Malware Miscellany, April 2007

April may be the cruellest month, but the malware has been breeding actively, mixing backdoors and BAT files, stirring users’ systems by deleting libraries…So, apologizing to T.S. Eliot in passing, let’s take a look at the latest Malware Miscellany:

1. Greediest Trojan targeting banks – this month, the award goes to Backdoor.Win32.Delf.zq. This program not only targets almost a hundred banks; it’s got other payment systems in its sights as well. Analysis of the code reveals the program’s Russian origins.
2. Greediest Trojan targeting payment cards – the prize in this category goes to Backdoor.Win32.VB.asj, which targets users of four different payment cards.
3. Greediest Trojan targeting e-payment systems – April’s statistics place Trojan-Dropper.Win32.Agent.ahp squarely in the frame. Just as Backdoor.Win32.VB.asj does, this Trojan targets users of four different e-payment systems.
4. Stealthiest malicious program – just like last month, there’s a Hupigon variant creeping up on users’ systems – this month it’s Backdoor.Win32.Hupigon.ru, which is packed with 11 different packers.
5. Smallest malicious program – this month, we’ve got a program which falls in between the previous two winners in terms of size. It’s Trojan.BAT.KillDll.b, a BAT file which is a mere 31 bytes in size. All it does is delete all DLL libraries from the Windows system directory. However, this is enough to crash the operating system.
6. Biggest malicious program – Trojan.Win32.Haradong.aa is the winner here. At 220MB, it outweighs last month’s winner by 38MB.
7. Most malicious program – an extensive malicious payload makes Backdoor.Win32.Agobot.gen a standout this month; the program combats antivirus solutions by deleting program files and terminating processes and services.
8. Most common malicious program in email traffic – Email-Worm.Win32.NetSky.t repeated its February performance and again made up 14% of all malicious code in mail traffic. A variant from the same family also won this category last month, demonstrating that the NetSky saga is set to run and run.
9. Most common Trojan family – this month, Trojan-PSW.Win32.OnLineGames made its presence felt, with 1044 modifications. The huge number of variants indicates that the demand for property and passwords stolen from online game accounts shows no signs of drying up.
10. Most common virus worm family – the Warezov family is already a regular feature in our Miscellanies and reports. It continues its dominance in this category, with 72 modifications being detected in April.

It’ll be interesting to see if the coming warm weather will have an effect on malware types and distribution. Of course, I’ll be tracking what goes into our collection, and will be back next month with the latest data.