Conficker/Downadup Dominates BitDefender's Top Ten Threats For August

Conficker re-emerges after eight months as top e-threat, while the second spot goes to an unusual suspect

August 31, 2009

3 Min Read


BUCHAREST, Romania " August 31, 2009 " The Conficker (aka. Downadup or Kido) worm has re-emerged as the top e-threat on BitDefender's Top Ten E-Threats for August, a countdown of the month's most popular pieces of malware. After more than eight months since it first entered the BitDefender Top 10 E-Threats list, Conficker ranks first with a show-stopping 43 percent of the total amount of infected machines. The worm restricts access to websites associated with IT security vendors. More than that, the latest variant of the worm installs rogue security software on the compromised machines.

Second place belongs to Win32.Induc.A, an unusual piece of malware infecting applications built with Borland (now Embarcadero) Delphi versions 4 through 7. The virus does not infect binary file but rather modifies the SYSCONST.PAS file, injects its malicious code and then compiles the file back. Every application built with the compromised compiler would be infected with the virus. Win32.Induc.A has no malicious payload but its abrupt escalation on the BitDefender Top 10 E-Threats list shows that only few Delphi developers are aware of the widespread infection.

Ranking third on August's Top 10 E-Threats is Win32.Sality.OG, a polymorphic file infector that appends its encrypted code to executable files (.exe and .scr binaries). In order to hide its presence on the infected machine, it deploys a rootkit and attempts to kill antivirus applications installed locally.

In fourth place is Worm.Autorun.VHG, an Internet/network worm that exploits the Windows MS08-067 vulnerability in order to execute itself remotely by using a specially crafted RPC (remote procedure call) package (an approach also used by Win32.Worm.Downadup). The increasing presence of the worm in BitDefender's Top 10 E-Threats reveals that users are still ignoring Microsoft's security advisories and avoid deploying security patches.

Ranking fifth is Win32.Virtob.Gen, a file infector written in assembly language. This piece of malware hides its presence by injecting hooks into other Windows processes, but avoids compromising system files. It also opens a backdoor that can be exploited by a remote attacker to seize control over the infected machine. This is a high-risk infection. For more details on how to remove this threat, visit

Packer.Malware.NSAnti.1 lands at sixth place on BitDefender's Top Ten E-Threats for August. This threat is a generic class that unites different families of malware packed/protected with the NSAnti protection scheme. The NSAnti packing technology allows files to be executed on-the-fly rather than being decompressed on the hard drive, which minimizes the probability of an antivirus scanner to intercept them. NSAnti is also making heavy use of polymorphism (the capacity to modify its code to deter signature-based detection) and is extremely resilient to emulation by crashing the virtual machine it runs into.

Seventh position belongs to Win32.Worm.AutoIT.AC which is an executable file that comes with a folder icon in order to trick users into clicking it. The worm drops a keylogger and starts collecting any sensitive details the user may type in, such as e-banking accounts, e-mail and website passwords and so on. Win32.Worm.AutoIT.AC also creates a file named setup.ini in %System%, which allows it to spread using removable drives. Ranking number eight on the list is Win32.Sality.2.OE, one of the files dropped by Win32.Sality.OG, explained above.

The ninth position is held by GEN:TDSS.Patched.1, a generic routine that deals with Trojan.TDss.AT infections. This e-threat drops other malicious files and injects them into in spoolsv.exe under the name dll.dll. Once infected, the computer's DNS settings are changed in order to redirect legitimate traffic to specific phishing websites.

Win32.Worm.Downadup.Gen lands at number ten on BitDefender'a Top 10 E-Threats for August. It is a worm that relies on the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability (MS08-67) in order to spread to other computers on a local network. The worm is able to send itself from a computer on the network that has already been infected to infect flash drives or a mapped, network-attached storage device, or to launch brute-force attacks against clean computers on a local network.

BitDefender's August 2009 Top 10 E-Threat list includes: Pos name %

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights