Virus Top Twenty for September 2005

Position	Change in position	Name	Percentage
1.	+3	Email-Worm.Win32.Zafi.d	17.17
2.	-1	Net-Worm.Win32.Mytob.c	16.69
3.	0	Email-Worm.Win32.Zafi.b	11.35
4.	+4	Email-Worm.Win32.LovGate.w	6.64
5.	+1	Email-Worm.Win32.NetSky.b	4.32
6.	+5	Net-Worm.Win32.Mytob.q	3.86
7.	-2	Net-Worm.Win32.Mytob.bk	3.10
8.	-6	Email-Worm.Win32.NetSky.q	2.99
9.	+3	2.53
10.	+4	Net-Worm.Win32.Mytob.u	2.50
11.	+7	Net-Worm.Win32.Mytob.r	2.02
12.	-5	Email-Worm.Win32.NetSky.aa	1.59
13.	+6	Net-Worm.Win32.Mytob.a	1.56
14.	Return	Email-Worm.Win32.NetSky.x	1.46
15.	Return	Net-Worm.Win32.Mytob.y	1.35
16.	Return	Email-Worm.Win32.LovGate.ae	0.97
17.	-8	Net-Worm.Win32.Mytob.be	0.85
18.	-3	Email-Worm.Win32.NetSky.t	0.80
19.	-9	Net-Worm.Win32.Mytob.bi	0.79
20.	Return	Net-Worm.Win32.Mytob.x	0.77
Other malicious programs			16.69

One of the more interesting aspects of virus outbreaks is the way some viruses bounce back. Frequently, older viruses that emerged ages ago, and which had seemingly disappeared, re-emerge at the top of the charts, forcing antivirus experts to play a guessing game when it comes to determining the reasons for these unexpected revivals. The Virus Top 20 for this September provides the latest example of an unexpected virus comeback.

On the one hand, the all-out offensive of Mytob worms suddenly gave way to relative calm. The reasons for this are clear enough.

First of all, in August 2005 a new Microsoft Windows vulnerability, MS05-039, was discovered in the Plug’n’Play service. Virus writers immediately switched gears from email worms to network worms. This affected our Top 20, particularly in terms of email worms.

Secondly, this bias has also attracted the attention of law enforcement agencies, resulting in the arrests of two individuals in Morocco and Turkey accused of creating worms from the Mytob family. Whether they are the actual authors will only be clear when the investigation is complete. One thing, however, is clear: in September (after the arrests), new Mytob variants continued to emerge albeit in significantly fewer numbers.

On the other hand, we see a new leader in the Top 20, where, contrary to all expectations theZafi.d is now in first place. This worm was first identified in October 2004, and topped the Virus Top 20 in December and January. It then gradually fell in the charts, and in August 2005 accounted for a mere 6% of all virus traffic. In September, this Hungarian worm moved up 3 positions and accounted for 11% of all email worm traffic. Moreover, we now have Zafi.b in third place. This may be related to the emergence of Zafi.e; the first new Zafi variant in almost a year. More than likely, Zafi.e will soon become a regular on our virus reports.

We also need to revisit our old friend NetSky, the most widespread and dangerous worm of last year. This summer, NetSky waged an unremitting war on Mytob worms for a share of mail traffic. NetSky variants seem to be losing the war. Last year’s leader, NetSky.q is now in 8th place, demonstrating that the Virus Top 20 is coming to a turning point and, in spite of the 5th place achieved by another member of the NetSky family — the NetSky.b variant — it seems that this family will be pushed out of the top 10 in the near future.

LovGate.w continues to surprise. In 2004, it consistently appeared in the top 10. In 2005, it fell to 15th place in July and we expected it to disappear altogether. However, this was not to be. In August, it rose to 8th place, and in September to 4th. Surprisingly, another LovGate variant has made it to the Top 20 – LovGate.ae has unexpectedly shown up in the group of returnees.

The Mytob’s are rotating. Nearly all of the variants that made the top 20 in the past couple of months have increased their propagation rates. Additionally, nearly all variants that appeared in the top 20 at the beginning of this summer or in spring, are falling. Only the position of Mytob.c remains relatively unchanged, and Mytob.q is steadily gaining ground as it nears the top. Overall, the Mytob’s still dominate the Top 20 with 11 variants – that is, more than half of all positions on the Top 20.

Over 20 new Bagle variants were discovered in September. On some days, as many as 5 or 6 new variants appeared within the space of a couple of hours, thus keeping antivirus companies busy. It would seem that such activity and the previous success of this family of worms should be reflected on the September charts, although this did not happen. It is hard to tell why – whether it was the quick response of antivirus companies which halted the outbreak, the thoughtfulness of users who did not execute worm files sent to them or errors in the worm’s code resulting in its inability to work on some systems. In all probability, a combination of all these factors was responsible. However, diligence is still needed, as the authors of Bagle organize such outbreaks on a regular basis.

The number of other malicious programs in email traffic has dropped for the first time this year — an interesting development that we will be watching carefully in the future.

Summary: