Online Scanner Top Twenty for October 2007

Our online virus scanner’s October rankings are a bit unusual. What makes them stand out from previous months is a stability that we have not seen before. Three malicious programs managed to retain the same positions as they had last month. Most of the other malicious programs showed insignificant changes and what’s more, only five malicious programs are new to the rankings: this is an unprecedentedly low figure for our most volatile statistics.

Yet again, the leader has changed. October’s top position was taken by Packed.Win32.NSAnti.r, a whole family of different Trojans packed using the “hacker” protector NSAnti. The first variants appeared as long ago as last October, and since then we have detected over 8,000 modifications! It seems that this family has now reached a peak.

The Rays and Brontok worms have taken residence in the top quarter of the ranking, marking a triumphant comeback from beyond the Top Twenty. They spent July and August in the outer darkness beyond the bottom of the rankings. It’s likely that users will continue to experience problems with these worms, which for the most part spread via removable media (flash memory cards), for a long time to come.

The adware program BHO.cc, which was first detected in early July and which is distributed together with the BitAccelerator program, has gone up five positions. Interestingly, Google finds over 2,700,000 links for this word. If this program is so popular, fourth place, which is currently occupies, is clearly not the limit.

The script virus VBS.Small.a is September’s leader in terms of growth. Although it remains in 8th place, as it uses the same method as Rays and Brontok to spread it is likely to remain in our rankings and may even go up a few places.

The Sohanad IM worms are becoming increasingly widespread: the .t and .as variants have gone up two positions each, with Sohanad.t reaching 10th place.

The number of programs in the not-a-virus class is slightly smaller than last month. Five such programs made it into the Online Top Twenty in October, down from seven in September.

There are no other significant changes in the rankings. Even the return of Backdoor.IRC.Zapchast to sixth place can’t be regarded as significant: the program has been present in our statistics for so long that a single disappearance followed by a subsequent comeback can only be viewed as a one-off event rather than a stable trend.

As before, Trojan spies are represented by one program, a modified variant of the legitimate keylogging program Perflogger.

New: Packed.Win32.NSAnti.r, Trojan-Downloader.VBS.Psyme.ga, Trojan.Win32.VB.atg, Trojan-Downloader.Win32.AutoIt.q, not-a-virus:Porn-Dialer.Win32.AdultBrowser.

Moved up: not-a-virus:AdWare.Win32.BHO.cc, Email-Worm.Win32.Rays, IM-Worm.Win32.Sohanad.t, IM-Worm.Win32.Sohanad.as, Worm.Win32.AutoIt.c

Moved down: Trojan.Win32.Dialer.qn, Trojan-Downloader.Win32.Small.ddp, not-a-virus:Monitor.Win32.Perflogger.ca, not-a-virus:PSWTool.Win32.RAS.a, not-a-virus:Monitor.Win32.Perflogger.ad, Trojan-Spy.Win32.Perfloger.ab

No change: Email-Worm.Win32.Brontok.q, Virus.VBS.Small.a, Trojan.Win32.Obfuscated.en