Malware reports

Online Scanner Top Twenty for February 2007

Position Change in position Name Percentage
1. Return
Email-Worm.Win32.Mydoom.m 1.66
2. New!
Trojan.Win32.Agent.qt 1.50
3. No Change Email-Worm.Win32.Rays 1.30
4. Up
not-a-virus:Monitor.Win32.Perflogger.163 1.20
5. Up
Email-Worm.Win32.Brontok.q 1.11
6. Up
Trojan.Win32.Dialer.cj 0.99
7. Return
Backdoor.IRC.Zapchast 0.87
8. Up
not-a-virus:PSWTool.Win32.RAS.a 0.84
9. New!
Trojan-Downloader.Win32.Small.ddp 0.80
10. New!
New! 0.63
11. New!
New! 0.63
12. New!
not-a-virus:AdWare.Win32.Virtumonde.ha 0.55
13. Up
+4 0.54
14. New!
New! 0.52
15. New!
Trojan-Downloader.Win32.Bagle.bp 0.51
16. Up
+4 0.50
17. New!
Trojan-Clicker.Win32.Small.kj 0.48
18. New!
New! 0.47
19. Down
Trojan-Downloader.Win32.Small.edb 0.46
20. Return
Email-Worm.Win32.Mydoom.l 0.46
Other malicious programs 83.98

For the last few months, the Online Top Twenty has contained an unusually large number of Trojan dialers. They reached their peak in January, with five such programs in the rankings, and Diamin.fc in first place. The situation took a surprising turn in February: Diamin.fc dropped off the bottom of the table, and only Dialer.cj, which led the rankings in December 2006, was left.

Email worms, on the other hand, appear to be very active. In addition to Rays and Brontok, which have become something of a fixture in the online ratings, Mydoom.m has returned in first place. New worms such as and have also put in an appearance. It’s interesting that no Zhelatin variants showed up in the Online statistics, as they occupied a significant proportion of our mail traffic statistics. This may partly be due to the fact that Zhelatin epidemics were mostly cut off at mail server level, meaning that a relatively small number of infected emails actually reached end users.

The combination of old and new worms have succeeded in squeezing out Trojan Downloader programs, which previously have been extremely numerous. This month’s Top Twenty only has four Trojan downloaders, and those that remain are not in high positions.

True Trojan spy programs are continuing their decline: for the second month in a row, the only program from this category is the Brazilian However, other spy type programs are still widespread on users’ machines, as a look at fourth, eighth, and thirteenth place demonstrates. Virtumonde, an adware program, also seems to be common, with Virtumonde.ha in twelfth place, but is the only piece of adware in February’s rankings.


  • New: Trojan.Win32.Agent.qt, Trojan-Downloader.Win32.Small.ddp,,, not-a-virus:AdWare.Win32.Virtumonde.ha,, Trojan-Downloader.Win32.Bagle.bp, Trojan-Clicker.Win32.Small.kj,
  • Moved up: not-a-virus:Monitor.Win32.Perflogger.163, Email-Worm.Win32.Brontok.q, Trojan.Win32.Dialer.cj, not-a-virus:PSWTool.Win32.RAS.a,,
  • Moved down: Trojan-Downloader.Win32.Small.edb
  • Re-entry: Email-Worm.Win32.Mydoom.m, Backdoor.IRC.Zapchast, Email-Worm.Win32.Mydoom.l

Online Scanner Top Twenty for February 2007

Your email address will not be published.



The SessionManager IIS backdoor

In early 2022, we investigated an IIS backdoor called SessionManager. It has been used against NGOs, government, military and industrial organizations in Africa, South America, Asia, Europe, Russia and the Middle East.

APT ToddyCat

ToddyCat is a relatively new APT actor responsible for multiple sets of attacks against high-profile entities in Europe and Asia. Its main distinctive signs are two formerly unknown tools that we call ‘Samurai backdoor’ and ‘Ninja Trojan’.

WinDealer dealing on the side

We have discovered that malware dubbed WinDealer, spread by Chinese-speaking APT actor LuoYu, has an ability to perform intrusions through a man-on-the-side attack.

APT trends report Q1 2022

This is our latest summary of advanced persistent threat (APT) activity, focusing on events that we observed during Q1 2022.

Subscribe to our weekly e-mails

The hottest research right in your inbox