Kaspersky Labs Top 20 Malware October 2004

1 – I-Worm.NetSky.q 15.95
2 – I-Worm.NetSky.aa 14.45
3 +1 I-Worm.NetSky.b 10.52
4 +8 I-Worm.Bagle.as 7.43
5 +1 I-Worm.Bagle.z 6.59
6 -1 I-Worm.Mydoom.m 5.90
7 New I-Worm.Bagle.at 4.01
8 -5 I-Worm.Zafi.b 3.03
9 – I-Worm.NetSky.t 2.90
10 -3 I-Worm.NetSky.d 2.83
11 -1 I-Worm.NetSky.y 2.31
12 -1 I-Worm.LovGate.w 2.30
13 – I-Worm.Mydoom.l 1.82
14 New I-Worm.Mydoom.ab 1.75
15 -1 I-Worm.NetSky.r 1.39
16 – I-Worm.Bagle.gen 1.37
17 Re-entry I-Worm.MyDoom.r 1.31
18 -1 I-Worm.NetSky.c 0.95
19 – I-Worm.Bagle.ah 0.87
20 Re-entry Backdoor.Win32.Rbot.gen 0.68
Other malicious programs 11.64

October, like September, saw further new variants of Mydoom and Bagle. Mydoom.ab (Swash.a) and Bagle.at appeared within a few days of each other. In fact, Bagle.at was followed immediately by a clone: Bagle.au, thought the clone did not make the Top Twenty. The Bagle mass mailing, October 29, was so effective that it took Bagle.at only 3 days to reach seventh place in the Top Twenty.

On the other hand, the high ranking was achieved in the first day: the numbers have fallen in the past two days and Bagle.at may well not rank so high in November. A new version of the Hungarian I-Worm, Zafi.c was detected in the interim between Mydoom.ab and Bagle.at. This third variant has not been seen in the wild yet, though an outbreak is highly probable if we remember how long the previous variant was in the Top Twenty.

In all other respects, the October Top Twenty is almost identical to the September Top Twenty. Netsky variants are on top, with Bagle and Mydoom variants continuing their fruitless efforts to outrank them. Bagle.as has moved noticeably: 8 slots in one month. Zafi.b continues falling – 5 places and a high probability of leaving the Top Twenty by November. If this occurs, LovGate.w will be the only malicious program on the list that is no a member of the Big Three.

TrojanDownloader.JS.Gen and TrojanDropper.VBS.Zerolin have already left the rankings, despite a number of mass mailings containing these programs. However, other malicious programs proved more active and pushed these Trojans out of the Top Twenty.

However, other malicious programs continue to challenge the Big Three – Backdoor.Win32.Rbot.gen returned to the ratings this month. This backdoor, a hard-hitting bot, is controlled via IRC channels: it normally spreads by exploiting various vulnerabilities in Windows (RPC DCOM, LSASS and so forth). This month, virus writers seem to have decided that SP2 for Windows XP created too many barriers: they chose to send Rbot via email instead, and successfully as statistics demonstrated.

Sadly, we cannot look forward to life without Bagle and Mydoom yet. The source codes of both worms have been widely publicized on the Internet and spread by the worms themselves. Most of the virus activity we have witnessed recently has been caused by variants of these two worms, or, to be precise, recompiled versions of the published source code.

New to the Top Twenty: Bagle.at, Mydoom.ab
Moved up: NetSky.b, Bagle.as, Bagle.z
Moved down: Mydoom.m, Zafi.b, NetSky.d, NetSky.y, LovGate.w, NetSky.r, NetSky.c
No change: NetSky.q, NetSky.aa, NetSky.t, Mydoom.l, Bagle.gen, Bagle.ah
Returned to the Top Twenty: Mydoom.r, Rbot.gen