Threat Category: Windows malware | Page 31

The spring seems to be a prolific time for new ideas and proof of concept viruses. However, not all of them are a cause for concern.

Over the last few days new variants of Trojan-PSW.Win32.LdPinch have been spreading actively on the Russian internet.

We’ve received a new sample: another cross platform virus which will infect both Linux and Win32 systems. It’s therefore been given a double name: Virus.Linux.Bi.a/ Virus.Win32.Bi.a

Kaspersky Lab presents the second report covering malware evolution in 2005

At first glance, the March statistics from the online scanner shows that the Online Scanner Top Twenty ratings continue to change radically from month to month.

Over the weekend, we intercepted Trojan-PSW.Win32.LdPinch.ahe – the latest variant of LdPinch. New variant offers to teach users how to trick WebMoney service

This is the second month that we are analyzing the data we collect from our on-line scanner. We can now make preliminary comparisons with our mail traffic statistics and analyze emerging trends.

We’re raising the alert status on Nyxem.e from green to orange. This is not based on any sudden upsurge in infections.

Yesterday we came across a worm with a German (speaking) background, Email-Worm.Win32.Skowor.b.

For the past two days we’ve been tracking an increase in the number of Email-Worm.Win32.Bagle.fj samples up to the point that it is now topping our malware statistics.

More than 24 hours have passed since the Nyxem.e activation date for this month and it’s been pretty quiet.

Solving the virus naming mess – not an easy task

Inside Nyxem.e’s 100K+ body there is a dreaded block of 32 bytes. On the 3rd of every month, exactly 30 minutes after the infected system is started, Nyxem.e will use this block.

We’ve got another version of GPCode. We’re currently looking at the encryption algorithms, and we’ll get back to you with the full story in the near future.

We’re seeing Bagle deployments on a number of websites, usually a sign of increased Bagle activity to follow

Reports

An in-depth analysis of Umbrij, a new tool used by the ToddyCat APT group to compromise corporate email communications in Gmail. The attack targeted OAuth authorization tokens, allowing threat actors to gain access to Google services.

Cloud Atlas attacks the public sector and diplomatic structures of Russia and Belarus, using ReverseSocks, SSH, and Tor for persistence in infected systems and its new tool, PowerCloud.

Kaspersky researchers analyze a range of new PebbleDash-based tools used in recent Kimsuky campaigns and reveal their connection to the AppleSeed malware cluster.

Kaspersky researchers uncovered malicious wheel packages in PyPI that targeted both Windows and Linux and contained a dropper delivering malware dubbed ZiChatBot. We attribute this activity to OceanLotus APT.

Windows malware

Avarta – an MS Publisher virus

LdPinch…again.

Crossplatform virus – the latest proof of concept

Malware Evolution: 2005, part two

On-line Scanner Top Twenty for March 2006

LdPinch again spammed via ICQ

On-line Scanner Top Twenty February 2006

Nyxem alert status raised

File encryptor moves to the west

Meanwhile, on the other side of the galaxy…

Surviving Nyxem.e

CME – the good and the not-so-good

Nyxem.e’s dreaded 32 bytes

New GPCode

An increase in the Bagle activity

Reports

ToddyCat: your hidden email assistant. Part 2

Cloud Atlas activity in the second half of 2025 and early 2026: new tools and a new payload

Kimsuky targets organizations with PebbleDash-based tools

OceanLotus suspected of using PyPI to deliver ZiChatBot malware

Subscribe to our weekly e-mails