Malware reports

Online Scanner Top Twenty for October 2006

| Position | Change in position | Name | Percentage |
|---|---|---|---|
| 1 | New | Email-Worm.Win32.Warezov.cc | 13.33 |
| 2 | New | Email-Worm.Win32.Warezov.gen | 2.63 |
| 3 | -2 | Trojan-Downloader.Win32.Delf.awg | 2.04 |
| 4 | New | Email-Worm.Win32.Warezov.dc | 1.73 |
| 5 | New | Email-Worm.Win32.Warezov.dn | 1.08 |
| 6 | New | Trojan-Downloader.Win32.Adload.fu | 0.88 |
| 7 | -5 | Backdoor.IRC.Zapchast | 0.84 |
| 8 | -3 | Email-Worm.Win32.Brontok.q | 0.80 |
| 9 | +8 | not-a-virus:Monitor.Win32.Perflogger.163 | 0.73 |
| 10 | New | IM-Flooder.Win32.Delf.h | 0.67 |
| 11 | Return | not-a-virus:Monitor.Win32.Perflogger.az | 0.66 |
| 12 | New | Trojan.Win32.Diamin.ez | 0.59 |
| 13 | New | Email-Worm.Win32.Warezov.bu | 0.58 |
| 14 | -10 | Email-Worm.Win32.Rays | 0.54 |
| 15 | New | Email-Worm.Win32.Warezov.bt | 0.45 |
| 16 | New | not-a-virus:AdWare.Win32.Softomate.u | 0.43 |
| 17 | Return | Trojan.Win32.Agent.vg | 0.39 |
| 18 | New | Email-Worm.Win32.Warezov.bs | 0.38 |
| 19 | No Change | not-a-virus:PSWTool.Win32.RAS.a | 0.37 |
| 20 | New | Trojan-Dropper.Win32.Agent.awy | 0.33 |
| | | Other malicious programs | 70.55 |

Warezov’s October burst of activity dominates both Kaspersky Lab’s email and online scanner statistics this month. We also encountered worms from this family in September, but thought that October would prove fatal for this family, and that it would surrender its positions to Scano and Bagle. This proved to be completely wrong: in October Warezov accounted for 27% of all viruses detected in mail traffic and over 15% of viruses in the online rankings.

There are seven new variants in one Top Twenty, and seven new variants in the other. With the exception of variants .gen and .dn, which are common to both, the two separate rankings contain entirely different variants.

The leader in online statistics, Warezov.cc, accounted for over 13% of all viruses detected, which is an unprecedented achievement. Until now, malicious programs at the top of the charts have never broken the 5% barrier. The September leader, Trojan-Downloader.Win32.Delf.awg, has been dethroned. However, traces of the September 6th outbreak (when thousands of Mail.ru users received strange messages from an unknown girl containing the LdPinch Trojan) can still be seen in the rankings. This was one of the biggest Trojan attacks in 2006 so far, and a black day for the Russian Internet.

The top half of the chart, although inundated by Warezov variants, does contain other malicious programs. In other words, it effectively reflects all the problems faced by today’s Internet users: email worms, Trojan downloaders, keyloggers, backdoors and something which we have rarely mentioned before, IM-Flooders.

Delf.h, an IM-Flooder, is in tenth place. Such utilities are designed to send bulk messages to IM clients (ICQ, Miranda and Trillian). This type of program makes instant messaging spam a reality. Similar tricks are used by numerous Trojan spies that attack ICQ with invitations to visit a web page and see something interesting. Of course, such sites then turn out to have Trojans on them.

Backdoor.IRC.Zapchast continues to surprise us. This is a generic name for thousands of different scripts used by IRC backdoors, based on the standard mIRC client. Its presence in the chart may be due to the fact that the number of IRC users is growing rapidly because many file exchange networks have recently been closed down. IRC has not yet attracted the attention of law enforcement bodies and copyright protection agencies, and this old method of exchanging files and communicating is experiencing a rebirth.

Both Rays and Brontok have sunk in the rankings, ceding their positions to the multiple Warezov variants. However, these worms are very hard to remove completely from an infected computer, and it seems likely that they will continue to find their place in our statistics for a long time to come.

The Trojan spies that frequented our charts in summer are keeping a low profile. This does not mean that they have disappeared. On the contrary, they are becoming more numerous, but in terms of reach they are bound to be behind any worm.

Advertising programs (AdWare) installed on user computers by Trojans are as active as ever. A good example of such symbiosis is provided by Adload, a Trojan, and Softomate.u, an adware program, which occupy sixth and sixteenth place respectively in the October rankings.

Summary

New: Email-Worm.Win32.Warezov.cc, Email-Worm.Win32.Warezov.gen, Email-Worm.Win32.Warezov.dc, Email-Worm.Win32.Warezov.dn, Trojan-Downloader.Win32.Adload.fu, IM-Flooder.Win32.Delf.h, Trojan.Win32.Diamin.ez, Email-Worm.Win32.Warezov.bu, Email-Worm.Win32.Warezov.bt, not-a-virus:AdWare.Win32.Softomate.u, Email-Worm.Win32.Warezov.bs, Trojan-Dropper.Win32.Agent.awy

Moved up: not-a-virus:Monitor.Win32.Perflogger.163

Moved down: Trojan-Downloader.Win32.Delf.awg, Backdoor.IRC.Zapchast, Email-Worm.Win32.Brontok.q, Email-Worm.Win32.Rays

No change: not-a-virus:PSWTool.Win32.RAS.a

Re-entry: not-a-virus:Monitor.Win32.Perflogger.az, Trojan.Win32.Agent.vg
