
On-line Scanner Top Twenty February 2006

Position  Change in position  Name                                      Percentage
1         New!                Email-Worm.Win32.Bagle.fj                 4.76
2         Up +7               Trojan-Spy.Win32.Banker.anv               2.20
3         New!                Trojan-Spy.Win32.Banker.ark               2.04
4         Up +2               Trojan-Spy.Win32.Bancos.ha                1.56
5         Down -4             Worm.Win32.Feebs.gen                      1.44
6         Down -2             Trojan-Spy.Win32.Banker.ahy               1.06
7         Up +3               Email-Worm.Win32.Wukill                   0.92
8         New!                Trojan-Downloader.Win32.VB.vz             0.90
9         New!                Trojan-Downloader.Win32.Adload.t          0.89
10        Up +9               not-a-virus:PSWTool.Win32.RAS.a           0.77
11        New!                Backdoor.Win32.ControlTotal.ag            0.67
12        New!                not-a-virus:Monitor.Win32.Perflogger.az   0.67
13        Up +2               Trojan-Downloader.Win32.INService.gen     0.63
14        New!                Backdoor.Win32.Rbot.gen                   0.55
15        New!                Trojan-PSW.Win32.PdPinch.gen              0.54
16        Down -8             Email-Worm.Win32.Nyxem.e                  0.54
17        New!                Trojan-Downloader.Win32.Harnig.bb         0.47
18        New!                Email-Worm.Win32.NetSky.q                 0.46
19        New!                Trojan-Spy.Win32.Bancos.u                 0.44
20        New!                Virus.Win32.Parite.b                      0.44
-         -                   Other malicious programs                  78.05

This is the second month that we are analyzing the data we collect from our on-line scanner. We can now make preliminary comparisons with our mail traffic statistics and analyze emerging trends.

The first interesting point is the fact that the numbers in this table fluctuate far more than the numbers in the mail traffic rankings. In February, 12 new malicious programs appeared, and out of the five programs which headed the January rankings, only 2 programs are still in the rankings. This is a natural result, given that there are many more malicious programs than just those which propagate via email.

However, the rankings do include email worms, and they are certainly not at the bottom of the list. They have led the rankings for the second month in a row: in January, Worm.Win32.Feebs.gen was in first place, but in February it fell to 5th place. Email-Worm.Win32.Bagle.fj took first place, compared with the 6th place it occupied in the mail traffic rankings.

Out of the rest of the worms in this list, it’s worth highlighting Wukill, which did not make it into the mail traffic rankings. However, the online scanner data shows it overtaking NetSky.q, which reached 9th place in the mail traffic rankings.

The second interesting point is that most of the malicious programs in the rankings are Trojans, just as was the case a month ago. The majority of these belong to the most widespread and most dangerous classes, Trojan-Spy and Trojan-Downloader. There are four Trojans in the top six positions, and these programs are designed to steal user data for online banking and e-payment systems. This is worrying, because there are actually a great many of these Trojans, and they are very widespread. In short, while email worms are the number one threat today, Trojans come second. Moreover, in terms of potential financial losses, these Trojans are more dangerous than email worms.

We also shouldn’t forget that these programs are usually installed on victim machines by Trojan-Downloaders. This type of malicious code constantly monitors malware sites and downloads the newest variants of other malicious programs and Adware. If a machine is infected with a Trojan-Downloader, it won’t be long before the machine becomes a menagerie of malicious code. Trojan-Downloaders occupy 8th, 9th, 13th and 17th place in our on-line scanner ratings.

As for the rest of the rankings, Nyxem.e dropped to 8th place, showing that the epidemic has already peaked. The likelihood of users losing vital data when the worm’s payload triggers on the 3rd of each month is already low.

Of course, no rankings would be complete without a classic file virus. In February, an old acquaintance in the form of Parite.b made a comeback; this virus has been around since the turn of the millennium, which shows that the life cycle of file viruses is considerably longer than that of other malicious programs.

Summary:

New: Email-Worm.Win32.Bagle.fj, Trojan-Spy.Win32.Banker.ark, Trojan-Downloader.Win32.VB.vz, Trojan-Downloader.Win32.Adload.t, Backdoor.Win32.ControlTotal.ag, not-a-virus:Monitor.Win32.Perflogger.az, Backdoor.Win32.Rbot.gen, Trojan-PSW.Win32.PdPinch.gen, Trojan-Downloader.Win32.Harnig.bb, Email-Worm.Win32.NetSky.q, Trojan-Spy.Win32.Bancos.u, Virus.Win32.Parite.b
Moved up: Trojan-Spy.Win32.Banker.anv, Trojan-Spy.Win32.Bancos.ha, Email-Worm.Win32.Wukill, not-a-virus:PSWTool.Win32.RAS.a, Trojan-Downloader.Win32.INService.gen
Moved down: Worm.Win32.Feebs.gen, Trojan-Spy.Win32.Banker.ahy, Email-Worm.Win32.Nyxem.e
