Malware reports

Online Scanner Top Twenty for January 2008

| Position | Change in position | Name | Percentage |
|---|---|---|---|
| 1 | No Change | Trojan.Win32.Dialer.yz | 2.56 |
| 2 | New! | Trojan-Clicker.Win32.Small.kj | 1.39 |
| 3 | Down | Virus.Win32.Virut.av | 1.31 |
| 4 | Up +3 | | 1.30 |
| 5 | No Change | Trojan.Win32.BHO.abo | 1.18 |
| 6 | New! | Trojan-Downloader.Win32.Small.hlr | 1.10 |
| 7 | Down | Email-Worm.Win32.Brontok.q | 1.08 |
| 8 | New! | Virus.Win32.Virut.n | 1.04 |
| 9 | Down | not-a-virus:PSWTool.Win32.RAS.a | 1.00 |
| 10 | New! | Trojan-Downloader.Win32.Bagle.hj | 0.80 |
| 11 | New! | Trojan-Dropper.Win32.Agent.dgo | 0.78 |
| 12 | Up | Trojan-Spy.Win32.Ardamax.n | 0.73 |
| 13 | New! | Trojan.Win32.BHO.agz | 0.71 |
| 14 | Down -5 | | 0.62 |
| 15 | New! | | 0.62 |
| 16 | New! | Trojan-Downloader.Win32.Bagle.hi | 0.61 |
| 17 | Down -1 | | 0.56 |
| 18 | Up | not-a-virus:Monitor.Win32.Perflogger.cb | 0.53 |
| 19 | New! | not-a-virus:PSWTool.Win32.Messen.g | 0.50 |
| 20 | Return | Worm.Win32.AutoIt.c | 0.46 |
| | | Other malicious programs | 81.12 |

There’s no such thing as New Year in the virus world. And it’s definitely not a time for seeing out the old and bringing in the new. Statistics for January show that the malware and potentially malicious programs in circulation are remarkably similar to those in last month’s rankings.

Trojan dialers continue to dominate the top of the online chart for yet another month with Dialer.yz holding on to first place for the second month in a row. Trojan-Clicker.Win32.Small.kj – detected way back in March 2006 – was the surprise entrant in second place.

More importantly, the Virut virus epidemic continues unabated. The principal and most widespread variant of the family – Virut.av – is still in the top three. Those keeping it company in December – Virut.q and .p – were replaced in January by a new version – Virut.n.

Browser Helper Objects suffered a slight downturn, with only two of the three December entries remaining. However, this did not affect the showing of Trojan.Win32.BHO.abo, which held on to fifth place.

At the same time a wave of Bagle Trojan-Downloaders has suddenly burst into the Top Twenty. They may not rank very high at the moment – tenth, fifteenth and sixteenth places – but this type of activity threatens to pose an ever-greater risk to PC users. Incidentally, this trend was not reflected in the mail traffic statistics.

The veteran Brontok.q once again slipped down the rankings, falling four places in January. Its constant companion, the Rays worm, fared even worse: after slipping to tenth place last month it has now fallen off the bottom of the rankings. These two worms, however, have been a familiar feature of our Top Twenty for so long, and have bounced back before, that it may be premature to write them off completely.

Overall, keyloggers proved the dominant force in the Top Twenty with six entries; PSWTool.Win32.RAS.a, Ardamax.n,, Perflogger.cb, and were joined by a new entry for January, PSWTool.Win32.Messen.g.


  • New: Trojan-Clicker.Win32.Small.kj, Trojan-Downloader.Win32.Small.hlr, Virus.Win32.Virut.n, Trojan-Downloader.Win32.Bagle.hj, Trojan-Dropper.Win32.Agent.dgo, Trojan.Win32.BHO.agz,, Trojan-Downloader.Win32.Bagle.hi, not-a-virus:PSWTool.Win32.Messen.g.
  • Went up:, Trojan-Spy.Win32.Ardamax.n, not-a-virus:Monitor.Win32.Perflogger.cb.
  • Went down: Virus.Win32.Virut.av, Email-Worm.Win32.Brontok.q, not-a-virus:PSWTool.Win32.RAS.a,,
  • Re-entry: Worm.Win32.AutoIt.c.
