The first Top 20 is based on data collected by Kaspersky Lab’s version 2009 antivirus product. The ranking is made up of the malicious programs, adware and potentially unwanted programs most frequently detected on users’ computers.
1. Net-Worm.Win32.Kido.ih
2. Virus.Win32.Sality.aa
3. Trojan.Win32.Autoit.ci
4. Trojan-Downloade.Win32.VB.eql
5. Packed.Win32.Krap.g
6. Worm.Win32.AutoRun.dui
7. Packed.Win32.Krap.b
8. Packed.Win32.Black.a
9. Trojan-Dropper.Win32.Flystud.ko
10. Virus.Win32.Sality.z
11. Worm.Win32.Mabezat.b
12. Virus.Win32.Alman.b
13. Worm.Win32.Autoit.ar
14. Trojan.JS.Agent.ty
15. e-mailWorm.Win32.Brontok.q
16. Worm.Win32.Autoit.i
17. Virus.Win32.VB.bu
18. Packed.Win32.Katusha.a
19. Trojan.Win32.RaMag.a
20. Trojan.Win32.Autoit.xp
Explanation of the statistics
Not surprisingly, the network worm Net-Worm.Win32.Kido.ih – also known as Conficker and Downadup – topped the list. However, Kaspersky Lab doesn’t expect to see the latest version of this now infamous malicious program among the leaders in the following months.
It’s now detected by Kaspersky Lab as Trojan-Downloader.Win32.Kido.a and, unlike previous variants, this one is unable to spread independently across networks.
The highest new entry (Trojan-Dropper.Win32.Flystud.ko) is also the highest ranking new entry. It came straight in at number nine and is a typical Trojan designed to stealthily install other Trojans. It’s written in the FlyStudio script language that, along with AutoIt, is one of the most popular languages among malware writers.
Both FlyStudio and the programs written in it originate in China.
Speaking of AutoIt, March’s ranking sees the Autoit.ci Trojan joined by a similar program called Autoit.xp.
At the lower end of the ranking there are two other new entries: Packed.Win32.Katusha.a and Trojan.Win32.Ramag.a. The former detects a compression utility used to pack both certain modifications of the fraudware program FraudTool and the malware which downloads these modifications. The Ramag.a Trojan, meanwhile, is a modified WinRAR archive which has no malicious payload apart from carrying other malware.
There were fewer script downloader programs – only Trojan.JS.Agent.ty, with its traditional iframe, is present in the first Top 20.
Main classes of threat detected
All malicious, advertising and potentially unwanted programs in that Top 20 can be grouped according to the main classes of threats detected by Kaspersky Lab. There has been no significant change in the balance between these classes for the last three months. The number of self-replicating programs also remains relatively high.
In total, 45,857 unique malicious, advertising and potentially unwanted programs were detected on users’ computers in March. This figure is almost exactly the same as that posted for February.
The second Top 20 presents data on which malicious programs most commonly infected objects detected on users’ computers. Malicious programs capable of infecting files make up the majority of this ranking.
1. Virus.Win32.Sality.aa
2. Worm.Win32.Mabezat.b
3. Virus.Win32.Virut.ce
4. Net-Worm.Win32.Nimda
5. Virus.Win32.Xorer.du
6. Virus.Win32.Sality.z
7. Virus.Win32.Alman.b
8. Virus.Win32.Parite.b
9. Virus.Win32.Virut.q
10. Trojan-Downloader.HTML.Agent.ml
11. Virus.Win32.Small.l
12. Worm.Win32.Runouce.b
13. Net-Worm.Win32.Kido.ih
14. Virus.Win32.Virut.n
15. Virus.Win32.Parite.a
16. Virus.Win32.Hidrag.a
17. Trojan-Clicker.HTML.IFrame.acy
18. P2P-Worm.Win32.Bacteraloh.h
19. Worm.Win32.Otwycal.g
20. Worm.Win32.Fujack.k
A player in both league tables
Net-Worm.Win32.Kido.ih also made its mark in the second set of Kaspersky Lab rankings, holding its own among the more common types of self-replicating programs.
This is most probably due to the fact that not all users installed the necessary security updates to their operating system in March.
