NetSky.q leads the way in October

For three months we’ve watched Mytob.c and Nyxem.e waging a bitter battle for first place. Both worms have stubbornly taken percentage points from the other. It’s difficult to say how long this could have continued – of course, a major epidemic would have changed the situation, but in 2006 email worms, the plague of the Internet, are almost a thing of the past. Now standard Trojan programs and network worms which use vulnerabilities in Windows to spread (such as the recently discovered MS06-040) are far more active.

However, in October everything changed in the blink of an eye. Warezov burst onto the scene, and this shook our statistics right to their foundations, with only 5 malicious programs out of September’s 20 remaining. In October, Warezov caused a headache for antivirus companies throughout the world. The worm’s burst of activity towards the end of the month, when as many as 20 new variants appeared in the space of 24 hours, was a particular challenge.

Warezov’s October madness resulted in 7 variants making it into the rankings – a debut comparable only to that of Mytob. Warezov, in all its modifications, made up more than 27% of all malicious code in mail traffic, and if we calculated overall prevalence according to family, rather than modification, then Warezov would have been October’s absolute leader. As it stands, Warezov.dn occupies second place, a mere two percent behind 2004’s leader, Netsky.q. This worm has returned to the top of the ratings, but it’s difficult for us to say why; it may be the start of a new trend, or simply an isolated burst of activity, which we’ve seen previously on a number of occasions.

Warezov is extremely similar to the notorious Bagle in a number of ways. Although Warezov is based on Mydoom.a source code, and Bagle’s code was totally original, developed by an unknown group of virus writers, we still view these worms as relatives. Firstly, the epidemics are organized in a very similar way – releasing multiple variants in a very short space of time, with different variants being released in different regions (e.g. one variant being spammed in Russia, another one in Europe.) Secondly, they have the same functionality (installing other modules from Trojanized sites, and harvesting email addresses before sending them to malicious users.) Bagle was the first worm which used virus technologies in order to get new data for spammer databases; Warezov repeats this tactic. Thirdly, Warezov’s appeared within a week of new Bagle variants failing to appear. It’s unlikely that Bagle’s authors decided suddenly to go out of business exactly as another group decided to take over the reins; it seems highly likely that the two worms were created by the same group. Finally, Bagle had a huge influence on the antivirus industry as a whole, forcing antivirus companies to come up with new methods of protection. Warezov has brought a new challenge: coping with code obfuscation, and also the need to respond in an ever shorter period of time to new variants.

However, Bagle has not totally disappeared. Although new versions are not appearing, old variants are still spreading actively. Our Top Twenty bears witness to this, with Bagle variants taking third, sixth and eighteenth place.

Another worm which employs code obfuscation is Scano. KL virus analysts successfully tackled its polymorphic script engine a few months ago, but Scano nevertheless remains widespread. In spite of the fact that we have modified the methods used for calculating our statistics, Scano.gen remained in fourth place in September, just as it did in October.

One unpleasant fact which has to be faced is that Warezov, Bagle, and Scano all appear to have a “Cyrillic’ background, and to have been created either in Russia, or in the former USSR.

Bankfraud.od, the most common phishing attack in August, remains the most widespread in October. In September Bankfraud fell one place, and dropped a further two in October. However, phishing attacks are continuing to increase in mail traffic, and in the near future we will be providing separate data on the prevalence of such attacks.
Other malicious programs made up 19.1% of all malicious programs intercepted in mail traffic. This confirms that a large number of other worms and Trojans are still actively circulating.

1	Email-Worm.Win32.NetSky.q	13.14
2 Email-Worm.Win32.Warezov.dn 11.00
3 Email-Worm.Win32.Bagle.gen 10.43
4 Email-Worm.Win32.Scano.gen 7.97
5 Email-Worm.Win32.Warezov.ev 6.32
6 Email-Worm.Win32.Bagle.mail 4,04
7 Email-Worm.Win32.Warezov.dc 3.65
8 Email-Worm.Win32.Mydoom.l 2.89
9 Email-Worm.Win32.Mydoom.m 2.74
10 Email-Worm.Win32.Scano.e 2.46
11 2.41
12 Email-Worm.Win32.NetSky.aa 2.08
13 Email-Worm.Win32.NetSky.b 2.04
14 Net-Worm.Win32.Mytob.c 2.01
15 Trojan-Spy.HTML.Bankfraud.od 1.84
16 1.83
17 Email-Worm.Win32.Warezov.gen 1.26
18 Email-Worm.Win32.Bagle.dx 1.24
19 Email-Worm.Win32.Warezov.dh 0.84
20 0.80
Other malicious programs 19.01

Variants from the Warezov family 27.31

Source: Kaserpsky (

Don't miss