Threat Category: Windows malware | Page 32

During the past few months Kaspersky Lab analysts have observed a surge in the number of rootkits detected. What has caused this growth and what risks do rootkits pose to users?

We’ve recently detected a third modification of Email-Worm.Win32.Monikey. Our interest was piqued by the fact that Monikey incorporates modifications of Trojan-PSW.Win32.Vipgsm and Trojan-PSW.Win32.LdPinch.

We’ve decided to rename Net-Worm.Win32.Small.d to Net-Worm.Win32.Bozori.a. Infection reports are coming mostly from the USA, with some high-profile targets being hit.

We’ve received numerous reports on a new worm spreading via the PnP vulnerability. We detect it as Net-Worm.Win32.Small.d.

A quick update: over the last twenty four hours, we had eleven new Bagle variants, from Bagle.bz to Bagle.cj.

Today we’ve detected several new Bagle variants (actually old variants which have been repacked) and they are still coming in.

A few days ago we got another Trojan-Dropper. When we analyzed it, we found out that it installs 4 files to the system.

A professional malware market started to emerge at the very end of 2003, gained ground during 2004, and was well established by the beginning of 2005.

Over 2 years have gone by since we’ve seen a true virus in the wild. Most of us here had decided that they might actually be dead. And yet…

On July 13 we received the first sample of Tenga – a true blue virus. Tenga.a was followed by Tenga.b and finally Tenga.c, which arrive just…

Viruses and worms have evolved rapidly over the past few years and now pose a global threat. However, law enforcement agencies are also pooling their resources to gain a global reach.

In the last 24 hours we’ve detected five new versions of Virus.Win32.GPcode. This virus is interesting as it encrypts users’ files – with whoever is sending the virus out asking for money to decrypt the files.

Mytob became more active than Mydoom, its predecessor, and this trend looks set to continue. Mytob may come to effectively replace Mydoom.

New developments in Operation Horse Race

During the past hours, we’ve intercepted a flurry of new Bagle variants; apparently, it’s been a busy day for the author, who keeps sending them out.

Two new Bagle variants have been spotted today. Both are 36352 bytes in size and are very similar in operation.

Reports

Kaspersky discloses a 2025 HoneyMyte (aka Mustang Panda or Bronze President) APT campaign, which uses a kernel-mode rootkit to deliver and protect a ToneShell backdoor.

Kaspersky GReAT experts analyze the Evasive Panda APT’s infection chain, including shellcode encrypted with DPAPI and RC5, as well as the MgBot implant.

Kaspersky expert describes new malicious tools employed by the Cloud Atlas APT, including implants of their signature backdoors VBShower, VBCloud, PowerShower, and CloudAtlas.

Kaspersky’s GReAT experts have uncovered a new wave of cyberattacks by the ForumTroll APT group, targeting Russian political scientists and delivering the Tuoni framework to their devices.

Windows malware

Rootkits and how to combat them

Monikey or: the continuing evolution of Bagle

60 seconds before shutdown – again

New PnP worm spreading

And the Bagles just keep on coming

Bagle’s author back at work

Downloader + file virus – a new approach?

Watershed in malicious code evolution

Classical viruses ITW – never say die

Global problem, global solution

Multiple Gpcode variants

Malware Evolution: May Roundup

New runner in Horse Race

More Bagle trouble

Fresh Bagles ahead

Reports

The HoneyMyte APT evolves with a kernel-mode rootkit and a ToneShell backdoor

Evasive Panda APT poisons DNS requests to deliver MgBot

Cloud Atlas activity in the first half of 2025: what changed

Operation ForumTroll continues: Russian political scientists targeted using plagiarism reports

Subscribe to our weekly e-mails