Monthly Malware Statistics: May 2009

Two Top Twenties have been compiled from data generated by the Kaspersky Security Network (KSN) throughout May 2009.

The first Top Twenty is based on data collected by Kaspersky Lab’s version 2009 antivirus product. The ranking is made up of the malicious programs, adware and potentially unwanted programs most frequently detected on users’ computers.

Position	Change in position	Name
1	0	Net-Worm.Win32.Kido.ih
2	0	Virus.Win32.Sality.aa
3	0	Trojan-Dropper.Win32.Flystud.ko
4	1	Trojan.Win32.Autoit.ci
5	8	Trojan.JS.Agent.xy
6	3	Exploit.HTML.CodeBaseExec
7	-1	Trojan-Downloader.Win32.VB.eql
8	-4	Trojan.Win32.Chifrax.a
9	3	Virus.Win32.Virut.ce
10	1	Virus.Win32.Sality.z
11	-3	Worm.Win32.AutoRun.dui
12	-5	Packed.Win32.Krap.b
13	-3	Packed.Win32.Black.a
14	0	Worm.Win32.Mabezat.b
15	0	Virus.Win32.Alman.b
16	1	Packed.Win32.Klone.bj
17	New	P2P-Worm.Win32.Palevo.ddm
18	New	Trojan.Win32.Swizzor.a
19	0	Exploit.JS.Agent.agc
20	0	Email-Worm.Win32.Brontok.q

There were no significant changes to this Top Twenty in May.

There are only two newcomers: Palevo.ddm, a P2P worm and Swizzor.a, a Trojan.

The former, in addition to spreading via a range of public peer-to-peer networks, infects removable media. This helps it spread more widely.

The latter utilizes some interesting and sophisticated tricks to obfuscate its code and mask its presence on the system. Since hundreds of new variants of this malicious program are created every day and placed on cybercriminal servers, this Trojan has made it into both our Top Twenty rankings.

All malicious, advertising and potentially unwanted programs in the first Top Twenty can be grouped according to the main classes of threat which we detect. In the past few months, the changes in the balance between these classes have not exceeded 5%.

A total of 42,520 unique malicious, advertising, and potentially unwanted programs were detected on users’ computers in April. This figure is almost exactly the same as last month’s.

The second Top Twenty presents data on which malicious programs most commonly infected objects detected on users’ computers. Malicious programs capable of infecting files make up the majority of this ranking.

Position	Change in position	Name
1	0	Virus.Win32.Sality.aa
2	0	Worm.Win32.Mabezat.b
3	New	Trojan-Clicker.HTML.IFrame.aga
4	-1	Virus.Win32.Virut.ce
5	-1	Net-Worm.Win32.Nimda
6	-1	Virus.Win32.Xorer.du
7	-1	Virus.Win32.Sality.z
8	-1	Virus.Win32.Parite.b
9	0	Virus.Win32.Alman.b
10	-2	Virus.Win32.Virut.q
11	1	Net-Worm.Win32.Kido.ih
12	-2	Virus.Win32.Small.l
13	-2	Email-Worm.Win32.Runouce.b
14	3	Worm.Win32.Fujack.k
15	0	Virus.Win32.Parite.a
16	-2	Virus.Win32.Virut.n
17	-1	Virus.Win32.Hidrag.a
18	New	Virus.Win32.Sality.ae
19	Return	Worm.Win32.Otwycal.g
20	New	Trojan.Win32.Swizzor.a

Contrary to the trend demonstrated in the past few months, May saw more changes to the second ranking than the first.

The most interesting changes were: Trojan-Clicker.HTML.IFrame.aga, going straight in to third place, and the appearance, albeit towards the bottom of the ranking, of Virus.Win32.Sality.ae.

IFrame.aga is one more version of the iframe that the now widespread Virus.Win32.Virut.ce uses to infect web pages. And Sality.ae is the latest version of the well-known Sality virus. The new variant replaces Sality.y after it dropped out of our ranking in January. As a result, there are three members of this family on our ranking again. Even though this new variant is towards the bottom of the table, if previous versions of this malware are anything to go by, we can expect this newcomer to begin climbing.