Online Scanner Top Twenty for February 2008

Position  Change   Name                                       Percentage
1         Return   not-a-virus:AdWare.Win32.Virtumonde.gen    2.86
2         New      Email-Worm.Win32.Bagle.of                  1.32
3         -2       Trojan.Win32.Dialer.yz                     1.27
4         New      Trojan-Downloader.Win32.Small.ieg          1.21
5         +4       not-a-virus:PSWTool.Win32.RAS.a            1.01
6         +1       Email-Worm.Win32.Brontok.q                 0.75
7         New      Trojan-Downloader.Win32.Zlob.fjb           0.72
8         +4       Trojan-Spy.Win32.Ardamax.n                 0.53
9         Return   Email-Worm.Win32.Rays                      0.46
10        New      Trojan-Dropper.Win32.Agent.dnu             0.44
11        New      Trojan-Downloader.Win32.AutoIt.aa          0.41
12        New      Worm.Win32.AutoIt.i                        0.39
13        New      not-a-virus:AdWare.Win32.BHO.xq            0.36
14        New      Trojan-Downloader.Win32.Agent.ggt          0.36
15        New      Trojan.Win32.Disabler.i                    0.36
16        -8       Virus.Win32.Virut.n                        0.33
17        New      Trojan-Downloader.Win32.Bagle.jo           0.32
18        -4       not-a-virus:Monitor.Win32.Perflogger.ca    0.29
19        Return   Trojan.Win32.Delf.aam                      0.29
20        New      Trojan-Downloader.Win32.Agent.hzo          0.29
                   Other malicious programs                   86.03

It’s been some time since we’ve seen an adware program at the top of our online rankings. February, however, saw the adware program Virtumonde or, to be more precise, an entire family, which we detect as Virtumonde.gen, claim top place.

Detailed analysis shows that over the last few months there’s been activity leading up to this. Our reports have tracked several Trojan-Downloaders that have installed Virtumonde on victims’ computers. In January and February they even started appearing in mail traffic, which has never happened before.

Of course, we’ll have to wait and see if anything changes in March, but if the activity of Virtumonde’s authors is anything to go by, this program looks set to remain among the leaders.

The leader for the last two months, Trojan.Win32.Dialer.yz, slipped to third place, though the sheer number of modifications ensures this program remains near the top of the rankings.

The Virut epidemic has subsided slightly. Virut.av, previously the most widespread variant of the family, which made it into the top three last month, fell off the bottom of the rankings altogether. The only Virut survivor from January’s rankings was Virut.n, and even this program fell eight places, to sixteenth place.

BHO Trojans exhibited a similar pattern – the three December entries fell to two in January and only BHO.xq remained in February, which incidentally is a new variant.

The various components of the malicious Bagle family, consisting of email worms and Trojan-Downloaders, continue to multiply – one of them even ended up in second place in the rankings, with another at seventeenth.

The veteran worm Brontok.q continues its travels up and down the rankings. After falling four places in January it rose one place in February. The Rays worm has experienced even more marked fluctuations recently – in December it ranked tenth before falling off the bottom of the rankings the following month, only to make a re-entry at ninth place in February.

The overall dominance of keylogging programs in the January Top Twenty was broken by a surge in new malicious programs that included various Trojan-Droppers and Trojan-Downloaders. In total, there were eleven new programs in the ratings in February.

Summary

  1. New: Email-Worm.Win32.Bagle.of, Trojan-Downloader.Win32.Small.ieg, Trojan-Downloader.Win32.Zlob.fjb, Trojan-Dropper.Win32.Agent.dnu, Trojan-Downloader.Win32.AutoIt.aa, Worm.Win32.AutoIt.i, not-a-virus:AdWare.Win32.BHO.xq, Trojan-Downloader.Win32.Agent.ggt, Trojan.Win32.Disabler.i, Trojan-Downloader.Win32.Bagle.jo, Trojan-Downloader.Win32.Agent.hzo
  2. Went up: not-a-virus:PSWTool.Win32.RAS.a, Email-Worm.Win32.Brontok.q, Trojan-Spy.Win32.Ardamax.n
  3. Went down: Trojan.Win32.Dialer.yz, Virus.Win32.Virut.n, not-a-virus:Monitor.Win32.Perflogger.ca
  4. Re-entry: not-a-virus:AdWare.Win32.Virtumonde.gen, Email-Worm.Win32.Rays, Trojan.Win32.Delf.aam.
