Malicious programs detected on users’ computers
The first Top Twenty lists malicious programs, adware and potentially unwanted programs that were detected and neutralized when accessed for the first time, i.e. by the on-access scanner.
Position | Change in position | Name | Number of infected computers |
1 | 0 | Net-Worm.Win32.Kido.ir | 276021 |
2 | 0 | Net-Worm.Win32.Kido.iq | 197376 |
3 | 1 | Virus.Win32.Sality.aa | 169101 |
4 | -1 | Net-Worm.Win32.Kido.ih | 164421 |
5 | 0 | Worm.Win32.FlyStudio.cu | 109898 |
6 | 21 | Trojan-Downloader.JS.Zapchast.m | 65476 |
7 | 21 | Trojan-Downloader.JS.Small.oj | 64767 |
8 | 1 | Trojan-Downloader.WMA.GetCodec.s | 63266 |
9 | -1 | Trojan-Downloader.Win32.VB.eql | 61852 |
10 | 2 | Virus.Win32.Virut.ce | 51944 |
11 | -4 | not-a-virus:AdWare.Win32.Boran.z | 51868 |
12 | 1 | Virus.Win32.Induc.a | 44432 |
13 | New | Trojan.Win32.AutoRun.sj | 39530 |
14 | New | Packed.Win32.Krap.l | 38944 |
15 | New | Trojan.Win32.AutoRun.sl | 38742 |
16 | 1 | Worm.Win32.Mabezat.b | 37365 |
17 | New | Worm.Win32.AutoIt.tc | 36162 |
18 | New | Trojan.Win32.AutoRun.ws | 36149 |
19 | -5 | Trojan-Dropper.Win32.Flystud.yo | 35883 |
20 | -4 | Packed.Win32.Black.a | 35462 |
For the third month in a row the top five programs have led the rest of the rating by some distance.
January, however, did see seven new entries, which is unusual for the first Top Twenty. The two script downloaders that entered right behind the leading pack have already made an appearance in our second rating for web-borne malware, but this is the first time they have made it into this rating.
Among the newcomers are three modifications of Trojan.Win32.AutoRun that help spread the notorious P2P-Worm.Win32.Palevo and Trojan-GameThief.Win32.Magania via removable devices.
AutoIt, which we have already discussed on a number of occasions, is gaining in popularity with two new malicious programs – Packed.Win32.Krap.l and Worm.Win32.AutoIt.tc – created using this scripting language.
Malicious programs on the Internet
The second Top Twenty presents data generated by the web antivirus component, and reflects the online threat landscape. This ranking includes malicious programs detected on web pages and malware downloaded to victim machines from web pages.
Position | Change in position | Name | Number of attempted downloads |
1 | 1 | Trojan.JS.Redirector.l | 615521 |
2 | 3 | Trojan-Clicker.JS.Iframe.db | 299222 |
3 | Return | Trojan-Downloader.JS.Zapchast.m | 208056 |
4 | New | Trojan.JS.Iframe.hw | 166755 |
5 | -1 | Trojan-Downloader.HTML.IFrame.sz | 138843 |
6 | 21 | Trojan-Downloader.JS.Agent.ewo | 116110 |
7 | -1 | not-a-virus:AdWare.Win32.Boran.z | 99567 |
8 | New | Trojan-Downloader.JS.Agent.exc | 82147 |
9 | Return | Trojan-Downloader.JS.Small.oj | 77659 |
10 | New | Exploit.Win32.Pidief.cvl | 75687 |
11 | New | Trojan.JS.Popupper.t | 73028 |
12 | 2 | Trojan-Downloader.JS.Shadraem.a | 43592 |
13 | New | Trojan-Clicker.JS.Iframe.dh | 39441 |
14 | New | Packed.JS.Agent.bp | 39420 |
15 | New | Trojan.JS.Fraud.s | 38088 |
16 | -9 | Trojan.JS.Iframe.ez | 36156 |
17 | New | Trojan-Downloader.JS.Pegel.c | 35977 |
18 | New | Trojan.JS.Iframe.ef | 34700 |
19 | -2 | Trojan-Downloader.JS.Twetti.a | 32544 |
20 | -9 | Packed.Win32.Krap.ag | 31148 |
The second rating remains a kaleidoscope of the latest cybercriminal creations.
New entries include Trojan.JS.Iframe.hw (4th place), Trojan-Downloader.JS.Agent.ewo (6th), and Trojan-Downloader.JS.Pegel.c (17th) – all of them similar script downloaders that redirect users to other malicious scripts which in turn exploit vulnerabilities in popular software products.
Trojan.JS.Fraud.s in 15th place detects web pages which are cloned from a template and used to spread rogue antivirus applications.
All the other new entries are various script downloaders that infect users’ computers with malicious programs.
It’s worth pointing out that the second Gumblar epidemic fizzled out fairly quickly. We’ll have to wait and see if there is to be a third.
Overall, there has been no major change to recent trends. Malware is actively spreading via removable media with the help of script downloaders, and for the most part exploiting vulnerabilities in popular software products.
Countries where most attempts to infect via the web originated:
Monthly Malware Statistics: January 2010