Monthly Malware Statistics: November 2008

Two Top Twenties have been compiled from data provided by the Kaspersky Security Network in November 2008.

The first Top Twenty is made up of those malicious programs most frequently detected on users’ computers by the 2009 antivirus products.

Position	Change in position	Name
1	3	Virus.Win32.Sality.aa
2	0	Packed.Win32.Krap.b
3	New	Trojan-Downloader.WMA.GetCodec.c
4	-1	Worm.Win32.AutoRun.dui
5	3	Trojan-Downloader.Win32.VB.eql
6	New	Worm.Win32.AutoRun.rja
7	0	Packed.Win32.Black.a
8	New	Exploit.JS.RealPlr.nn
9	New	Trojan-Downloader.JS.Tabletka.a
10	-5	Trojan-Downloader.JS.IstBar.cx
11	-1	Trojan.Win32.Agent.abt
12	New	Trojan-Downloader.Win32.Agent.anje
13	2	Virus.Win32.VB.bu
14	New	Worm.Win32.Mabezat.b
15	New	Worm.Win32.AutoRun.eee
16	0	Email-Worm.Win32.Brontok.q
17	-8	Virus.Win32.Alman.b
18	-7	Worm.VBS.Autorun.r
19	New	Trojan-Downloader.JS.Iframe.yp
20	New	Trojan.Win32.Autoit.ci

In November, Sality.aa made it to the top of the table. There has been a sharp increase in the number of computers infected by this malicious program during the last two months, and last month’s prediction – that an epidemic was looming – has come true, with new versions of the virus appearing several times a week.

This month GetCodec.c fulfils a similar function to that of Wimad.n last month – it exploits a documented, but little known functionality in the ASF format. Given that multimedia is an inseparable part of today’s electronic world, there are good grounds to expect that other, similar malicious programs will appear.

There are two new script downloaders in the rankings – Trojan-Downloader.JS.Tabletka.a and Trojan-Downloader.JS.Iframe.yp – along with three worms, two of which are from the Autorun family which is expanding by leaps and bounds. Given the effectiveness with which Autorun worms propagate, we can only expect an increase in the number of machines infected by these programs. Incidentally, the third new worm, Mabezat.b, leads our second Top Twenty.

All the malicious, advertising and potentially unwanted programs which are included in the Top Twenty can be grouped into three broad classes. The share taken by Trojan programs has dropped another 10%, with the share of self-replicating programs growing from 30% to 45%, a fact which is both significant and alarming.

In total, 45,690 unique malicious, advertising, and potentially unwanted programs were detected on users’ computers during November. There has been a steady increase in the number of threats found in the wild, with a final figure for the month of 6,500.

The second Top Twenty presents data on which programs most often infect objects detected on users’ computers. Naturally, this rating mainly contains malicious programs which are capable of infecting files.

Position	Change in position	Name
1	0	Worm.Win32.Mabezat.b
2	1	Virus.Win32.Sality.aa
3	1	Net-Worm.Win32.Nimda
4	-2	Virus.Win32.Xorer.du
5	1	Virus.Win32.Parite.b
6	1	Virus.Win32.Virut.n
7	-2	Virus.Win32.Alman.b
8	0	Virus.Win32.Sality.z
9	1	Virus.Win32.Small.l
10	2	Email-Worm.Win32.Runouce.b
11	-2	Virus.Win32.Virut.q
12	3	Virus.Win32.Parite.a
13	4	Worm.Win32.Fujack.k
14	-1	Worm.Win32.Otwycal.g
15	-1	Virus.Win32.Hidrag.a
16	New	P2P-Worm.Win32.Bacteraloh.h
17	Return	Worm.VBS.Headtail.a
18	-2	Trojan.Win32.Obfuscated.gen
19	1	Virus.Win32.Neshta.a
20	-2	Trojan-Downloader.WMA.GetCodec.b

There have been few changes in these rankings over the course of the month; a single new program, and one which returned to the rankings. This confirms the view voiced last month that the contents of this Top Twenty are relatively stable.

The new addition, a worm called Bacteraloh.h, was first detected by Kaspersky Lab in January 2007. This extremely old worm made it into the second ranking because it is used in some modifications of the Sality virus. And that virus family, as we have already noted, is very active at the moment.

Worm.VBS.Headtail.a, which fell off the bottom of the rankings in September, has now returned. As this malicious program has appeared and vanished from the rankings several times, it seems safe to say that its volatile behaviour will continue for some time.