
Virus Watch|Malware Miscellany, July 2008

Yury
Kaspersky Lab Expert
Posted August 21, 11:44  GMT
Tags: Malware Miscellany

  1. Greediest Trojan targeting banks
    This month, the winner is a modification of Trojan-Spy.Win32.Bzub.bvq – it's quite modest in its ambitions, targeting a mere 36 banks, a relatively low number for malware in this category.
  2. Greediest Trojan targeting payment systems
    Trojan-Banker.Win32.Banker.qhq targets three payment systems simultaneously.
  3. Greediest Trojan targeting payment cards
    Trojan-Spy.Win32.Banker.qdo targets three payment card systems – exactly the same number as its close relative in the previous category.
  4. Stealthiest malicious program
    July's nomination in this category was taken by Backdoor.Win32.Hupigon.cqzq – notwithstanding the program being packed seven times, it still got added to our antivirus databases.
  5. Smallest malicious program
    In July, Trojan.BAT.KillWin.vx demonstrated its dislike of Windows by using its 36 bytes to delete winlogon.exe, a system file.
  6. Largest malicious program
    The 203MB of Trojan-Win32.Haradon.ga, this month's winner, were spread in the guise of a screensaver.
  7. Most common vulnerability on the Internet
    The category 'Most malicious program', a fixture in previous Miscellanies, is no longer particularly indicative of the malware landscape. So this month we've introduced a new category – 'Most common vulnerability on the Internet', i.e. the one most exploited by malicious users. This month the victory goes to Trojan.Clicker.HTML.Iframe.sy, which makes up more than 12% of all vulnerabilities found on web pages used by malicious users to infect victim machines.
  8. Most common malicious program on the Internet
    The category 'Most common malicious program in email traffic' has also changed. Readers of this column may remember that the winner of that nomination remained unchanged over several months. In order to give a more representative picture, this category is now called 'Most common malicious program on the Internet'. Trojan.Win32.Agent.sav wins out in July, as it was involved in 5.52% of all attempts to infect users.
  9. Most common Trojan family
    Trojan-Downloader.Win32.Zlob makes an appearance this month, with a relatively low 1217 modifications.
  10. Most common virus/ worm family
    This category again features Worm.Win32.AutoRun with another 126 new modifications in July.


Research|New Gpcode - mostly hot air

VitalyK
Kaspersky Lab Expert
Posted August 14, 23:29  GMT
Tags: Ransomware, Gpcode

The latest Gpcode variant, which we wrote about here, is much less of a threat than its predecessors. The claims made by the author about the use of AES-256 and the enormous number of unique keys were a bluff. The author didn't even use a public key in the encryption, so all the information needed to decrypt files is right there in the body of the malicious program.

Our analysis shows that the Trojan uses the 3DES algorithm but the author dug up an off-the-peg Delphi component rather than going to the trouble of creating his own encryption routine. The Trojan's code is pretty messy throughout – and very different in style to previous versions of Gpcode – which indicates that the author isn't much of a programmer.

We've called this new variant Trojan-Ransom.Win32.Gpcode.am. Our antivirus updates include procedures for restoring encrypted files – so if you've fallen victim to Gpcode.am, just update your av databases and run a full scan of your machine. And because Gpcode was spread by another malicious program, P2P-Worm.Win32.Socks.fe, don't be surprised if your antivirus brings some other nasties to light.
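As an added example for this post (written here, not Kaspersky's restoration routine and not the Trojan's code), the Go program below shows why a symmetric key kept in the program body makes recovery possible: it pulls a 3DES key out of a constructed stand-in for the sample and decrypts a file with nothing else. The marker string, key, IV and file layout (IV, then 3DES-CBC with PKCS#7 padding) are assumptions; the post does not describe Gpcode.am's actual layout.

```go
package main
import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"errors"
)
// Constructed stand-in for the malware body: the 24-byte 3DES key follows a marker (real samples have no marker; analysts locate the key by reversing).
const keyMarker = "KEY:"
var sampleBody = []byte("MZ junk code " + keyMarker + "0123456789abcdef01234567" + " more junk")
// extractKey recovers the symmetric key from the program body alone; no private key is involved.
func extractKey(body []byte) ([]byte, error) {
	i := bytes.Index(body, []byte(keyMarker))
	if i < 0 || len(body) < i+len(keyMarker)+24 {
		return nil, errors.New("embedded key not found")
	}
	return body[i+len(keyMarker) : i+len(keyMarker)+24], nil
}

// recoverFile decrypts a file in the assumed layout (8-byte IV, then 3DES-CBC ciphertext, PKCS#7 padded) using only the key taken from the sample.
func recoverFile(body, encrypted []byte) ([]byte, error) {
	key, err := extractKey(body)
	if err != nil {
		return nil, err
	}
	blk, err := des.NewTripleDESCipher(key)
	if err != nil {
		return nil, err
	}
	if len(encrypted) < 2*des.BlockSize || len(encrypted)%des.BlockSize != 0 {
		return nil, errors.New("malformed encrypted file")
	}
	pt := make([]byte, len(encrypted)-des.BlockSize)
	cipher.NewCBCDecrypter(blk, encrypted[:des.BlockSize]).CryptBlocks(pt, encrypted[des.BlockSize:])
	n := int(pt[len(pt)-1]) // PKCS#7: the last byte gives the pad length
	if n == 0 || n > des.BlockSize || !bytes.Equal(pt[len(pt)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding: wrong key or corrupt file")
	}
	return pt[:len(pt)-n], nil
}

// makeFixture builds a file in that layout so recoverFile can be exercised offline; a test fixture for this example, not the Trojan's code.
func makeFixture(key, iv, plain []byte) []byte {
	blk, _ := des.NewTripleDESCipher(key)
	n := des.BlockSize - len(plain)%des.BlockSize
	padded := append(append([]byte{}, plain...), bytes.Repeat([]byte{byte(n)}, n)...)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(blk, iv).CryptBlocks(out, padded)
	return append(append([]byte{}, iv...), out...)
}
```

A wrong key shows up as a padding failure rather than as silently wrong output, which is why the padding check is kept strict.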


Virus Watch|Gpcode - here we go again

VitalyK
Kaspersky Lab Expert
Posted August 11, 20:25  GMT
Tags: Ransomware, Gpcode

Today we heard a disturbing rumor about a new version of Gpcode. We immediately began talking to victims and trawling the Internet for samples.

After some digging, we found a sample that answers the descriptions victims have given us. The program's currently being spread via a botnet (name withheld for security purposes).

Gpcode leaves a text file named crypted.txt which includes a ransom demand of $10. The file also contains the author's contact details: an email address, an ICQ number and a URL. The web page contains the following text in Russian (translated here):


Good day.

We have three pieces of news for you: one not very good and two very good. We'll start with the not very good one.

The not very good news is that all your files have been encrypted with the modern AES-256 algorithm.
The program uses the public/private key method.
99999 keys are used for encryption; one key is used on each infected machine, with no repeats.

Brute-forcing the keys of the AES-256 algorithm is impossible in the next 1000 years.

There is no hope in the antivirus companies.

The AES-256 algorithm is used by the American special services to encrypt their documents.

And here is the first piece of good news:
The files can be decrypted.

The second very good piece of news:
To decrypt them you need to pay only 10 dollars.

Virus Watch|Antivirus Fraudware Goes Mobile?

VitalyK
Kaspersky Lab Expert
Posted August 08, 13:32  GMT
Tags: Mobile Malware, Rogue Security Solutions

We came across some interesting mobile phone software yesterday. It's designed for the J2ME platform for mobiles and it's a midlet with a Kaspersky Anti-Virus icon. The application mimics the behavior of our antivirus software; it deliberately simulates the detection of a virus and then shows an error message.

At first, we thought it was a new fraudware program designed to steal money from mobile users' accounts, but after checking its behavior, we came to the conclusion that it's just a demonstration – looks like somebody was having a bit of fun. The program doesn't modify the system or try to steal any money.

Although the program isn't malicious in itself, we detect it as FraudTool – even though the program's safe to run, we think that users should be notified about it. Because it's not malicious, we've added the prefix not-a-virus. If we see another modification of this application which attempts to trick the user in some way and steal money from his/her account, we'll remove the prefix and the program will be detected as true malware.

Here's a video clip showing how the program works (in Russian only – but even if you don't speak Russian, you might still find it interesting!):

Detection for this program was added on 7th August. We decided to call it not-a-virus:FraudTool.J2ME.KaspAV.a, because it mimics the behavior of our antivirus product for mobiles.


Incidents|Taking down botnets

Roel
Kaspersky Lab Expert
Posted August 06, 19:57  GMT
Tags: Botnets, Cybercrime Legislation

Let’s start with a few facts. Last week the Dutch police arrested a 19-year-old Dutch man for selling a botnet to a Brazilian, who was also arrested. The ‘Shadow’ botnet is made up of around 100 000 infected machines.

However, the arrest isn’t the end of the story. The Dutch police are working to help the victims. One of the steps they’re taking is informing users that Kaspersky Lab websites include removal instructions (created at the request of the Dutch High Tech Crime Team) on how to get rid of the malware which transformed machines into bots.

The case raises a number of security questions which need to be discussed once the botnet has been dismantled. But in the meantime, if you think your computer might be part of the Shadow botnet, check it with an online scanner such as Kaspersky Online Scanner, and read the removal instructions we’ve posted here. The botnet does include machines from around the world, so you’re not automatically safe just because you don’t live in the Netherlands.

Do remember that the removal instructions only apply to the malware which has been used to create the botnet. These programs may have downloaded additional malware to your machine, so make sure you also scan your computer with an up-to-date antivirus solution.


This week it’s Twitter’s turn to host an attack - one that is targeting both Twitter users and the Internet community at large. In this case it's a malicious Twitter profile twitter.com/[skip]/ with a name that is Portuguese for ‘pretty rabbit’, which has a photo posted advertising a video with girls.

This profile has obviously been created especially for infecting users, as there is no other data except the photo, which contains the link to the video.

If you click on the link, you get a window that shows the progress of an automatic download of a so-called new version of Adobe Flash which is supposedly required to watch the video. You end up with a file labeled Adobe Flash (it’s a fake) on your machine; a technique that is currently very popular.

Virus Watch|Double blow against 2.0

Aleks
Kaspersky Lab Expert
Posted August 01, 15:09  GMT
Tags: Rogue Security Solutions

If you read the IT media, you may have seen reports about the new worm we detected yesterday - Net-Worm.Win32.Koobface, which attacks Facebook and MySpace accounts. We've got four variants so far, and there may well be more to come.

The worm uses a pretty simple approach - a link to a 'video', and then, when the user tries to watch it, s/he gets a message saying they need to update their Flash Player. It's an approach we're seeing a lot at the moment; download the 'Flash Player' file and there's new malware on your machine.

Of course, this isn't the first malware for Facebook or MySpace. We've been checking our collections, and we've found earlier variants of this worm which attack MySpace, but not Facebook. The virus writers behind Koobface are clearly trying to maximize the number of victims - the more there are, the bigger the botnet is going to be.

The guys behind Koobface are also linked to the 'fake antivirus' programs XP Antivirus and Antivirus2009 which are actually spyware. We've detected installers for these spyware programs which also contain the worm code. And Trojan-Downloader.Win32.Fraudload, which was being used to download XP Antivirus etc. is now being used to download the worm files.

The result is a double whammy: in addition to being infected by the worm and herded into a botnet, victim machines are also going to get hit by one of these nasty pieces of spyware.
