Threat Category: Windows malware | Page 30

The spring seems to be a prolific time for new ideas and proof of concept viruses. However, not all of them are a cause for concern.

Over the last few days new variants of Trojan-PSW.Win32.LdPinch have been spreading actively on the Russian internet.

We’ve received a new sample: another cross platform virus which will infect both Linux and Win32 systems. It’s therefore been given a double name: Virus.Linux.Bi.a/ Virus.Win32.Bi.a

Kaspersky Lab presents the second report covering malware evolution in 2005

At first glance, the March statistics from the online scanner shows that the Online Scanner Top Twenty ratings continue to change radically from month to month.

Over the weekend, we intercepted Trojan-PSW.Win32.LdPinch.ahe – the latest variant of LdPinch. New variant offers to teach users how to trick WebMoney service

This is the second month that we are analyzing the data we collect from our on-line scanner. We can now make preliminary comparisons with our mail traffic statistics and analyze emerging trends.

We’re raising the alert status on Nyxem.e from green to orange. This is not based on any sudden upsurge in infections.

Yesterday we came across a worm with a German (speaking) background, Email-Worm.Win32.Skowor.b.

For the past two days we’ve been tracking an increase in the number of Email-Worm.Win32.Bagle.fj samples up to the point that it is now topping our malware statistics.

More than 24 hours have passed since the Nyxem.e activation date for this month and it’s been pretty quiet.

Solving the virus naming mess – not an easy task

Inside Nyxem.e’s 100K+ body there is a dreaded block of 32 bytes. On the 3rd of every month, exactly 30 minutes after the infected system is started, Nyxem.e will use this block.

We’ve got another version of GPCode. We’re currently looking at the encryption algorithms, and we’ll get back to you with the full story in the near future.

We’re seeing Bagle deployments on a number of websites, usually a sign of increased Bagle activity to follow

Reports

Kaspersky researchers analyze updated CoolClient backdoor and new tools and scripts used in HoneyMyte (aka Mustang Panda or Bronze President) APT campaigns, including three variants of a browser data stealer.

Kaspersky discloses a 2025 HoneyMyte (aka Mustang Panda or Bronze President) APT campaign, which uses a kernel-mode rootkit to deliver and protect a ToneShell backdoor.

Kaspersky GReAT experts analyze the Evasive Panda APT’s infection chain, including shellcode encrypted with DPAPI and RC5, as well as the MgBot implant.

Kaspersky expert describes new malicious tools employed by the Cloud Atlas APT, including implants of their signature backdoors VBShower, VBCloud, PowerShower, and CloudAtlas.

Windows malware

Avarta – an MS Publisher virus

LdPinch…again.

Crossplatform virus – the latest proof of concept

Malware Evolution: 2005, part two

On-line Scanner Top Twenty for March 2006

LdPinch again spammed via ICQ

On-line Scanner Top Twenty February 2006

Nyxem alert status raised

File encryptor moves to the west

Meanwhile, on the other side of the galaxy…

Surviving Nyxem.e

CME – the good and the not-so-good

Nyxem.e’s dreaded 32 bytes

New GPCode

An increase in the Bagle activity

Reports

HoneyMyte updates CoolClient and deploys multiple stealers in recent campaigns

The HoneyMyte APT evolves with a kernel-mode rootkit and a ToneShell backdoor

Evasive Panda APT poisons DNS requests to deliver MgBot

Cloud Atlas activity in the first half of 2025: what changed

Subscribe to our weekly e-mails