Malware reports

On-line Scanner Top Twenty for March 2006

Position Change in position Name Percentage
1. New!
New
Trojan-PSW.Win32.LdPinch.air 23.17
2. New!
New
Trojan-Downloader.Win32.Delf.ajd 10.71
3. No Change
0
Trojan-Spy.Win32.Banker.ark 2.30
4. New!
New
Trojan-Downloader.Win32.Small.ckj 2.26
5. New!
New
Trojan-Downloader.Win32.Small.axy 0.93
6. Down
-4
Trojan-Spy.Win32.Banker.anv 0.92
7. Down
-3
Trojan-Spy.Win32.Bancos.ha 0.88
8. Down
-1
Email-Worm.Win32.Wukill 0.79
9. New!
New
not-a-virus:Porn-Dialer.Win32.PluginAccess.gen 0.76
10. New!
New
Trojan-Downloader.Win32.Zlob.in 0.55
11. Down
-1
not-a-virus:PSWTool.Win32.RAS.a 0.49
12. Up
+8
Virus.Win32.Parite.b 0.44
13. New!
New
Trojan-PSW.Win32.LdPinch.ais 0.42
14. New!
New
Trojan-Downloader.Win32.Agent.xz 0.40
15. New!
New
Trojan-Downloader.Win32.Small.cni 0.40
16. New!
New
Exploit.HTML.CodeBaseExec 0.39
17. New!
New
Trojan-Downloader.Win32.IstBar.no 0.38
18. Down
-13
Worm.Win32.Feebs.gen 0.38
19. New!
New
Backdoor.Win32.IRCBot.nw 0.38
20. New!
New
Trojan-Dropper.Win32.Agent.aiq 0.36
Other malicious programs 52.69

At first glance, the March statistics from the online scanner shows that the Online Scanner Top Twenty ratings continue to change radically from month to month. In February, 12 new malicious programs appeared in the rankings, and the same happened in March. However, the viruses which made up the January Top Twenty have almost entirely vanished from the rankings.

On the surface, the changes which took place at the top of the table this month seem nothing out of the ordinary. However, the leaders make up such a high percentage of traffic that they have broken all records set by their predecessors. The LdPinch.air Trojan, which steals passwords, caused a significant outbreak on Runet in the middle of March. This Trojan was mass mailed using spammer technologies, and the mass mailing was carried out in several stages – in addition to LdPinch, a Trojan-Downloader was sent out, which then downloaded LdPinch.air to the victim machine. And it is this Trojan-Downloader, Win32.Delf.ajd which takes second place in the on-line scanner rankings, with a high share of overall traffic, more than 10%. Undoubtedly the LdPinch incident was the major event of March.

Banker.ark is also high in the rankings, but in contrast to LdPinch, which steals passwords, this piece of spyware intercepts information for e-banking system accounts.

Worms have slackened their hold; the January Top Twenty was headed by Feebs.gen, which dropped to 18th place in March. February’s leader, Bagle.fj, also vanished from the rankings, just as it vanished from the email traffic statistics.)

Against the background noise caused by these worms, the relatively unknown Wukill maintains a certain stability. For the third month running, Wukill is located between 7th and 10th place. Exactly why, we don’t yet know – Wukill has not caused any outbreak worth noting.

Just like a month ago, the bulk of the ratings were occupied by Trojan programs, from the most widespread and dangerous classes – Trojan-Spy and Trojan-Downloader. Banker.anv, in 6th place, and Bancos.ha keep Banker.ark company in the hunt for bank account data. LDPinch, a family with hundreds of known variants, is also represented by LdPinch.ais, in 13th place.

The main way in which these Trojans are delivered to victim machines is by Trojan-Downloaders. There are 7 Trojan-Downloaders in this month’s Online Scanner ratings; this large number highlights the rapid evolution of this type of malware. There were only four Trojan-Downloaders in the February rankings.
Nyxem.e, which caused something of a fuss in January this year, finally disappeared from the rankings, and has also been entirely absent from other statistics. However, Parite.b, a classic file virus has moved dramatically up the rankings, jumping eight positions to 12th place.

It’s also interesting that an old exploit for a Windows vulnerability, CodeBaseExec has put in an appearance this month. This exploit was used by some worms a few years ago, and has now been resurrected, even though the majority of users installed patches long ago.

Summary:

New Trojan-PSW.Win32.LdPinch.air, Trojan-Downloader.Win32.Delf.ajd, Trojan-Downloader.Win32.Small.ckj, Trojan-Downloader.Win32.Small.axy, not-a-virus:Porn-Dialer.Win32.PluginAccess.gen,
Trojan-Downloader.Win32.Zlob.in, Trojan-PSW.Win32.LdPinch.ais, Trojan-Downloader.Win32.Agent.xz, Trojan-Downloader.Win32.Small.cni, Exploit.HTML.CodeBaseExec, Trojan-Downloader.Win32.IstBar.no, Backdoor.Win32.IRCBot.nw, Trojan-Dropper.Win32.Agent.aiq.
Moved up Virus.Win32.Parite.b
Moved down Trojan-Spy.Win32.Banker.anv, Trojan-Spy.Win32.Bancos.ha, Email-Worm.Win32.Wukill, not-a-virus:PSWTool.Win32.RAS.a, Worm.Win32.Feebs.gen
No change Trojan-Spy.Win32.Banker.ark

On-line Scanner Top Twenty for March 2006

Your email address will not be published. Required fields are marked *

 

Reports

BlindEagle flying high in Latin America

Kaspersky shares insights into the activity and TTPs of the BlindEagle APT, which targets organizations and individuals in Colombia, Ecuador, Chile, Panama and other Latin American countries.

APT trends report Q2 2024

The report features the most significant developments relating to APT groups in Q2 2024, including the new backdoor in Linux utility XZ, a new RAT called SalmonQT, and hacktivist activity.

Subscribe to our weekly e-mails

The hottest research right in your inbox