Press Releases by WebKnowHow


Kaspersky Lab Publishes Virus Top Twenty, May 2006


June 2, 2006; 03:52 AM

Kaspersky Lab, a leading developer of secure content management solutions for protection against viruses, hacker attacks and spam, has published its Virus Top Twenty for May 2006. The overall ratings are calculated from the malicious programs detected in email traffic and from statistics compiled by the Kaspersky® Online Scanner system.

Email traffic Top Twenty, May 2006 (position, change since April, name, share of intercepted malicious programs):

Position  Change  Name                          Share
1                 Net-Worm.Win32.Mytob.c        27.61%
2         +1      Email-Worm.Win32.LovGate.w    10.01%
3         +1      Email-Worm.Win32.NetSky.q     6.13%
4         +1      Email-Worm.Win32.LovGate.ad   5.83%
5         -3      Email-Worm.Win32.NetSky.t     4.77%
6                 Email-Worm.Win32.NetSky.b     4.30%
7         +2      Net-Worm.Win32.Mytob.u        2.65%
8                 Net-Worm.Win32.Mytob.t        2.52%
9         +3      Net-Worm.Win32.Mytob.a        2.45%
10                Net-Worm.Win32.Mytob.q        2.30%
11                Net-Worm.Win32.Mytob.w        1.72%
12        +5      Email-Worm.Win32.NetSky.y     1.68%
13        Return  Email-Worm.Win32.LovGate.ah   1.51%
14        Return  Email-Worm.Win32.NetSky.x     1.27%
15        New     Email-Worm.Win32.Scano.ab     1.20%
16        -1      Email-Worm.Win32.NetSky.aa    1.18%
17        New     Net-Worm.Win32.Mytob.eg       1.12%
18        Return  Net-Worm.Win32.Mytob.x        1.04%
19        New     Email-Worm.Win32.Scano.ag     0.96%
20        Return  Net-Worm.Win32.Mytob.bx       0.96%
                  Other malicious programs      18.79%

Our statistics for May differ little from those for April. In fact, the difference between the May Top Twenty and those for March, or even April, is also minimal. This is not a temporary phenomenon but a feature of today's malware landscape: global email worm epidemics are already a thing of the past.

Let’s take a look at the statistics. Mytob.c, which in February firmly settled in top position with about 30% of all traffic, remains at the top, keeping its competitors at a safe distance. The fight for second position continues: Mydoom, NetSky, Bagle and Mytob have remained in the top five over the past few months, and even years. But by the summer of 2006 it turned out that they have been outlasted and overtaken on the way to the top by South Korean worms that most Europeans are not very familiar with and which have rarely been mentioned by the mass media. Two variants of LovGate have taken the second and fourth positions in the rating, leaving the remaining two top-five positions to NetSky. This result is apparently due to NetSky.t dropping from second position to fifth, with its presence in mail traffic almost halved. This is just what we anticipated in previous months.

In previous months we predicted that new Mytob variants would strengthen their presence and/or that old variants would return to top positions. Our forecasts were correct: two old Mytob variants, .u and .a, have somewhat improved their positions, and the family now accounts for exactly half of the top ten, including the top position. In addition, a new-generation Mytob, the .eg variant, has made its way into the Top Twenty. Although two hackers suspected of being the authors of these worms were arrested last August, new variants keep appearing at a frightening rate. This must be because the source code for this worm is publicly available. But the Mytobs are not just climbing higher and spawning new variants: they also return to the Top Twenty from time to time. The variants to make a comeback in May were .x and .bx, bringing the number of Mytob clones in our rating to almost half of the total: 9 positions out of 20.

Elsewhere in the ratings, two other newcomers are of some interest: the Scano email worm, in the form of variants .ag and .ab.

Scano is relatively new on the virus scene. In April we saw Scano.e reach the 14th position. This malicious program builds on the ideas implemented in the Feebs worm, which first appeared in the winter of 2005. Scano, however, differs from Feebs in that it includes a polymorphic JavaScript dropper, which delivers the worm to its victims. Polymorphic technologies are becoming increasingly popular among virus writers because the earlier methods of concealing malicious code from antivirus programs have become almost totally ineffective.

Now Scano.e has left the stage and has been replaced by two newcomers, which took the 15th and 19th positions. In all probability, they will follow the older variant into oblivion in June, but it is doubtful that Scano will leave the Top Twenty completely: the author of this worm is highly productive and releases several new variants a week.

Malicious programs outside the Top Twenty accounted for a significant percentage (18.79%) of all those intercepted, which means that numerous worms and Trojans belonging to other families are still circulating in mail traffic.

New: Mytob.eg, Scano.ag, Scano.ab
Moved up: LovGate.w, NetSky.q, LovGate.ad, Mytob.u, Mytob.a, NetSky.y
Moved down: NetSky.t, NetSky.aa
Re-entry: LovGate.ah, NetSky.x, Mytob.x, Mytob.bx

Online Scanner Top Twenty, May 2006 (position, change since April, name, share of detections):

Position  Change  Name                                            Share
1         +5      Trojan-Spy.Win32.Banker.anv                     2.12%
2         +1      Trojan-Spy.Win32.Banker.ark                     1.98%
3         +8      Trojan.Win32.Agent.qt                           1.39%
4         +4      Email-Worm.Win32.Rays                           1.30%
5         New     Trojan.Win32.VB.ami                             1.18%
6         New     Trojan-Downloader.Win32.Agent.td                1.06%
7         New     Trojan-Dropper.Win32.Agent.tz                   0.98%
8         New     VirTool.Win32.Patcher.a                         0.91%
9         +1      Packed.Win32.Tibs                               0.81%
10        +6      not-a-virus:PSWTool.Win32.RAS.a                 0.80%
11        +9      Backdoor.Win32.Rbot.gen                         0.80%
12        +6      Exploit.HTML.CodeBaseExec                       0.79%
13        New     Trojan-Spy.Win32.Delf.jp                        0.77%
14        New     not-a-virus:Monitor.Win32.Ardamax.k             0.72%
15        New     Email-Worm.Win32.Scano.v                        0.67%
16        -15     Trojan-Downloader.Win32.Delf.alf                0.62%
17        New     Email-Worm.Win32.Brontok.a                      0.59%
18        Return  Virus.Win32.Parite.b                            0.55%
19        New     not-a-virus:AdWare.Win32.AdvertMen.a            0.55%
20        -6      not-a-virus:Porn-Dialer.Win32.PluginAccess.gen  0.49%
                  Other malicious programs                        80.92%

In our fifth month of analysing the statistics collected by the online scanner, the two most common Trojans are clearly identified. Banker.anv has been in the Top Ten since January, and Banker.ark since February. In May both reached the top of the ratings. Compared with the rest of the Top Twenty, where almost half the malicious programs are replaced every month, these two Trojans are real old-timers.

The two Trojans are near-identical twins. Both are written in Delphi and designed to steal data from users of a number of Brazilian banks. Brazilian hackers use all possible methods for delivering Trojans to users’ computers, including spam, Trojans embedded in the installation files of some programs, exploitation of browser vulnerabilities, and so on.

We have recorded over 3,000 minor modifications of Banker.anv alone! For variant .ark the figure is even greater: over 4,000.

In contrast to previous months, in May we did not detect a large number of Trojan-Downloader programs. Only two made it into the ratings: one is new (Agent.td, 6th position) and the other, Delf.alf, dropped 15 positions in the space of a month. At the same time, there is an unusually large number of email worms, and it is interesting that the ones in the online ratings are not the same as those which made it into the email Top Twenty.

Rays got as high as 4th place, a very impressive result for a primitive email worm. Scano.v is a new name in our rating (two other worms of the same family are in the email Top Twenty). The interesting thing about the third worm, Brontok.a, is that it first appeared as far back as last October, but it somehow remained inconspicuous until it caused local outbreaks in a number of major European companies.

As regards classic file viruses, they are playing musical chairs again. Redlof.a and Hidrag.a, which nearly reached the middle of the ratings in April, have disappeared, while Parite.b is back. It steadily increased its presence in February and March, and then in April it suddenly disappeared from the Top Twenty. This must have been due to a slight error in our calculations rather than a sign of a Parite.b outbreak coming to a close. This is a very persistent virus that is very hard to remove from the system.

As usual, this month’s Top Twenty includes exploits, backdoors, adware and “greyware” programs. We reported on practically all of them in past months, so here we will only mention the two newcomers: Ardamax.k, a commercial keylogger, and AdvertMen.a, an adware program.

Ardamax is not considered a Trojan because it was developed by a legitimate software company and is sold as a legal program. However, authors of many malicious programs are happy to regard it as a ready-made spyware module they can use instead of bothering to write their own. Commercial keyloggers are one of the biggest gray areas in the relations between antivirus companies and software developers. Even though they can be used as Trojans, these programs do have legal and genuinely legitimate applications.

AdvertMen.a is a typical adware program. It is distributed with a number of shareware programs. After being installed on a computer, it connects to the developer’s site and periodically shows advertising in the browser window. This is how practically any adware works, but AdvertMen.a was apparently the most successful such program in May.

Summary:

New:
Trojan.Win32.VB.ami
Trojan-Downloader.Win32.Agent.td
Trojan-Dropper.Win32.Agent.tz
VirTool.Win32.Patcher.a
Trojan-Spy.Win32.Delf.jp
not-a-virus:Monitor.Win32.Ardamax.k
Email-Worm.Win32.Scano.v
Email-Worm.Win32.Brontok.a
not-a-virus:AdWare.Win32.AdvertMen.a

Moved up: Trojan-Spy.Win32.Banker.anv, Trojan-Spy.Win32.Banker.ark, Trojan.Win32.Agent.qt, Email-Worm.Win32.Rays, Packed.Win32.Tibs, not-a-virus:PSWTool.Win32.RAS.a, Backdoor.Win32.Rbot.gen, Exploit.HTML.CodeBaseExec

Moved down: Trojan-Downloader.Win32.Delf.alf, not-a-virus:Porn-Dialer.Win32.PluginAccess.gen
Re-entry: Virus.Win32.Parite.b
