Online Scanner Top Twenty for May 2006

Kaspersky Lab’s latest monthly analysis of the Kaspersky Online Scanner reveals two of the most common Trojans remain in the Top Ten

Position	Change in position	Name	Percentage
1.	+5	Trojan-Spy.Win32.Banker.anv	2.12
2.	+1	Trojan-Spy.Win32.Banker.ark	1.98
3.	+8	Trojan.Win32.Agent.qt	1.39
4.	+4	Email-Worm.Win32.Rays	1.30
5.	New!	Trojan.Win32.VB.ami	1.18
6.	New!	Trojan-Downloader.Win32.Agent.td	1.06
7.	New!	Trojan-Dropper.Win32.Agent.tz	0.98
8.	New!	VirTool.Win32.Patcher.a	0.91
9.	+1	Packed.Win32.Tibs	0.81
10.	+6	not-a-virus:PSWTool.Win32.RAS.a	0.80
11.	+9	Backdoor.Win32.Rbot.gen	0.80
12.	+6	Exploit.HTML.CodeBaseExec	0.79
13.	New!	Trojan-Spy.Win32.Delf.jp	0.77
14.	New!	not-a-virus:Monitor.Win32.Ardamax.k	0.72
15.	New!	Email-Worm.Win32.Scano.v	0.67
16.	-15	Trojan-Downloader.Win32.Delf.alf	0.62
17.	New!	Email-Worm.Win32.Brontok.a	0.59
18.	Return	Virus.Win32.Parite.b	0.55
19.	New!	not-a-virus:AdWare.Win32.AdvertMen.a	0.55
20.	-6	not-a-virus:Porn-Dialer.Win32.PluginAccess.gen	0.49
Other malicious programs			80.92

In our fifth month of analyzing the statistics collected by the online scanner the two most common Trojans are clearly identified. Banker.anv has been in the Top Ten since January, Banker.ark since February. In May both reached the top of the ratings. Compared to the rest of the Top Twenty, where almost half the malicious programs are replaced every month, these two Trojans are real old-timers.

The two Trojans are near-identical twins. Both are written in Delphi and designed to steal data from users of a number of Brazilian banks. Brazilian hackers use all possible methods for delivering Trojans to users’ computers, including spam, Trojans embedded in the installation files of some programs, exploitation of browser vulnerabilities, etc.

We have recorded over 3,000 minor modifications of Banker.anv alone! For variant .ark the figure is even greater: over 4,000.
In contrast to previous months, in May we did not detect a large number of Trojan-Downloader programs. Only two achieved positions in the ratings. One of them is new (Agent.td, 6th position) and the other, Delf.aif, dropped 15 positions in the space of a month. At the same time, there is an unusually large number of email worms, and it is interesting that the ones in the online ratings are not the same as those which made it to the email Top Twenty.

Rays got as high as 4th place, a very impressive result for a primitive email worm. Scano.v is a new name in our rating (two other worms of the same family are in the email Top Twenty). The interesting thing about the third worm, Brontok.a, is that it first appeared as far back as last October, but it somehow remained inconspicuous until it caused local outbreaks in a number of major European companies.

As regards classic file viruses, they are playing musical chairs again. Redlof.a and Hidrag.a, which nearly reached the middle of the ratings in April, have disappeared, while Parite.b is back. It successfully increased its presence in February and March, and then in April it suddenly disappeared from the Top Twenty. This must have been due to a slight error in our calculations rather than a sign of a Parite.b outbreak coming to a close. This is a very persistent virus that is very hard to remove from the system.

As usual, this month’s Top Twenty includes exploits, backdoors, adware and “greyware” programs. We reported on practically all of them in past months, so here we will only mention the two newcomers: Ardamax.k, a commercial keylogger, and AdvertMen.a, an adware program.

Ardamax is not considered a Trojan because it was developed by a legitimate software company and is sold as a legal program. However, authors of many malicious programs are happy to regard it as a ready-made spyware module they can use instead of bothering to write their own. Commercial keyloggers are one of the biggest gray areas in the relations between antivirus companies and software developers. Even though they can be used as Trojans, these programs do have legal and genuinely legitimate applications.

AdvertMen.a is a typical adware program. It is distributed with a number of shareware programs. After being installed on a computer, it connects to the developer’s site and shows advertising in the browser window once in a while. This is how practically any adware works, but AdvertMen.a was apparently the most successful such program in May.

Summary