Malware reports

Online Scanner Top Twenty for August 2007

| Position | Change in position | Name | Percentage |
|---|---|---|---|
| 1 | Up | Packed.Win32.PolyCrypt.b | 2.05 |
| 2 | Up | Trojan.Win32.Dialer.qn | 1.65 |
| 3 | Up | Trojan-Downloader.Win32.LoadAdv.gen | 1.42 |
| 4 | Return | Email-Worm.Win32.Brontok.q | 1.11 |
| 5 | Down | Backdoor.Win32.IRCBot.acd | 0.96 |
| 6 | Down | Trojan-Downloader.Win32.Small.eqn | 0.95 |
| 7 | Return | Trojan-Spy.Win32.Bancos.aam | 0.94 |
| 8 | Return | Trojan-Downloader.Win32.Small.ddp | 0.90 |
| 9 | Up | not-a-virus:PSWTool.Win32.RAS.a | 0.90 |
| 10 | Up | Email-Worm.Win32.Rays | 0.84 |
| 11 | No Change | | 0.81 |
| 12 | New! | | 0.72 |
| 13 | New! | Backdoor.Win32.Bifrose.aci | 0.57 |
| 14 | New! | Trojan.Win32.Agent.asu | 0.55 |
| 15 | Return | Trojan-Spy.Win32.Delf.uv | 0.53 |
| 16 | New! | Trojan-Spy.Win32.Ardamax.e | 0.53 |
| 17 | Return | IM-Worm.Win32.Sohanad.t | 0.52 |
| 18 | Return | | 0.52 |
| 19 | Down | Virus.VBS.Small.a | 0.51 |
| 20 | Return | Trojan.Win32.Obfuscated.en | 0.50 |
| | | Other malicious programs | 82.52% |


It seemed as though we had almost completely got rid of the Rays and Brontok worms. In June, Rays did not make the Top Twenty, but it was back again hanging onto twentieth place in July. Brontok’s position dropped over the same period by seven places each month, and the worm didn’t even make the Top Twenty in July. Both made a comeback in August, however. Brontok returned with a bang in fourth place, and Rays climbed ten positions, making it into the Top Ten.

In general, the changes in online statistics are much less significant than they have been over the past few months. Only 4 new malicious and potentially unwanted programs have emerged. The percentages of all of the programs that made the Top Twenty are extremely small – Packed.Win32.PolyCrypt.b, the leader in August, garnered just 2%. This is striking compared to Dialer.cj’s chart-topping 9% in July (which nevertheless did not prevent it from disappearing without a trace in August).

Malicious programs such as Bancos.aam and Trojan-Downloader.Win32.Small.ddp also managed to make a comeback in August. The former covers several hundred spyware programs which target both user bank accounts and the clients used to access certain stock exchange trading systems. What distinguishes Bancos.aam is its special ‘interface’: the Trojan can be used as a botnet component, making it possible for a malicious user to send individual instructions to each infected machine about which payment system accounts to target. Small.ddp is also designed to install several malicious botnet components on infected systems.

Overall, there are more Trojan Spies in the Top Twenty this month than there were in June or July. Newcomers include Trojan-Spy.Win32.Ardamax.e, a keylogger, and, which has similar functionality but is a legitimate program. In addition to,, another potentially unwanted program also made the Top Twenty this month (18th place).

The leader in June, a piece of adware called, was able to stop its decline after a ten-position plummet in July, and placed 11th in August. Expect to see more of this program, since its main carrier, Trojan-Downloader.Win32.LoadAdv.gen, has once again been ranked in the top three most common malicious programs, up from sixth place. This means more new variants of Virtumonde can be expected in the future.

  • New:, Backdoor.Win32.Bifrose.aci, Trojan.Win32.Agent.asu, Trojan-Spy.Win32.Ardamax.e
  • Moved up: Packed.Win32.PolyCrypt.b, Trojan.Win32.Dialer.qn, not-a-virus:PSWTool.Win32.RAS.a, Email-Worm.Win32.Rays
  • Moved down: Backdoor.Win32.IRCBot.acd, Trojan-Downloader.Win32.Small.eqn, Virus.VBS.Small.a
  • Re-entry: Email-Worm.Win32.Brontok.q, Trojan-Spy.Win32.Bancos.aam, Trojan-Spy.Win32.Delf.uv, IM-Worm.Win32.Sohanad.t,, Trojan.Win32.Obfuscated.en
