Online Scanner Top Twenty for July 2006

Position  Change  Name                                        Percentage
1         0       Trojan-Spy.Win32.Banker.anv                 1.59
2         New     Trojan-Dropper.Win32.Microjoin.bx           1.41
3         0       Email-Worm.Win32.Rays                       1.12
4         +2      Email-Worm.Win32.Brontok.q                  0.97
5         New     Trojan-Dropper.Win32.Agent.asl              0.91
6         +4      not-a-virus:PSWTool.Win32.RAS.a             0.85
7         New     Trojan-Dropper.Win32.Agent.arv              0.83
8         New     Trojan-Downloader.Win32.Small.ddp           0.76
9         New     Packed.Win32.Klone.g                        0.67
10        New     not-a-virus:AdWare.Win32.Delf.j             0.65
11        -2      Trojan.Win32.VB.ami                         0.64
12        +8      Email-Worm.Win32.Bagle.gen                  0.58
13        New     not-a-virus:Monitor.Win32.Perflogger.163    0.52
14        Return  Backdoor.Win32.Rbot.gen                     0.47
15        Return  Virus.Win32.Parite.b                        0.44
16        -4      Trojan-Spy.Win32.Banbra.gi                  0.43
17        New     P2P-Worm.Win32.VB.dw                        0.42
18        Return  Virus.Win32.Hidrag.a                        0.42
19        New     Trojan-Spy.Win32.Agent.gk                   0.42
20        New     Trojan-Downloader.Win32.Obfuscated.n        0.42
          Other malicious programs                            85.48

Change column: 0 = no change in position, +N/-N = moved up or down by N places, New = new entry this month, Return = re-entry after dropping out of the rankings.

The July online scanner Top Twenty is something of a watershed, as it includes absolutely all classes of malicious program: viruses, worms, Trojans, backdoors, adware and potentially malicious programs. This huge variety once again confirms that today a computer is vulnerable to attack by any type of malicious program. The question is not whether a computer will be attacked, but how significant the loss will be. In these terms, it’s Trojan spy programs which cause the greatest damage.

As a quick look at the online rankings shows, virus writers are currently obsessed with malicious code which can be used for espionage. This month’s Top Twenty includes more than ten programs which use one method or another to harvest user information and confidential data such as bank account numbers.

Banker.anv holds first place for the third month in a row. This malicious program originates in Brazil, and it’s spread throughout the world. Since January 2006, it has invariably been found somewhere towards the top of the rankings. Russian Trojan writers aren’t lagging behind their Brazilian colleagues either: Trojan-Dropper.Win32.Microjoin.bx occupies second place. This program is one of the most widespread carriers for LdPinch, another spy program of Russian origin. In July, the Russian segment of the Internet was flooded when LdPinch, having been installed by Microjoin, used ICQ to spread. Taking into account the fact that LdPinch deletes itself from the victim machine once it has done its work, the presence of Microjoin.bx in second place gives us some idea of the scale on which LdPinch was sent out.

One surprise is the two email worms in the top half of the table. If we compare these rankings with the email traffic rankings, it’s clear that neither Rays nor Brontok is particularly widespread, although both of these worms have figured in our online statistics before. Another hybrid creation, Bagle.gen, a combination of a worm and a spy program, is rising up the table to join them. In June, this malicious program was in 20th place; this month it has reached 12th place, and shows no signs of slowing down.

Among the rest of the malicious programs in this month’s Top Twenty, it’s notable that two classic file viruses, Parite.b and Hidrag.a, have staged a return. As if to contradict repeated assertions that classic viruses are on the verge of extinction, these two programs are exhibiting remarkable resilience. Essentially, they have outlived other malicious code (worms and Trojans) which appeared at the same time several years ago. And going on the statistics and user reports that we see, this pair has no intention of surrendering. The number of machines infected by these two programs is probably far larger than the number infected by any worm which has caused a global epidemic.

Summary

New: Trojan-Dropper.Win32.Microjoin.bx, Trojan-Dropper.Win32.Agent.asl, Trojan-Dropper.Win32.Agent.arv, Trojan-Downloader.Win32.Small.ddp, Packed.Win32.Klone.g, AdWare.Win32.Delf.j, Monitor.Win32.Perflogger.163, P2P-Worm.Win32.VB.dw, Trojan-Spy.Win32.Agent.gk, Trojan-Downloader.Win32.Obfuscated.n
Moved up: Email-Worm.Win32.Brontok.q, not-a-virus:PSWTool.Win32.RAS.a, Email-Worm.Win32.Bagle.gen
Moved down: Trojan.Win32.VB.ami, Trojan-Spy.Win32.Banbra.gi
Re-entry: Backdoor.Win32.Rbot.gen, Virus.Win32.Parite.b, Virus.Win32.Hidrag.a
