Malware reports

Virus Top Twenty: March 2004

Position Change in position Name Percentage by occurrence
1 +1 I-Worm.Netsky.b (Moodown.b) 52.78%
2 -1 I-Worm.Mydoom.a 12.45%
3 new I-Worm.Netsky.d 8.98%
4 I-Worm.Mydoom.e 5.45%
5 new I-Worm.Netsky.q 2.90%
6 -3 I-Worm.Swen 2.37%
7 new PSW-Worm 2.31%
8 new I-Worm.Mydoom.g 2.30%
9 +6 I-Worm.Netsky.c 1.65%
10 new I-Worm.Bagle.i 0.75%
11 new I-Worm.Bagle.s 0.47%
12 new I-Worm.Bagle.j 0.45%
13 -5 I-Worm.Klez.h 0.40%
14 new I-Worm.Bagle.e 0.35%
15 new I-Worm.Bagle.g 0.35%
16 -6 I-Worm.Mimail.q 0.33%
17 new I-Worm.Lentin.v 0.32%
18 -11 I-Worm.Mimail.a 0.31%
19 -7 I-Worm.Mimail.c 0.27%
20 new I-Worm.Bagle.c 0.25%

other malicious programs*4.56%

March 2004 was an even more virus filled month than February. February’s virus Top Twenty contained six new email worms; this figure nearly doubled in March, with 11 new viruses entering the charts.

As predicted, March was the month of the Bagles. Five new versions of Bagle appeared. In seventh place is PSW-Worm, an umbrella identification which includes several Bagle versions. These differ from other worms in the Bagle family in that they spread in password protected ZIP and RAR archives, and the password is either included in the message or contained in a graphics file. Such an approach is not new, but Bagle exploited it with great success. Incidentally, tricks like this have positively influenced the development of new antivirus technology designed to detect and intercept such sneaky viruses.

Statistics for March show that Netsky.b (also known as Moodown.b) and Mydoom.a have changed places, with Netsky.b now leading the charts. Worms from the Netsky family made a significant impact in March, with four versions appearing in the first 9 positions. Netsky was also the initiator of a virtual war, deleting Mydoom, Bagle and Mimail from machines infected by these viruses: an antivirus virus. This action, together with the rapid propagation of Netsky led to three groups of virus writers writing insults directed at the other groups into the code of their viruses.

Those viruses which have appeared in the Top Twenty before also show interesting results. NaÐve or careless users managed to keep Swen, Klez.h and also three worms (a, c and the polymorphic q) from the Mimail family in the ratings. A leader in previous months, Sober.c has disappeared altogether from the charts. However, Kaspersky Labs detected 2 new versions of the worm in March, and it is entirely likely that one of them, Sober.e will make an appearance in the Top Twenty in the future.

Additionally, Sobig.f, last year’s overall leader, finally disappeared from the ratings. Sobig.f has been sliding down the charts over the last six months, but this month it finally lost the battle, yielding to the new families of malicious code.

The final new entrant is the latest modification of the Lentin worm, Lentin.v. It was first detected in December 2003, and has quietly made its way into seventeenth place. Lentin.v and Klez.h are two classic email worms, which do not use spam technology or extensive networks of infected machines to replicate. It is interesting to speculate whether this month’s chart toppers would have reached their current positions if they had used more traditional methods of propagation.

Other malicious programs made up a significant amount of virus traffic; over 1200 different malicious programes were detected last month.


New viruses: 11 in total – NetSky.D, NetSky.Q, PSW-Worm, Mydoom.G, Bagle.S, Bagle.J, Bagle.I, Bagle.E, Bagle.G, Bagle.C, Lentin.V

Moved up: Netsky.B, Netsky.C

Moved down: Mydoom.A, Swen, Klez.H, Mimail.Q, Mimail.A, Mimail.C

Virus Top Twenty: March 2004

Your email address will not be published. Required fields are marked *


Subscribe to our weekly e-mails

The hottest research right in your inbox