Malware reports

Malware Miscellany, May 2007

Virus writers didn’t take any time off over the public holidays, and the results of their labour have made their way into our May miscellany.

  1. Greediest Trojan targeting banks – in May, this title went to Trojan-Spy.Win32.Banker.aqu, a modification that targets 87 banks simultaneously.
  2. Greediest Trojan targeting e-payment systems – this month’s glutton is Trojan-PSW.Win32.VB.kq, which targets four e-payment systems.
  3. Greediest Trojan targeting payment cards – Trojan-PSW.Win32.VB.kq wins the prize in this category too; it targets four payment card systems as well as the e-payment systems mentioned in the category above.
  4. Stealthiest malicious program – once again, a Hupigon variant wins in this category. Backdoor.Win32.Hupigon.rc is packed in ten layers using a whole range of packers. Nevertheless, this didn’t save the backdoor from detection.
  5. Smallest malicious program – this prize goes to a tiny program weighing in at a mere 9 bytes. Despite its very compact size, Trojan.DOS.DiskEraser.b still manages to delete data from disk.
  6. Biggest malicious program – Trojan.Win32.KillFiles.ki was the most space-hungry malicious program in May. This file-deleting Trojan weighs in at a whopping 247MB. Interestingly, May’s smallest and largest programs have the same malicious payload; only their sizes differ, and they differ remarkably.
  7. Most malicious program – the leader in this category in May is Backdoor.Win32.Agobot.afy, which deletes antivirus programs using a variety of methods.
  8. Most common malicious program in email traffic – this title went to Email-Worm.Win32.Netsky.t this May. Despite being an old-timer, this worm is still causing major damage, accounting for over 15% of all malicious email traffic in May 2007.
  9. Most common Trojan family – the winner of this category this month is the Backdoor.Win32.Rbot family, with 454 modifications in the course of just one month.
  10. Most common virus/worm family – the Warezov family once again took this title this month. A total of 78 different variants of the Warezov family were detected in May, up from 72 in April.
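The categories above count "modifications" and "variants" per family, which only works if detection names are split consistently into their parts. The detection names in this list follow the Behaviour.Platform.Family.Variant scheme (for example Trojan-Spy.Win32.Banker.aqu is behaviour Trojan-Spy, platform Win32, family Banker, variant aqu). The following is an added example, not code from the original report or from the vendor: it parses names in that scheme and tallies distinct variants per family over a constructed sample. It assumes, for the purpose of `variant_index`, that variant suffixes are assigned as an alphabetical sequence a, b, ..., z, aa, ab, ...; the Warezov entries in the sample are constructed for illustration and are not variants reported on this page.

```python
import re
from collections import defaultdict

# Behaviour.Platform.Family.Variant, e.g. Trojan-Spy.Win32.Banker.aqu
# Behaviour may contain a hyphen (Trojan-PSW, Email-Worm); the variant
# suffix is lowercase letters.
NAME_RE = re.compile(
    r"^(?P<behaviour>[A-Za-z]+(?:-[A-Za-z]+)*)"
    r"\.(?P<platform>[A-Za-z0-9]+)"
    r"\.(?P<family>[A-Za-z0-9_]+)"
    r"\.(?P<variant>[a-z]+)$"
)

# Constructed sample: the names from this month's list, plus a duplicate
# Netsky hit and three constructed Warezov entries (not from the page).
SAMPLE_DETECTIONS = [
    "Trojan-Spy.Win32.Banker.aqu",
    "Trojan-PSW.Win32.VB.kq",
    "Backdoor.Win32.Hupigon.rc",
    "Trojan.DOS.DiskEraser.b",
    "Trojan.Win32.KillFiles.ki",
    "Backdoor.Win32.Agobot.afy",
    "Email-Worm.Win32.Netsky.t",
    "Email-Worm.Win32.Netsky.t",        # same variant seen twice
    "Email-Worm.Win32.Warezov.a",       # constructed
    "Email-Worm.Win32.Warezov.b",       # constructed
    "Email-Worm.Win32.Warezov.b",       # constructed, repeat of .b
]


def parse_name(name):
    """Split a detection name into behaviour, platform, family and variant.

    Raises ValueError for anything that does not follow the four-part scheme,
    so malformed input is not silently counted as a new family.
    """
    m = NAME_RE.match(name)
    if not m:
        raise ValueError(f"not a Behaviour.Platform.Family.Variant name: {name!r}")
    return m.groupdict()


def variant_index(variant):
    """Ordinal of a variant suffix under the assumed alphabetical scheme.

    a=1 ... z=26, aa=27, ab=28, ... (bijective base 26). This assumption
    is the example's, not something the report states.
    """
    n = 0
    for ch in variant:
        n = n * 26 + (ord(ch) - ord("a") + 1)
    return n


def family_stats(names):
    """Number of distinct variants per family (behaviour.platform.family).

    Repeated sightings of the same variant count once, which is what
    'N modifications in a month' means in the list above.
    """
    variants = defaultdict(set)
    for name in names:
        p = parse_name(name)
        key = f"{p['behaviour']}.{p['platform']}.{p['family']}"
        variants[key].add(p["variant"])
    return {key: len(v) for key, v in variants.items()}


if __name__ == "__main__":
    for family, count in sorted(family_stats(SAMPLE_DETECTIONS).items()):
        print(f"{family}: {count} variant(s)")
    print("index of variant 'aqu':", variant_index("aqu"))
```

Rejecting names that do not match the scheme matters when feeding real scanner logs into a tally like this: heuristic or generic verdicts with a different shape would otherwise be counted as separate families and inflate the numbers.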

The summer holidays are coming up, and although it’s unlikely we’ll see worm epidemics on the scale of those in 2004/5, we’ll still have plenty of work to do. See you in June for the next issue of our Miscellany!
