Kaspersky Lab Virus Top 20 for March 2006

Kaspersky Lab, a leading developer of secure content management solutions that protect against viruses, Trojans, worms, hacker attacks, spyware and spam, presents a combined malware Top Twenty, which includes an analysis of email traffic and online (Web based) scanner statistics.

Virus TOP 20

1 – Net-Worm.Win32.Mytob.c 32.97
2 +2 Email-Worm.Win32.NetSky.t 10.89
3 -1 Email-Worm.Win32.LovGate.w 9.07
4 +1 Email-Worm.Win32.NetSky.b 4.31
5 +2 Net-Worm.Win32.Mytob.u 3.34
6 +6 Email-Worm.Win32.Zafi.b 3.08
7 +2 Email-Worm.Win32.NetSky.q 2.68
8 – Net-Worm.Win32.Mytob.q 2.61
9 +1 Net-Worm.Win32.Mytob.t 2.54
10 +5 Email-Worm.Win32.LovGate.ae 2.40
11 – Net-Worm.Win32.Mytob.a 2.17
12 -9 Email-Worm.Win32.Zafi.d 1.95
13 New Email-Worm.Win32.LovGate.ad 1.75
14 – Email-Worm.Win32.NetSky.y 1.57
15 Return Net-Worm.Win32.Mytob.w 1.07
16 Return Net-Worm.Win32.Mytob.h 0.99
17 -1 Net-Worm.Win32.Mytob.y 0.97
18 +2 Net-Worm.Win32.Mytob.x 0.90
19 New Email-Worm.Win32.LovGate.ah 0.88
20 -1 Net-Worm.Win32.Mytob.ar 0.83
Other malicious programs 13.33

After all the changes to the rankings which took place in February, (5 re-entries and one new malicious program), March was far calmer. There were no significant outbreaks, let alone epidemics. The most interesting newcomer of February, Bagle.fj, which reached 6th place in February, dropped from view in March.

However, the names at the top of the table have changed. Although Mytob.c is still in first place, NetSky.t, which was in fourth place a month ago, is now in 2nd place. This is the highest the worm has climbed since it appeared in the rankings: in February it rose by 15 positions, an absolute record over the past few months. March’s data shows that the February jump wasn’t a one-off burst of activity, since Netsky.t continued to rise. However, it’s likely that it has reached its peak, and we predict that it will slide down the rankings in future months.

Zafi.d, which headed the Top Twenty in January this year, and took third place in February, lost 9 places in March, ending up in 12th position. Zafi’s place has been taken by LovGate.w, which was in 2nd place last month. Overall, this family of worms has behaved with a remarkable lack of predictability over the last year. This month two representatives of this family are in the Top Twenty, and over the course of the year, Zafi variants have either headed the rankings, or been on the verge of disappearing off the bottom of the table. Over the last two months, Zafi has showed a considerable amount of movement, with Zafi.d moving downwards, and Zafi.b climbing 6 places, from 12th to 6th place.

The top ten malicious programs have also shown increased activity. Eight out of the ten worms present have changed their position in one way or another. In addition to Zafi.b, LovGate.ae also climbed 5 places to 10th place, having only last month returned from oblivion.

LovGate remains one of the most puzzling worms – no LovGate variant has ever caused a major epidemic, and these worms receive little attention from the mass media. However, this month’s Top Twenty includes four LovGate variants – two from the previous month, and two new entrants. LovGate.w is a veteran of the rankings; LovGate.ae periodically appears and then disappears again, and LovGate.ad and .ah are both new this month.

Although LovGate variants are widespread in China and Korea, presumably due to their Asian origin, they do not present any real threat to American and European users.

Mytob variants occupy half of the entire Top Twenty. In January, Mytob.a gained 7 places, lost a place in February, and in March seems to have settled down in 11th place. Mytob.x, however, moves up and down the rankings, gaining 5 places in January, moving down 2 places in February, and back up again to its former position in March. This variant shows little stability, and it’s likely to disappear from the Top Twenty in April.

The tendency for worms which had already disappeared from the rankings to return was maintained in March, with Mytob.w and Mytob.h putting in a renewed appearance.

Other malicious programs made up a significant percentage (13.33%) of mail traffic, showing that a fairly large number of otherworms and Trojans are circulating on the Internet.

Summary:

New: LovGate.ad, LovGate.ah

Moved up: NetSky.t, NetSky.b, Mytob.u, Zafi.b, NetSky.q, Mytob.t, LovGate.ae, Mytob.x

Moved down: LovGate.w, Zafi.d, Mytob.y, Mytob.ar

Re-entry: Mytob.w, Mytob.h

Virus TOP 20 Online

1 New Trojan-PSW.Win32.LdPinch.air. 23.17
2 New Trojan-Downloader.Win32.Delf.ajd. 10.71
3 – Trojan-Spy.Win32.Banker.ark. 2.30
4 New Trojan-Downloader.Win32.Small.ckj. 2.26
5 New Trojan-Downloader.Win32.Small.axy. 0.93
6 -4 Trojan-Spy.Win32.Banker.anv. 0.92
7 -3 Trojan-Spy.Win32.Bancos.ha 0.88
8 -1 Email-Worm.Win32.Wukill. 0.79
9 New not-a-virus:Porn-Dialer.Win32.PluginAccess.gen 0.76
10 New Trojan-Downloader.Win32.Zlob.in 0.55
11 -1 not-a-virus:PSWTool.Win32.RAS.a 0.49
12 +8 Virus.Win32.Parite.b 0.44
13 New Trojan-PSW.Win32.LdPinch.ais. 0.42
14 New Trojan-Downloader.Win32.Agent.xz 0.40
15 New Trojan-Downloader.Win32.Small.cni. 0.40
16 New Exploit.HTML.CodeBaseExec. 0.39
17 New Trojan-Downloader.Win32.IstBar.no 0.38
18 -13 Worm.Win32.Feebs.gen 0.38
19 New Backdoor.Win32.IRCBot.nw 0.38
20 New Trojan-Dropper.Win32.Agent.aiq. 0.36

Other malicious programs 52.69

At first glance, the March statistics from the online scanner shows that the Online Scanner Top Twenty ratings continue to change radically from month to month. In February, 12 new malicious programs appeared in the rankings, and the same happened in March. However, the viruses which made up the January Top Twenty have almost entirely vanished from the rankings.

On the surface, the changes which took place at the top of the table this month seem nothing out of the ordinary. However, the leaders make up such a high percentage of traffic that they have broken all records set by their predecessors. The LdPinch.air Trojan, which steals passwords, caused a significant outbreak on Runet in the middle of March. This Trojan was mass mailed using spammer technologies, and the mass mailing was carried out in several stages – in addition to LdPinch, a Trojan-Downloader was sent out, which then downloaded LdPinch.air to the victim machine. And it is this Trojan-Downloader, Win32.Delf.ajd which takes second place in the on-line scanner rankings, with a high share of overall traffic, more than 10%. Undoubtedly the LdPinch incident was the major event of March.

Banker.ark is also high in the rankings, but in contrast to LdPinch, which steals passwords, this piece of spyware intercepts information for e-banking system accounts.

Worms have slackened their hold; the January Top Twenty was headed by Feebs.gen, which dropped to 18th place in March. February’s leader, Bagle.fj, also vanished from the rankings, just as it vanished from the email traffic statistics.

Against the background noise caused by these worms, the relatively unknown Wukill maintains a certain stability. For the third month running, Wukill is located between 7th and 10th place. Exactly why, we don’t yet know – Wukill has not caused any outbreak worth noting.

Just like a month ago, the bulk of the ratings is occupied by Trojan programs, from the most widespread and dangerous classes – Trojan-Spy and Trojan-Downloader. Banker.anv, in 6th place, and Bancos.ha keep Banker.ark company in the hunt for bank account data. LDPinch, a family with hundreds of known variants, is also represented by LdPinch.ais, in 13th place.

The main way in which these Trojans are delivered to victim machines is by Trojan-Downloaders. There are 7 Trojan-Downloaders in this month’s Online Scanner ratings; this large number highlights the rapid evolution of this type of malware. There were only four Trojan-Downloaders in the February rankings.

Nyxem.e, which caused something of a fuss in January this year, finally disappeared from the rankings, and has also been entirely absent from other statistics. However, Parite.b, a classic file virus has moved dramatically up the rankings, jumping eight positions to 12th place.

It’s also interesting that an old exploit for a Windows vulnerability, CodeBaseExec has put in an appearance this month. This exploit was used by some worms a few years ago, and has now been resurrected, even though the majority of users installed patches long ago.

Summary:

New:

New Trojan-PSW.Win32.LdPinch.air.
New Trojan-Downloader.Win32.Delf.ajd.
New Trojan-Downloader.Win32.Small.ckj.
New Trojan-Downloader.Win32.Small.axy.
New not-a-virus:Porn-Dialer.Win32.PluginAccess.gen
New Trojan-Downloader.Win32.Zlob.in
New Trojan-PSW.Win32.LdPinch.ais.
New Trojan-Downloader.Win32.Agent.xz
New Trojan-Downloader.Win32.Small.cni.
New Exploit.HTML.CodeBaseExec.
New Trojan-Downloader.Win32.IstBar.no
New Backdoor.Win32.IRCBot.nw
New Trojan-Dropper.Win32.Agent.aiq.

Moved up: Virus.Win32.Parite.b

Moved down: Trojan-Spy.Win32.Banker.anv, Trojan-Spy.Win32.Bancos.ha, Email-Worm.Win32.Wukill, not-a-virus:PSWTool.Win32.RAS.a, Worm.Win32.Feebs.gen

No change: Trojan-Spy.Win32.Banker.ark

Don't miss