Online Scanner Top Twenty for April 2006

02 May 2006
Virus News

PositionChange in positionNamePersentage
1. New! New Trojan-Downloader.Win32.Delf.alf 3.84
2. New! New! Trojan-PSW.Win32.LdPinch.akv 3.43
3. No Change - Trojan-Spy.Win32.Banker.ark 2.67
4. Up +1 Trojan-Downloader.Win32.Small.axy 1.71
5. Up +9 Trojan-Downloader.Win32.Agent.xz 1.63
6. No Change - Trojan-Spy.Win32.Banker.anv 1.30
7. New! New! Trojan-Downloader.Win32.Delf.ake 1.16
8. New! New! Email-Worm.Win32.Rays 0.77
9. Down -2 Trojan-Spy.Win32.Bancos.ha 0.66
10. New! New! Packed.Win32.Tibs 0.57
11. New! New! Trojan.Win32.Agent.qt 0.57
12. New! New! Virus.VBS.Redlof.a 0.55
13. Return Return Virus.Win32.Hidrag.a 0.54
14. Down -5 not-a-virus:Porn-Dialer.Win32.PluginAccess.gen 0.54
15. New! New! 0.53
16. Down -4 not-a-virus:PSWTool.Win32.RAS.a 0.53
17. New! New! 0.52
18. Down -2 Exploit.HTML.CodeBaseExec 0.52
19. New! New! 0.50
20. Return Return Backdoor.Win32.Rbot.gen 0.50
Other malicious programs 76.96

The online scanner statistics provide a real snapshot of threats that are actually on end user machines at any given point in time, while the email ratings provide information about threats that were detected and blocked before they reached end users.

The April Online Scanner Top Twenty clearly shows that Trojan-spy programs and adware have been the dominant type of threat on end user machines during the past month.

The appearance of a new leader is typical for this type of ratings. There is a large number of different viruses and most have very short life spans. The result is that the ratings are very dynamic and that no one threat stands out from the pack, unlike in the email ratings. For instance, the leader, Trojan-Downloader.Win32.Delf.alf is only 3% ahead of Backdoor.Win32.Rbot.gen, which is in last place.

The Trojan LdPinch constitutes a serious threat for the second month running. We have followed the evolution of this family for several years: the first versions were primitive password stealers, while the latest versions are multi-functional bots. The large number of versions is due to the fact that the creator of LdPinch have organized an illegal business where they create and sell new versions to anyone who pays. Crowds of script-kiddies who are incapable of writing even two lines of useful code have seized this opportunity to own on a Trojan produced especially for them. The second place LdPinch has is directly related to the fact that Trojan-Downloader.Win32.Delf.alf is the leader: Delf.alf was emailed using spammer technologies. Once Delf.alf infected a machine it then downloaded LdPinch.akv from the Internet. In fact, downloaders are probably the most widespread threat at this point in time – we have 3 of them in the top 5 places in the ratings. Once they infiltrate a machine they are mostly used to download adware.

Banker.ark and Banker.anv, two Trojan-spies that are used to steal online banking information are in third and sixth place respectively. These two Trojans have been in all of the Online Scanner Top Twenty ratings so far, due to the fact that they are being downloaded by widespread Trojan-downloaders.

What is more interesting is the presence of two classic viruses in the ratings – Hidrag.a and Redlof.a. Neither are new and both are certainly among the more widespread viruses in the world. Once again, we have more evidence that classic viruses are still out there and constitute a real threat. Even though classic viruses spread significantly more slowly than worms, they make up for it with large numbers of infected machines and difficult removal procedures.

VBS.Redlof.a is a classic Visual Basic virus. However, in addition to the traditional method of infecting HTML files, Redlof also uses a very interesting technique for spreading within infected machines. It infects the folder.htt file, which is located by default in most Windows folders. It is thus accessed every time you use Windows Explorer to open a folder, even if you don’t’ access the infected file, since folder.htt is executed automatically every time folders are opened in Windows. In other words, Redlof activates every time a folder is accessed. Redlof then uses the infected HTML files to spread in the Internet, since the infected files could be used to build websites. Everyone who visits a site that includes infected HTML files is then infected in turn.

Hidrag.a is also a classic virus that infects executable files. However, this was enough for Hidrag to infiltrate a significant number of pirated CD’s, which has lead to the virus spreading worldwide.

In conclusion, it is important to note that Polip, a virus that a number of vendors were concerned about in April is not in the April ratings. Despite the claims that Polip was purportedly widespread in P2P networks, it turned out that Trojans like LdPinch and Banker were a much more real threat this month than Polip. Moreover, P2P networks are themselves no longer a major infection vector; something to evaluate in future articles.


NewTrojan-Downloader.Win32.Delf.alf, Trojan-PSW.Win32.LdPinch.akv, Trojan-Downloader.Win32.Delf.ake, Email-Worm.Win32.Rays, Packed.Win32.Tibs, Trojan.Win32.Agent.qt, Virus.VBS.Redlof.a,,,
Moved upTrojan-Downloader.Win32.Small.axy, Trojan-Downloader.Win32.Agent.xz
Moved downTrojan-Spy.Win32.Bancos.ha, not-a-virus:Porn-Dialer.Win32.PluginAccess.gen, not-a-virus:PSWTool.Win32.RAS.a, Exploit.HTML.CodeBaseExec
No changeTrojan-Spy.Win32.Banker.ark, Trojan-Spy.Win32.Banker.anv
Re-entryVirus.Win32.Hidrag.a, Backdoor.Win32.Rbot.gen