Malware reports

Online Scanner Top Twenty for February 2007

Position Change in position Name Percentage
1. Return
Email-Worm.Win32.Mydoom.m 1.66
2. New!
Trojan.Win32.Agent.qt 1.50
3. No Change Email-Worm.Win32.Rays 1.30
4. Up
not-a-virus:Monitor.Win32.Perflogger.163 1.20
5. Up
Email-Worm.Win32.Brontok.q 1.11
6. Up
Trojan.Win32.Dialer.cj 0.99
7. Return
Backdoor.IRC.Zapchast 0.87
8. Up
not-a-virus:PSWTool.Win32.RAS.a 0.84
9. New!
Trojan-Downloader.Win32.Small.ddp 0.80
10. New!
New! 0.63
11. New!
New! 0.63
12. New!
not-a-virus:AdWare.Win32.Virtumonde.ha 0.55
13. Up
+4 0.54
14. New!
New! 0.52
15. New!
Trojan-Downloader.Win32.Bagle.bp 0.51
16. Up
+4 0.50
17. New!
Trojan-Clicker.Win32.Small.kj 0.48
18. New!
New! 0.47
19. Down
Trojan-Downloader.Win32.Small.edb 0.46
20. Return
Email-Worm.Win32.Mydoom.l 0.46
Other malicious programs 83.98

For the last few months, the Online Top Twenty has contained an unusually large number of Trojan dialers. They reached their peak in January, with five such programs in the rankings, and Diamin.fc in first place. The situation took a surprising turn in February: Diamin.fc dropped off the bottom of the table, and only Dialer.cj, which led the rankings in December 2006, was left.

Email worms, on the other hand, appear to be very active. In addition to Rays and Brontok, which have become something of a fixture in the online ratings, Mydoom.m has returned in first place. New worms such as and have also put in an appearance. It’s interesting that no Zhelatin variants showed up in the Online statistics, as they occupied a significant proportion of our mail traffic statistics. This may partly be due to the fact that Zhelatin epidemics were mostly cut off at mail server level, meaning that a relatively small number of infected emails actually reached end users.

The combination of old and new worms have succeeded in squeezing out Trojan Downloader programs, which previously have been extremely numerous. This month’s Top Twenty only has four Trojan downloaders, and those that remain are not in high positions.

True Trojan spy programs are continuing their decline: for the second month in a row, the only program from this category is the Brazilian However, other spy type programs are still widespread on users’ machines, as a look at fourth, eighth, and thirteenth place demonstrates. Virtumonde, an adware program, also seems to be common, with Virtumonde.ha in twelfth place, but is the only piece of adware in February’s rankings.


  • New: Trojan.Win32.Agent.qt, Trojan-Downloader.Win32.Small.ddp,,, not-a-virus:AdWare.Win32.Virtumonde.ha,, Trojan-Downloader.Win32.Bagle.bp, Trojan-Clicker.Win32.Small.kj,
  • Moved up: not-a-virus:Monitor.Win32.Perflogger.163, Email-Worm.Win32.Brontok.q, Trojan.Win32.Dialer.cj, not-a-virus:PSWTool.Win32.RAS.a,,
  • Moved down: Trojan-Downloader.Win32.Small.edb
  • Re-entry: Email-Worm.Win32.Mydoom.m, Backdoor.IRC.Zapchast, Email-Worm.Win32.Mydoom.l

Online Scanner Top Twenty for February 2007

Your email address will not be published. Required fields are marked *



Lazarus targets defense industry with ThreatNeedle

In mid-2020, we realized that Lazarus was launching attacks on the defense industry using the ThreatNeedle cluster, an advanced malware cluster of Manuscrypt (a.k.a. NukeSped). While investigating this activity, we were able to observe the complete life cycle of an attack, uncovering more technical details and links to the group’s other campaigns.

Sunburst backdoor – code overlaps with Kazuar

While looking at the Sunburst backdoor, we discovered several features that overlap with a previously identified backdoor known as Kazuar. Our observations shows that Kazuar was used together with Turla tools during multiple breaches in past years.

Lazarus covets COVID-19-related intelligence

As the COVID-19 crisis grinds on, some threat actors are trying to speed up vaccine development by any means available. We have found evidence that the Lazarus group is going after intelligence that could help these efforts by attacking entities related to COVID-19 research.

Sunburst: connecting the dots in the DNS requests

We matched private and public DNS data for the SUNBURST-malware root C2 domain with the CNAME records, to identify who was targeted for further exploitation. In total, we analyzed 1722 DNS records, leading to 1026 unique target name parts and 964 unique UIDs.

Subscribe to our weekly e-mails

The hottest research right in your inbox