In the week since its release on December 8, MSRT has cleaned over 2.5 million machines of malware. The new family for December was Win32/Hamweq, an IRC controlled backdoor which spreads via removable drives. Hamweq was removed from 638,491 machines, making it the most prevalent family for the month, with around double the number of removals of Win32/Taterf, the next most prevalent family. Taterf, which is perennially one of the highest reported families by MSRT, also had more than twice the number of removals of the third most prevalent family.

Listed below are some of the families with high numbers of removals for this month.

| Machines Cleaned | Family Name | Notes |
|---|---|---|
| 638491 | Hamweq | Worm targeting removable drives, and IRC controlled backdoor |
| 319998 | Taterf | Worm targeting network/removable drives, and online game password stealer (PWS) |
| 156549 | Conficker | Network worm and malware downloader |
| 104577 | Renos | Rogue antivirus downloader |
| 100050 | FakeXPA | Rogue antivirus |
| 98725 | Cutwail | Multiple component downloader and spammer |
| 90472 | Alureon | Data stealing malware that changes DNS settings |
| 72231 | Frethog | Online game password stealer related to Taterf |
| 62394 | Bancos | Password stealer targeting predominantly Brazilian banks |
| 60109 | FakeSpypro | Rogue antivirus |
| 57645 | Yektel | Rogue antivirus component related to FakeXPA |
| 54908 | Brontok | Mass emailing worm |
| 51150 | Koobface | Multiple component worm targeting social networking sites |
| 43035 | Bredolab | Downloader of numerous malware components |
| 34029 | Parite | File infecting virus |
| 31441 | IRCbot | IRC controlled backdoor |
| 30400 | Jeefo | File infecting virus |
| 27964 | Virut | File infecting virus with IRC controlled backdoor |
| 24361 | Zlob | Multiple component malware family that downloads arbitrary files |
| 24057 | RJump | Worm targeting removable drives |
| 23950 | Banker | Password stealer targeting predominantly Brazilian banks |
| 23377 | Banload | Downloader of bank password stealers |
| 22462 | FakeVimes | Rogue antivirus |
| 20564 | Rustock | Rootkit enabled backdoor used to assist with sending of spam |
| 19294 | Vundo | Adware downloader |
| 15814 | Winwebsec | Rogue antivirus |

Hamweq was prevalent across a wide range of locales worldwide – of the 199 locales where MSRT reported cleaning at least one system, 185 of them reported cleaning a Hamweq infection. Wherever a locale reported high numbers of machines cleaned of malware, reports of Hamweq were also generally high. The main exception to this was Chinese speaking countries, where reports were dominated by online game password stealing malware such as Taterf, Frethog, and Lolyda.

| Locale | Machines cleaned (All Malware) | Locale | Machines Cleaned (Hamweq) |
|---|---|---|---|
| United States | 644025 | United States | 155142 |
| Brazil | 171414 | Spain | 94888 |
| Korea | 156985 | Brazil | 41692 |
| Spain | 167575 | Mexico | 37771 |
| France | 79493 | Korea | 35874 |
| Mexico | 66904 | Poland | 25985 |
| United Kingdom | 63557 | Portugal | 23323 |
| Taiwan | 62616 | France | 18607 |
| Poland | 61817 | Russia | 15505 |
| Turkey | 57972 | United Kingdom | 13414 |
| China | 50730 | Italy | 9520 |
| Russia | 47467 | Chile | 8104 |
| Italy | 45362 | Turkey | 6818 |
| Portugal | 45210 | South Africa | 6554 |
| Japan | 43274 | Australia | 5979 |
| Germany | 39498 | Germany | 5853 |
| Australia | 19124 | Colombia | 5707 |
| Netherlands | 17830 | Japan | 5351 |
| Chile | 13710 | Israel | 4326 |
| Canada | 12678 | Argentina | 3622 |

December’s MSRT release also saw a significant drop in the number of reports for Win32/FakeScanti, a rogue antivirus that was added to MSRT in October. At the corresponding period in October, FakeScanti was the 12th most prevalent family, with removals from 56,700 machines. Shortly afterwards, FakeScanti’s authors stopped modifying the rogue to avoid detection by antivirus products, and as a result we have not needed to add a signature for FakeScanti since October 26. In November, FakeScanti was the 23rd most prevalent family with 20,222 removals, whilst by December it had dropped to 49th with 1,595 removals.

While FakeScanti’s authors may have moved their focus to developing other malware, the rogue can still be downloaded, and we have since seen other malware that installs FakeScanti onto affected systems. Similarly, Win32/FakeSecSen, which was the very first rogue we added to MSRT in November 2008, can still be downloaded even though it has not been updated since later that month, and is still being cleaned in small numbers by MSRT over a year later. This month FakeSecSen was the 54th most prevalent family with 1,031 removals.

The fact that these rogues’ distributors find it worthwhile to continue to host malware that would be detected by most antivirus products shows that unprotected systems are still a rich target for those who would use them for profit, or for other nefarious activities. As usual, we recommend protecting yourself by running Microsoft Security Essentials, or any other reputable antivirus solution.

David Wood
MMPC Melbourne