|
|
 |
 |
|
03 March 2008
Virus & Online Scanner Top 20 for February 2008
|
Virus Top 20 for February 2008
The statistics resulting from our scanning of mail traffic in February 2008 were slightly different to data from the first month of the year.
Although the Trojan-Downloader program, Diehard, is continuing to cause significant outbreaks, this isn't reflected in the rankings.
There were four variants of this program in the January Top Twenty. In February, these four were replaced by a single new version which occupies twelfth place; however, this does not mean that the battle against Diehard is over. The number of programs in this family continued to rise rapidly in February, with approximately 50 new modifications being detected over the course of the month. In comparison, only 100 new modifications were detected during the previous four months (from October 2007 onwards).
The series of mass flash mailings which contain Diehard continue to disrupt mail traffic at least once a day, and it's always a new variant of the program which is sent out. If the percentages for all variants of this Trojan are added together, in percentage terms Diehard ranks higher than the actual leader of the Top Twenty, NetSky.q.
In general, the rankings have remained relatively stable. The second new entrant to this month's Top Twenty is another downloader program, Trojan-Downloader.Win32.Small.hsl. This program made it into fifth place straight away, and this may indicate that another dangerous new family will start figuring in our statistics in the near future.
Interestingly, of the four families of malicious code which are currently causing epidemics, only Diehard and Bagle are present in the rankings. Their two competitors, Zhelatin and Warezov, appear to be taking something of a break. However, Zhelatin did take advantage of Valentine's Day when the latest versions of this malicious program were mass mailed.
Other malicious programs made up a moderate percentage (5.12%) of all malicious code found in mail traffic, indicating that a number of other worms and Trojans are currently in active circulation.
The total percentage of infected messages in mail traffic detected by Kaspersky Lab scanning and analysis methods was 0.61%.
The twenty top countries which act as sources for infected messages in February are shown in the table below:
| Position |
Country |
Percentage |
| 1 |
UNITED STATES |
13,30 |
| 2 |
S.KOREA |
7.88 |
| 3 |
INDIA |
6.05 |
| 4 |
CHINA |
5.75 |
| 5 |
UNITED KINGDOM |
4.66 |
| 6 |
GERMANY |
4.58 |
| 7 |
SPAIN |
3.18 |
| 8 |
POLAND |
2.50 |
| 9 |
BRAZIL |
2.45 |
| 10 |
JAPAN |
2.29 |
| 11 |
FRANCE |
2.19 |
| 12 |
TURKEY |
2.12 |
| 13 |
ITALY |
2.07 |
| 14 |
RUSSIAN FEDERATION |
2.00 |
| 15 |
PAKISTAN |
1.94 |
| 16 |
AUSTRALIA |
1.82 |
| 17 |
CANADA |
1.46 |
| 18 |
NETHERLANDS |
1.38 |
| 19 |
ROMANIA |
1.37 |
| 20 |
UNITED ARAB EMIRATES |
1.34 |
| Other countries |
29.67 |
- New: Trojan-Downloader.Win32.Diehard.ez, Trojan-Downloader.Win32.Small.hsl
- Went up: Email-Worm.Win32.Bagle.gt, NetSky.d, Email-Worm.Win32.Mytob.q, Email-Worm.Win32.Mydoom.l, Net-Worm.Win32.Mytob.t
- Went down: Email-Worm.Win32.Nyxem.e, Email-Worm.Win32.NetSky.aa, Email-Worm.Win32.Scano.gen, Email-Worm.Win32.NetSky.y, Net-Worm.Win32.Mytob.w, Email-Worm.Win32.Bagle.gen, Email-Worm.Win32.Scano.bn
- Re-entry: Email-Worm.Win32.NetSky.x, Email-Worm.Win32.Mydoom.m, Email-Worm.Win32.Mydoom.m, Net-Worm.Win32.Mytob.bi, Net-Worm.Win32.Mytob.c, Email-Worm.Win32.NetSky.c
Online Scanner Top Twenty for February 2008
|
| Position |
Change in position |
Name |
Percentage |
| 1 |
 0 |
Trojan.Win32.Dialer.yz |
2,56 |
| 2 |
 New |
Trojan-Clicker.Win32.Small.kj |
1,39 |
| 3 |
 -1 |
Virus.Win32.Virut.av |
1,31 |
| 4 |
 +3 |
Trojan.Win32.Inject.mt |
1,30 |
| 5 |
0 |
Trojan.Win32.BHO.abo |
1,18 |
| 6 |
New |
Trojan-Downloader.Win32.Small.hlr |
1,10 |
| 7 |
-4 |
Email-Worm.Win32.Brontok.q |
1,08 |
| 8 |
New |
Virus.Win32.Virut.n |
1,04 |
| 9 |
-5 |
not-a-virus:PSWTool.Win32.RAS.a |
1,00 |
| 10 |
New |
Trojan-Downloader.Win32.Bagle.hj |
0,80 |
| 11 |
New |
Trojan-Dropper.Win32.Agent.dgo |
0,78 |
| 12 |
+2 |
Trojan-Spy.Win32.Ardamax.n |
0,73 |
| 13 |
New |
Trojan.Win32.BHO.agz |
0,71 |
| 14 |
-5 |
not-a-virus:Monitor.Win32.Perflogger.ca |
0,62 |
| 15 |
New |
Trojan-Downloader.Win32.Bagle.hk |
0,62 |
| 16 |
New |
Trojan-Downloader.Win32.Bagle.hi |
0,61 |
| 17 |
-1 |
not-a-virus:Monitor.Win32.Perflogger.ad |
0,56 |
| 18 |
+2 |
not-a-virus:Monitor.Win32.Perflogger.cb |
0,53 |
| 19 |
New |
not-a-virus:PSWTool.Win32.Messen.g |
0,50 |
| 20 |
 Return |
Worm.Win32.AutoIt.c |
0,46 |
| Other malicious programs |
81,12 |
It's been some time since we've seen an adware program at the top of our online rankings. February, however, saw the adware program Virtumonde or, to be more precise, an entire family, which we detect as Virtumonde.gen, claim top place.
Detailed analysis shows that over the last few months there's been activity leading up to this. Our reports have tracked several Trojan-Downloaders that have installed Virtumonde on victims’ computers. In January and February they even started appearing in mail traffic, which has never happened before.
Of course, we'll have to wait and see if anything changes in March, but if the activity of Virtumonde’s authors is anything to go by, this program looks set to remain among the leaders.
The leader for the last two months, Trojan.Win32.Dialer.yz, slipped to third place, though the sheer number of modifications ensures this program remains near the top of the rankings.
The Virut epidemic has subsided slightly. Virut.av, previously the most widespread variant of the family, which made it into the top three last month, fell off the bottom of the rankings altogether. The only Virut survivor from January’s rankings was Virut.n, and even this program fell eight places, to sixteenth place.
BHO Trojans exhibited a similar pattern – the three December entries fell to two in January and only BHO.xq remained in February, which incidentally is a new variant.
The various components of the malicious Bagle family, consisting of email worms and Trojan-Downloaders, continue to multiply – one of them even ended up in second place in the rankings, with another at seventeenth.
The veteran worm Brontok.q continues its travels up and down the rankings. After falling four places in January it rose one place in February. The Rays worm has experienced even more marked fluctuations recently – in December it ranked tenth before falling off the bottom of the rankings the following month, only to make a re-entry at ninth place in February.
The overall dominance of keylogging programs in the January Top Twenty was broken by a surge in new malicious programs that included various Trojan-Droppers and Trojan-Downloaders. In total, there were eleven new programs in the ratings in February.
Summary
- New: Email-Worm.Win32.Bagle.of, Trojan-Downloader.Win32.Small.ieg, Trojan-Downloader.Win32.Zlob.fjb, Trojan-Dropper.Win32.Agent.dnu, Trojan-Downloader.Win32.AutoIt.aa, Worm.Win32.AutoIt.i, not-a-virus:AdWare.Win32.BHO.xq, Trojan-Downloader.Win32.Agent.ggt, Trojan.Win32.Disabler.i, Trojan-Downloader.Win32.Bagle.jo, Trojan-Downloader.Win32.Agent.hzo
- Went up: not-a-virus:PSWTool.Win32.RAS.a, Email-Worm.Win32.Brontok.q, Trojan-Spy.Win32.Ardamax.n
- Went down: Trojan.Win32.Dialer.yz, Virus.Win32.Virut.n, not-a-virus:Monitor.Win32.Perflogger.ca
- Re-entry: not-a-virus:AdWare.Win32.Virtumonde.gen, Email-Worm.Win32.Rays, Trojan.Win32.Delf.aam.
| |
|
|
|
|
 |
24 July 2008Trend Micro Licenses Host Intrusion Defence Technology 08 July 2008Frequently Asked Questions About The Celestix MSA Appliance02 July 2008Juniper Remote Access Technical Demonstration Day
|
|
|