Online Scanner Top Twenty for July 2006

Position	Change in position	Name	Percentage
1.	0	Trojan-Spy.Win32.Banker.anv	1.59
2.	New	Trojan-Dropper.Win32.Microjoin.bx	1.41
3.	0	Email-Worm.Win32.Rays	1.12
4.	+2	Email-Worm.Win32.Brontok.q	0.97
5.	New	Trojan-Dropper.Win32.Agent.asl	0.91
6.	+4	not-a-virus:PSWTool.Win32.RAS.a	0.85
7.	New	Trojan-Dropper.Win32.Agent.arv	0.83
8.	New	Trojan-Downloader.Win32.Small.ddp	0.76
9.	New	Packed.Win32.Klone.g	0.67
10.	New	not-a-virus:AdWare.Win32.Delf.j	0.65
11.	-2	Trojan.Win32.VB.ami	0.64
12.	+8	Email-Worm.Win32.Bagle.gen	0.58
13.	New	not-a-virus:Monitor.Win32.Perflogger.163	0.52
14.	Return	Backdoor.Win32.Rbot.gen	0.47
15.	Return	Virus.Win32.Parite.b	0.44
16.	-4	Trojan-Spy.Win32.Banbra.gi	0.43
17.	New	P2P-Worm.Win32.VB.dw	0.42
18.	Return	Virus.Win32.Hidrag.a	0.42
19.	New	Trojan-Spy.Win32.Agent.gk	0.42
20.	New	Trojan-Downloader.Win32.Obfuscated.n	0.42
Other malicious programs			85.48

The July online scanner Top Twenty is something of a watershed as it includes absolutely all classes of malicious program: viruses, worms, Trojans, backdoors, adware and potentially malicious programs. This huge variety one again confirms that today, a computer is vulnerable to attack by any type of malicious program. The question is not whether a computer will be attacked, but how significant the loss will be. In these terms, it’s Trojan spy programs which cause the greatest damage.

As a quick look at the online rankings shows, virus writers are currently obsessed with malicious code which can be used for espionage. This month’s Top Twenty includes more than ten programs which use one method or another to harvest user information and confidential data such as bank account numbers.

Banker.anv holds first place for the third month in a row. This malicious program originates in Brazil, and it’s spread throughout the world. SInce January 2006, it’s invariably to be found somewhere towards the top of the rankings. Russian Trojan writers aren’t lagging behind their Brazilian colleagues either; Trojan-Dropper.Win32.Microjoin.bx occupies second place. This program is one of the most widespread carriers for LdPinch, another spy program of Russian origin. In July, the Russian segment of the Internet was flooded when LdPinch used ICQ to spread, having been installed by Microjoin. Taking into account the fact that LdPinch deletes itself from the victim machine once it has done its work, the presence of Microjoin.bx in second place gives us some idea of the scale on which LdPinch was sent out.

One surprise is the two email worms in the top half of the table. If we compare these rankings with the email traffic rankings, it’s clear that neither Rays nor Brontok are particularly widespread, although both these worms have figured in our online statistics before. Another hybrid creation, Bagle.gen, a combination of a worm and a spy program, is rising up the table to join them. In June, this malicious program was in 20th place; this month, however, it’s reached 12th place, and shows no signs of slowing down.

Among the rest of the malicious programs in this month’s Top Twenty, it’s notable that two classic file viruses, Parite.b and Hidrag.a have staged a return. As if to contradict repeated assertions that classic viruses are on the verge of extinction, these two programs are exhibiting remarkable resilience. Essentially, they have outlived other malicious code (worms and Trojans) which appeared at the same time several years ago. And going on the statistics and user reports that we see, this pair have no intention of surrendering. An estimate of the number of machines infected by these two programs would probably be far larger than the number infected by any worm which caused a global epidemic.

Summary