
Virus Top Twenty for April 2006

May 02 2006

Alexander Gostev
Aleks has headed the Global Research and Analysis Team at Kaspersky Lab since 2008, and specializes in all aspects of information security, including mobile malware. His responsibilities include detecting and analyzing new malware. His research and analytical articles are published both on dedicated IT sites and in the mass media. He has been with the company since 2002, and is based in Moscow.

| Position | Change in position | Name | Percentage |
|---|---|---|---|
| 1 | No change | Net-Worm.Win32.Mytob.c | 26.37 |
| 2 | No change | Email-Worm.Win32.NetSky.t | 9.00 |
| 3 | No change | Email-Worm.Win32.LovGate.w | 8.22 |
| 4 | +3 | Email-Worm.Win32.NetSky.q | 5.47 |
| 5 | +8 | Email-Worm.Win32.LovGate.ad | 4.69 |
| 6 | -2 | Email-Worm.Win32.NetSky.b | 4.09 |
| 7 | +10 | Net-Worm.Win32.Mytob.y | 3.36 |
| 8 | +1 | Net-Worm.Win32.Mytob.t | 3.31 |
| 9 | -4 | Net-Worm.Win32.Mytob.u | 3.25 |
| 10 | -2 | Net-Worm.Win32.Mytob.q | 2.48 |
| 11 | +4 | Net-Worm.Win32.Mytob.w | 2.29 |
| 12 | +8 | Net-Worm.Win32.Mytob.a | 2.26 |
| 13 | -3 | Email-Worm.Win32.LovGate.ae | 1.75 |
| 14 | New! | Email-Worm.Win32.Scano.e | 1.45 |
| 15 | Return | Email-Worm.Win32.NetSky.aa | 1.32 |
| 16 | New! | Net-Worm.Win32.Mytob.v | 1.09 |
| 17 | -3 | Email-Worm.Win32.NetSky.y | 1.05 |
| 18 | Return | Email-Worm.Win32.Mydoom.l | 1.04 |
| 19 | New! | Email-Worm.Win32.NetSky.af | 0.89 |
| 20 | New! | Net-Worm.Win32.Mytob.cg | 0.89 |
| | | Other malicious programs | 15.73 |

At first glance it may seem that the April Top Twenty is identical to the Top Twenties of the past six months or so. Computer virology seems to have frozen in time: the same worms have been in the ratings for a long time already. However, this is only at first glance. Mytob.c, the leader of recent ratings, has a long way to go to reach the numerical heights achieved by its infamous predecessors, such as Mydoom, Sobig or Klez. Between them, these worms managed to terrorize users for several years running.

Despite the fact that Mytob versions dominate the ratings this month, other well-known worms are not giving up the battle for control of our computers.

April 2006 is notable for the fact that we finally see Zafi versions disappear completely. We have been expecting this for several months now: Zafi versions led the ratings at one point and then started moving up and down, occasionally climbing almost back to the top. The long life of this worm, which turned 2 this month, is due to its very interesting replication methods. This worm is a true polyglot. It sends out infected emails in over 15 European languages. Zafi picks the languages using the recipient domain as a guide.

Zafi has Hungarian roots, while LovGate comes from Asia, possibly South Korea. This old-timer appeared at the same time as Mydoom, Bagle, NetSky and Zafi. Unlike NetSky, which is slowly yielding to Mytob, new versions of LovGate continue to appear in the ratings: in April we see two versions in the top 5. The authors of LovGate stubbornly continue to churn out new versions, creating more and more classical email worms. In the meantime, the author of NetSky has been arrested and tried, the Bagle authors focus on launching localized outbreaks of Trojans, and Mydoom has simply mutated into Mytob. Mytob has visibly gained altitude this month with a total of nine places, including number one.

Last, but not least, we have a newcomer this month: Scano.e. The Scano family attracted attention from both users and virus analysts. We were interested in the replication method: Scano spreads as a JavaScript file and includes rather complicated polymorphic code, which complicates detection. Scano is very similar to Feebs as far as polymorphic scripting is concerned. Feebs does not appear in the ratings, but it has generated regular questions from users. It seems as if polymorphic worms might well become a hot topic in the months to come.

As for the rest of the email ratings, the only other point of interest is that Mytob.y has jumped up 10 places and Mydoom.l has returned. The portion of other malicious code in email traffic has risen slightly from 13.33% to 15.73%.

Summary:

| | |
|---|---|
| New | Scano.e, NetSky.af, Mytob.cg |
| Moved up | NetSky.q, LovGate.ad, Mytob.y, Mytob.t, Mytob.w, Mytob.a |
| Moved down | NetSky.b, Mytob.u, Mytob.q, LovGate.ae, NetSky.y |
| No change | Mytob.c, NetSky.t, LovGate.w |
| Re-entry | Email-Worm.Win32.NetSky.aa, Email-Worm.Win32.Mydoom.l |

Source: Kaspersky Lab
 
