Malware reports

Online Scanner Top Twenty for August 2006

Position  Change in position  Name                                       Percentage
1         New                 Email-Worm.Win32.Mydoom.m                  4.93
2         New                 Email-Worm.Win32.NetSky.q                  0.74
3         Return              Email-Worm.Win32.Nyxem.e                   0.31
4         +1                  Trojan-Dropper.Win32.Agent.asl             0.22
5         New                 Backdoor.IRC.Zapchast                      0.16
6         New                 Email-Worm.Win32.NetSky.aa                 0.15
7         New                 Trojan-Downloader.Win32.Agent.arc          0.15
8         New                 Backdoor.Win32.mIRC-based                  0.13
9         New                 Trojan-Proxy.Win32.Horst.av                0.12
10        New                 Virus.DOS.PS-MPC-based                     0.10
11        -8                  Email-Worm.Win32.Rays                      0.10
12        +1                  not-a-virus:Monitor.Win32.Perflogger.163   0.10
13        New                 not-a-virus:RiskTool.Win32.HideWindows     0.09
14        New                 Email-Worm.Win32.Bagle.fj                  0.09
15        -14                 Trojan-Spy.Win32.Banker.anv                0.09
16        New                 Net-Worm.Linux.Ramen                       0.09
17        -13                 Email-Worm.Win32.Brontok.q                 0.09
18        -3                  Virus.Win32.Parite.b                       0.08
19        New                 Backdoor.IRC.Acnuz                         0.08
20        New                 Backdoor.IRC.Mimic                         0.07
                              Other malicious programs                   92.11

The August online scanner Top Twenty is the most unusual we have seen since we started keeping records. On the one hand, it bucks the trends which we have been seeing lately. On the other hand, it contains a large number of malicious programs which have not previously made it into the online rankings, but which are worth taking a closer look at.

It’s interesting that these changes took place after we stated that the July Top Twenty was something of a watershed. We can use it to define which viruses should logically be in the rankings, as they spread via the Internet, and which viruses appear purely because of the way the online scanner functions. The latter are likely to disappear next month as quickly as they appeared this month.

The first three entries in this month’s online Top Twenty are similar to those found in the email rankings from the beginning of this year: three worms, two of which left their mark on 2004 and 2005, with Netsky.q being the most widespread virus of 2004. Both of these worms have now dropped out of the email rankings, and this indicates that they’re no longer circulating widely in mail traffic. There could be several reasons why these programs have now made an appearance in our online statistics. The main reason is the different way we get statistics for our different Top Twenties. The email Top Twenty is based on data generated by our antivirus which is placed on several major email servers, and reflects the number of malicious programs intercepted and deleted. However, the online statistics relate to the computers of individual users, who may not have an antivirus solution installed. Because of this, the collection of malicious programs detected is often rather random.

Third and fourth place are occupied by Nyxem.e and Trojan-Dropper.Win32.Agent.asl. Nyxem.e has experienced a rebirth over the last few months, and we noticed its increased presence in mail traffic, meaning that it would merely be a matter of time before it appeared in the online statistics. Agent.asl, in spite of losing in percentage terms, managed to move up a place in the rankings.

The next six positions are occupied by a mixture of dangerous recent malicious programs, viruses which first appeared several years ago, and veteran malware which is unable to function on modern operating systems.
Trojan-Downloader.Win32.Agent.arc and Trojan-Proxy.Win32.Horst.av belong to the first category. Horst.av is undoubtedly currently one of the most serious threats to users. This relatively complex multi-component Trojan includes a rootkit, and uses a range of polymorphic techniques to evade detection by antivirus software.

Backdoor.IRC.Zapchast, Backdoor.Win32.mIRC-based and NetSky.aa all belong to the second category. As can be seen from the names, the first two malicious programs are Trojans which are controlled via IRC. We first started detecting Zapchast back in 2002. Since then the number of known variants has risen to over one thousand. It seems likely that one of these variants caused a local epidemic in August 2006, explaining this program’s presence in the rankings.
Virus.DOS.PS-MPC-based is the curiosity of this month’s online Top Twenty. This virus is not a specific file, but a multitude of variants which are created using PS-MPC, a virus constructor. The results have been around for more than ten years, but as this month’s rankings show, there are people around who think they can use the constructor to create an undetectable malicious program. This is the only logical explanation for the otherwise inexplicable fact that the online scanner was used to check such files so many times that Virus.DOS.PS-MPC-based made it to tenth place.

The lower half of the table, which includes Rays, Brontok, Perflogger (a keylogging program) and Parite.b, looks very familiar. The Trojan spy Banker.anv, an old inhabitant of the top places, fell 14 places this month to the lower half of the table. However, it’s likely that it will rise back up towards the top of the table in September.

The last two places are occupied by programs which, logically, are misfits. However, it’s quite possible that they are closely connected to Backdoor.IRC.Zapchast, which was mentioned above. If this is the case, then their presence is entirely logical. However, the presence of Ramen, a Linux worm, in 16th place, is strange. Although it’s the most widespread malicious program for Linux, we’ve never seen it in such numbers before. It will be interesting to see how Ramen performs in September.

Summary

New: Email-Worm.Win32.Mydoom.m, Email-Worm.Win32.NetSky.q, Backdoor.IRC.Zapchast, Email-Worm.Win32.NetSky.aa, Trojan-Downloader.Win32.Agent.arc, Backdoor.Win32.mIRC-based, Trojan-Proxy.Win32.Horst.av, Virus.DOS.PS-MPC-based, not-a-virus:RiskTool.Win32.HideWindows, Email-Worm.Win32.Bagle.fj, Net-Worm.Linux.Ramen, Backdoor.IRC.Acnuz, Backdoor.IRC.Mimic
Moved up: Trojan-Dropper.Win32.Agent.asl, not-a-virus:Monitor.Win32.Perflogger.163
Moved down: Email-Worm.Win32.Rays, Trojan-Spy.Win32.Banker.anv, Email-Worm.Win32.Brontok.q, Virus.Win32.Parite.b
Re-entry: Email-Worm.Win32.Nyxem.e
