Monthly Malware Statistics: January 2010

05 Feb 2010
Virus News

Malicious programs detected on users' computers

The first Top Twenty lists malicious programs, adware and potentially unwanted programs that were detected and neutralized when accessed for the first time, i.e. by the on-access scanner.


Position  Change in position  Name                              Number of infected computers
1         0                   Net-Worm.Win32.Kido.ir            276021
2         0                   Net-Worm.Win32.Kido.iq            197376
3         1                   Virus.Win32.Sality.aa             169101
4         -1                  Net-Worm.Win32.Kido.ih            164421
5         0                   Worm.Win32.FlyStudio.cu           109898
6         21                  Trojan-Downloader.JS.Zapchast.m   65476
7         21                  Trojan-Downloader.JS.Small.oj     64767
8         1                   Trojan-Downloader.WMA.GetCodec.s  63266
9         -1                  Trojan-Downloader.Win32.VB.eql    61852
10        2                   Virus.Win32.Virut.ce              51944
11        -4                  not-a-virus:AdWare.Win32.Boran.z  51868
12        1                   Virus.Win32.Induc.a               44432
13        New                 Trojan.Win32.AutoRun.sj           39530
14        New                 Packed.Win32.Krap.l               38944
15        New                 Trojan.Win32.AutoRun.sl           38742
16        1                   Worm.Win32.Mabezat.b              37365
17        New                 Worm.Win32.AutoIt.tc              36162
18        New                 Trojan.Win32.AutoRun.ws           36149
19        -5                  Trojan-Dropper.Win32.Flystud.yo   35883
20        -4                  Packed.Win32.Black.a              35462

For the third month in a row the top five programs have led the rest of the rating by some distance.

January, however, did see seven new entries, which is unusual for the first Top Twenty. The two script downloaders that entered right behind the leading pack have already made an appearance in our second rating for web-borne malware, but this is the first time they have made it into this rating.

Among the newcomers are three modifications of Trojan.Win32.AutoRun that help spread the notorious P2P-Worm.Win32.Palevo and Trojan-GameThief.Win32.Magania via removable devices.

AutoIt, which we have already discussed on a number of occasions, is gaining in popularity, with two new malicious programs – Packed.Win32.Krap.l and Worm.Win32.AutoIt.tc – created using this scripting language.

Malicious programs on the Internet

The second Top Twenty presents data generated by the web antivirus component, and reflects the online threat landscape. This ranking includes malicious programs detected on web pages and malware downloaded to victim machines from web pages.


Position  Change in position  Name                              Number of attempted downloads
1         1                   Trojan.JS.Redirector.l            615521
2         3                   Trojan-Clicker.JS.Iframe.db       299222
3         Return              Trojan-Downloader.JS.Zapchast.m   208056
4         New                 Trojan.JS.Iframe.hw               166755
5         -1                  Trojan-Downloader.HTML.IFrame.sz  138843
6         21                  Trojan-Downloader.JS.Agent.ewo    116110
7         -1                  not-a-virus:AdWare.Win32.Boran.z  99567
8         New                 Trojan-Downloader.JS.Agent.exc    82147
9         Return              Trojan-Downloader.JS.Small.oj     77659
10        New                 Exploit.Win32.Pidief.cvl          75687
11        New                 Trojan.JS.Popupper.t              73028
12        2                   Trojan-Downloader.JS.Shadraem.a   43592
13        New                 Trojan-Clicker.JS.Iframe.dh       39441
14        New                 Packed.JS.Agent.bp                39420
15        New                 Trojan.JS.Fraud.s                 38088
16        -9                  Trojan.JS.Iframe.ez               36156
17        New                 Trojan-Downloader.JS.Pegel.c      35977
18        New                 Trojan.JS.Iframe.ef               34700
19        -2                  Trojan-Downloader.JS.Twetti.a     32544
20        -9                  Packed.Win32.Krap.ag              31148

The second rating remains a kaleidoscope of the latest cybercriminal creations.

New entries include Trojan.JS.Iframe.hw (4th place), Trojan-Downloader.JS.Agent.ewo (6th), and Trojan-Downloader.JS.Pegel.c (17th) – all of them similar script downloaders that redirect users to other malicious scripts which in turn exploit vulnerabilities in popular software products.

Trojan.JS.Fraud.s in 15th place detects web pages which are cloned from a template and used to spread rogue antivirus applications.

All the other new entries are various script downloaders that infect users' computers with malicious programs.

It's worth pointing out that the second Gumblar epidemic fizzled out fairly quickly. We'll have to wait and see if there is to be a third.

Overall, there has been no major change to recent trends. Malware is actively spreading via removable media with the help of script downloaders, and for the most part exploiting vulnerabilities in popular software products.

Countries where most attempts to infect via the web originated: