Malware reports

Online Scanner Top Twenty for June 2007

Position Change in position Name Percentage
1. New!
New!
not-a-virus:AdWare.Win32.Virtumonde.jp 3.20
2. Up
+7
Trojan.Win32.Dialer.qn 2.70
3. Up
+2
Trojan-Downloader.Win32.LoadAdv.gen 2.14
4. Return
Return
Backdoor.IRC.Zapchast 2.12
5. New!
New!
Trojan-Downloader.Win32.Agent.brf 1.89
6. New!
New!
Trojan-Dropper.Win32.Sramler.c 1.52
7. New!
New!
Trojan-Downloader.Win32.Tiny.fl 1.25
8. New!
New!
Trojan-Downloader.Win32.Nurech.ak 1.00
9. New!
New!
Email-Worm.Win32.Zhelatin.ew 0.88
10. Return
Return
Email-Worm.Win32.Mydoom.m 0.82
11. Up
+4
Trojan.Win32.Obfuscated.en 0.77
12. New!
New!
Virus.Win32.Grum.a 0.75
13. Up
+4
Trojan-Downloader.Win32.Small.ddp 0.72
14. New!
New!
Trojan-Clicker.Win32.Small.kj 0.71
15. New!
New!
Trojan-Proxy.Win32.Jaber.c 0.67
16. New!
New!
Trojan.Win32.Small.nt 0.63
17. New!
New!
Worm.Win32.Viking.bb 0.61
18. Down
-7
Email-Worm.Win32.Brontok.q 0.58
19. Return
Return
not-a-virus:Monitor.Win32.Perflogger.163 0.56
20. New!
New!
Trojan-Downloader.Win32.Agent.bnz 0.54
Other malicious programs 75.94

A strange thing has happened. The program that takes first place as the most widespread malicious program is not a malicious program at all. Different variants of the Virtumonde adware program have been bombarding computer users for several months in a row, bundling their modules with free programs, and having no qualms about spreading themselves via Trojans and hiding themselves in the system using rootkits. We have covered the details in previous reports. Only the variants have changed. In June, Virtumonde.jp has the dubious honor of first place, ahead of last month’s leader, the Trojan downloader Agent.bjo,

A Trojan dialer has also managed to jump up the rankings. In just one month Dialer.qn climbed seven positions, reminding us of the recent past when this type of program made up more than 25% of the rankings. Perhaps Dialer.qn is just the first in a new wave of dialer attacks.

June’s top ten features six new malicious programs, half of which are new versions of Trojan downloaders. That means that they will be installing new, updated modifications of all sorts of malware on infected computers. For example, the new variants of the Zhelatin worm appear to have no intention of leaving the Online Top Twenty, although this family hasn’t been present for a while in our Email Top Twenty. Clearly, the authors of this family have chosen Trojan downloaders as their main vehicle for spreading the worms, leaving mass mailings as a back-up option.

There are a few interesting new arrivals, including two classic viruses which are able to infect other files: Grum.a and Viking.bb. Grum has been a regular feature in our Email Top Twenty over the past couple of months, and this marks its debut in the online rankings. This is doubtless related to the fact that the virus spreads by piggy-backing on email worms, infecting their files and traveling the globe together with them. Viking.bb is interesting primarily because different variants of this worm have infected numerous computers in China, something we covered in our first quarterly report this year. Until now, Viking has not managed to break out beyond China’s borders. Its appearance in these statistics indicate that maybe the worm has finally made a move. Or perhaps we’re are just really big in China (which is, of course, true).

Other top twenty events this month include the departure of one old-timer – the worm Rays – and the further decline of the Brontok worm, which has fallen seven places in the last two months. These worms bear a striking resemblance to each other in the way they function and spread on approximately the same scale. They have been a regular feature in our reports from the very beginning. We’ll see what happens next month – maybe we have been able to put a stop to their slow-moving yet far-reaching epidemics after all.

Summary

  • New:
    not-a-virus:AdWare.Win32.Virtumonde.jp, Trojan-Downloader.Win32.Agent.brf, Trojan-Dropper.Win32.Sramler.c, Trojan-Downloader.Win32.Tiny.fl, Trojan-Downloader.Win32.Nurech.ak, Email-Worm.Win32.Zhelatin.ew, Virus.Win32.Grum.a. Trojan-Clicker.Win32.Small.kj, Trojan-Proxy.Win32.Jaber.c, Trojan.Win32.Small.nt, Worm.Win32.Viking.bb, Trojan-Downloader.Win32.Agent.bnz
  • Moved up: Trojan.Win32.Dialer.qn, Trojan-Downloader.Win32.LoadAdv.gen, Trojan.Win32.Obfuscated.en,Trojan-Downloader.Win32.Small.ddp
  • Moved down: Email-Worm.Win32.Brontok.q
  • Re-entry: Email-Worm.Win32.Mydoom.m, not-a-virus:Monitor.Win32.Perflogger.163

Online Scanner Top Twenty for June 2007

Your email address will not be published. Required fields are marked *

 

Reports

APT trends report Q3 2024

The report features the most significant developments relating to APT groups in Q3 2024, including hacktivist activity, new APT tools and campaigns.

BlindEagle flying high in Latin America

Kaspersky shares insights into the activity and TTPs of the BlindEagle APT, which targets organizations and individuals in Colombia, Ecuador, Chile, Panama and other Latin American countries.

Subscribe to our weekly e-mails

The hottest research right in your inbox