Malware reports

Monthly Malware Statistics: June 2010

Malicious programs detected on users’ computers

The first Top Twenty list below shows malware, adware and potentially unwanted programs that were detected and neutralized by the on-access scanner when they were accessed for the first time.

Position Change in position Name Number of infected computers
1   0   304259  
2   0 Virus.Win32.Sality.aa   193081  
3   0 Net-Worm.Win32.Kido.ih   175811  
4   0   141243  
5   new Exploit.JS.Agent.bab   134868  
6   -1 Trojan.JS.Agent.bhr   130424  
7   -1   102143  
8   -1 Virus.Win32.Virut.ce   69078  
9   -1 Trojan-Downloader.Win32.VB.eql   57578  
10   -1 Worm.Win32.Mabezat.b   47548  
11   new P2P-Worm.Win32.Palevo.fuc   44130  
12   -2 Trojan-Dropper.Win32.Flystud.yo   40081  
13   new Worm.Win32.VBNA.b   33235  
14   0   32214  
15   2 Trojan-Downloader.Win32.Geral.cnh   31525  
16   -5   30585  
17   -5 Packed.Win32.Krap.l   29149  
18   new Trojan.Win32.AutoRun.aje   25890  
19   return Email-Worm.Win32.Brontok.q   25183  
20   new   24809  

The first ten places on the above list remain virtually unchanged from last month, with the Kido network worm and the Sality virus continuing to occupy the top four places. Fifth place saw the appearance of Exploit.JS.Agent.bab, which shunted the next five programs down one place, but we’ll talk more about that exploit a little later.

The new variant of the popular P2P-Worm.Palevo claimed eleventh spot in the list. Palevo.fuc actively seeks out any confidential data entered into a user’s browser window. Peer-to-Peer file sharing using programs such as BearShare, iMesh, Shareaza and eMule is the main method by which this worm propagates. It makes multiple copies of itself in folders used to store files that are commonly downloaded and uploaded, giving catchy names to those copies in the hope that they will attract the attention of potential victims. Other means by which P2P-Worm.Win32.Palevo.fuc propagates include multiple copying to network folders and other network resources, sending links via instant messengers and by teaming up with Trojan.Win32.Autorun to infect any kind of removable device that it may come into contact with.

At least 50,000 removable devices fell victim to infection by the two new variants of Trojan.Win32.Autorun that currently occupy eighteenth and twentieth place in our first Top 20. Both malware samples are autorun.inf files that launch a worm on the same infected device that they themselves reside on as soon as the device is connected to a computer.

Last but not least for this section, there is Worm.Win32.VBNA.b in thirteenth place, a program written in Visual Basic and classified as a malicious packer.

Malicious programs on the Internet

The second Top Twenty list below shows data generated by the web antivirus component and reflects the online threat landscape. This table includes malware detected on web pages and malware downloaded to victim machines from web pages.

Position Change in position Name Number of attempted downloads
1   0   490331  
2   new Exploit.JS.Agent.bab   341085  
3   return Trojan-Downloader.JS.Pegel.b   220359  
4   -2 Exploit.Java.CVE-2010-0886.a   214968  
5   0 Trojan.JS.Agent.bhr   77837  
6   new Exploit.JS.Pdfka.clk   74592  
7   0 not-a-virus:AdWare.Win32.FunWeb.q   65550  
8   new Exploit.JS.Pdfka.ckp   59680  
9   new Worm.Win32.VBNA.b   57442  
10   1   54728  
11   new Hoax.HTML.FakeAntivirus.f   50651  
12   new not-a-virus:AdWare.Win32.FunWeb.ds   49720  
13   -5 Exploit.JS.CVE-2010-0806.i   48089  
14   new Exploit.JS.Pdfka.clm   45489  
15   0 not-a-virus:AdWare.Win32.Shopper.l   44913  
16   0 Trojan.JS.Redirector.l   43787  
17   -8 Exploit.JS.CVE-2010-0806.b   39143  
18   new Trojan.JS.Agent.bky   36481  
19   new   35410  
20   -17 Trojan.JS.Redirector.cq   35375  

Despite some significant changes to this Top 20, five entries, including the number one slot, were non-movers.

This month’s real surprise was the re-entry of Trojan-Downloader.JS.Pegel.b in third place, which is a repeat of the situation we wrote about in April regarding Trojan-Downloader.JS.Gumblar.x. The last time Pegel was highly active was back in February of this year when there were six variants of the family in our list of the most widespread malware on the Internet, with Pegel.b leading the way. Various PDF exploits and the Java CVE-2010-0886 exploit, which we described last month, were used in conjunction with Pegel.b. As well as Pegel and Gumblar, there are some very straightforward but widespread scripts about that are used by cybercriminals to infect legitimate sites. One of them is Trojan.JS.Agent.bky, currently in eighteenth place and on average 0x3B bytes, or a mere 59 symbols in length. Its sole function is to download the main piece of malicious code from a fixed URL.

The second most prevalent web antivirus component on the list, Exploit.JS.Agent.bab, was detected more than 340,000 times. It exploits the old CVE-2010-0806 vulnerability, downloading different malicious programs to victim machines. This is reminiscent of the more familiar scenario whereby Trojan-Downloader.Win32.Geral is downloaded, followed by Rootkit.Win32.Agent, Backdoor.Win32.Hupigon and then Trojan-GameTheif.Win32.Maganiz, Trojan-GameTheif.Win32.WOW etc.

Three new variants of Exploit.JS.Pdfka also made an appearance at sixth, eighth and fourteenth places. It looks like the representatives of this family could be around for a very long time in our second Top 20 as we witness a battle royal between Adobe updates and the latest variants of this exploit, each vying for supremacy over the other. All three modifications downloaded a wide variety of malicious programs.

Internet pages informing users that their computer is infected have become the norm in recent months. Users are offered the chance to scan their machines by browser windows that resemble My Computer. After these ‘scans’ are performed, any click of the mouse, even if the user wants to close the page, downloads an ‘antivirus’ program which in most cases turns out to be a representative of the Trojan-Ransom family or Trojan.Win32.FraudPack. These pages are known to Kaspersky Lab’s users as Hoax.HTML.FakeAntivirus.f and

Potentially unwanted software has also made it into our list this month, with the new variant of AdWare.Win32.FunWeb.ds occupying twelfth place. The raison d’être of this program is to gather data about users’ search requests and more often than not, this data is then used by a system for displaying the banners that frequently pop up during online surfing sessions.

For the majority of cybercriminals, confidential data offers rich pickings. By perfecting the packaging and propagation techniques of malware, seeking out new vulnerabilities and making sly use of phishing and social engineering, the malware writers are trying to harvest as much of this type of data as they can. Despite the fact that antivirus companies are constantly on the alert for this kind of thing, users also need to do their bit and remain vigilant. Remember, how and what you search for on the Internet can potentially reveal a whole lot more about you than you might want anyone to know!

Countries launching the most web-borne infections:

Monthly Malware Statistics: June 2010

Your email address will not be published. Required fields are marked *



APT trends report Q1 2024

The report features the most significant developments relating to APT groups in Q1 2024, including the new malware campaigns DuneQuixote and Durian, and hacktivist activity.

Subscribe to our weekly e-mails

The hottest research right in your inbox