Monthly Threat Report: May 2015

The Top Ten Threats

1. Win32/Adware.MultiPlug
Previous Ranking: 1
Percentage Detected: 3.39%

Win32/Adware.MultiPlug is a Potentially Unwanted Application that, once it has gained a foothold on the user's system, may cause applications to display pop-up advertising windows during internet browsing.

2. Win32/Bundpil
Previous Ranking: 2
Percentage Detected: 2.03%

Win32/Bundpil.A is a worm that spreads via removable media. The worm contains a URL from which it tries to download several files. The files are then executed, and HTTP is used to communicate with the C&C server to receive new commands. The worm may delete files and folders matching the following patterns:
*.exe
*.vbs
*.pif
*.cmd
*Backup.

3. JS/Kryptik.I
Previous Ranking: 3
Percentage Detected: 1.97%

JS/Kryptik is a generic detection of malicious obfuscated JavaScript code embedded in HTML pages; it usually redirects the browser to a malicious URL or implements a specific exploit.

4. LNK/Agent.AV
Previous Ranking: 5
Percentage Detected: 1.45%

LNK/Agent.AV is a link that concatenates commands to execute legitimate code while running the threat code in the background. It is similar in its effect to the older autorun.inf type of threat.

5. Win32/AdWare.ConvertAd
Previous Ranking: 9
Percentage Detected: 1.36%

Win32/Adware.ConvertAd is adware used to deliver unsolicited advertisements. It is usually a component of other malware.

6. Win32/Sality
Previous Ranking: 6
Percentage Detected: 1.33%

Sality is a polymorphic file infector. When executed, it creates or deletes registry keys related to security applications on the system and ensures that the malicious process restarts each time the operating system is rebooted.
It modifies EXE and SCR files and disables services and processes belonging to security solutions.

More information relating to a specific signature: http://www.eset.eu/encyclopaedia/sality_nar_virus__sality_aa_sality_am_sality_ah

7. Win32/Ramnit
Previous Ranking: 7
Percentage Detected: 1.26%

Win32/Ramnit is a file infector that executes every time the system starts. It infects .dll (dynamic link library) and .exe executable files and also searches for .htm and .html files in order to insert malicious instructions into them. It exploits a vulnerability (CVE-2010-2568) found on the system that allows it to execute arbitrary code. It can be controlled remotely to capture screenshots, send the information it has gathered, download files from a remote computer and/or the Internet, run executable files, or shut down/restart the computer.

8. INF/Autorun
Previous Ranking: N/A
Percentage Detected: 1.18%

INF/Autorun is a generic detection of versions of the autorun.inf configuration file created by malware. The malicious AUTORUN.INF file contains the path to the malware executable. This file is usually dropped into the root folder of all the available drives in an attempt to auto-execute a malware executable when the infected drive is mounted. The AUTORUN.INF file(s) may have the System (S) and Hidden (H) attributes present in an attempt to hide the file from Windows Explorer.

9. Win32/Packed.VMProtect.AAA
Previous Ranking: N/A
Percentage Detected: 1.17%

Win32/Packed.VMProtect.AAA is a generic detection of malware protected with anti-VM code.

10. LNK/Agent.AK
Previous Ranking: N/A
Percentage Detected: 1.16%

LNK/Agent.AK is a link that concatenates commands to execute legitimate code while running the threat code in the background. It is similar in its effect to the older autorun.inf type of threat. This vulnerability became known at the time of the discovery of Stuxnet, as it was one of four vulnerabilities exploited by Stuxnet variants.

Monthly Threat Report: April 2015

The Top Ten Threats

1. Win32/Adware.MultiPlug
Previous Ranking: 1
Percentage Detected: 3.57%
Win32/Adware.MultiPlug is a Potentially Unwanted Application that, once it has gained a foothold on the user's system, may cause applications to display pop-up advertising windows during internet browsing.

2. Win32/Bundpil
Previous Ranking: 2
Percentage Detected: 1.81%
Win32/Bundpil.A is a worm that spreads via removable media. The worm contains a URL from which it tries to download several files. The files are then executed, and HTTP is used to communicate with the C&C server to receive new commands. The worm may delete files and folders matching the following patterns:
*.exe
*.vbs
*.pif
*.cmd
*Backup.

3. JS/Kryptik.I
Previous Ranking: 7
Percentage Detected: 1.70%
JS/Kryptik is a generic detection of malicious obfuscated JavaScript code embedded in HTML pages; it usually redirects the browser to a malicious URL or implements a specific exploit.

4. Win32/TrojanDownloader.Waski
Previous Ranking: 3
Percentage Detected: 1.67%
Win32/TrojanDownloader.Waski is a Trojan that uses HTTP to try to download other malware. It contains a list of two URLs and tries to download a file from those addresses. The file is stored at %temp%\¬miy.exe and is then executed.

5. LNK/Agent.AV
Previous Ranking: 6
Percentage Detected: 1.35%
LNK/Agent.AV is a link that concatenates commands to execute legitimate code while running the threat code in the background. It is similar in its effect to the older autorun.inf type of threat.

6. Win32/Sality
Previous Ranking: 4
Percentage Detected: 1.27%
Sality is a polymorphic file infector. When executed, it creates or deletes registry keys related to security applications on the system and ensures that the malicious process restarts each time the operating system is rebooted.
It modifies EXE and SCR files and disables services and processes belonging to security solutions.
More information relating to a specific signature: http://www.eset.eu/encyclopaedia/sality_nar_virus__sality_aa_sality_am_sality_ah

7. Win32/Ramnit
Previous Ranking: 9
Percentage Detected: 1.20%
Win32/Ramnit is a file infector that executes every time the system starts. It infects .dll (dynamic link library) and .exe executable files and also searches for .htm and .html files in order to insert malicious instructions into them. It exploits a vulnerability (CVE-2010-2568) found on the system that allows it to execute arbitrary code. It can be controlled remotely to capture screenshots, send the information it has gathered, download files from a remote computer and/or the Internet, run executable files, or shut down/restart the computer.

8. HTML/ScrInject
Previous Ranking: N/A
Percentage Detected: 1.19%
HTML/ScrInject is a generic detection of HTML web pages containing obfuscated scripts or iframe tags that automatically redirect to a malware download.

9. Win32/AdWare.ConvertAd
Previous Ranking: N/A
Percentage Detected: 1.17%
Win32/Adware.ConvertAd is adware used to deliver unsolicited advertisements. It is usually a component of other malware.

10. HTML/Refresh
Previous Ranking: 5
Percentage Detected: 1.14%
HTML/Refresh is a Trojan that redirects the browser to a specific URL hosting malicious software. The malware's program code is usually embedded in HTML pages.

Monthly Threat Report: March 2015

The Top Ten Threats of March 2015

1. Win32/Adware.MultiPlug
Previous Ranking: 1
Percentage Detected: 3.55%

Win32/Adware.MultiPlug is a Potentially Unwanted Application that, once it has gained a foothold on the user's system, may cause applications to display pop-up advertising windows during internet browsing.

2. Win32/Bundpil
Previous Ranking: 3
Percentage Detected: 2.27%

Win32/Bundpil.A is a worm that spreads via removable media. The worm contains a URL from which it tries to download several files. The files are then executed, and HTTP is used to communicate with the C&C server to receive new commands. The worm may delete files and folders matching the following patterns:
*.exe
*.vbs
*.pif
*.cmd
*Backup.

3. Win32/TrojanDownloader.Waski
Previous Ranking: 5
Percentage Detected: 1.95%

Win32/TrojanDownloader.Waski is a Trojan that uses HTTP to try to download other malware. It contains a list of two URLs and tries to download a file from those addresses. The file is stored at %temp%\¬miy.exe and is then executed.

4. Win32/Sality
Previous Ranking: 7
Percentage Detected: 1.41%

Sality is a polymorphic file infector. When executed, it creates or deletes registry keys related to security applications on the system and ensures that the malicious process restarts each time the operating system is rebooted.
It modifies EXE and SCR files and disables services and processes belonging to security solutions.
More information relating to a specific signature: http://www.eset.eu/encyclopaedia/sality_nar_virus__sality_aa_sality_am_sality_ah

5. HTML/Refresh
Previous Ranking: 2
Percentage Detected: 1.39%

HTML/Refresh is a Trojan that redirects the browser to a specific URL hosting malicious software. The malware's program code is usually embedded in HTML pages.

6. LNK/Agent.AV
Previous Ranking: 8
Percentage Detected: 1.38%

LNK/Agent.AV is a link that concatenates commands to execute legitimate code while running the threat code in the background. It is similar in its effect to the older autorun.inf type of threat.

7. JS/Kryptik.I
Previous Ranking: 4
Percentage Detected: 1.36%

JS/Kryptik is a generic detection of malicious obfuscated JavaScript code embedded in HTML pages; it usually redirects the browser to a malicious URL or implements a specific exploit.

8. LNK/Agent.AK
Previous Ranking: N/A
Percentage Detected: 1.30%

LNK/Agent.AK is a link that concatenates commands to execute legitimate code while running the threat code in the background. It is similar in its effect to the older autorun.inf type of threat. This vulnerability became known at the time of the discovery of Stuxnet, as it was one of four vulnerabilities exploited by Stuxnet variants.

9. Win32/Ramnit
Previous Ranking: 9
Percentage Detected: 1.29%

Win32/Ramnit is a file infector that executes every time the system starts. It infects .dll (dynamic link library) and .exe executable files and also searches for .htm and .html files in order to insert malicious instructions into them. It exploits a vulnerability (CVE-2010-2568) found on the system that allows it to execute arbitrary code. It can be controlled remotely to capture screenshots, send the information it has gathered, download files from a remote computer and/or the Internet, run executable files, or shut down/restart the computer.

10. INF/Autorun
Previous Ranking: 10
Percentage Detected: 1.24%

INF/Autorun is a generic detection of versions of the autorun.inf configuration file created by malware. The malicious AUTORUN.INF file contains the path to the malware executable. This file is usually dropped into the root folder of all the available drives in an attempt to auto-execute a malware executable when the infected drive is mounted. The AUTORUN.INF file(s) may have the System (S) and Hidden (H) attributes present in an attempt to hide the file from Windows Explorer.

Monthly Threat Report: December 2014

The Top Ten Threats

1. HTML/Refresh
Previous Ranking: 1
Percentage Detected: 2.82%

HTML/Refresh is a Trojan that redirects the browser to a specific URL hosting malicious software. The malware's program code is usually embedded in HTML pages.

2. Win32/Bundpil
Previous Ranking: 2
Percentage Detected: 2.54%

Win32/Bundpil.A is a worm that spreads via removable media. The worm contains a URL from which it tries to download several files. The files are then executed, and the HTTP protocol is used to communicate with the C&C server to receive new commands. The worm may delete files and folders matching the following patterns:
*.exe
*.vbs
*.pif
*.cmd
*Backup.

3. Win32/Adware.MultiPlug
Previous Ranking: 3
Percentage Detected: 2.39%

Win32/Adware.MultiPlug is a Potentially Unwanted Application that, once present on the user's system, may cause applications to display advertising pop-up windows during internet browsing.

4. Win32/TrojanDownloader.Wauchos
Previous Ranking: 4
Percentage Detected: 1.87%

Win32/TrojanDownloader.Wauchos is a Trojan that tries to download other malware from the Internet. It collects information about the operating system, its settings and the computer's IP address, then attempts to send the gathered information to a remote machine. It can download files from a remote computer and/or the Internet, run executable files, create Registry entries and remove itself from the infected computer.

5. Win32/Sality
Previous Ranking: 5
Percentage Detected: 1.39%

Sality is a polymorphic file infector. When executed, it starts a service and creates or deletes registry keys related to security applications active on the system, and ensures that the malicious process restarts at each reboot of the operating system.
It modifies EXE and SCR files and disables services and processes belonging to security solutions.
More information relating to a specific signature: http://www.eset.eu/encyclopaedia/sality_nar_virus__sality_aa_sality_am_sality_ah

6. LNK/Agent.AK
Previous Ranking: 6
Percentage Detected: 1.31%

LNK/Agent.AK is a link that concatenates commands to execute legitimate code while running the threat code in the background. It is similar in its effect to the older autorun.inf type of threat. This vulnerability became known at the time of the discovery of Stuxnet, as it was one of four vulnerabilities exploited by Stuxnet variants.

7. INF/Autorun
Previous Ranking: 8
Percentage Detected: 1.22%

INF/Autorun is a generic detection of versions of the autorun.inf configuration file created by malware. The malicious AUTORUN.INF file contains the path to the malware executable. This file is usually dropped into the root folder of all the available drives in an attempt to autorun a malware executable when the infected drive is mounted. The AUTORUN.INF file(s) may have the System (S) and Hidden (H) attributes present in an attempt to hide the file from Windows Explorer.

8. LNK/Agent.AV
Previous Ranking: N/A
Percentage Detected: 1.21%

LNK/Agent.AV is a link that concatenates commands to execute legitimate code while running the threat code in the background. It is similar in its effect to the older autorun.inf type of threat.

9. JS/Kryptik.ATB
Previous Ranking: N/A
Percentage Detected: 1.19%

JS/Kryptik is a generic detection of malicious obfuscated JavaScript code embedded in HTML pages; it usually redirects the browser to a malicious URL or implements a specific exploit.

10. Win32/Ramnit
Previous Ranking: 9
Percentage Detected: 1.18%

Win32/Ramnit is a file infector that executes every time the system starts. It infects .dll (dynamic link library) and .exe executable files and also searches for .htm and .html files in order to insert malicious instructions into them. It exploits a vulnerability found on the system (CVE-2010-2568) that allows it to execute arbitrary code. It can be controlled remotely to capture screenshots, send the information it has gathered, download files from a remote computer and/or the Internet, run executable files, or shut down/restart the computer.

Monthly Threat Report: November 2014

The Top Ten Threats

1. HTML/Refresh
Previous Ranking: 1
Percentage Detected: 3.13%

HTML/Refresh is a Trojan that redirects the browser to a specific URL hosting malicious software. The malware's program code is usually embedded in HTML pages.

2. Win32/Bundpil
Previous Ranking: 2
Percentage Detected: 2.33%

Win32/Bundpil.A is a worm that spreads via removable media. The worm contains a URL from which it tries to download several files. The files are then executed, and the HTTP protocol is used to communicate with the C&C server to receive new commands. The worm may delete files and folders matching the following patterns:
*.exe
*.vbs
*.pif
*.cmd
*Backup.

3. Win32/Adware.MultiPlug
Previous Ranking: 5
Percentage Detected: 1.93%

Win32/Adware.MultiPlug is a Potentially Unwanted Application that, once present on the user's system, may cause applications to display advertising pop-up windows during internet browsing.

4. Win32/TrojanDownloader.Wauchos
Previous Ranking: N/A
Percentage Detected: 1.48%

Win32/TrojanDownloader.Wauchos is a Trojan that tries to download other malware from the Internet. It collects information about the operating system, its settings and the computer's IP address, then attempts to send the gathered information to a remote machine. It can download files from a remote computer and/or the Internet, run executable files, create Registry entries and remove itself from the infected computer.

5. Win32/Sality
Previous Ranking: 8
Percentage Detected: 1.41%

Sality is a polymorphic file infector. When executed, it starts a service and creates or deletes registry keys related to security applications active on the system, and ensures that the malicious process restarts at each reboot of the operating system.
It modifies EXE and SCR files and disables services and processes belonging to security solutions.

More information relating to a specific signature: http://www.eset.eu/encyclopaedia/sality_nar_virus__sality_aa_sality_am_sality_ah

6. LNK/Agent.AK
Previous Ranking: 7
Percentage Detected: 1.35%

LNK/Agent.AK is a link that concatenates commands to execute legitimate code while running the threat code in the background. It is similar in its effect to the older autorun.inf type of threat. This vulnerability became known at the time of the discovery of Stuxnet, as it was one of four vulnerabilities exploited by Stuxnet variants.

7. JS/Kryptik.I
Previous Ranking: 3
Percentage Detected: 1.29%

JS/Kryptik is a generic detection of malicious obfuscated JavaScript code embedded in HTML pages; it usually redirects the browser to a malicious URL or implements a specific exploit.

8. INF/Autorun
Previous Ranking: 10
Percentage Detected: 1.22%

INF/Autorun is a generic detection of versions of the autorun.inf configuration file created by malware. The malicious AUTORUN.INF file contains the path to the malware executable. This file is usually dropped into the root folder of all the available drives in an attempt to autorun a malware executable when the infected drive is mounted. The AUTORUN.INF file(s) may have the System (S) and Hidden (H) attributes present in an attempt to hide the file from Windows Explorer.

9. Win32/Ramnit
Previous Ranking: N/A
Percentage Detected: 1.17%

Win32/Ramnit is a file infector that executes every time the system starts. It infects .dll (dynamic link library) and .exe executable files and also searches for .htm and .html files in order to insert malicious instructions into them. It exploits a vulnerability found on the system (CVE-2010-2568) that allows it to execute arbitrary code. It can be controlled remotely to capture screenshots, send the information it has gathered, download files from a remote computer and/or the Internet, run executable files, or shut down/restart the computer.

10. HTML/ScrInject
Previous Ranking: 6
Percentage Detected: 1.08%

HTML/ScrInject is a generic detection of HTML web pages containing obfuscated scripts or iframe tags that automatically redirect to a malware download.

Monthly Threat Report: October 2014

The Top Ten Threats

1. HTML/Refresh
Previous Ranking: 1
Percentage Detected: 3.66%

HTML/Refresh is a Trojan that redirects the browser to a specific URL hosting malicious software. The malware's program code is usually embedded in HTML pages.

2. Win32/Bundpil
Previous Ranking: 2
Percentage Detected: 2.24%

Win32/Bundpil.A is a worm that spreads via removable media. The worm contains a URL from which it tries to download several files. The files are then executed, and the HTTP protocol is used to communicate with the C&C server to receive new commands. The worm may delete files and folders matching the following patterns:

*.exe
*.vbs
*.pif
*.cmd
*Backup.

3. JS/Kryptik.I
Previous Ranking: 3
Percentage Detected: 2.17%

JS/Kryptik is a generic detection of malicious obfuscated JavaScript code embedded in HTML pages; it usually redirects the browser to a malicious URL or implements a specific exploit.

4. Win32/RiskWare.NetFilter
Previous Ranking: 5
Percentage Detected: 1.49%

Win32/RiskWare.NetFilter is an application that includes malicious code designed to let an attacker remotely connect to and control the infected system in order to steal sensitive information or install other malware.

5. Win32/Adware.MultiPlug
Previous Ranking: 4
Percentage Detected: 1.47%

Win32/Adware.MultiPlug is a Potentially Unwanted Application that, once present on the user's system, may cause applications to display advertising pop-up windows during internet browsing.

6. HTML/ScrInject
Previous Ranking: N/A
Percentage Detected: 1.45%

HTML/ScrInject is a generic detection of HTML web pages containing obfuscated scripts or iframe tags that automatically redirect to a malware download.

7. LNK/Agent.AK
Previous Ranking: 6
Percentage Detected: 1.40%

LNK/Agent.AK is a link that concatenates commands to execute legitimate code while running the threat code in the background. It is similar in its effect to the older autorun.inf type of threat. This vulnerability became known at the time of the discovery of Stuxnet, as it was one of four vulnerabilities exploited by Stuxnet variants.

8. Win32/Sality
Previous Ranking: 7
Percentage Detected: 1.34%

Sality is a polymorphic file infector. When executed, it starts a service and creates or deletes registry keys related to security applications active on the system, and ensures that the malicious process restarts at each reboot of the operating system. It modifies EXE and SCR files and disables services and processes belonging to security solutions.
More information relating to a specific signature: http://www.eset.eu/encyclopaedia/sality_nar_virus__sality_aa_sality_am_sality_ah

9. HTML/Iframe
Previous Ranking: 8
Percentage Detected: 1.24%

Type of infiltration: Virus
HTML/Iframe.B is a generic detection of malicious IFRAME tags embedded in HTML pages which redirect the browser to a specific URL hosting malicious software.

10. INF/Autorun
Previous Ranking: 10
Percentage Detected: 1.22%
INF/Autorun is a generic detection of versions of the autorun.inf configuration file created by malware. The malicious AUTORUN.INF file contains the path to the malware executable. This file is usually dropped into the root folder of all the available drives in an attempt to autorun a malware executable when the infected drive is mounted. The AUTORUN.INF file(s) may have the System (S) and Hidden (H) attributes present in an attempt to hide the file from Windows Explorer.

Monthly Threat Report: September 2014

The Top Ten Threats

1. HTML/Refresh
Previous Ranking: N/A
Percentage Detected: 3.89%

HTML/Refresh is a Trojan that redirects the browser to a specific URL hosting malicious software. The malware's program code is usually embedded in HTML pages.

2. Win32/Bundpil
Previous Ranking: 1
Percentage Detected: 2.29%

Win32/Bundpil.A is a worm that spreads via removable media. The worm contains a URL from which it tries to download several files. The files are then executed, and the HTTP protocol is used to communicate with the C&C server to receive new commands. The worm may delete files and folders matching the following patterns:

*.exe
*.vbs
*.pif
*.cmd
*Backup.

3. JS/Kryptik.I
Previous Ranking: 2
Percentage Detected: 2.03%

JS/Kryptik is a generic detection of malicious obfuscated JavaScript code embedded in HTML pages; it usually redirects the browser to a malicious URL or implements a specific exploit.

4. Win32/Adware.MultiPlug
Previous Ranking: 3
Percentage Detected: 1.88%

Win32/Adware.MultiPlug is a Potentially Unwanted Application that, once present on the user's system, may cause applications to display advertising pop-up windows during internet browsing.

5. Win32/RiskWare.NetFilter
Previous Ranking: 4
Percentage Detected: 1.52%

Win32/RiskWare.NetFilter is an application that includes malicious code designed to let an attacker remotely connect to and control the infected system in order to steal sensitive information or install other malware.

6. LNK/Agent.AK
Previous Ranking: 5
Percentage Detected: 1.46%

LNK/Agent.AK is a link that concatenates commands to execute legitimate code while running the threat code in the background. It is similar in its effect to the older autorun.inf type of threat. This vulnerability became known at the time of the discovery of Stuxnet, as it was one of four vulnerabilities exploited by Stuxnet variants.

7. Win32/Sality
Previous Ranking: 6
Percentage Detected: 1.36%

Sality is a polymorphic file infector. When executed, it starts a service and creates or deletes registry keys related to security applications active on the system, and ensures that the malicious process restarts at each reboot of the operating system.

It modifies EXE and SCR files and disables services and processes belonging to security solutions.

More information relating to a specific signature: http://www.eset.eu/encyclopaedia/sality_nar_virus__sality_aa_sality_am_sality_ah

8. HTML/Iframe
Previous Ranking: N/A
Percentage Detected: 1.34%

Type of infiltration: Virus

HTML/Iframe.B is a generic detection of malicious IFRAME tags embedded in HTML pages which redirect the browser to a specific URL hosting malicious software.

9. Win32/Danger.DoubleExtension
Previous Ranking: N/A
Percentage Detected: 1.26%

Win32/Danger.DoubleExtension is the name of a generic detection for files that use two or more extensions in the filename (to appear to be a document, picture, etc.) while the real file format is PE32. The last file extension is an executable one.

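A file-name and header heuristic in the spirit of the Win32/Danger.DoubleExtension description above, added here as an example and not ESET's own detection logic: the extension lists and the MZ/PE sample bytes are constructed for this page, and the collapsing of whitespace padding between extensions goes slightly beyond what the description states.

```python
"""Heuristic for Win32/Danger.DoubleExtension-style file names.

Added example, not ESET's detection: flag a file whose name ends in an
executable extension preceded by a document or picture extension
("report.pdf.exe") and confirm the "real format is PE32" part of the
description by checking the MZ and PE headers of its first bytes.
"""
from __future__ import annotations

# Extensions a user expects to open harmlessly (constructed list).
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".txt",
                 ".rtf", ".jpg", ".jpeg", ".png", ".gif", ".bmp", ".mp3", ".avi", ".zip"}
# Extensions Windows executes on double-click (constructed list).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}


def extensions(filename: str) -> list[str]:
    """All extensions in the name, lower-cased, in order.

    "Invoice.PDF.exe" -> [".pdf", ".exe"]; "setup.exe" -> [".exe"].
    Whitespace padding ("photo.jpg      .exe"), used to push the real
    extension out of view in file listings, is collapsed.
    """
    parts = filename.strip().split(".")
    return ["." + p.strip().lower() for p in parts[1:] if p.strip()]


def is_pe32(data: bytes) -> bool:
    """True if data has a DOS 'MZ' header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def double_extension_verdict(filename: str, header: bytes) -> dict:
    """Combine the name heuristic with the content check.

    `masquerading_name` is the name-only signal, `is_pe32` the content
    signal; `suspicious` requires both, as the description does (two or
    more extensions, the last one executable, real format PE32).
    """
    exts = extensions(filename)
    masquerading = (len(exts) >= 2
                    and exts[-1] in EXECUTABLE_EXTS
                    and exts[-2] in DOCUMENT_EXTS)
    pe = is_pe32(header)
    return {"filename": filename, "extensions": exts,
            "masquerading_name": masquerading, "is_pe32": pe,
            "suspicious": masquerading and pe}


# Constructed samples, not real files: a minimal MZ stub whose e_lfanew
# (offset 0x3C) points at a "PE\0\0" signature at offset 0x40, and a PDF head.
SAMPLE_PE_HEADER = (b"MZ" + b"\0" * (0x3C - 2)
                    + (0x40).to_bytes(4, "little") + b"PE\0\0")
SAMPLE_PDF_HEADER = b"%PDF-1.4\n%constructed sample\n"

if __name__ == "__main__":
    for name, head in (("Invoice_2014.pdf.exe", SAMPLE_PE_HEADER),
                       ("holiday.jpg      .scr", SAMPLE_PE_HEADER),
                       ("Invoice_2014.pdf", SAMPLE_PDF_HEADER),
                       ("setup.exe", SAMPLE_PE_HEADER)):
        v = double_extension_verdict(name, head)
        print(f"{name!r:28} suspicious={v['suspicious']} exts={v['extensions']}")
```

In practice the header bytes come from reading the first 4 KiB of the file; a name that masquerades but is not PE32 is still worth logging separately, which is why the verdict keeps both signals.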
10. INF/Autorun
Previous Ranking: 7
Percentage Detected: 1.2%

INF/Autorun is a generic detection of versions of the autorun.inf configuration file created by malware. The malicious AUTORUN.INF file contains the path to the malware executable. This file is usually dropped into the root folder of all the available drives in an attempt to autorun a malware executable when the infected drive is mounted. The AUTORUN.INF file(s) may have the System (S) and Hidden (H) attributes present in an attempt to hide the file from Windows Explorer.

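Added example, not ESET's INF/Autorun signature, of how the characteristics described for INF/Autorun in the reports above (an autorun.inf pointing at an executable on the drive, optionally carrying the Hidden and System attributes) can be checked from a script: the launch keys `open`, `shellexecute` and `shell\<verb>\command` are the ones Windows honoured in autorun.inf, the executable-extension list is an assumption, and both sample .inf bodies are constructed for this page.

```python
"""Triage heuristic for autorun.inf files on removable media.

Added example, not ESET's INF/Autorun signature: parse the [autorun] section
for the entries Windows used to launch a program (open=, shellexecute=,
shell\\<verb>\\command=), report any target with an executable extension and,
on Windows, whether the .inf itself carries the Hidden and System attributes.
"""
from __future__ import annotations

import os
import stat

EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js"}


def parse_ini(text: str) -> dict[str, dict[str, str]]:
    """Minimal INI parser -> {section: {key: value}} with lower-cased names.

    Hand-written instead of configparser so that malformed lines, common in
    dropped autorun.inf files, are skipped rather than raising.
    """
    sections: dict[str, dict[str, str]] = {}
    current = None
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections


def first_token(command: str) -> str:
    """Program path from a command line, honouring "quoted path" /switches."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def launch_targets(inf_text: str) -> list[str]:
    """Executable paths the autorun.inf would launch, de-duplicated, in file order."""
    targets: list[str] = []
    for key, value in parse_ini(inf_text).get("autorun", {}).items():
        is_launch_key = key in ("open", "shellexecute") or (
            key.startswith("shell\\") and key.endswith("\\command"))
        if not is_launch_key:
            continue
        target = first_token(value)
        basename = target.replace("\\", "/").rsplit("/", 1)[-1]  # either separator style
        if os.path.splitext(basename)[1].lower() in EXECUTABLE_EXTS and target not in targets:
            targets.append(target)
    return targets


def triage_autorun_file(path: str) -> dict:
    """Read one autorun.inf from disk and combine content and attribute evidence."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        targets = launch_targets(fh.read())
    attrs = getattr(os.stat(path), "st_file_attributes", 0)  # Windows-only field
    wanted = stat.FILE_ATTRIBUTE_HIDDEN | stat.FILE_ATTRIBUTE_SYSTEM
    return {"path": path, "targets": targets, "suspicious": bool(targets),
            "hidden_and_system": (attrs & wanted) == wanted}


# Constructed samples (not from a real infection). The first has the shape the
# description gives: the .inf points at an executable elsewhere on the same drive.
SAMPLE_MALICIOUS_INF = """[AutoRun]
open=RECYCLER\\S-1-5-21-1482476501\\setup.exe
shell\\open\\Command=RECYCLER\\S-1-5-21-1482476501\\setup.exe
shell\\explore\\command="RECYCLER\\S-1-5-21-1482476501\\setup.exe" /explore
icon=%SystemRoot%\\system32\\shell32.dll,4
"""
SAMPLE_BENIGN_INF = "[autorun]\r\nicon=drive.ico\r\nlabel=Backup Drive\r\n"
```

To sweep mounted media, call `triage_autorun_file` on `<drive root>/autorun.inf` for each drive; `launch_targets(SAMPLE_MALICIOUS_INF)` returns the single setup.exe path while the benign sample returns an empty list.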