Friday, June 2, 2006

May Virus Top 10

PayPal is back on top. The Chase Bank is no longer the main target of phishing authors

Avira, one of the pioneers in the IT security area, reveals today the monthly malware hierarchy based on specific sources and our expert’s opinions. This month, as can be seen, there are only two newcomers to our table: Worm/Lovgate.AU.2 and Worm/Mytob.U.

Worm/Mytob.U was discovered on 4 April 2005 and occupies the penultimate position with a percentage of 2.3 % of all infections reported this month. Mytob.U uses as methods of propagation: electronic mail and local networks. In order to ensure its propagation, the malware attempts to connect to other machines using the MS04-011 Exploit (LSASS Vulnerability). On the compromised machine, the worm will create an FTP script with the intention of downloading the malware to the remote location.

If last month, the supremacy was held by the Netsky family, which made up half of the April Virus Top 10, demonstrating the family’s persistent, in May we uncovered more Mytob variants. The Mytob family continues to spread far and wide, but we can’t say that the Mytob family is more active since 28.7 percentages of all reports in May were versions of famous Netsky.P.

The new entry from April - Worm/Bagz.C.2 reached the third position in May, with a 2.3 % increase, and Netsky.X, which occupied the second position in last malware chart, dropped to the fifth position.

The number of the bagle worm variants still intercepted and detected as “Worm/Bagle.gen”, continues to raise and this month all this bagle submissions covered 11.8 percentages.
However, since it is not a version-specific but a generic detection, it’s not listed in the malware ranking.

Interesting is that around 0.5% of all submissions are still cross infected with file infectors, as follows: 0.4% by W32/Funlove.4099 and the last 0.1% by W32/Parite, W32/Xorala.3.B, W32/Xorala, W95/Kriz.4608, W32/Stanit, W32/Elkern.C and W95/Tenrobit.B.

A new security gap was discovered on 21 May 2006 in Microsoft Word. If a modified document is opened, the exploit code runs an embedded encrypted file.

Avira was among the first IT-security providers that added a generic detection of the word exploit code to its scan engine. However, the Avira virus experts haven’t intercepted any sample in their traps that contain the 0-day word exploit.

Last but not least, the Trojan TR/Drop.Sinowal.U was discovered on 30 May by Avira virus annalists. The trojan, which does not contain an own spreading routine but was seeded via email, poses as an email from Microsoft support, offering an Windows update. The malware relies on social engineering and uses the following subject line: “Achtung! Wichtige Nachrichten von Microsoft Windows Update!” (Attention! Important infromation from Microsoft Windows update!).

Here is a first shot of our May Virus Top 10:
Worm/NetSky.P 28.7 %
Worm/Lovgate.W 4.8 %
Worm/Bagz.C.2 4.0 %
Worm/NetSky.AA 3.2 %
Worm/NetSky.X  2.9 %
Worm/Mytob.AD 2.9 %
Worm/Mytob.IN.2 2.7 %
Worm/Lovgate.AU.2 2.4 %
Worm/Mytob.U 2.3 %
Worm/Mytob.AT 2.2 %
Others 43.9 %

For technical information on any of these worms, please see the detailed descriptions on the Avira website. Also, please keep in mind that all Avira users are perfectly protected against these threats. Make sure you update Avira on a regular basis in order to stay safe from malware.

As for the phishing situation in May, the phishing attack of the Chase Bank is no longer the number-one target of phishing authors.

After two months of being in pole position, the Chase Bank phishing was replaced by the PayPal phishing attack, accounting for over 41.28 % of all phishing attacks.

PayPal 41.28 %
Ebay 14.86 %
11.92 %
Volksbank 7.13 %
Wells Fargo 5.16 %
Others 19.66 %
This month, are happening amazing things in the world of malware. We noticed a lot of new phishing targets such as: Washington Mutual Bank, American National Bank of Texas, E-gold, Evergreen Credit Union and many others.

These smaller, targeted attacks are on the increase and that indicate that phishing authors search for new victims anytime.

Avira strongly recommends all users to be careful with suspicious emails and unexpected attachments, no matter what interesting subjects they might claim to be carrying and to update their virus protection on a regular basis.

If you want to know more about these forms of cyber crime, please see or search for detailed descriptions on our website:

For more information on how to recognize a phishing fraud, take your time to read our dedicated page:

Remember that we are here to assist you against the malware threat. Get rid of your doubts when facing a suspect file: just send it to and we will analyze it for you. Take a moment to see how to submit malware and then follow our instructions to send the suspicious file:

About Avira

Avira (formerly H+BEDV) is among the pioneers of IT security. Already in 1988 the German security specialist developed system-spanning security solutions for the business and private customer area under the brand name AntiVir. Leading national and international companies, various educational institutions as well as public contractors are among their customers.

With a broad portfolio, Avira offers professional security solutions for workstations, file, web and mail servers as well as for PDAs and smartphones. Along with a high performance offering for the Windows environment, Avira is one of the technological leaders in the UNIX market. Furthermore, in 2005 the company brought worldwide the first SAP certified virus protection solution for SAP NetWeaver to the market.

The Avira AntiVir virus protection solution is regularly honored with the VB 100% Award and is in possession of a current Technical Inspection Agency (TÜV) certificate. The company’s high level of expertise in the area of IT security has also been documented through close cooperation with the Bundesamt für Sicherheit in der Informationstechnik (German Federal Office for Information Security; BSI).

Avira security solutions are available from numerous Avira dealers in Europe and abroad.


About Avira

Avira protects people in the connected world – enabling everyone to manage, secure, and improve their digital lives. The Avira umbrella covers a portfolio of security and performance applications for Windows, Android, Mac, and iOS. In addition, the reach of our protective technologies extends through OEM partnerships. Our security solutions consistently achieve best-in-class results in independent tests for detection, performance, and usability. Avira is a privately-owned company that employs 500 people. Its headquarters are near Lake Constance, in Tettnang, Germany, and the company has additional offices in Romania, India, Singapore, China, Japan & the United States. A portion of Avira's sales support the Auerbach Foundation, which assists education, children, and families in need. For more information about Avira visit