Virus Top Twenty for June 2006

Jun 30 2006

Alexander Gostev
Aleks has headed the Global Research and Analysis Team at Kaspersky Lab since 2008, and specializes in all aspects of information security, including mobile malware. His responsibilities include detecting and analyzing new malware. His research and analytical articles are published both on dedicated IT sites and in the mass media. He has been with the company since 2002, and is based in Moscow.

| Position | Change in position | Name | Percentage |
|---|---|---|---|
| 1 | 0 (no change) | Net-Worm.Win32.Mytob.c | 29.01 |
| 2 | New | Email-Worm.Win32.Nyxem.e | 16.70 |
| 3 | -1 | Email-Worm.Win32.LovGate.w | 8.64 |
| 4 | +2 | Email-Worm.Win32.NetSky.b | 5.55 |
| 5 | -1 | Email-Worm.Win32.LovGate.ad | 4.02 |
| 6 | +2 | Net-Worm.Win32.Mytob.t | 2.92 |
| 7 | +3 | Net-Worm.Win32.Mytob.q | 2.75 |
| 8 | -1 | Net-Worm.Win32.Mytob.u | 2.07 |
| 9 | +9 | Net-Worm.Win32.Mytob.x | 1.92 |
| 10 | -1 | Net-Worm.Win32.Mytob.a | 1.86 |
| 11 | +1 | Email-Worm.Win32.NetSky.y | 1.76 |
| 12 | +2 | Email-Worm.Win32.NetSky.x | 1.58 |
| 13 | Return | Net-Worm.Win32.Mytob.v | 1.51 |
| 14 | Return | Net-Worm.Win32.Mytob.r | 1.42 |
| 15 | -12 | Email-Worm.Win32.NetSky.q | 1.25 |
| 16 | -5 | Net-Worm.Win32.Mytob.w | 1.11 |
| 17 | Return | Email-Worm.Win32.NetSky.af | 0.92 |
| 18 | Return | Net-Worm.Win32.Mytob.gen | 0.88 |
| 19 | New | Net-Worm.Win32.Mytob.bx | 0.83 |
| 20 | -15 | Email-Worm.Win32.NetSky.t | 0.82 |
| | | Other malicious programs | 12.48 |

The virus world has suffered a shock. The general public and media may not have noticed, but an analysis of email antivirus logs reveals that the changes are quite stark. We have analyzed these changes in this month’s Top 20, and present them below.

We are not yet sure why these changes have occurred, but the Email Top 20 has not changed this much for a long while. Antivirus vendors issued a number of alerts during June, but most of these worms do not appear in the rankings. Take Bagle.fy, for instance, which we also detect as Bagle.mail and Bagle.gen. This variant of Bagle was active in mid-June, although it appeared as a localized outbreak that lasted only a few days. A close look at the Top 20 shows that Bagle.fy did not make it into the rankings at all. One reason for this could be that many contemporary worms reach their peak months after they first appear, which can be seen from the Nyxem.e case described below.

Nyxem.e occupies the second place in the June rankings. Virus and industry analysts undoubtedly remember this worm well. It appeared in January 2006 and received a lot of media coverage. According to a number of antivirus vendors, Nyxem.e infected hundreds of thousands of machines around the globe, though mainly in India and Peru. Everyone waited with bated breath for February 3, when Nyxem was supposed to delete files on infected machines. The panic was so widespread that municipal authorities in Milan decided to leave their computers turned off on February 3. Fortunately, the hyped outbreak did not occur. In fact, Nyxem did not even appear in our Top 20 for several months.

It seems as though we could have simply forgotten about Nyxem.e. But, lo and behold, Nyxem.e appeared in email traffic in early June and the numbers rose throughout the month to reach 17%. As a result, Nyxem.e is in second place this month. We don’t yet know exactly what happened and where the dam broke, but we do urge users to take precautions on July 3, since the file destruction module is programmed to run on the 3rd of every month. We don’t advocate panicking, but heightened awareness and strict adherence to standard security policies are advisable.

The unexpected revival of Nyxem.e is only one of the unusual events during June. The dramatic fall of longtime leaders Netsky.q and Netsky.t is another surprise, and a fascinating one at that.

Netsky.q was the most widespread email worm in 2004 and has remained at the top of our ratings since then. Netsky.t rose rapidly at the beginning of 2006 and continued to rise until June. This month both worms dropped significantly, with Netsky.q falling to 15th place and Netsky.t to 20th. It is very possible that both worms will disappear entirely from our ratings in July.

The rise of Nyxem.e cannot be blamed for the fall of the Netsky variants, because all Nyxem.e did was push LovGate.w to third place. It is much more likely that several factors are to blame: 3 Mytob variants returned to the ratings, a new Mytob appeared, and finally we have the latest Netsky variant, Netsky.af, which re-appeared in the ratings this month.

Mytob.c, in the meantime, continues to hold 1st place, where it has been since February 2006. This month Mytob.c accounts for 30% of malware in email traffic. It is unclear what will happen in the next few months with Nyxem.e pushing ahead, though Bagle.fy might also take a shot at the top spot. Likewise, we can’t forget about as yet unknown malware. The latter is less likely, however, since email worms have been unfashionable among virus writers for over a year now, with the focus having shifted to Trojan-spyware. The percentage of other malware has dropped back down to 12 percent, showing that popular worms are spreading more than less well-known ones.

Summary

New: Mytob.bx
Moved up: NetSky.b, Mytob.t, Mytob.q, Mytob.x, NetSky.y, NetSky.x
Moved down: LovGate.w, LovGate.ad, Mytob.u, Mytob.a, NetSky.q, Mytob.w, NetSky.t
No change: Mytob.c
Re-entry: Mytob.v, Mytob.r, NetSky.af, Mytob.gen

Source: Kaspersky Lab
 
