Top 10 viruses that caused havoc in 2006
Pandasoftware recently published an article listing the top 10 viruses for the year ending 2006. I ran some computation on the numbers reported to come up with the following graphs and conclusions:
Fig (1): Out of the top 10 viruses, what type of virus constituted what number
Fig (2): Percentage out of the total infection, contributed by our top 10
Fig (3): Total percentage infection by virus type among just the top 10
I came to the following conclusions:
- Worms were the most popular among the top 10 (Please refer to the article here if you want to find out the differences between a worm, trojan and a virus)
- The percentage infection of worms, among their top ten partners, far exceeded the other types
- The total contribution to the infection by the top 10 was a mere 9.54%, which shows that no single type of virus caused widespread havoc in 2006 and that there were a lot of viruses that came out in 2006
- The threat level of none of the top ten viruses was high, which means there were no “deadly” viruses in 2006
- All of the top ten viruses affected Win XP and Win 2000 but some did not affect Win 2003, which implies (not in a foolproof manner) that Win 2003 is better designed to handle virus threats
The top 10 viruses for the year 2006, as per Pandasoftware, are:
| Virus Name | % of Total Infections | Details |
|---|---|---|
| W32/Sdbot.ftp.worm | 2.62 | Threat Level: Moderate<br>Type: Worm<br>Systems Affected: Windows XP/2000/NT/ME/98/95<br>Description: Some variants of the Sdbot worm spread via the Internet by attacking random IP addresses. These variants attempt to exploit several vulnerabilities in Windows operating systems, such as RPC-DCOM, LSASS, etc. If they succeed in exploiting any of those vulnerabilities, they create and run a script, which downloads the worm via FTP.<br>Symptoms: Sdbot.ftp is difficult to recognize, as it does not display any messages or warnings that indicate it has reached the computer.<br>For details visit: virusportal |
| W32/Netsky.P.worm | 1.22 | Threat Level: Moderate<br>Type: Worm<br>Systems Affected: Windows 2003/XP/2000/NT/ME/98/95<br>Description: Netsky.P is a worm that deletes the entries that belong to several worms, including Mydoom.A, Mydoom.B, Mimail.T and several variants of Bagle. Netsky.P spreads via e-mail in a message with variable characteristics, and through peer-to-peer (P2P) file sharing programs. Netsky.P is automatically activated when the e-mail message is viewed through Outlook’s Preview Pane. It does this by exploiting a vulnerability in Internet Explorer, which allows e-mail attachments to be automatically run. This vulnerability exploit is known as Exploit/iFrame.<br>Symptoms: Netsky.P is difficult to recognize, as it does not show any messages or warnings that indicate it has reached the computer.<br>For details visit: symantec.com |
| Exploit/Metafile | 1.08 | Threat Level: Low<br>Type: Hacking Tool<br>Systems Affected: Windows 2003/XP/2000/NT/ME/98<br>Description: Metafile is code written specifically to exploit a critical vulnerability on Windows 2003/XP/2000 computers in the library GDI32.DLL, which is used by the Windows Picture and Fax Viewer, Internet Explorer and Outlook, among other programs. If the target computer is vulnerable, Metafile allows arbitrary code to be executed on it. The vulnerability can be exploited by creating a specially crafted WMF (Windows MetaFile) image and then distributing it using any means: for example, hosting it in a web page and enticing users into accessing it. Note: it has been reported that if the original extension of a malicious WMF file is changed to the extension of other typical image formats (BMP, DIB, EMF, GIF, ICO, JFIF, JPE, JPEG, JPG, PNG, RLE, TIF or TIFF), the vulnerability is still exploitable.<br>Symptoms: -<br>For details visit: pandasoftware |
| W32/Tearec.A.worm!CME-24 | 0.79 | Threat Level: Moderate<br>Type: Worm<br>Systems Affected: Windows XP/2000/NT/ME/98/95<br>Description: Tearec.A is a worm that disables and ends several antivirus programs, if they are installed on the affected computer. It also attempts to delete files belonging to several antivirus programs, peer-to-peer file sharing programs (P2P) and other Internet applications, which would make them stop working. Additionally, it monitors the network traffic of certain connections related to antivirus programs and email services. This way, it could obtain passwords. Tearec.A spreads via email in a message with variable characteristics and across computer networks. On the 3rd of every month, Tearec.A overwrites all the files that contain any of the following extensions:<br>Symptoms: Tearec.A is easy to recognize once it has affected the computer, as it shows the following symptoms:<br>For details visit: virusportal.com |
| Trj/Qhost.gen | 0.76 | Threat Level: Low<br>Type: Trojan<br>Systems Affected: Windows 2003/XP/2000/NT<br>Description: Qhost.gen is a generic detection of a modification of the file HOSTS, which belongs to the Windows operating system. The file HOSTS contains several lines that Windows checks in order to resolve names to IP addresses. Windows checks this file before checking other services, such as WINS or DNS. Some malware, especially some variants of the worm Gaobot, overwrite or add some lines to that file, and they associate a list of web addresses with the IP 127.0.0.1 (local host address). By doing so, affected users will not be able to visit the web sites included in the list. These web sites usually belong to different security software vendors, so the affected user is unable to visit these sites or update the antivirus solution, etc.<br>Symptoms: Qhost.gen is difficult to recognize, as it does not display any messages or warnings that indicate it has reached a computer. However, if you are unable to visit certain web sites, which belong to security software vendors, your computer is probably affected by Qhost.gen.<br>For details visit: pandasoftware.com |
| Trj/Torpig.A | 0.69 | Threat Level: Low<br>Type: Trojan<br>Systems Affected: Windows 2003/XP/2000/NT/ME/98/95<br>Description: Torpig.A is a Trojan, which although seemingly inoffensive, can actually carry out attacks and intrusions. It captures certain information entered or saved by the user, with the corresponding threat to privacy: passwords saved by certain Windows services. Torpig.A does not spread automatically using its own means. It needs an attacking user’s intervention in order to reach the affected computer. The means of transmission used include, among others, floppy disks, CD-ROMs, email messages with attached files, Internet downloads, FTP, IRC channels, peer-to-peer (P2P) file sharing networks, etc.<br>Symptoms: -<br>For details visit: pandasoftware.com |
| W32/Sober.AH.worm!CME-681 | 0.67 | Threat Level: Medium<br>Type: Worm<br>Systems Affected: Windows 2003/XP/2000/NT/ME/98<br>Description: Sober.AH is a worm that ends several processes belonging to some security tools, among others. Sober.AH spreads via email, in a message written in English or German that contains an attached file with ZIP format. The email message will be written in German only if the mail domain extension is one of the following: de (Germany), ch (Switzerland), at (Austria) or li (Liechtenstein). Sober.AH is designed to connect to numerous servers between the 5th and 6th of January 2006, in order to download a malicious file to the affected computer.<br>Symptoms: Sober.AH is easy to recognize once it has affected the computer, as it displays a fake error with the following text when it is run:<br>For details visit: pandasoftware.com |
| W32/Parite.B | 0.62 | Threat Level: Medium<br>Type: Virus<br>Systems Affected: Windows XP/2000/NT/ME/98/95/3.X<br>Description: Parite.B is a polymorphic virus that creates a dropper type file in the affected computer and infects files with EXE (executable) and SCR (screensaver) extensions. Parite.B spreads through the usual means used by viruses (CD-ROMs, e-mail, Internet downloads, etc.). Furthermore, it also spreads across networks. When it has infected a computer in a network, it enumerates all the shared network drives in order to copy itself to them.<br>For details visit: pandasoftware.com |
| W32/Gaobot.gen.worm | 0.55 | Threat Level: Medium<br>Type: Worm<br>Systems Affected: Windows 2003/XP/2000/NT<br>Description: Gaobot.gen is a generic detection for future variants of the Gaobot family. This group of worms has backdoor characteristics, and its members share the following common features:<br>If you have a Windows 2003/XP/2000/NT computer, it is highly recommended to download the security patches for the RPC DCOM and WebDAV vulnerabilities from the Microsoft website.<br>Symptoms: A clear indication that Gaobot.gen has reached the computer is that the network traffic increases on the ports 135 and 445, as the worm attempts to exploit the RPC DCOM vulnerability.<br>For details visit: pandasoftware.com |
| W32/Bagle.pwdzip | 0.54 | Threat Level: Low<br>Type: Worm<br>Systems Affected: Windows 2003/XP/2000/NT/ME/98/95<br>Description: When several variants of Bagle, such as Bagle.F, Bagle.G, Bagle.H, Bagle.I, Bagle.N and Bagle.O, spread via e-mail, they can reach the computer in a password-protected attached file in ZIP format. As these files are encrypted using that password, antivirus programs cannot analyze their contents in order to check that they are virus-free before they are decompressed. Therefore, when one of these files reaches the computer, the antivirus program is not able to warn the user that the file is infected. This could induce a false sense of security. However, they can be detected before the user is tricked into opening them.<br>Symptoms: -<br>For details visit: pandasoftware.com |
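
The Bagle.pwdzip entry notes that a password-protected ZIP cannot be scanned but can still be detected. The following is an added example (not from the Panda article) of that check: it reads the encryption flag in the ZIP central directory, which needs no password. The verdict strings and the sample builder are hypothetical.

```python
import io
import zipfile

ENCRYPTED_FLAG = 0x1  # general-purpose bit 0 of a ZIP entry: "file is encrypted"

def encrypted_members(zip_bytes):
    """Names of entries whose central-directory record has the encryption bit set."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [i.filename for i in zf.infolist() if i.flag_bits & ENCRYPTED_FLAG]

def triage_attachment(payload):
    """Hypothetical mail-gateway verdict for one attachment body."""
    if not zipfile.is_zipfile(io.BytesIO(payload)):
        return "not-zip"
    try:
        locked = encrypted_members(payload)
    except zipfile.BadZipFile:
        return "malformed-zip"
    # Content the scanner cannot read is a finding in itself.
    return "quarantine-unscannable" if locked else "scan-contents"

def constructed_sample(encrypted):
    """Build a harmless one-file archive; optionally mark it as encrypted."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("readme.txt", "constructed sample, harmless text")
    data = bytearray(buf.getvalue())
    if encrypted:
        # The standard library cannot write encrypted archives, so the sample
        # only sets bit 0 of the flag field in the central directory header
        # (2-byte field at offset 8 after the "PK\x01\x02" signature).
        cd = data.rfind(b"PK\x01\x02")
        data[cd + 8] |= ENCRYPTED_FLAG
    return bytes(data)

if __name__ == "__main__":
    for label, enc in (("plain", False), ("password-protected", True)):
        print(label, "->", triage_attachment(constructed_sample(enc)))
```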
A page full of virus screen shots can be found here.
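
The Trj/Qhost.gen entry above describes HOSTS lines that point security vendors' sites at 127.0.0.1. This added example (not from the Panda article) audits HOSTS-format text for that pattern; it also treats other loopback addresses and 0.0.0.0 as blocking, which goes beyond the single address the table mentions. The watched domains and the sample file are constructed placeholders.

```python
import ipaddress

# Assumption: placeholder watchlist. Use the update and support domains of the
# security products actually deployed on the machines being checked.
WATCHED_SUFFIXES = ("antivirus-vendor.example", "updates.example")

def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping in HOSTS-format text."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # drop trailing comments
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address, so not a mapping line
        for name in fields[1:]:  # one line may map several names
            yield line_no, ip, name.lower().rstrip(".")

def suspicious_entries(text, watched=WATCHED_SUFFIXES):
    """Return watched hostnames that are pinned to a non-routable local address."""
    hits = []
    for line_no, ip, name in parse_hosts(text):
        blocked = ip.is_loopback or ip.is_unspecified
        is_watched = any(name == s or name.endswith("." + s) for s in watched)
        if blocked and is_watched:
            hits.append((line_no, str(ip), name))
    return hits

# Constructed sample, not taken from a real infection.
SAMPLE_HOSTS = """\
# constructed HOSTS file
127.0.0.1       localhost
127.0.0.1       www.antivirus-vendor.example   # added entry
127.0.0.1 download.updates.example liveupdate.updates.example
10.0.0.5        intranet.corp.example
0.0.0.0         antivirus-vendor.example
"""

if __name__ == "__main__":
    for line_no, ip, name in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {ip}")
```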