A month has passed since the end of August, when we presented an unusual on-line scanner Top Twenty. Since then, the malware landscape has returned to a more normal state of affairs.
The places occupied by worms last month have been taken over by malware which is traditionally present in the online scanner ratings: Trojan-Downloader and Trojan-Dropper programs. This month's new leader is Trojan-Downloader.Win32.Delf.awg, which appeared on 6th September, when thousands of mail.ru users received a strange email from an unknown girl who offered to share her summer photographs and tales of her holiday. In spite of the fact that none of the recipients knew the Masha/Liza/Lena who was the alleged sender, they still opened the message and clicked on the attachment in the hope of seeing something nice. This was tried and tested social engineering, which worked as well as it always does, and which helped cause one of the biggest outbreaks of Trojan-Spy LdPinch that we've seen over the past few months. LdPinch was the program which Delf.awg installed on the machines of unsuspecting or careless users.
Out of all the unexpected data produced by August, only Backdoor.IRC.Zapchast managed to stand its ground, even rising to second position. This, together with Backdoor.Win32.mIRC-based (a Trojanized mIRC client) in 20th place and Backdoor.Win32.Rbot.gen in 18th place, shows that virus writers are exhibiting renewed interest in creating botnets which can be controlled via IRC.
The Rays and Brontok worms, which were pushed down the table by other malicious programs in August, have returned to the top five. Interestingly, in spite of the fact that these worms do have the ability to spread via email, they mainly propagate by copying themselves to all network resources accessible from the victim machine. The numerous questions asked about Rays and Brontok infections on the Kaspersky Lab forum show that this approach is a successful one.
Parite.b, the classic file virus, isn’t lagging behind either. It’s been in existence for several years, and inevitably features in the reports of nearly all major antivirus companies. Parite.b is undoubtedly the leader among classic viruses, whereas it would be impossible to find an analogous leader among worms or Trojans. Another, similar virus, Hidrag.a, has also returned to the Top Twenty, making us think seriously that reports of the death of classic viruses are greatly exaggerated. File viruses aren’t able to spread as fast as worms, but once they have infected a system, they will instantly infect all executable files, rooting themselves deeply within the system. Consequently, in order to get rid of them, the user has to scan not just once, but systematically and repeatedly; after all, it may not just be your machine that’s infected, but neighbouring machines on the local network, which could then reinfect your system.
Speaking of surprises, the number of email worms and the total absence of Trojan-Spy programs in September's ratings were unexpected. Banker.ark, which has intermittently been among the leaders throughout the past six months, and which was in 14th place in August, has not returned to a leading position this month as we had predicted it would, but has instead dropped off the bottom of the table. Worms, on the other hand, have appeared in large numbers: in addition to Rays and Brontok (mentioned above), in September users were also attacked by Scano.ag, Warezov.aj and .at, and an old acquaintance, Bagle.fj. We think that Warezov will probably disappear from the rankings in October, but Bagle and Scano seem likely to remain.
| Change | Malicious programs |
|---|---|
| New | Trojan-Downloader.Win32.Delf.awg, Email-Worm.Win32.Warezov.aj, Trojan-Clicker.Win32.Small.kj, Trojan-Downloader.Win32.Small.ddp, Trojan-Downloader.Win32.Delf.avj, Email-Worm.Win32.Warezov.at |
| Moved up | Backdoor.IRC.Zapchast, Email-Worm.Win32.Rays, Email-Worm.Win32.Brontok.q, Virus.Win32.Parite.b, not-a-virus:RiskTool.Win32.HideWindows, Email-Worm.Win32.Bagle.fj |
| Moved down | Trojan-Dropper.Win32.Pakes, Email-Worm.Win32.Scano.aq, Virus.Win32.Hidrag.a, Trojan-Downloader.Win32.INService.gen, Backdoor.Win32.Rbot.gen, not-a-virus:PSWTool.Win32.RAS.a |