Sober virus set to continue reign

By Matt Whipp

Posted on 5 Jan 2006 at 16:35

Antivirus vendors have totted up the figures for December, with some showing nearly four in five reports accountable to the Sober worms.

Sophos put the Sober-Z worm at number one for the month, claiming 78.9 per cent of reports. Given that the viruses which didn't make the top ten at all accounted for another 9.5 per cent, the remaining places on the chart don't make for a riveting read. Zafi-b took 3.3 per cent at number two, and Netsky-P still appears stuck barnacle-like to the chart at three, while the remaining bots muster around a per cent or so each.

We probably haven't seen the last of Sober though. Recent analysis of the worm showed that it is primed to download fresh code at midnight tomorrow, with the potential of causing another epidemic over the weekend.

Microsoft has added detection for the virus into its Malicious Software Removal Tool and the Windows Live Safety Cente and added that in addition to the attack scheduled for Friday evening, the worm is also set up to download fresh malicious code and running it every two weeks. Microsoft has also issued an advisory on the threat.

Finnish antivirus vendor F-Secure has a list of URLs the worm is programmed to look up on its website.

Russian antivirus vendor Kaspersky has a rather different take on the virus landscape for the festive month. It says Sober accounted for only around 5 per cent of the infection reports it received, and ancient Internet worm Zafi-d took the top slot with 29 per cent.

Like Sophos' chart, the top 20 is dominated by bot variants, a symptom of the growing business in botnets within the virus underground. But Kaspersky notes that one bot family seems to have all but disappeared. Some variants of the Doombot family reached as high as second place in Kaspersky's figures for November, yet now they're no longer on the radar. Kaspersky says that had new malicious programs been active over the month, the disappearance of Doombot would been straightforward, yet this has not happened.

Sophos' and Kaspersky's virus charts follow below:

Sophos
1 Sober-Z 78.9%
2 Zafi-B 3.3%
3 Netsky-P 2.3%
4 Mytob-EX 1.4%
5 Mytob-FO 1.2% new entry
6 Mytob-BE 0.7%
7 Zafi-D 0.6%
=7 Mytob-GH 0.6%
9 Mytob-C 0.5%
=9 Mytob-FM 0.5% new entry
Others 9.5%

Kaspersky
1+2Email-Worm.Win32.Zafi.d29.17%
2-1Net-Worm.Win32.Mytob.c17.30%
3+2Email-Worm.Win32.LovGate.w6.07%
4+9Email-Worm.Win32.Sober.y4.92%
5+13Email-Worm.Win32.Zafi.b3.73%
6+1Email-Worm.Win32.NetSky.b3.58%
7-1Email-Worm.Win32.NetSky.q2.75%
8-Net-Worm.Win32.Mytob.t2.29%
9+1Net-Worm.Win32.Mytob.u2.28%
10+2Net-Worm.Win32.Mytob.q1.79%
11-2Net-Worm.Win32.Mytob.bk1.54%
12-1Net-Worm.Win32.Mytob.h1.45%
13NewTrojan-Spy.HTML.Bayfraud.hn1.36%
14Re-entryEmail-Worm.Win32.LovGate.ae1.35%
15+4Email-Worm.Win32.NetSky.y1.00%
16Re-entryNet-Worm.Win32.Mytob.w0.96%
17Re-entryNet-Worm.Win32.Mytob.a0.96%
18-1Email-Worm.Win32.Bagle.dx0.83%
19-4Net-Worm.Win32.Mytob.y0.81%
20Re-entryNet-Worm.Win32.Mytob.x0.79%
Other malicious programs15.07%