Monthly Malware Statistics: February 2009

Two Top Twenties have been compiled from data generated by the Kaspersky Security Network (KSN) throughout February 2009.

The first Top Twenty is based on data collected by Kaspersky Lab’s version 2009 antivirus product. The ranking is made up of the malicious programs, adware and potentially unwanted programs most frequently detected on users’ computers.

Position	Change in position	Name
1	0	Virus.Win32.Sality.aa
2	14	Net-Worm.Win32.Kido.ih
3	-1	Packed.Win32.Krap.b
4	3	Packed.Win32.Black.a
5	0	Trojan.Win32.Autoit.ci
6	-3	Worm.Win32.AutoRun.dui
7	New	Packed.Win32.Krap.g
8	-4	Trojan-Downloader.Win32.VB.eql
9	New	Packed.Win32.Klone.bj
10	-2	Virus.Win32.Alman.b
11	-5	Trojan-Downloader.WMA.GetCodec.c
12	0	Worm.Win32.Mabezat.b
13	New	Trojan-Downloader.JS.SWFlash.ak
14	-1	Worm.Win32.AutoIt.ar
15	0	Virus.Win32.Sality.z
16	New	Trojan-Downloader.JS.SWFlash.aj
17	-3	Email-Worm.Win32.Brontok.q
18	New	Packed.Win32.Tdss.c
19	New	Worm.Win32.AutoIt.i
20	New	Trojan-Downloader.WMA.GetCodec.u

February’s Top Twenty features a number of important changes compared to our previous rankings.

First of all, the network worm Kido, which caused an epidemic that started in January and is still going strong, has gained impressive ground. Detection routines for this worm were added to antivirus databases in mid-January, and therefore the bulk of infected files were detected in February.

Secondly, there are three interesting newcomers to the ranking: Packed.Win32.Krap.g, Packed.Win32.Klone.bj and Packed.Win32.Tdss.c. These are associated, respectively, with detections for:

• a variant of a compression utility (packer) for Magania Trojans – a very common family which steals passwords to online games.
• a certain type of obfuscation for AutoIt scripts. Notably, the functionality of the original scripts is limited only by the constraints of the script language itself.
• an entire class of programs encrypted using the new malicious packer TDSS.

The last of the three pieces of malware is interesting in that the original, unencrypted malicious programs can be of any type, including but not limited to Trojans, worms and rootkits.

Trojan-Downloader.WMA.GetCodec.r, which gained 10 positions in January, was replaced in February by a similar multimedia downloader, GetCodec.u, while last month’s newcomer, Exploit.JS.Agent.aak, was superseded by two script downloaders, SWFlash.aj è SWFlash.ak, which take advantage of various Flash Player vulnerabilities.

All malicious, advertising and potentially unwanted programs in the first Top Twenty can be grouped according to the main classes of threats which we detect. There has been almost no shift in the balance between these classes since January. Statistics for the past several months show that the number of self-replicating programs has remained uniformly high.

In total, 45396 unique malicious, advertising, and potentially unwanted programs were detected on users’ computers in February. This is not significantly different from last month’s figure.

The second Top Twenty presents data on which malicious programs most commonly infected objects detected on users’ computers. Malicious programs capable of infecting files make up the majority of this ranking.

Position	Change in position	Name
1	0	Virus.Win32.Sality.aa
2	0	Worm.Win32.Mabezat.b
3	2	Net-Worm.Win32.Nimda
4	New	Virus.Win32.Virut.ce
5	-1	Virus.Win32.Xorer.du
6	0	Virus.Win32.Sality.z
7	-2	Virus.Win32.Alman.b
8	-1	Virus.Win32.Parite.b
9	New	Trojan-Clicker.HTML.IFrame.acy
10	-1	Trojan-Downloader.HTML.Agent.ml
11	-1	Virus.Win32.Virut.n
12	-4	Virus.Win32.Virut.q
13	3	Virus.Win32.Parite.a
14	-3	Email-Worm.Win32.Runouce.b
15	-2	P2P-Worm.Win32.Bacteraloh.h
16	-2	Virus.Win32.Hidrag.a
17	Return	Worm.Win32.Fujack.k
18	Return	Virus.Win32.Neshta.a
19	-4	Virus.Win32.Small.l
20	-2	P2P-Worm.Win32.Deecee.a

The second Top Twenty includes an important newcomer – Virus.Win32.Virut.ce, a new variant of the sophisticated polymorphic virus Virut. This modification features, among other things, infection of HTML files on the user’s computer with a malicious iframe block. Such pages are detected by our antivirus product as Trojan-Clicker.HTML.IFrame.acy. In February, the number of files infected using this method was quite large. The symbiosis between Virus.Win32.Virut.ce and Trojan-Clicker.HTML.IFrame.acy has resulted in the two malicious programs ranking 4th and 9th respectively.

It should also be noted that, although the Sality family is still prominent in the ranking, no new variants of this dangerous malicious program have been detected. This, of course, is not the case with the Virut family mentioned above.