Malware reports

Online Scanner Top Twenty for August 2007

Position Change in position Name Percentage
1. Up
Packed.Win32.PolyCrypt.b 2.05
2. Up
Trojan.Win32.Dialer.qn 1.65
3. Up
Trojan-Downloader.Win32.LoadAdv.gen 1.42
4. Return
Email-Worm.Win32.Brontok.q 1.11
5. Down
Backdoor.Win32.IRCBot.acd 0.96
6. Down
Trojan-Downloader.Win32.Small.eqn 0.95
7. Return
Trojan-Spy.Win32.Bancos.aam 0.94
8. Return
Trojan-Downloader.Win32.Small.ddp 0.90
9. Up
not-a-virus:PSWTool.Win32.RAS.a 0.90
10. Up
Email-Worm.Win32.Rays 0.84
11. No Change
0 0.81
12. New!
New! 0.72
13. New!
Backdoor.Win32.Bifrose.aci 0.57
14. New!
Trojan.Win32.Agent.asu 0.55
15. Return
Trojan-Spy.Win32.Delf.uv 0.53
16. New!
Trojan-Spy.Win32.Ardamax.e 0.53
17. Return
IM-Worm.Win32.Sohanad.t 0.52
18. Return
Return 0.52
19. Down
Virus.VBS.Small.a 0.51
20. Return
Trojan.Win32.Obfuscated.en 0.50
Other malicious programs 82.52%


It seemed as though we had almost completely got rid of the Rays and Brontok worms. In June, Rays did not make the Top Twenty, but it was back again hanging onto twentieth place in July. Brontok’s position dropped over the same period by seven places each month, and the worm didn’t even make the Top Twenty in July. The two both made a comeback in August, however. Brontok returned with a bang in fourth place, and Rays climbed ten positions, making it into the Top Ten.

In general, the changes in online statistics are much less than significant than they have been over the past few months. Only 4 new malicious and potentially unwanted programs have emerged. The percentages of all of the programs that made the top twenty are extremely small – Packed.Win32.PolyCrypt.b, the leader in August, garnered just 2%. This is striking compared to Dialer.cj’s chart-topping 9% in July (which nevertheless did not prevent it from disappearing without a trace in August).

Malicious programs such as Bancos.aam and Trojan-Downloader.Win32.Small.ddp also managed to make a comeback in August. The former covers several hundred spyware programs which target both user bank accounts and the clients used to access certain stock exchange trading systems. What distinguishes Bancos.aam is its special ‘interface’: the Trojan can be used as a botnet component, making it possible for a malicious user to send individual instructions to each infected machine about which payment system accounts to target. Small.ddp is also designed to install several malicious botnet components on infected systems.

Overall, there are more Trojan Spies in the Top Twenty this month than there were in June or July. Newcomers include Trojan-Spy.Win32. Ardamax.e, a keylogger, and, which has similar functionality but is a legitimate program. In addition to,, another potentially unwanted program also made the Top Twenty this month (18th place).

The leader in June, a piece of adware called, was able to stop its decline after a ten-position plummet in July, and placed 11th in August. Expect to see more of this program, since its main carrier, Trojan-Downloader.Win32.LoadAdv.gen, has once again been ranked in the top three most common malicious programs, up from sixth place. This means more new variants of Virtumonde can be expected in the future.

  • New:, Backdoor.Win32.Bifrose.aci, Trojan.Win32.Agent.asu, Trojan-Spy.Win32.Ardamax.e
  • Moved up: Packed.Win32.PolyCrypt.b, Trojan.Win32.Dialer.qn, not-a-virus:PSWTool.Win32.RAS.a, Email-Worm.Win32.Rays.
  • Moved down: Backdoor.Win32.IRCBot.acd, Trojan-Downloader.Win32.Small.eqn, Virus.VBS.Small.a
  • Re-entry: Email-Worm.Win32.Brontok.q, Trojan-Spy.Win32.Bancos.aam, Trojan-Spy.Win32.Delf.uv, IM-Worm.Win32.Sohanad.t,, Trojan.Win32.Obfuscated.en

Online Scanner Top Twenty for August 2007

Your email address will not be published. Required fields are marked *



APT trends report Q1 2024

The report features the most significant developments relating to APT groups in Q1 2024, including the new malware campaigns DuneQuixote and Durian, and hacktivist activity.

Subscribe to our weekly e-mails

The hottest research right in your inbox