Malware reports

Online Scanner Top Twenty for March 2008

| Position | Change in position | Name | Percentage |
|---|---|---|---|
| 1 | No change (0) | not-a-virus:AdWare.Win32.Virtumonde.gen | 4.32 |
| 2 | No change (0) | Email-Worm.Win32.Bagle.of | 1.21 |
| 3 | No change (0) | Trojan.Win32.Dialer.yz | 0.95 |
| 4 | Up (+1) | not-a-virus:PSWTool.Win32.RAS.a | 0.82 |
| 5 | Up (+1) | Email-Worm.Win32.Brontok.q | 0.81 |
| 6 | Up (+10) | Virus.Win32.Virut.n | 0.79 |
| 7 | New | Trojan-Downloader.Win32.Bagle.jh | 0.71 |
| 8 | Up (+5) | not-a-virus:AdWare.Win32.BHO.xq | 0.63 |
| 9 | New | Worm.Win32.AutoRun.byt | 0.59 |
| 10 | Up (+9) | Trojan.Win32.Delf.aam | 0.46 |
| 11 | Down (-2) | Email-Worm.Win32.Rays | 0.45 |
| 12 | New | P2P-Worm.Win32.Malas.d | 0.43 |
| 13 | New | not-a-virus:Monitor.Win32.Ardamax.ae | 0.43 |
| 14 | Return | Virus.Win32.Parite.b | 0.42 |
| 15 | New | Virus.Win32.AutoRun.abt | 0.39 |
| 16 | New | Backdoor.Win32.Bifrose.bgn | 0.39 |
| 17 | New | Packed.Win32.PolyCrypt.h | 0.38 |
| 18 | New | Trojan-Downloader.Win32.Bagle.ij | 0.38 |
| 19 | Return | Email-Worm.Win32.NetSky.q | 0.38 |
| 20 | Down (-12) | Trojan-Spy.Win32.Ardamax.n | 0.38 |
| | | Other malicious programs | 84.68 |

Amazingly, for the second month in a row, not only has the leader of our Top Twenty remained unchanged, but so have the three programs at the top of the ranking.

The adware program Virtumonde or, to be more precise, an entire family that we detect as Virtumonde.gen, remains firmly in first place. This adware has been actively circulating for almost a year, and the situation is deteriorating with every passing month.

Exactly the same can be said about the second entry in the rankings, which is the latest modification of the Bagle worm. However, in Bagle’s case, it’s been in circulation for four years rather than one. Bagle was first detected back in January 2004. The authors, whose identities still remain a mystery, are responsible for a substantial share of Internet spam.

Keeping Bagle.of company in the March Top Twenty are a couple of related programs – the Trojan-Downloader programs Bagle.jh and Bagle.ij. Both of them are newcomers to the ratings; March saw them being used to prepare the ground for new versions of Bagle. That means we can expect these worms to be widespread in April as well.

Unfortunately, last month’s forecast that the Virut.n epidemic would subside proved to be premature. After ranking sixteenth last month, Virut.n, the sole survivor of the Virut family, rose ten places to end March in sixth place. A repeat of the third-place finish by Virut.av in January could well be on the cards.

The simultaneous emergence of two AutoRun programs – Worm.Win32.AutoRun.byt and Virus.Win32.AutoRun.abt – also deserves a mention. They use exactly the same propagation method as the veteran Brontok.q and Rays worms (which have been ever-present amongst the most widespread malicious programs over the last few years). As well as being able to propagate independently, this latest pair of malicious programs also steals user data, which undoubtedly makes them a serious threat.

The Ardamax keylogger family continues to pester users – Ardamax.n, which dropped to the bottom of the Top Twenty in March, was joined by the ‘legitimate’ program Ardamax.ae in thirteenth place.

All in all, March differed very little from previous months – users were spied on, their passwords were stolen and their PCs were used to send spam and display adware.

Summary

New: Trojan-Downloader.Win32.Bagle.jh, Worm.Win32.AutoRun.byt, P2P-Worm.Win32.Malas.d, not-a-virus:Monitor.Win32.Ardamax.ae, Virus.Win32.AutoRun.abt, Backdoor.Win32.Bifrose.bgn, Packed.Win32.PolyCrypt.h, Trojan-Downloader.Win32.Bagle.ij

Went up: not-a-virus:PSWTool.Win32.RAS.a, Email-Worm.Win32.Brontok.q, Virus.Win32.Virut.n, not-a-virus:AdWare.Win32.BHO.xq, Trojan.Win32.Delf.aam

Went down: Email-Worm.Win32.Rays, Trojan-Spy.Win32.Ardamax.n

Re-entry: Virus.Win32.Parite.b, Email-Worm.Win32.NetSky.q

No change: not-a-virus:AdWare.Win32.Virtumonde.gen, Email-Worm.Win32.Bagle.of, Trojan.Win32.Dialer.yz