Online Scanner Top Twenty for August 2006

Position	Change in position	Name	Percentage
1.	New	Email-Worm.Win32.Mydoom.m	4.93
2.	New	Email-Worm.Win32.NetSky.q	0.74
3.	Return	Email-Worm.Win32.Nyxem.e	0.31
4.	+1	Trojan-Dropper.Win32.Agent.asl	0.22
5.	New	Backdoor.IRC.Zapchast	0.16
6.	New	Email-Worm.Win32.NetSky.aa	0.15
7.	New	Trojan-Downloader.Win32.Agent.arc	0.15
8.	New	Backdoor.Win32.mIRC-based	0.13
9.	New	Trojan-Proxy.Win32.Horst.av	0.12
10.	New	Virus.DOS.PS-MPC-based	0.10
11.	-8	Email-Worm.Win32.Rays	0.10
12.	+1	not-a-virus:Monitor.Win32.Perflogger.163	0.10
13.	New	not-a-virus:RiskTool.Win32.HideWindows	0.09
14.	New	Email-Worm.Win32.Bagle.fj	0.09
15.	-14	Trojan-Spy.Win32.Banker.anv	0.09
16.	New	Net-Worm.Linux.Ramen	0.09
17.	-13	Email-Worm.Win32.Brontok.q	0.09
18.	-3	Virus.Win32.Parite.b	0.08
19.	New	Backdoor.IRC.Acnuz	0.08
20.	New	Backdoor.IRC.Mimic	0.07
Other malicious programs			92.11

The August online scanner Top Twenty is the most unusual we have seen since we started keeping records. On the one hand, it bucks the trends which we been seeing lately. On the other hand, it contains a large number of malicious programs which have not previously make it into the online rankings, but which are worth taking a closer look at.

It’s interesting that these changes took place after we stated that the July Top Twenty was something of a watershed. We can used it to define which viruses should logically be in the rankings, as they spread via the Internet, and which viruses appear purely because of the way the online scanner functions. The latter are likely to disappear next month as quickly as they appeared this month.

The first three entries in this month’s online Top Twenty are similar to those found in the email rankings from the beginning of this year: three worms, two of which left their mark on 2004 and 2005, with Netsky.q being the most widespread virus of 2004. Both of these worms have now dropped out of the email rankings, and this indicates that they’re no longer circulating widely in mail traffic. There could be several reasons why these programs have now made an appearance in our online statistics. The main reason is the different way we get statistics for our different Top Twenties. The email Top Twenty is based on data generated by our antivirus which is placed on several major email servers, and reflects the number of malicious programs intercepted and deleted. However, the online statistics relate to the computers of individual users, who may not have an antivirus solution installed. Because of this, the collection of malicious programs detected is often rather random.

Third and fourth place are occupied by Nyxem.e and Trojan-Dropper.Win32.Agent.asl. Nyxem.e has experienced a rebirth over the last few months, and we noticed its increased presence in mail traffic, meaning that it would merely be a matter of time before it appeared in the online statistics. Agent.asl, in spite of losing in percentage terms, managed to move up a place in the rankings.

The next six positions are occupied by a mixture of dangerous recent malicious programs, viruses which first appeared several years ago, and veteran malware which is unable to function on modern operating systems.
Trojan-Downloader.Win32.Agent.arc and Trojan-Proxy.Win32.Horst.av belong to the first category. Horst.av is undoubtedly currently one of the most serious threats to users. This relatively complex multi-component Trojan includes a rootkit, and uses a range of polymorph techniques to evade detection by antivirus software.

Backdoor.IRC.Zapchast and Backdoor.Win32.mIRC-based and Netsky.a all belong to the second category. As can be seen from the names, the first two malicious programs are Trojans which are controlled via IRC. We first started detected Zapchast back in 2002. Since then the number of known variants has risen to over one thousand. It seems likely that one of these variants caused a local epidemic in August 2006, explaining this program’s presence in the rankings.
Virus.DOS.PS-MPC-based is the curiosity of this month’s online Top Twenty. This virus is not a specific file, but a multitude of variants which are created using the PS-MPC, a virus constructor. The results have been around for more than ten years, but as this month’s rankings show, there are people around who think they can use the constructor to create an undetectable malicious program. This is the only logical explanation for the otherwise inexplicable fact that the on-line scanner was used to check such files so many times that Virus.DOS.PS-MPC made it to tenth place.

The lower half of the table, which includes Rays, Brontok, Perflogger (a keylogging program), Parite.b, looks very familiar. The Trojan spy Banker.anv, an old inhabitant among the top places, fell 14 places this month to the lower half of the table. However, it’s likely that it will rise back up towards the top of the table in September.

The last two places are occupied by programs which, logically, are misfits. However, it’s quite possible that they are closely connected to Backdoor.IRC.Zapchast, which was mentioned above. If this is the case, then their presence is entirely logical. However, the presence of Ramen, a Linux worm, in 16th place, is strange. Although it’s the most widespread malicious program for Linux, we’ve never seen in it such numbers before. It will be interesting to see how Ramen performs in September.

Summary