Online Scanner Top Twenty for March 2007

Position	Change in position	Name	Percentage
1.	New	Backdoor.Win32.Padodor.gen	11.29
2.	+2	not-a-virus:Monitor.Win32.Perflogger.163	1.23
3.	+2	Email-Worm.Win32.Brontok.q	1.01
4.	+4	not-a-virus:PSWTool.Win32.RAS.a	0.86
5.	+4	Trojan-Downloader.Win32.Small.ddp	0.72
6.	-3	Email-Worm.Win32.Rays	0.72
7.	New	Worm.Win32.AutoIt.d	0.66
8.	New	Trojan-Dropper.Win32.Agent.bdy	0.61
9.	+4	not-a-virus:Monitor.Win32.Perflogger.ad	0.61
10.	New	not-a-virus:AdWare.Win32.Virtumonde.bq	0.51
11.	-9	Trojan.Win32.Agent.qt	0.50
12.	New	Trojan-Spy.VBS.Marang.a	0.50
13.	New	Trojan.Win32.Obfuscated.ev	0.50
14.	New	Email-Worm.Win32.Warezov.jx	0.46
15.	New	Email-Worm.Win32.Zhelatin.bq	0.45
16.	New	Email-Worm.Win32.Warezov.mi	0.44
17.	-5	not-a-virus:AdWare.Win32.Virtumonde.ha	0.43
18.	-2	Trojan-Spy.Win32.Bancos.zm	0.39
19.	Return	Virus.Win32.Hidrag.a	0.38
20.	New	not-a-virus:AdWare.Win32.Dm.y	0.38
Other malicious programs			77.35

Our Online Scanner Top Twenty continues to surprise with its rotation of malicious programs. A few months ago Trojan-Dialers were being spread very actively. In February, Warezov worms took their place. Rays, Brontok, and Mydoom, three older worms, also managed to gain places near the top of the rankings. This month there was another big shake-up.

In March, Backdoor.Win32.Padodor.gen ended up in first place. This was completely unexpected, as Padodor is a historical relic. This family of malicious programs first appeared in 2004 and used the MS04-011 vulnerability in order to spread. Padodor has received a fair amount of media attention over the past few years, being tagged as one of the most dangerous and widespread backdoors in the course of 2004 and 2005. The Russian mass media also noted the fact that the backdoor was created by a notorious Russian virus writing group called Hang Up Team.

And now Padodor is back again. We think that this may be connected to the activity shown by Zhelatin worms in February and March. Files which are part of Padodor have been detected on machines infected by Zhelatin, and a figure of 11% shows the scale of the problem.

The top half of our March rankings provides a fairly accurate picture of the threats targeting users these days. It includes nearly all types of malicious program, including four from the category ‘not-a-virus’; This is the first time programs from this category have gained so many places in our rankings. It’s worrying that three out of the four programs have keylogging functionality – even though they are legitimate software, they can be used for criminal ends. Even more worrying, many antivirus programs are unable to detect such applications.

The March Online Scanner Top Twenty includes two variants of Virtumonde, an adware program, indicating that is continuing to spread for the fourth month in a row. It has been joined in the ratings by Dm, another adware program.

Among the other new programs which have appeared in this month’s rankings are a number of worms: two new Warezov variants, one Zhelatin variant, and the very mysterious Worm.Win32.Autoit.d. This worm is only able to propagate via local network resources with write access, a characteristic very similar to Rays and Brontok. Both these worms have managed to stay in our rankings for a long time; it remains to be seen whether Autoit will be able to do the same.

Summary:

• New: Backdoor.Win32.Padodor.gen, Worm.Win32.AutoIt.d, Trojan-Dropper.Win32.Agent.bdy, not-a-virus:AdWare.Win32.Virtumonde.bq, Trojan-Spy.VBS.Marang.a, Trojan.Win32.Obfuscated.ev, Email-Worm.Win32.Warezov.jx, Email-Worm.Win32.Zhelatin.bq, Email-Worm.Win32.Warezov.mi, not-a-virus:AdWare.Win32.Dm.y
• Moved up: not-a-virus:Monitor.Win32.Perflogger.163, Email-Worm.Win32.Brontok.q, not-a-virus:PSWTool.Win32.RAS.a, Trojan-Downloader.Win32.Small.ddp, not-a-virus:Monitor.Win32.Perflogger.ad
• Moved down: Email-Worm.Win32.Rays, Trojan.Win32.Agent.qt, not-a-virus:AdWare.Win32.Virtumonde.ha, Trojan-Spy.Win32.Bancos.zm
• Re-entry: Virus.Win32.Hidrag.a