Virus Top Twenty for July 2005

Aug 01 2005

Alexander Gostev
Aleks has headed the Global Research and Analysis Team at Kaspersky Lab since 2008, and specializes in all aspects of information security, including mobile malware. His responsibilities include detecting and analyzing new malware. His research and analytical articles are published both on dedicated IT sites and in the mass media. He has been with the company since 2002, and is based in Moscow.

| Position | Change in position | Name | Percentage |
|---|---|---|---|
| 1 | Up +1 | Email-Worm.Win32.NetSky.q | 14.67 |
| 2 | Down -1 | Net-Worm.Win32.Mytob.c | 13.58 |
| 3 | Up +5 | Email-Worm.Win32.Zafi.b | 8.01 |
| 4 | Down -1 | Email-Worm.Win32.Zafi.d | 6.54 |
| 5 | Down -1 | Net-Worm.Win32.Mytob.be | 6.12 |
| 6 | No change 0 | Net-Worm.Win32.Mytob.bk | 6.07 |
| 7 | Down -2 | Email-Worm.Win32.NetSky.aa | 4.41 |
| 8 | New | Net-Worm.Win32.Mytob.bt | 2.65 |
| 9 | Down -1 | Email-Worm.Win32.NetSky.b | 2.52 |
| 10 | Up +8 | Net-Worm.Win32.Mytob.bi | 2.11 |
| 11 | Up +3 | Net-Worm.Win32.Mytob.au | 1.85 |
| 12 | Return | Email-Worm.Win32.NetSky.d | 1.73 |
| 13 | Down -1 | Net-Worm.Win32.Mytob.u | 1.62 |
| 14 | Down -4 | Net-Worm.Win32.Mytob.ar | 1.59 |
| 15 | Down -8 | Email-Worm.Win32.LovGate.w | 1.59 |
| 16 | Down -5 | Net-Worm.Win32.Mytob.q | 1.37 |
| 17 | Down -1 | Net-Worm.Win32.Mytob.t | 1.30 |
| 18 | Down -1 | Email-Worm.Win32.Mydoom.l | 1.20 |
| 19 | Return | Email-Worm.Win32.Mydoom.m | 1.17 |
| 20 | Return | Email-Worm.Win32.Bagle.ah | 1.04 |
| | | Other malicious programs | 18.86 |

Amazing things are happening in the world of computer viruses. No sooner had a new generation of network worms made its presence felt, and some of the veterans disappeared from our ratings, than the old favourites made themselves known again, and in no uncertain terms.

And this is what happened in July. Mytob.c had been at the top of the ratings for three months, having deposed 2004's leader, NetSky.q. More and more variants of the Mytob family appeared, and the Virus Top Twenty was threatening to turn into a Mytob Top Twenty.

But suddenly everything changed. NetSky.q is once again in first place, in its own strange way marking the sentence given to its author Sven Jaschan. In spite of the fact that yet another Mytob has appeared in the Top Twenty, the overall number of Mytobs has fallen from 13 to 10. And they have been squeezed out not by new worms, but by our old friends from the Bagle, Zafi, Mydoom and of course NetSky families.

Of course, the most surprising factor here is Zafi, for the second month in a row. In June, Zafi.d rose 6 places in the ratings, bringing it to 3rd place. In July, almost exactly the same thing happened with Zafi.b! This worm rose five places, gaining the very same 3rd place. In this way, the two Hungarian polyglot worms - they send spam in more than 15 European languages - find themselves in the top five. Completely unexpected, and as yet we have no concrete explanation for why this has happened.

There is only one new entry to the Top Twenty - Mytob.bt. This variant is almost identical to its predecessors - the authors of Mytob, who call themselves HELLBOT, are continuing to experiment with packers (hoping that newly packed variants will evade detection) or changing the bot function, and the list of IRC channels used to control the program. This is being done because channels used by previous variants have been quickly closed by IRC server administrators.

The various Mytobs are well entrenched in the top ten, taking 2nd, 5th, 6th, 8th and 10th place. Mytob.bi brings up the rear in the top ten, and this program was leader of the month in terms of statistics, rising a whole 8 places at once. The same figure applies to another veteran of the ratings, LovGate.w, although this time the movement is downwards. If LovGate.w continues to fall in the ratings, the Korean worm won't be in evidence next month.

Most interesting of all is the trio of worms which have returned to the Top Twenty. It is these worms which have caused Mytob to lose position, and they have taken the places previously occupied by Mytob variants.

First in line is NetSky.d. It was last seen in May, in 15th position, and in June it fell off the bottom of the ratings, and has now returned in triumph to 12th place. The four NetSky representatives are in 1st, 7th, 9th and 12th place. With this showing, the decision of the German court to give Sven Jaschan an 18 month suspended sentence and 30 hours community service seems all the more amazing.

The other two returnees are in 19th and 20th place, at the very bottom of the ratings. However, if Mytob continues to move down the chart, these two may well rise further up the table.

Mydoom.m is one of Mytob's older brothers. Mytob variants and Mydoom.m are all based on the source code of Mydoom.a, and are a clear example of the consequences of publishing virus source code on the Internet. It's just as dangerous, and in fact even more harmful than spreading a single virus or worm, as it incites other virus writers to use the source code in their malicious programs. Who knows what would have happened if the source code of Mydoom.m had not been published on the Internet in February 2004? How would the virus landscape today have been different? One thing is clear - there would have been no new Mydooms or Mytobs in the ratings this month.

Rounding off the Top Twenty is one of the many Bagles, this time Bagle.ah. This old familiar virus is marking the one year anniversary of its detection with an inexplicable burst of activity.

Other malicious programs make up a significant percentage (18.86%) of all those intercepted in mail traffic. This indicates that a large number of worms and Trojans from other families are still in circulation.

Summary:

New: Mytob.bt
Returned: NetSky.d, Mydoom.m, Bagle.ah
Moved up: NetSky.q, Zafi.b, Mytob.bi, Mytob.au
Moved down: Mytob.c, Zafi.d, Mytob.be, NetSky.aa, NetSky.b, Mytob.u, Mytob.ar, LovGate.w, Mytob.q, Mytob.t, Mydoom.l
No change: Mytob.bk

Source: Kaspersky Lab
 
