On-line Scanner Top Twenty for March 2006

Position	Change in position	Name	Percentage
1.	New	Trojan-PSW.Win32.LdPinch.air	23.17
2.	New	Trojan-Downloader.Win32.Delf.ajd	10.71
3.	0	Trojan-Spy.Win32.Banker.ark	2.30
4.	New	Trojan-Downloader.Win32.Small.ckj	2.26
5.	New	Trojan-Downloader.Win32.Small.axy	0.93
6.	-4	Trojan-Spy.Win32.Banker.anv	0.92
7.	-3	Trojan-Spy.Win32.Bancos.ha	0.88
8.	-1	Email-Worm.Win32.Wukill	0.79
9.	New	not-a-virus:Porn-Dialer.Win32.PluginAccess.gen	0.76
10.	New	Trojan-Downloader.Win32.Zlob.in	0.55
11.	-1	not-a-virus:PSWTool.Win32.RAS.a	0.49
12.	+8	Virus.Win32.Parite.b	0.44
13.	New	Trojan-PSW.Win32.LdPinch.ais	0.42
14.	New	Trojan-Downloader.Win32.Agent.xz	0.40
15.	New	Trojan-Downloader.Win32.Small.cni	0.40
16.	New	Exploit.HTML.CodeBaseExec	0.39
17.	New	Trojan-Downloader.Win32.IstBar.no	0.38
18.	-13	Worm.Win32.Feebs.gen	0.38
19.	New	Backdoor.Win32.IRCBot.nw	0.38
20.	New	Trojan-Dropper.Win32.Agent.aiq	0.36
Other malicious programs			52.69

At first glance, the March statistics from the online scanner shows that the Online Scanner Top Twenty ratings continue to change radically from month to month. In February, 12 new malicious programs appeared in the rankings, and the same happened in March. However, the viruses which made up the January Top Twenty have almost entirely vanished from the rankings.

On the surface, the changes which took place at the top of the table this month seem nothing out of the ordinary. However, the leaders make up such a high percentage of traffic that they have broken all records set by their predecessors. The LdPinch.air Trojan, which steals passwords, caused a significant outbreak on Runet in the middle of March. This Trojan was mass mailed using spammer technologies, and the mass mailing was carried out in several stages – in addition to LdPinch, a Trojan-Downloader was sent out, which then downloaded LdPinch.air to the victim machine. And it is this Trojan-Downloader, Win32.Delf.ajd which takes second place in the on-line scanner rankings, with a high share of overall traffic, more than 10%. Undoubtedly the LdPinch incident was the major event of March.

Banker.ark is also high in the rankings, but in contrast to LdPinch, which steals passwords, this piece of spyware intercepts information for e-banking system accounts.

Worms have slackened their hold; the January Top Twenty was headed by Feebs.gen, which dropped to 18th place in March. February’s leader, Bagle.fj, also vanished from the rankings, just as it vanished from the email traffic statistics.)

Against the background noise caused by these worms, the relatively unknown Wukill maintains a certain stability. For the third month running, Wukill is located between 7th and 10th place. Exactly why, we don’t yet know – Wukill has not caused any outbreak worth noting.

Just like a month ago, the bulk of the ratings were occupied by Trojan programs, from the most widespread and dangerous classes – Trojan-Spy and Trojan-Downloader. Banker.anv, in 6th place, and Bancos.ha keep Banker.ark company in the hunt for bank account data. LDPinch, a family with hundreds of known variants, is also represented by LdPinch.ais, in 13th place.

The main way in which these Trojans are delivered to victim machines is by Trojan-Downloaders. There are 7 Trojan-Downloaders in this month’s Online Scanner ratings; this large number highlights the rapid evolution of this type of malware. There were only four Trojan-Downloaders in the February rankings.
Nyxem.e, which caused something of a fuss in January this year, finally disappeared from the rankings, and has also been entirely absent from other statistics. However, Parite.b, a classic file virus has moved dramatically up the rankings, jumping eight positions to 12th place.

It’s also interesting that an old exploit for a Windows vulnerability, CodeBaseExec has put in an appearance this month. This exploit was used by some worms a few years ago, and has now been resurrected, even though the majority of users installed patches long ago.

Summary: