Malware reports

Virus Top Twenty for September 2004


Position Change in position Name Percentage by occurrence
1 +3 I-Worm.Netsky.q 21.67%
2 -1 I-Worm.Netsky.aa 13.79%
3 +1 I-Worm.Zafi.b 12.70%
5 I-Worm.Mydoom.m 5.34%
6 +2 I-Worm.Bagle.z 4.86%
7 +2 I-Worm.Netsky.d 4.55%
8 new TrojanDownloader.JS.Gen 4.41%
9 -3 I-Worm.Netsky.t 2.51%
10 +1 I-Worm.Netsky.y 1.62%
11 -1 I-Worm.Lovgate.w 1.41%
12 new 1.35%
13 +2 I-Worm.Mydoom.l 1.11%
14 -2 I-Worm.Netsky.r 1.08%
15 new I-Worm.Mydoom.t 0.93%
16 +3 I-Worm.Bagle.gen 0.86%
17 re-entry I.Worm.Netsky.c 0.83%
18 -5 TrojanDropper.VBS.Zerolin 0.73%
19 new I-Worm.Bagle.ah 0.62%
20 new I-Worm.Mydoom.u 0.51%
Other malicious programs (not in the Top 20) 9.49%

This September we witnessed several outbreaks caused by new variants of our old enemies Bagle and Mydoom. Thankfully, we did not see any malware exploiting the JPEG vulnerability in MS Windows, despite dire predictions by some analysts that an outbreak was inevitable. In short, September resembled August, with only minor changes.

Just as in August, we see 5 new malicious programs in the ratings this month. And it’s more variations on the same theme: we had 3 new Mydoom variants and no Bagles in August, while in September they evened out with 2 new variants of each. TrojanDownloader.JS.Gen was the only truly new piece of malware in the ratings this month.

In the meantime, Netsky variants continue to dominate the top slots; changing places with each other, but not yielding to any other viruses. NetSky.q pushed aside NetSky.aa and took first place. Once again, the only malicious program to compete with the NetSky variants is Zafi. This Hungarian virus is maintaining a slow but steady downward pace, moving down to third place.

The Mydoom.m variant that appeared in August hung on to fifth place with the same occurrence rating.

The main newcomers this month are two Mydoom variants that appeared in the space of a single day. Bagle authors were not caught napping and brought their summer holidays to a close by releasing several new variants, which all used email and file-sharing networks to spread.

TrojanDownloader.JS.Gen is a catch all name for a huge number of Trojans written in Java Script. We group them together because they all have only one function – to download other malware from the Internet. This summer virus coders were placing such Trojans on websites, wheras in September we saw a new trend: using spammer techniques to mass mail malicious programs.
On the one hand, Bagle, LovGate and NetSky variants carry on creating a steady background of virus activity, moving insignificantly up and down in the ratings.

On the other hand, the old steadfasts Swen and Sobig.f have finally disappeared from the Top Twenty. In other words, September 2004 finally saw malware created in previous years vanish totally from the ratings: we now have only viruses created in 2004. Moreover, 16 out of 20 viruses in this month’s Top Twenty are worms from only three families. The only serious competion Bagle, NetSky and Mydoom variants face comes from Zafi and Lovgate.


New viruses TrojanDownloader.JS.Gen,, Bagle.ah, Mydoom.t, Mydoom.u
Moved up: NetSky.q, Zafi.b, Bagle.z, NetSky.d, NetSky.y, Mydoom.l, Bagle.gen
Moved down Netsky.aa, NetSky.b, NetSky.t, LovGate.w, NetSky.r, TrojanDropper.VBS.Zerolin
No change Mydoom.m

Virus Top Twenty for September 2004

Your email address will not be published. Required fields are marked *



The leap of a Cycldek-related threat actor

The investigation described in this article started with one such file which caught our attention due to the various improvements it brought to this well-known infection vector.

Lazarus targets defense industry with ThreatNeedle

In mid-2020, we realized that Lazarus was launching attacks on the defense industry using the ThreatNeedle cluster, an advanced malware cluster of Manuscrypt (a.k.a. NukeSped). While investigating this activity, we were able to observe the complete life cycle of an attack, uncovering more technical details and links to the group’s other campaigns.

Sunburst backdoor – code overlaps with Kazuar

While looking at the Sunburst backdoor, we discovered several features that overlap with a previously identified backdoor known as Kazuar. Our observations shows that Kazuar was used together with Turla tools during multiple breaches in past years.

Subscribe to our weekly e-mails

The hottest research right in your inbox