Malware reports

Online Scanner Top Twenty for September 2006

Position Change in position Name Percentage
1. New!
New
Trojan-Downloader.Win32.Delf.awg 3.07
2. Up
+3
Backdoor.IRC.Zapchast 1.86
3. Return
Return
Trojan-Dropper.Win32.Pakes 1.70
4. Up
+7
Email-Worm.Win32.Rays 0.89
5. Up
+12
Email-Worm.Win32.Brontok.q 0.72
6. Up
+12
Virus.Win32.Parite.b 0.65
7. New!
New
Email-Worm.Win32.Warezov.aj 0.51
8. Return
Return
Email-Worm.Win32.Scano.aq 0.40
9. Up
+4
not-a-virus:RiskTool.Win32.HideWindows 0.39
10. Up
+4
Email-Worm.Win32.Bagle.fj 0.38
11. New!
New
Trojan-Clicker.Win32.Small.kj 0.37
12. New!
New
Trojan-Downloader.Win32.Small.ddp 0.36
13. Return
Return
Virus.Win32.Hidrag.a 0.36
14. Return
Return
Trojan-Downloader.Win32.INService.gen 0.35
15. New!
New
Trojan-Downloader.Win32.Delf.avj 0.34
16. New!
New
Email-Worm.Win32.Warezov.at 0.34
17. Down
-5
not-a-virus:Monitor.Win32.Perflogger.163 0.34
18. Return
Return
Backdoor.Win32.Rbot.gen 0.33
19. Return
Return
not-a-virus:PSWTool.Win32.RAS.a 0.31
20. Down
-12
Backdoor.Win32.mIRC-based 0.30
Other malicious programs 86.03

A month has passed since the end of August, when we presented an unusual online scanner Top Twenty. Since then, the malware landscape has returned to a more normal state of affairs.

The places occupied by worms last month have been taken over by malware which is traditionally present in the online scanner ratings: Trojan-Downloader and Trojan-Dropper programs.

This month’s new leader is Trojan-Downloader.Win32.Delf.awg, which appeared on 6th September, when thousands of mail.ru users received a strange email from an unknown girl who offered to share her summer photographs and tales of her holiday. In spite of the fact that none of the recipients knew the Masha/ Liza/ Lena who was the alleged sender, they still opened the message and clicked on the attachment in the hope of seeing something nice. Tried and tested social engineering, which worked as well as it always does, and which helped caused one of the biggest outbreaks of Trojan-Spy LdPinch that we’ve seen over the past few months. LdPinch was the program which Delf.awg installed on the machines of unsuspecting or careless users.

Out of all the unexpected data produced by August, only Backdoor.IRC.Zapchast managed to stand its ground, even rising to second position. This, together with Backdoor.Win32.mIRC-based (a Trojanized mIRC client) in 20th place and Backdoor.Win32.Rbot.gen in 18th place, shows that virus writers are exhibiting renewed interest in creating botnets which can be controlled via IRC.

The Rays and Brontok worms, which were pushed down the table by other malicious programs in August, have returned to the top five. Interestingly, in spite of the fact that these worms do have the ability to spread via email, they mainly propagate by copying themselves to all network resources accessible on the victim machine. The numerous questions asked about Rays and Brontok infections on the Kaspersky Lab forum shows that this approach is a successful method.

Parite.b, the classic file virus, isn’t lagging behind either. It’s been in existence for several years, and inevitably features in the reports of nearly all major antivirus companies. Parite.b is undoubtedly the leader among classic viruses, whereas it would be impossible to find an analogous leader among worms or Trojans. Another, similar virus, Hidrag.a, has also returned to the Top Twenty, making us think seriously that reports of the death of classic viruses are greatly exaggerated. File viruses aren’t able to spread as fast as worms, but once they have infected a system, they will instantly infect all executable files, rooting themselves deeply within the system. Consequently, in order to get rid of them, the user has to scan not just once, but systematically and repeatedly; after all, it may not just be your machine that’s infected, but neighbouring machines on the local network, which could then reinfect your system.

Speaking of surprises, the number of email worms, and the total absence of Trojan-Spy programs in September’s ratings was unexpected. Banker.ark, which has intermittently been among the leaders throughout the past six months, and which was in 14th place in August, has not, as we predicted, returned to a leading position this month, but has instead dropped off the bottom of the table. Worms, on the other hand, have appeared in large numbers: in addition to Rays and Brontok (mentioned above), in September users were also attacked by Scano.ag, Warezov.aj and .at, and an old acquaintance, Bagle.fj. We think that Warezov will probably disappear from the rankings in October, but Bagle and Scano seem likely to remain a fixture for some time to come.

Summary

New Trojan-Downloader.Win32.Delf.awg, Email-Worm.Win32.Warezov.aj, Trojan-Clicker.Win32.Small.kj, Trojan-Downloader.Win32.Small.ddp, Trojan-Downloader.Win32.Delf.avj, Email-Worm.Win32.Warezov.at
Moved up Backdoor.IRC.Zapchast, Email-Worm.Win32.Rays, Email-Worm.Win32.Brontok.q, Virus.Win32.Parite.b, not-a-virus:RiskTool.Win32.HideWindows, Email-Worm.Win32.Bagle.fj
Moved down not-a-virus:Monitor.Win32.Perflogger.163, Backdoor.Win32.mIRC-based
Re-entry Trojan-Dropper.Win32.Pakes, Email-Worm.Win32.Scano.aq, Virus.Win32.Hidrag.a, Trojan-Downloader.Win32.INService.gen, Backdoor.Win32.Rbot.gen, not-a-virus:PSWTool.Win32.RAS.a

Online Scanner Top Twenty for September 2006

Your email address will not be published. Required fields are marked *

 

Reports

BlindEagle flying high in Latin America

Kaspersky shares insights into the activity and TTPs of the BlindEagle APT, which targets organizations and individuals in Colombia, Ecuador, Chile, Panama and other Latin American countries.

APT trends report Q2 2024

The report features the most significant developments relating to APT groups in Q2 2024, including the new backdoor in Linux utility XZ, a new RAT called SalmonQT, and hacktivist activity.

Subscribe to our weekly e-mails

The hottest research right in your inbox