Malware reports

Online Scanner Top Twenty for August 2007

Position Change in position Name Percentage
1. Up
Packed.Win32.PolyCrypt.b 2.05
2. Up
Trojan.Win32.Dialer.qn 1.65
3. Up
Trojan-Downloader.Win32.LoadAdv.gen 1.42
4. Return
Email-Worm.Win32.Brontok.q 1.11
5. Down
Backdoor.Win32.IRCBot.acd 0.96
6. Down
Trojan-Downloader.Win32.Small.eqn 0.95
7. Return
Trojan-Spy.Win32.Bancos.aam 0.94
8. Return
Trojan-Downloader.Win32.Small.ddp 0.90
9. Up
not-a-virus:PSWTool.Win32.RAS.a 0.90
10. Up
Email-Worm.Win32.Rays 0.84
11. No Change
0 0.81
12. New!
New! 0.72
13. New!
Backdoor.Win32.Bifrose.aci 0.57
14. New!
Trojan.Win32.Agent.asu 0.55
15. Return
Trojan-Spy.Win32.Delf.uv 0.53
16. New!
Trojan-Spy.Win32.Ardamax.e 0.53
17. Return
IM-Worm.Win32.Sohanad.t 0.52
18. Return
Return 0.52
19. Down
Virus.VBS.Small.a 0.51
20. Return
Trojan.Win32.Obfuscated.en 0.50
Other malicious programs 82.52%


It seemed as though we had almost completely got rid of the Rays and Brontok worms. In June, Rays did not make the Top Twenty, but it was back again hanging onto twentieth place in July. Brontok’s position dropped over the same period by seven places each month, and the worm didn’t even make the Top Twenty in July. The two both made a comeback in August, however. Brontok returned with a bang in fourth place, and Rays climbed ten positions, making it into the Top Ten.

In general, the changes in online statistics are much less than significant than they have been over the past few months. Only 4 new malicious and potentially unwanted programs have emerged. The percentages of all of the programs that made the top twenty are extremely small – Packed.Win32.PolyCrypt.b, the leader in August, garnered just 2%. This is striking compared to Dialer.cj’s chart-topping 9% in July (which nevertheless did not prevent it from disappearing without a trace in August).

Malicious programs such as Bancos.aam and Trojan-Downloader.Win32.Small.ddp also managed to make a comeback in August. The former covers several hundred spyware programs which target both user bank accounts and the clients used to access certain stock exchange trading systems. What distinguishes Bancos.aam is its special ‘interface’: the Trojan can be used as a botnet component, making it possible for a malicious user to send individual instructions to each infected machine about which payment system accounts to target. Small.ddp is also designed to install several malicious botnet components on infected systems.

Overall, there are more Trojan Spies in the Top Twenty this month than there were in June or July. Newcomers include Trojan-Spy.Win32. Ardamax.e, a keylogger, and, which has similar functionality but is a legitimate program. In addition to,, another potentially unwanted program also made the Top Twenty this month (18th place).

The leader in June, a piece of adware called, was able to stop its decline after a ten-position plummet in July, and placed 11th in August. Expect to see more of this program, since its main carrier, Trojan-Downloader.Win32.LoadAdv.gen, has once again been ranked in the top three most common malicious programs, up from sixth place. This means more new variants of Virtumonde can be expected in the future.

  • New:, Backdoor.Win32.Bifrose.aci, Trojan.Win32.Agent.asu, Trojan-Spy.Win32.Ardamax.e
  • Moved up: Packed.Win32.PolyCrypt.b, Trojan.Win32.Dialer.qn, not-a-virus:PSWTool.Win32.RAS.a, Email-Worm.Win32.Rays.
  • Moved down: Backdoor.Win32.IRCBot.acd, Trojan-Downloader.Win32.Small.eqn, Virus.VBS.Small.a
  • Re-entry: Email-Worm.Win32.Brontok.q, Trojan-Spy.Win32.Bancos.aam, Trojan-Spy.Win32.Delf.uv, IM-Worm.Win32.Sohanad.t,, Trojan.Win32.Obfuscated.en

Online Scanner Top Twenty for August 2007

Your email address will not be published. Required fields are marked *



APT trends report Q2 2021

This is our latest summary of advanced persistent threat (APT) activity, focusing on significant events that we observed during Q2 2021: attacks against Microsoft Exchange servers, APT29 and APT31 activities, targeting campaigns, etc.

LuminousMoth APT: Sweeping attacks for the chosen few

We recently came across unusual APT activity that was detected in high volumes, albeit most likely aimed at a few targets of interest. Further analysis revealed that the actor, which we dubbed LuminousMoth, shows an affinity to the HoneyMyte group, otherwise known as Mustang Panda.

WildPressure targets the macOS platform

We found new malware samples used in WildPressure campaigns: newer version of the C++ Milum Trojan, a corresponding VBScript variant with the same version number, and a Python script working on both Windows and macOS.

Ferocious Kitten: 6 years of covert surveillance in Iran

Ferocious Kitten is an APT group that has been targeting Persian-speaking individuals in Iran. Some of the TTPs used by this threat actor are reminiscent of other groups, such as Domestic Kitten and Rampant Kitten. In this report we aim to provide more details on these findings.

Subscribe to our weekly e-mails

The hottest research right in your inbox