NetSky was the top worm in February

In last month’s Top Twenty, we noted that Warezov worms had been almost totally beaten back by Bagle. Only a single Warezov variant remained in January’s Top Twenty, and Bagle.gt led the rankings.

1	+3		Email-Worm.Win32.NetSky.t		15.82%

2	-1		Email-Worm.Win32.Bagle.gt		11.85%

3	New		Email-Worm.Win32.Zhelatin.dam		8.19%

4	-2		Email-Worm.Win32.NetSky.q		7.92%

5	New		Email-Worm.Win32.Zhelatin.o		6.83%

6	New		Email-Worm.Win32.Warezov.ls		5.03%

7	+2		Net-Worm.Win32.Mytob.c			3.72%

8	New		Email-Worm.Win32.Zhelatin.u		3.58%

9	New		Email-Worm.Win32.Zhelatin.m		3.30%

10	-7		Email-Worm.Win32.NetSky.aa		3.27%

11	New		Email-Worm.Win32.Zhelatin.r		2.87%

12	New		Trojan-Downloader.Win32.Tibs.jr	2.43%

13	New		Email-Worm.Win32.Zhelatin.t		1.94%

14	Return	Email-Worm.Win32.Scano.gen		1.83%

15	Return	Email-Worm.Win32.Nyxem.e		1.66%

16	Return	Email-Worm.Win32.NetSky.b		1.59%

17	New		Packed.Win32.PePatch.gr			1.52%

18	Return	Net-Worm.Win32.Mytob.t			1.39%

19	-14		Email-Worm.Win32.Bagle.gen		1.26%

20	-		Exploit.Win32.IMG-WMF.y			1.14%

Other malicious programs					12.86

However, the world of computer viruses takes after nature, in that it abhors a vacuum, and as usually, new and more dangerous malicious programs have come to fill the void.

This was the case in February, when we witnessed several epidemics caused by a new family of worms: Zhelatin.Zhelatin is the ‘storm worm’ that got such wide coverage in the mass media at the beginning of the year. The worm spreads as emails with a range of topics designed to pique the recipient’s curiosity – the terrible hurricane in Western Europe, the death of President Putin, and the resurrection of Saddam Hussein.

Although Zhelatin was initially thought to be a new Warezov variant, closer analysis revealed a new family of malicious programs which probably originated in Asia.

During February we issued three virus alerts with a ‘medium’ threat rating. All these alerts were due to the rapid spread of new Zhelatin variants in mail traffic. Naturally, these outbreaks have had an effect on the February Top Twenty: out of the nine new malicious programs, six of them are Zhelatin variants.

The struggle between Zhelatin and Bagle.gt resulted in a veteran worm, Netsky.t, taking first place, while Bagle.gt dropped back to second position. Zhelatin, meanwhile, managed by weight of numbers to occupy four of the top ten places.

When a new leader heads the rankings, there’s usually a general shake-up, with new programs making their first appearance, and old viruses making a comeback. As noted above, there are nine new malicious programs in the February Top Twenty, and four re-entries, including some old friends such as Nyxem.e, Scano.gen and Netsky.b. This demonstrates once again that today’s email worms have a long lifespan, and may be found in traffic years after their first appearance.

Other malicious programs made up a significant percentage (12.86%) of all malicious code found in mail traffic, indicating that a considerable number of other worms and Trojans are currently actively circulating.

Source: Kaspersky Labs.