Malware reports

Online Scanner Top Twenty for April 2007

Position Change in position Name Percentage
1. New!
Trojan-Proxy.Win32.Dlena.cb 3,23
2. New!
Packed.Win32.PolyCrypt.b 2,87
3. New!
Trojan-Spy.Win32.ProAgent.21 1,88
4. Down
Email-Worm.Win32.Brontok.q 1,52
5. New!
not-a-virus:AdWare.Win32.Virtumonde.if 1,43
6. Up
Trojan.Win32.Agent.qt 1,26
7. New!
New! 1,17
8. New!
Virus.VBS.Small.a 1,17
9. Return
Trojan-Clicker.Win32.Small.kj 1,08
10. New!
Trojan-Downloader.Win32.Small.dge 1,08
11. New!
Packed.Win32.Tibs.r 1,08
12. New!
IM-Worm.Win32.Sohanad.t 0,99
13. New!
Trojan-Downloader.Win32.Small.edb 0,99
14. Down
Email-Worm.Win32.Rays 0,90
15. Down
not-a-virus:Monitor.Win32.Perflogger.163 0,90
16. New!
not-a-virus:Porn-Dialer.Win32.GBDialer.i 0,81
17. New!
Trojan-Downloader.Win32.Small.ddx 0,81
18. New!
New! 0,72
19. New!
New! 0,63
20. Return
Trojan.Win32.Obfuscated.ev 0,63
Other malicious programs 74,85


It’s usual for the leader in our online rankings to change, but this month’s leader is very unusual. There’s nothing extraordinary about Trojan-Proxy programs, but one thing is peculiar: Dlena.cb is a program from a large family of Trojans with approximately 90 variants, and we’ve been detecting programs from this family for over a year. In all this time, there’s never been a single user complaint about any program from this family, so obviously it’s never made it to our rankings. These Trojans seemed to be quite rare. But now, one variant is leading our April Online Scanner Top Twenty. As a rule, if a malicious program is actively spreading or seems likely to become a continuing threat, such as the Warezov worms, even the first variant will usually be highly visible and make it into our rankings. In this case, however, it seems to have taken the unknown authors a year and dozens of draft programs for a variant to come to our attention.

Overall, there’s nothing really new in Dlena.cb – it is a typical Trojan proxy which can be used to send spam. There are dozens of similar families, and up until now, the best known was the Horst family. However, Dlena may cause serious problems in the near future.

The number of Trojan spy programs has dropped significantly. There is only one such program, ProAgent, in the April Top Twenty; it is however in 3rd place. We’ve known about this program for many years. It will record all data entered via the keyboard, and although it’s not as sophisticated as the Trojans that steal only bank account data, it is still relatively efficient and is popular among script kiddies.

Virtumonde, an adware program, is continuing to evolve. This piece of malicious code has figured in our rankings for several months now. This is due to the fact that not only have the authors of this program begun using rootkit technologies to give the program a better chance of remaining undetected in the system, but they are also distributing it using real Trojans. For example,, which is in 7th place, installs Virtumonde in addition to other programs.

Small.a, a script virus which is in 8th place, is also of some interest. It might seem that such viruses have long since had their day: the last notable representative from this group was the Redlof virus a couple of years ago. However, Small.a has managed to spread to a large number of computers, especially in Russia, as a component of other malicious programs.

Other malicious programs worth noting are IM-Worm.Win32.Sohanad.t and not-a-virus:Porn-Dialer.Win32.GBDialer.i.

The first program belongs to the rapidly developing class of worms that spread via instant messaging. This is the first time a worm of this class has been included in our statistics, but it is likely that in future we will see these worms make it into our Top Twenties more often.

Unlike IM-Worms, Porn Dialer programs have been in the Top Twenty before. Moreover, a short time ago, Trojan dialers accounted for almost one half of our table. We wondered what had caused this burst of activity and whether it would become a steady trend. The dialer programs have remained a significant presence, seeming to indicate that a trend has been established after all.

And, finally, a few words about the Rays and Brontok worms. Very few malicious programs have been so tenacious or have caused so many problems in recent years. Luckily, these worms propagate poorly via email, but tend to infect local area networks through accessible network resources.


  • New: Trojan-Proxy.Win32.Dlena.cb, Packed.Win32.PolyCrypt.b, Trojan-Spy.Win32.ProAgent.21, not-a-virus:AdWare.Win32.Virtumonde.if,, Virus.VBS.Small.a, Trojan-Downloader.Win32.Small.dge, Packed.Win32.Tibs.r, IM-Worm.Win32.Sohanad.t, Trojan-Downloader.Win32.Small.edb, not-a-virus:Porn-Dialer.Win32.GBDialer.i, Trojan-Downloader.Win32.Small.ddx,,
  • Moved up: Trojan.Win32.Agent.qt
  • Moved down: Email-Worm.Win32.Brontok.q, Email-Worm.Win32.Rays, not-a-virus:Monitor.Win32.Perflogger.163
  • Re-entry: Trojan-Clicker.Win32.Small.kj, Trojan.Win32.Obfuscated.ev

Online Scanner Top Twenty for April 2007

Your email address will not be published. Required fields are marked *


Subscribe to our weekly e-mails

The hottest research right in your inbox