Malware reports

Online Scanner Top Twenty for May 2007

Position Change in position Name Percentage
1. New!
New!
Trojan-Downloader.Win32.Agent.bjo 1.24
2. Up
+4
Trojan.Win32.Agent.qt 1.23
3. Up
+2
not-a-virus:AdWare.Win32.Virtumonde.if 1.19
4. Return
Return
Backdoor.IRC.Zapchast 1.17
5. New!
New!
Trojan-Downloader.Win32.LoadAdv.gen 1.16
6. New!
New!
Email-Worm.Win32.Zhelatin.dp 1.13
7. New!
New!
Email-Worm.Win32.Zhelatin.dn 1.12
8. No Change
0
Virus.VBS.Small.a 1.07
9. New!
New!
Trojan.Win32.Dialer.qn 0.90
10. New!
New!
Email-Worm.Win32.Zhelatin.dm 0.85
11. Down
-7
Email-Worm.Win32.Brontok.q 0.73
12. New!
New!
IM-Worm.Win32.VB.az 0.68
13. New!
New!
Email-Worm.Win32.Warezov.ns 0.67
14. No Change
0
Email-Worm.Win32.Rays 0.67
15. New!
New!
Trojan.Win32.Obfuscated.en 0.63
16. New!
New!
not-a-virus:AdWare.Win32.Virtumonde.bq 0.54
17. New!
New!
Trojan-Downloader.Win32.Small.ddp 0.51
18. New!
New!
not-a-virus:Monitor.Win32.Perflogger.ca 0.50
19. Return
Return
not-a-virus:PSWTool.Win32.RAS.a 0.48
20. Return
Return
Virus.Win32.Parite.b 0.48
Other malicious programs 83.05

By May 2007, some trends had started to shape themselves in our online statistics. Email worms are the most common among all the classes of malicious programs which we include, with a total of four different families and six different variants this month. Among these are some veterans such as Rays and Brontok, as well as some of the new generation worms actively targeting users’ mailboxes, such as Zhelatin and Warezov.

The first seven malicious programs are something of a monolith, with mere hundredths of a percent between placings. If we compiled our statistics a couple of days earlier or a couple of days later, the picture might look very different. There is no clear leader in March. Although Trojan-Downloader.Agent.bjo takes first place, this is one of those programs which has an extremely short life cycle, and which will disappear as quickly as it appeared. Trailing Agent.bjo by an extremely small margin are Trojan.Win32.Agent.qt, and Virtumonde.if, an adware program. Neither of these malicious programs is new to the rankings, and they look set to maintain their presence in our Online Top Twenty for a while. A wide range of methods is used to spread Virtumonde on the Internet: rootkit technologies, Trojan downloader programs, and spam mass mailings.

It’s interesting that the virus writers who are creating Trojan downloaders are actively varying the type of files downloaded, ranging from obviously malicious programs to adware. One day it might be an email worm that’s downloaded, while the day after it’s the latest version of Virtumonde, an advertising program, and the day after that, yet another type of program. However, more often than not, it’s adware that is downloaded, and this isn’t surprising – profits from Internet advertising have amounted to billions of dollars for some time now. A typical example of such a Trojan is Trojan-Downloader.Win32.LoadAdv.gen, which took fifth place in May. It showed increased activity towards the end of the month, so may well be higher up the rankings next month.

Zhelatin, pushed into sixth place by a small margin, isn’t likely to remain in our ratings for long. The authors of this worm are releasing new variants too quickly on the heels of the previous variant for this malicious program to make a significant impact on our rankings.

April was the first time an IM-Worm was present in the Online Top Twenty. It seemed likely that IM-Worm.Win32.Sohanad.t had set a precedent, and this is confirmed by the May rankings, where IM-Worm.Win32.VB.az takes twelfth place. This is a worrying trend, as the majority of users aren’t particularly cautious when sent links by instant messenger – links which of course lead to an infected website.

A keylogging program from the Perflogger family, and the file virus Parite are down at the bottom of the rankings. For a long time now these programs have either been slipping off the bottom of the table, or returning to the Top Twenty. This shows that although neither program is really causing an epidemic, they are both maintaining a stable presence on users’ machines.

Summary

  • New: Trojan-Downloader.Win32.Agent.bjo, Trojan-Downloader.Win32.LoadAdv.gen, Email-Worm.Win32.Zhelatin.dp, Email-Worm.Win32.Zhelatin.dn, Trojan.Win32.Dialer.qn, Email-Worm.Win32.Zhelatin.dm, IM-Worm.Win32.VB.az, Email-Worm.Win32.Warezov.ns, Trojan.Win32.Obfuscated.en, not-a-virus:AdWare.Win32.Virtumonde.bq, Trojan-Downloader.Win32.Small.ddp, not-a-virus:Monitor.Win32.Perflogger.ca
  • Went up: Trojan.Win32.Agent.qt, not-a-virus:AdWare.Win32.Virtumonde.if
  • Went down: Email-Worm.Win32.Brontok.q
  • Re-entry: Backdoor.IRC.Zapchast, not-a-virus:PSWTool.Win32.RAS.a, Virus.Win32.Parite.b

Online Scanner Top Twenty for May 2007

Your email address will not be published. Required fields are marked *

 

Reports

BlindEagle flying high in Latin America

Kaspersky shares insights into the activity and TTPs of the BlindEagle APT, which targets organizations and individuals in Colombia, Ecuador, Chile, Panama and other Latin American countries.

APT trends report Q2 2024

The report features the most significant developments relating to APT groups in Q2 2024, including the new backdoor in Linux utility XZ, a new RAT called SalmonQT, and hacktivist activity.

Subscribe to our weekly e-mails

The hottest research right in your inbox