Top ten viruses and hoaxes reported to Sophos in November 2005

Sophos Press Release

Sophos reports highest ever record of new malware, and new Sober worm shoots to #1

Sophos, a world leader in protecting businesses against viruses, spyware and spam, has revealed the top ten viruses and hoaxes causing problems for businesses around the world during the month of November 2005.

The report, compiled from Sophos's global network of monitoring stations, reveals that, despite being detected very late in the month, the Sober-Z worm has stormed to the top of the charts, and at its peak accounted for one in every 13 emails sent. The proliferation of Sober-Z has caused Netsky-P, the worm written by convicted German teenager Sven Jaschan, to fall to second position after dominating the number one spot for the past four months.

The top ten viruses in November were as follows:

Position Last Malware Percentage of reports
Others 25.4%

The new Sober-Z worm, which currently accounts for a massive 42.9% of all viruses reported to Sophos, sends itself as an email attachment and attempts to turn off security software on the user's computer. Once the attached file is run, the worm scans the user's hard drive for email addresses, in its search for other computers to infect. The author of this worm has been operating anonymously for more than two years, and this latest threat is the cyber criminal's most widespread virus yet.

"Since we saw the first Sober worm back in October 2003, its author has tried to improve upon tried-and-tested tricks to dupe computer users into launching infected attachments," said Carole Theriault, senior security consultant at Sophos. "This latest worm purports to be a warning from CIA and FBI agents, accusing recipients of visiting illegal websites. Mocking the feds is a sure-fire way of goading the authorities, and you can't help but wonder whether the author is desperate to be caught."

Sober worms are frequently bilingual, configured to spread in both English and German. As well as posing as communication from an FBI or CIA agent, Sober-Z also references the German version of 'Who Wants to be a Millionaire' as well as US star Paris Hilton.

This month's chart consists of only three virus families - Netsky, Mytob and Zafi, indicating that virus writers are continuing to create variants of established threats, which prove most effective for financial gain.

"The Sober family may seem as hard to exterminate as a colony of cockroaches, but they can be stopped from infesting a network if users remain vigilant when facing unsolicited emails," continued Theriault. "These worms have posed little threat to computers armed with first-class anti-virus and anti-spam software, and run by users who follow safe computing practices."

The Mytob family continues to spread far and wide and the variants make up half of the top ten, demonstrating the family's persistent and varied attacks. Aside from Sober-Z, this month's chart is dominated by the Mytob, Netsky and Zafi virus families - showing that cyber criminals are increasingly bringing out new variants of established threats in order to maximise their impact.

Sophos's research shows that 2.7%, or one in 38 emails, is viral. Sophos now identifies and protects against a total of 114,082 viruses, an increase of 1,940 on last month.

In order to minimise exposure to viruses, Sophos recommends that companies deploy a policy at their email gateway which blocks unwanted executable attachments from being sent into their organisation from the outside world. Companies should also run up-to-date anti-virus software and firewalls, and install the latest security patches.
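
One way to express the gateway policy recommended above, as an added example (not Sophos's code or product configuration): a Python check that rejects attachments by final extension, by DOS/PE header, and by executable members inside ZIP archives. The extension blocklist, function names and sample messages are assumptions constructed for this example.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed blocklist for this example; a real gateway policy is site-specific.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".cpl"}

def is_executable(name: str, head: bytes = b"") -> bool:
    """True if the final extension is blocked or the data starts with a DOS/PE 'MZ' header."""
    cleaned = name.lower().rstrip(". ")          # "a.exe." and "a.exe " still count
    ext = "." + cleaned.rsplit(".", 1)[-1] if "." in cleaned else ""
    return ext in BLOCKED_EXTENSIONS or head[:2] == b"MZ"

def blocked_attachments(raw_message: bytes) -> list:
    """Return (filename, reason) for each attachment the gateway policy would reject."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        if is_executable(name, data):
            findings.append((name, "executable attachment"))
        elif data[:4] == b"PK\x03\x04":          # ZIP local file header
            try:
                members = zipfile.ZipFile(io.BytesIO(data)).namelist()
            except zipfile.BadZipFile:
                findings.append((name, "unreadable archive"))
                continue
            for member in members:
                if is_executable(member):
                    findings.append((name, "archive contains " + member))
    return findings

def sample_message(filename: str, data: bytes) -> bytes:
    """Build a constructed test e-mail carrying one attachment."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.com", "b@example.com", "constructed sample"
    msg.set_content("Constructed sample body.")
    msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=filename)
    return msg.as_bytes()

def sample_zip(member: str) -> bytes:
    """Build a constructed ZIP archive holding one placeholder member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, b"constructed placeholder content")
    return buf.getvalue()
```

The header check catches an executable renamed to a harmless-looking extension, and the archive check only inspects member names, so encrypted or nested archives need a separate policy decision.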

The top ten hoaxes reported to Sophos during November 2005 were as follows:

Position Hoax Percentage of reports
1 Hotmail hoax
2 Meninas da Playboy
3 Bonsai kitten
4 A virtual card for you
5 Budweiser frogs screensaver
6 Jamie Bulger
7 Sainsbury's gift vouchers
8 Bill Gates fortune
9 HIV Needles
10 Mobile phone hoax

"We advise all companies to consider circulating a policy on virus hoaxes to curb the spread of these annoying emails that can cause mail overload and result in downtime and loss of profits," said Theriault. "Although they do not cause serious network damage, certain hoaxes, such as the HIV Needle email, are cruel tricks that can be very upsetting for those users receiving them."

Sophos has made available a free, constantly updated information feed for intranets and websites which means users can always find out about the latest viruses and hoaxes.

Graphics of the above top ten virus chart are also available.

More than 100 million users in 150 countries rely on Sophos’ complete security solutions as the best protection against complex threats and data loss. Simple to deploy, manage, and use, Sophos’ award-winning encryption, endpoint security, web, email, mobile and network security solutions are backed by SophosLabs - a global network of threat intelligence centers. Sophos is headquartered in Oxford, U.K., and is publicly traded on the London Stock Exchange under the symbol “SOPH.” More information is available at