In May, we added Win32/Ramnit to the Microsoft Malicious Software Removal Tool (MSRT) detection capability, as my colleague Scott Molenkamp blogged. As of May 20th, MSRT had disinfected 52,549 computers of the Win32/Ramnit infection. Ramnit is one of the four parasitic viruses among the top 10 detected threat families.

Top 25 detections by MSRT, May 10 – May 20

Family     Machine Count  Note
---------  -------------  -----------------------
Sality           202,351  Classic parasitic virus
Taterf            77,236  Worm
Rimecud           65,149  Worm
Vobfus            59,918  Worm
Alureon           58,884  Evolved parasitic virus
Parite            53,778  Evolved parasitic virus
Ramnit            52,549  Evolved parasitic virus
Brontok           50,392  Worm
Cycbot            50,209  Trojan
Conficker         49,173  Worm
Renocide          48,395  Worm
Bubnix            45,712  Trojan
FakeRean          40,695  Rogue
Zbot              40,087  Trojan
Bancos            39,452  Trojan
Frethog           33,100  Evolved parasitic virus
Banker            31,675  Trojan
Jeefo             22,396  Classic parasitic virus
Renos             21,858  Trojan
Lethic            21,521  Trojan
Cutwail           21,222  Trojan
Virut             20,963  Classic parasitic virus
Hamweq            17,102  Worm
FakeVimes         14,899  Rogue
Hupigon           14,553  Trojan


You may have noticed that Ramnit, like several of the other viruses in the chart above, is classified as an “evolved” virus, that is, as described in Scott’s previous Ramnit post, one that combines earlier and later generations of malicious infection techniques.

Allow me to go ‘back to the book’ for the definition of a parasitic virus. A parasitic virus, or file infector, is a type of ‘old school’ malware that attaches itself to, modifies, or resides in a host file on the file system. Given how invasive this spreading technique is, one may wonder why malware authors are still in love with this old method, particularly when file infectors tend to leave the computer in an unstable state, slow and crashing often, while some even render the infected computer useless.

With today’s malware authors aiming to profit from their victims, one would expect them to be motivated to create stealthy threats with the least possible overhead on the machine, so as to keep the window of time open long enough to harvest data (or perform other payloads).

There are several possible explanations:

  • Malware authors know that the anti-malware industry is targeting them; viruses can sometimes require more effort to detect and clean properly, possibly forcing security companies to invest more resources in the remediation of the threat.
  • Current threats tend to have multiple components. For example, Ramnit’s authors wrote worm modules to help it propagate via USB and network drives, using Autorun.
  • While some file infector viruses such as Sality, Jeefo and Virut are traditional, many other file infectors are not. For example, Alureon and Cutwail will only infect system files or system drivers (e.g. “atapi.sys” or “agp440.sys”). If a system file is infected and becomes hidden, the job of the file-infecting component is done, while the other malicious components continue to execute the payload.
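The last bullet is the defender's angle on file infectors: a system file or driver that should never change outside a patch cycle suddenly has different bytes. As an added example that is not from this post or from Microsoft, the following Python routine builds an integrity baseline (size and SHA-256) over a set of such files and later reports which were modified in place, which went missing, and which appeared without being baselined. The file names and contents are constructed placeholders for the demonstration, not real driver images.

```python
"""Integrity baseline for host files that should not change between patches.

Added example, not code from the MMPC post. Detects the in-place change a
file-infecting component leaves behind, plus removed or newly dropped files.
The 'fake_*.sys' names and contents below are constructed placeholders."""
import hashlib
import json
import os
import tempfile


def sha256_of(path):
    """Hash a file in 64 KiB chunks so large executables need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """Record size and SHA-256 for every file that is expected to stay constant."""
    return {p: {"size": os.path.getsize(p), "sha256": sha256_of(p)} for p in paths}


def verify(baseline, paths):
    """Compare the current state of `paths` against a stored baseline.

    Returns three lists: modified (size or hash differs), missing (baselined but
    no longer present) and unexpected (present but never baselined)."""
    current = set(paths)
    known = set(baseline)
    result = {
        "modified": [],
        "missing": sorted(known - current),
        "unexpected": sorted(current - known),
    }
    for p in sorted(known & current):
        if not os.path.exists(p):
            result["missing"].append(p)
            continue
        expected = baseline[p]
        # Size is a cheap first check; the hash catches same-size overwrites.
        if os.path.getsize(p) != expected["size"] or sha256_of(p) != expected["sha256"]:
            result["modified"].append(p)
    return result


def demo():
    """Baseline three constructed 'driver' files, then change the tree the way an
    integrity check must notice: one file altered, one removed, one new file.
    Returns the report with base names only so it is independent of the temp dir."""
    with tempfile.TemporaryDirectory() as d:
        files = []
        for name in ("fake_atapi.sys", "fake_agp440.sys", "fake_clean.sys"):
            p = os.path.join(d, name)
            with open(p, "wb") as f:
                f.write(b"MZ" + name.encode() * 32)  # constructed placeholder bytes
            files.append(p)
        baseline = build_baseline(files)

        with open(files[0], "ab") as f:        # bytes appended to an existing file
            f.write(b"\x00" * 64)
        os.remove(files[1])                    # baselined file disappears
        dropped = os.path.join(d, "fake_dropped.sys")
        with open(dropped, "wb") as f:         # file that was never baselined
            f.write(b"MZ" + b"dropped" * 8)

        report = verify(baseline, files + [dropped])
        return {k: [os.path.basename(p) for p in v] for k, v in report.items()}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the baseline would be written to disk (the dict serialises directly with `json`) and re-checked on a schedule or at boot, and the list of paths would be the system directories a driver-infecting family like those named above is known to touch.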

Parasitic viruses are not going away; they are still relevant and evolving. Our newly published Microsoft Security Intelligence Report shows the steady presence of viruses as a threat category.

[Image 1 - Detections by Threat Category]


For more information about SIR, refer to http://www.microsoft.com/sir.

Special thanks to Patrick Nolan for his assistance in this post.


-- Scott Wu, MMPC