Jun 01 2007   |   comments (3)

Alexander Gostev Aleks has headed the Global Research and Analysis Team at Kaspersky Lab since 2008, and specializes in all aspects of information security, including mobile malware. His responsibilities include detecting and analyzing new malware. His research and analytical articles are published both on dedicated IT sites and in the mass media. He has been with the company since 2002, and is based in Moscow.

Position	Change in position	Name	Proactive Detection Flag	Percentage
1.	0	Email-Worm.Win32.NetSky.t	Trojan.generic	15.31
2.	+1	Email-Worm.Win32.NetSky.q	Trojan.generic	14.76
3.	+1	Email-Worm.Win32.Bagle.gt	Trojan.generic	13.46
4.	New!	Email-Worm.Win32.Sober.aa	Hidden Install	11.86
5.	+1	Worm.Win32.Feebs.gen	Hidden Data Sending	6.49
6.	+6	Email-Worm.Win32.NetSky.aa	Trojan.generic	5.44
7.	0	Net-Worm.Win32.Mytob.c	Trojan.generic	3.33
8.	New!	Trojan-Downloader.Win32.Agent.bqs	*	2.44
9.	+1	Email-Worm.Win32.Scano.gen	Trojan.generic	2.22
10.	-1	Email-Worm.Win32.NetSky.b	Trojan.generic	2.20
11.	New!	Virus.Win32.Grum.a	**	2.18
12.	+7	Net-Worm.Win32.Mytob.t	Worm.P2P.generic	1.63
13.	+4	Email-Worm.Win32.LovGate.w	Trojan.generic	1.34
14.	Return	Net-Worm.Win32.Mytob.dam	[Damaged]	1.18
15.	Return	Email-Worm.Win32.NetSky.x	Trojan.generic	1.17
16.	-3	Email-Worm.Win32.Mydoom.l	Trojan.generic	1.12
17.	Return	Exploit.Win32.IMG-WMF.y	***	0.99
18.	-2	Email-Worm.Win32.Zhelatin.dam	[Damaged]	0.72
19.	New!	Email-Worm.Win32.Warezov.ns	Invader	0.62
20.	New!	Virus.Win32.Cheburgen.a	**	0.57
Other malicious programs				10.97
* — this is a downloader for Email-Worm.Win32.Warezov. It is detected as Invader. ** — PDM is not designed to detect classic viruses. *** — WMF graphics file.

A first look at the top of the table for May might give the impression that we've slipped back in time to the end of 2005. You can rub your eyes as hard as you want but it won't change anything – Netsky, Bagle and Sober are topping the rankings again, just as they were a few years ago.

We could have seen this coming. Netsky.t and Netsky.q have been among the leaders in our Top Twenties for quite a while now; Bagle.gt has spent several months now moving up the table towards the top three, and fourth place this month was unexpectedly taken by Sober.aa. The first samples of this worm were detected by Kaspersky Lab analysts on 7th April 2007. This may not seem very significant, but the previous version of this worm, Sober.z, dates back to the middle of November 2005! More than a year and a half has passed since then. Sober.z was one of the most widespread worms in its time - it seemed then as though the German police were hot on the unknown author's tracks, and that an arrest would be imminent. However, nothing happened, and now someone (perhaps someone different from the worm's original author) has released a new version of this old email worm. The result is clear – Sober.aa, a primitive worm, has been able to squeeze out worms with far more advanced functionality, and it may well climb higher in the ratings in months to come.

The Warezov and Zhelatin worm families are among the victims in this latest struggle between viruses. Warezov.ms, which came second in the April Top Twenty, has fallen off the bottom of the table, and Warezov.ns, which came to take its place, wasn't able to rise higher than the very modest 19th place. However, Trojan-Downloader.Win32.Agent.bqs has raised a red flag – it was mass-mailed on 24th May and has risen to 8th place in the May Top Twenty. This is a warning sign as it's Agent.bqs which downloads new versions of Warezov to victim machines, creating a potentially huge epidemic and a gigantic botnet.

In May phishers were less active than in April and March. There's not a single phishing email in the entire Top Twenty this month. However, this is clearly a temporary phenomenon and phishing attacks will undoubtedly be back to take their place in the rankings of the most common threats in mail traffic. Interestingly, tenth and twentieth place this month are two classic file viruses, Grum and Cheburgen. File viruses are not typical for the Top Twenty but gained their place due due to an peculiarity of the life cycle of a file virus. Just as happens in the natural world, Grum and Chebrugen are effectively parasites. They aren't able to spread by themselves, either via the Internet or across local networks. However, they are extremely aggressive and will infect all files on the victim machine indiscriminately. As a result, email worm files on the victim machine will be infected. And the consequence is that an infected message sent from the victim machine will contain a 'sandwich' - a worm file which is also infected with a file virus.

Other malicious programs made up 10.97% of all malicious code in mail traffic, indicating that there is still a relatively large number of other worm and Trojan families in circulation.

Summary

• New: Email-Worm.Win32.Sober.aa, Trojan-Downloader.Win32.Agent.bqs, Virus.Win32.Grum.a, Email-Worm.Win32.Warezov.ns, Virus.Win32.Cheburgen.a
• Moved up: Email-Worm.Win32.NetSky.q, Email-Worm.Win32.Bagle.gt, Worm.Win32.Feebs.gen, Email-Worm.Win32.NetSky.aa, Email-Worm.Win32.Scano.gen, Net-Worm.Win32.Mytob.t, Email-Worm.Win32.LovGate.w
• Moved down:Email-Worm.Win32.NetSky.b, Email-Worm.Win32.Mydoom.l, Email-Worm.Win32.Zhelatin.dam
• Re-entry: Net-Worm.Win32.Mytob.dam, Email-Worm.Win32.NetSky.x, Email-Worm.Win32.Warezov.ns