virus writers, we still view these worms as relatives. Firstly, the epidemics are organized in a very similar way – releasing multiple variants in a very short space of time, with different variants being released in different regions (e.g. one variant being spammed in Russia, another in Europe). Secondly, they have the same functionality (installing other modules from Trojanized sites, and harvesting email addresses before sending them to malicious users). Bagle was the first worm to use virus technologies to gather new data for spammer databases; Warezov repeats this tactic. Thirdly, Warezov appeared within a week of new Bagle variants ceasing to appear. It’s unlikely that Bagle’s authors decided suddenly to go out of business exactly as another group decided to take over the reins; it seems highly likely that the two worms were created by the same group. Finally, Bagle had a huge influence on the antivirus industry as a whole, forcing antivirus companies to come up with new methods of protection. Warezov has brought a new challenge: coping with code obfuscation, and also the need to respond to new variants in an ever shorter period of time.

However, Bagle has not totally disappeared. Although new versions are not appearing, old variants are still spreading actively. Our Top Twenty bears witness to this, with Bagle variants taking third, sixth and eighteenth place.

Another worm which employs code obfuscation is Scano. KL virus analysts successfully tackled its polymorphic script engine a few months ago, but Scano nevertheless remains widespread. In spite of the fact that we have modified the methods used for calculating our statistics, Scano.gen holds fourth place in October, just as it did in September.

One unpleasant fact which has to be faced is that Warezov, Bagle, and Scano all appear to have a ‘Cyrillic’ background, and to have been created either in Russia, or in former Soviet Union states.

Bankfraud.od, the most common phishing attack in August, remains the most widespread in October. In September Bankfraud fell one place, and dropped a further two in October. However, phishing attacks are continuing to increase in mail traffic, and in the near future we will be providing separate data on the prevalence of such attacks.

Other malicious programs made up 19.1% of all malicious programs intercepted in mail traffic. This confirms that a large number of other worms and Trojans are still actively circulating.

Summary of changes

New: Warezov.dn, Warezov.ev, Warezov.gen, Warezov.dh
Moved down: NetSky.b, Mytob.c, Bankfraud.od
Re-entry: NetSky.q, Bagle.gen, Bagle.mail, Mydoom.l, Mydoom.m, Scano.e, NetSky.aa, Bagle.dx
