Monthly Malware Statistics: January 2010

Malicious programs detected on users’ computers

The first Top Twenty lists malicious programs, adware and potentially unwanted programs that were detected and neutralized when accessed for the first time, i.e. by the on-access scanner.

Position	Change in position	Name	Number of infected computers
1	0	Net-Worm.Win32.Kido.ir	276021
2	0	Net-Worm.Win32.Kido.iq	197376
3	1	Virus.Win32.Sality.aa	169101
4	-1	Net-Worm.Win32.Kido.ih	164421
5	0	Worm.Win32.FlyStudio.cu	109898
6	21	Trojan-Downloader.JS.Zapchast.m	65476
7	21	Trojan-Downloader.JS.Small.oj	64767
8	1	Trojan-Downloader.WMA.GetCodec.s	63266
9	-1	Trojan-Downloader.Win32.VB.eql	61852
10	2	Virus.Win32.Virut.ce	51944
11	-4	not-a-virus:AdWare.Win32.Boran.z	51868
12	1	Virus.Win32.Induc.a	44432
13	New	Trojan.Win32.AutoRun.sj	39530
14	New	Packed.Win32.Krap.l	38944
15	New	Trojan.Win32.AutoRun.sl	38742
16	1	Worm.Win32.Mabezat.b	37365
17	New	Worm.Win32.AutoIt.tc	36162
18	New	Trojan.Win32.AutoRun.ws	36149
19	-5	Trojan-Dropper.Win32.Flystud.yo	35883
20	-4	Packed.Win32.Black.a	35462

For the third month in a row the top five programs have led the rest of the rating by some distance.

January, however, did see seven new entries, which is unusual for the first Top Twenty. The two script downloaders that entered right behind the leading pack have already made an appearance in our second rating for web-borne malware, but this is the first time they have made it into this rating.

Among the newcomers are three modifications of Trojan.Win32.Autorun that help spread the notorious P2P-Worm.Win32.Palevo and Trojan-GameThief.Win32.Magania via removable devices.

AutoIt, which we have already discussed on a number of occasions, is gaining in popularity with two new malicious programs – Packed.Win32.Krap.l and Worm.Win32.AutoIt.tc – created using this script language.

Malicious programs on the Internet

The second Top Twenty presents data generated by the web antivirus component, and reflects the online threat landscape. This ranking includes malicious programs detected on web pages and malware downloaded to victim machines from web pages.

Position	Change in position	Name	Number of attempted downloads
1	1	Trojan.JS.Redirector.l	615521
2	3	Trojan-Clicker.JS.Iframe.db	299222
3	Return	Trojan-Downloader.JS.Zapchast.m	208056
4	New	Trojan.JS.Iframe.hw	166755
5	-1	Trojan-Downloader.HTML.IFrame.sz	138843
6	21	Trojan-Downloader.JS.Agent.ewo	116110
7	-1	not-a-virus:AdWare.Win32.Boran.z	99567
8	New	Trojan-Downloader.JS.Agent.exc	82147
9	Return	Trojan-Downloader.JS.Small.oj	77659
10	New	Exploit.Win32.Pidief.cvl	75687
11	New	Trojan.JS.Popupper.t	73028
12	2	Trojan-Downloader.JS.Shadraem.a	43592
13	New	Trojan-Clicker.JS.Iframe.dh	39441
14	New	Packed.JS.Agent.bp	39420
15	New	Trojan.JS.Fraud.s	38088
16	-9	Trojan.JS.Iframe.ez	36156
17	New	Trojan-Downloader.JS.Pegel.c	35977
18	New	Trojan.JS.Iframe.ef	34700
19	-2	Trojan-Downloader.JS.Twetti.a	32544
20	-9	Packed.Win32.Krap.ag	31148

The second rating remains a kaleidoscope of the latest cybercriminal creations.

New entries include Trojan.JS.Iframe.hw (4th place), Trojan-Downloader.JS.Agent.ewo (6th), and Trojan-Downloader.JS.Pegel.c (17th) – all of them similar script downloaders that redirect users to other malicious scripts which in turn exploit vulnerabilities in popular software products.

Trojan.JS.Fraud.s in 15th place detects web pages which are cloned from a template and used to spread rogue antivirus applications.

All the other new entries are various script downloaders that infect users’ computers with malicious programs.

It’s worth pointing out that the second Gumblar epidemic fizzled out fairly quickly. We’ll have to wait and see if there is to be a third.

Overall, there has been no major change to recent trends. Malware is actively spreading via removable media with the help of script downloaders, and for the most part exploiting vulnerabilities in popular software products.

Countries where most attempts to infect via the web originated: