Online Scanner Top Twenty for July 2007

01 Aug 2007
Virus News

| Position | Change in position | Name | Percentage |
|---|---|---|---|
| 1 | Return | Trojan.Win32.Dialer.cj | 8.82 |
| 2 | New | Backdoor.Win32.IRCBot.acd | 4.21 |
| 3 | Down -1 | Trojan.Win32.Dialer.qn | 2.37 |
| 4 | New | Trojan-Downloader.Win32.Small.eqn | 2.31 |
| 5 | Down -1 | Backdoor.IRC.Zapchast | 2.16 |
| 6 | Down -3 | Trojan-Downloader.Win32.LoadAdv.gen | 1.68 |
| 7 | Return | Backdoor.Win32.mIRC-based | 1.55 |
| 8 | New | Packed.Win32.PolyCrypt.b | 1.42 |
| 9 | New | Trojan-Downloader.Win32.Tibs.mq | 1.09 |
| 10 | New | Trojan-Downloader.Win32.Nurech.bs | 1.08 |
| 11 | Down -10 | not-a-virus:AdWare.Win32.Virtumonde.jp | 1.04 |
| 12 | Return | Virus.VBS.Small.a | 0.88 |
| 13 | New | Backdoor.IRC.Cloner.ae | 0.87 |
| 14 | New | Trojan.Win32.Agent.abe | 0.64 |
| 15 | New | Trojan-Downloader.Win32.BHO.l | 0.62 |
| 16 | New | Trojan-Proxy.Win32.Small.du | 0.62 |
| 17 | Return | not-a-virus:PSWTool.Win32.RAS.a | 0.60 |
| 18 | New | Trojan-Downloader.Win32.Alphabet.gen | 0.59 |
| 19 | New | Trojan.Win32.Dialer.fn | 0.55 |
| 20 | Return | Email-Worm.Win32.Rays | 0.52 |
| | | Other malicious programs | 66.38 |

After a short break, Trojan Dialers are again at the top of the rankings based on the results of our July online scanner activity. In June, as we noted the rise of Dialer.qn, we predicted a new attack of such programs. This month the first position, and a respectable 9%, is taken by Dialer.cj. This Trojan is by no means new on the charts, and it actually topped the rankings in December 2006. Now, seven months later, we are witnessing its comeback.

On the whole, a look at this month’s Top Twenty produces a déjà vu effect: in addition to the two Trojan Dialers among the top three malicious programs, the ranking includes a number of backdoors that enable remote control of a system via IRC channels. These are IRCBot.acd (2nd place), Zapchast (5th), mIRC-based (7th) and Cloner.ae (13th).

All of them have pushed down various adware programs, which had steadily increased their standing in the rankings in May and June, primarily due to the rise of Virtumonde variants. For the June leader, Virtumonde.jp, this onslaught was too much and it dropped by 10 positions in a single month. However, this does not mean that adware will give up easily. Although Trojan-Downloader.Win32.LoadAdv.gen has moved down by three places (from 3rd to 6th), in terms of percentage points it has not lost much ground: it accounted for 1.68% of the malware detected in July, compared to 2.14% in June. Since this Trojan downloads various adware programs onto an infected system, it is likely to continue spreading.

The newcomers to the Top Twenty are relatively numerous – 11 malicious programs. As before, almost half of these are new Trojan Downloader variants. Trojan-Downloader.Win32.Nurech and Alphabet.gen, which are used to create botnets, are particularly dangerous.

Classic viruses Virus.VBS.Small.a and Email-Worm.Win32.Rays are back in the ranking. Rays left the Top Twenty ranking a month ago, but in July it somehow managed to make it back to the bottom position. As for its “twin brother”, the Brontok worm, which fell 7 places in the past two months, it did not make it into our latest statistics.

Summary

  1. New: Backdoor.Win32.IRCBot.acd, Trojan-Downloader.Win32.Small.eqn, Packed.Win32.PolyCrypt.b, Trojan-Downloader.Win32.Tibs.mq, Trojan-Downloader.Win32.Nurech.bs, Backdoor.IRC.Cloner.ae, Trojan.Win32.Agent.abe, Trojan-Downloader.Win32.BHO.l, Trojan-Proxy.Win32.Small.du, Trojan-Downloader.Win32.Alphabet.gen, Trojan.Win32.Dialer.fn
  2. Moved down: Trojan.Win32.Dialer.qn, Backdoor.IRC.Zapchast, Trojan-Downloader.Win32.LoadAdv.gen, not-a-virus:AdWare.Win32.Virtumonde.jp
  3. Re-entry: Trojan.Win32.Dialer.cj, Backdoor.Win32.mIRC-based, Virus.VBS.Small.a, not-a-virus:PSWTool.Win32.RAS.a, Email-Worm.Win32.Rays.