Total percentage of the top 10: 26.0 %

[Chart: Malware distribution by percentage within the top 10]
Rank Name Percentage
1 Adware.Relevant.CC 8.84 %

Adware.Relevant.CC is the detection of software named "Relevant Knowledge". It analyses the user's computer usage activity, which may include monitoring web surfing activities or data entered into web forms. The software may also occasionally present the user with surveys. It is often installed unknowingly as part of a software bundle. This software is declared as potentially unwanted.

This detection belongs to the category of potentially unwanted programs (PUP). The program is unusually large (45MB in 30 files) and is signed by a company named "Beijing AmazGame Age Internet Technology".
It installs itself on the system persistently, so it is executed again with each system reboot, even if the user ends the process. The program also manipulates the system's firewall settings to allow all data traffic. It monitors browser use, logs user data and displays unwanted ads.

This detection belongs to the category of potentially unwanted programs (PUP). It describes alleged system helpers, named BrowserProtect, BrowserProtector, Search Protect, BrowserDefender, BrowserManager or similar, which often come bundled with potentially unwanted extras. In many cases, the third-party software package providers earn money for each install (pay per install). The toolbars, signed by Conduit, permanently change the browser start page and the default search engine and also prepare the browser to show targeted ads. The software is often part of software packages that users download from third-party websites and not directly from the original provider.

Gen:Variant.Graftor.739 is the detection of potentially unwanted programs (PUP) which change the browser's settings to generate monetary profit for the attackers. They change the browser's start page as well as the user-set search engine. Furthermore, they display additional ad banners and pop-ups within the browser. The software blocks the browser, so the user can hardly reset the settings the PUP made.
The software is often part of software packages that users download from third-party websites and not directly from the original provider.

Gen:Adware.Plush.1 is a potentially unwanted browser extension named "Plus HD", available for Google Chrome, Microsoft Internet Explorer and Mozilla Firefox. The extension lures users with the promise of increasing the quality of YouTube videos, which is not true.
The extension changes the browser start page as well as the default search engine and also prepares the browser to show targeted ads. It also redirects the user to unwanted websites, e.g. discount coupon or price comparison sites.

Gen:Variant.Adware.Graftor.125313 is the detection of potentially unwanted programs (PUP) which change the browser's settings to generate monetary profit for the attackers. They change the browser's start page as well as the user-set search engine. Furthermore, they display additional ad banners and pop-ups within the browser. The software blocks the browser, so the user can hardly reset the settings the PUP made.
The software is often part of software packages that users download from third-party websites and not directly from the original provider.

Iframes are commonly used in HTML code. Attackers often misuse iframes to hide malicious content within a legitimate website. Script.Packed.IFrame.K@gen detects a packer that is used to pack (malicious) iframe code within the HTML code, with the intention of making the code invisible to AV protection.

Gen:Variant.Graftor.82095 is the detection of potentially unwanted programs (PUP) which change the browser's settings to generate monetary profit for the attackers. They change the browser's start page as well as the user-set search engine. Furthermore, they display additional ad banners and pop-ups within the browser. The software blocks the browser, so the user can hardly reset the settings the PUP made.
The software is often part of software packages that users download from third-party websites and not directly from the original provider.

Win32.Application.Somoto.C is the detection of an installer for potentially unwanted programs (PUP) and adware. Third-party providers take popular software such as, in this case, the FLV Player, bundle it with potentially unwanted extras and offer it on third-party websites. In many cases, the third-party software package providers earn money for each install (pay per install).
This PUP changes the browser's start page as well as the user-set search engine to somoto.com. Furthermore, it displays additional ad banners and pop-ups within the browser. Even after uninstallation, the adware and its settings remain active, because it has planted itself deeply into the system.

NSIS.Adware.OneClickDownloader.B is a potentially unwanted browser extension named One-Click Downloader or 1Click Downloader, available for Google Chrome, Microsoft Internet Explorer and Mozilla Firefox. The extension changes the browser start page as well as the default search engine and also prepares the browser to show targeted ads. Ad banners and pop-ups show unwanted offers.

2 Adware.NewNextMe.A 4.13 %
3 Win32.Application.SearchProtect.O 2.46 %
4 Gen:Variant.Graftor.739 2.14 %
5 Gen:Adware.Plush.1 2.10 %
6 Gen:Variant.Adware.Graftor.125313 2.04 %
7 Script.Packed.IFrame.K@gen 1.12 %
8 Gen:Variant.Graftor.82095 1.10 %
9 Win32.Application.Somoto.C 1.06 %
10 NSIS.Adware.OneClickDownloader.B 1.01 %

Methodology

The Malware Information Initiative (MII) relies on the power of the online community and any customer that purchases a G Data security solution can take part in this initiative. The prerequisite for this is that they must have activated this function in their G Data program. If a computer malware attack is fended off, a completely anonymous report of this event is sent to G Data SecurityLabs. The data about the malware is collected and statistically assessed by G Data SecurityLabs.

Total percentage of the top 10: 23.78 %

[Chart: Malware distribution by percentage within the top 10]
Rank Name Percentage
1 Adware.Relevant.CC 8.06 %

Adware.Relevant.CC is the detection of software named "Relevant Knowledge". It analyses the user's computer usage activity, which may include monitoring web surfing activities or data entered into web forms. The software may also occasionally present the user with surveys. It is often installed unknowingly as part of a software bundle. This software is declared as potentially unwanted.

Gen:Variant.Adware.Graftor.125313 is the detection of potentially unwanted programs (PUP) which change the browser's settings to generate monetary profit for the attackers. They change the browser's start page as well as the user-set search engine. Furthermore, they display additional ad banners and pop-ups within the browser. The software blocks the browser, so the user can hardly reset the settings the PUP made.
The software is often part of software packages that users download from third-party websites and not directly from the original provider.

This detection belongs to the category of potentially unwanted programs (PUP). It describes alleged system helpers, named BrowserProtect, BrowserProtector, Search Protect, BrowserDefender, BrowserManager or similar, which often come bundled with potentially unwanted extras. In many cases, the third-party software package providers earn money for each install (pay per install). The toolbars, signed by Conduit, permanently change the browser start page and the default search engine and also prepare the browser to show targeted ads. The software is often part of software packages that users download from third-party websites and not directly from the original provider.

Win32.Trojan.WProtect.A is the detection of potentially unwanted programs (PUP) which change the browser's settings to generate monetary profit for the attackers. They change the browser's start page as well as the user-set search engine. Furthermore, they display additional ad banners and pop-ups within the browser. The software blocks the browser, so the user can hardly reset the settings the PUP made.
The software is often part of software packages that users download from third-party websites and not directly from the original provider. To appear trustworthy, the software is signed by a company named "Cherished Technology Limited".

This detection belongs to the category of potentially unwanted programs (PUP). The program is unusually large (45MB in 30 files) and is signed by a company named "Beijing AmazGame Age Internet Technology".
It installs itself on the system persistently, so it is executed again with each system reboot, even if the user ends the process. The program also manipulates the system's firewall settings to allow all data traffic. It monitors browser use, logs user data and displays unwanted ads.

Win32.Application.Somoto.C is the detection of an installer for potentially unwanted programs (PUP) and adware. Third-party providers take popular software such as, in this case, the FLV Player, bundle it with potentially unwanted extras and offer it on third-party websites. In many cases, the third-party software package providers earn money for each install (pay per install).
This PUP changes the browser's start page as well as the user-set search engine to somoto.com. Furthermore, it displays additional ad banners and pop-ups within the browser. Even after uninstallation, the adware and its settings remain active, because it has planted itself deeply into the system.

This detection belongs to the category of potentially unwanted programs (PUP). The program is unusually large (45MB in 30 files) and is signed by a company named "Beijing AmazGame Age Internet Technology".
It installs itself on the system persistently, so it is executed again with each system reboot, even if the user ends the process. The program also manipulates the system's firewall settings to allow all data traffic. It monitors browser use, logs user data and displays unwanted ads.

Script.Trojan-Ransom.Browlock.A is the detection of a ransom Trojan which uses JavaScript to seemingly lock the victim's screen, thereby suggesting that the whole computer has been locked down. The attackers demand a ransom, but victims should never pay the money, especially in this case, in which a browser/PC restart is already enough to remove the lock.

This detection belongs to the category of potentially unwanted programs (PUP). It describes software that often comes bundled with potentially unwanted extras. In many cases, the third-party software package providers earn money for each install (pay per install).
In the current case, the potentially unwanted extra is a toolbar. The toolbar changes the browser start page and the default search engine and also prepares the browser to show targeted ads in Mozilla Firefox, Microsoft Internet Explorer and Google Chrome. It monitors browser use, logs user data and displays unwanted ads.
The software is often part of software packages that users download from third-party websites and not directly from the original provider.

Script.Trojan.ExtendedProtection.B is an unwanted Google Chrome extension which injects advertising functionality into the browser and monitors its user. It changes the browser's start page as well as the user-set search engine. It monitors browser use and logs user activity data.
The extension cannot be removed by using the uninstall functionality in Google Chrome.

2 Gen:Variant.Adware.Graftor.125313 3.16 %
3 Win32.Application.SearchProtect.O 2.41 %
4 Win32.Trojan.WProtect.A 2.21 %
5 Win32.Adware.NextLive.A 1.79 %
6 Win32.Application.Somoto.C 1.78 %
7 Adware.NewNextMe.A 1.55 %
8 Script.Trojan-Ransom.Browlock.A 1.11 %
9 Win32.Application.Amonetize.A 0.86 %
10 Script.Trojan.ExtendedProtection.B 0.85 %

Total percentage of the top 10: 20.84 %

[Chart: Malware distribution by percentage within the top 10]
Rank Name Percentage
1 Adware.Relevant.CC 6.13 %

Adware.Relevant.CC is the detection of software named "Relevant Knowledge". It analyses the user's computer usage activity, which may include monitoring web surfing activities or data entered into web forms. The software may also occasionally present the user with surveys. It is often installed unknowingly as part of a software bundle. This software is declared as potentially unwanted.

Script.Trojan-Ransom.Browlock.A is the detection of a ransom Trojan which uses JavaScript to seemingly lock the victim's screen, thereby suggesting that the whole computer has been locked down. The attackers demand a ransom, but victims should never pay the money, especially in this case, in which a browser/PC restart is already enough to remove the lock.

This detection belongs to the category of potentially unwanted programs (PUP). It describes alleged system helpers, named BrowserProtect, BrowserProtector, Search Protect, BrowserDefender, BrowserManager or similar, which often come bundled with potentially unwanted extras. In many cases, the third-party software package providers earn money for each install (pay per install). The toolbars, signed by Conduit, permanently change the browser start page and the default search engine and also prepare the browser to show targeted ads. The software is often part of software packages that users download from third-party websites and not directly from the original provider.

Gen:Variant.Adware.Graftor.125313 is the detection of potentially unwanted programs (PUP) which change the browser's settings to generate monetary profit for the attackers. They change the browser's start page as well as the user-set search engine. Furthermore, they display additional ad banners and pop-ups within the browser. The software blocks the browser, so the user can hardly reset the settings the PUP made.
The software is often part of software packages that users download from third-party websites and not directly from the original provider.

This detection belongs to the category of potentially unwanted programs (PUP). It describes alleged system helpers, named BrowserProtect, BrowserProtector, Search Protect, BrowserDefender, BrowserManager or similar, which often come bundled with potentially unwanted extras. In many cases, the third-party software package providers earn money for each install (pay per install). The toolbars, signed by Conduit, permanently change the browser start page and the default search engine and also prepare the browser to show targeted ads. The software is often part of software packages that users download from third-party websites and not directly from the original provider.

Win32.Application.Somoto.C is the detection of an installer for potentially unwanted programs (PUP) and adware. Third-party providers take popular software such as, in this case, the FLV Player, bundle it with potentially unwanted extras and offer it on third-party websites. In many cases, the third-party software package providers earn money for each install (pay per install).
This PUP changes the browser's start page as well as the user-set search engine to somoto.com. Furthermore, it displays additional ad banners and pop-ups within the browser. Even after uninstallation, the adware and its settings remain active, because it has planted itself deeply into the system.

This detection belongs to the category of potentially unwanted programs (PUP). It describes the alleged system helper RegClean Pro, which is considered to be scareware. The software is often part of software packages that users download from third-party websites and not directly from the original provider.
RegClean Pro allegedly performs system scans and displays the results, several critical errors, to the user, who then needs to buy the software to repair the imaginary errors. We do not recommend the usage or purchase of this software. Further information can be found in our G Data SecurityBlog: http://goo.gl/UafSeQ

Win32.Application.InstalleRex.D is the detection of potentially unwanted programs (PUP) which change the browser's settings to generate monetary profit for the attackers. They change the browser's start page as well as the user-set search engine. Furthermore, they display additional ad banners and pop-ups within the browser.
This software has the ability to download and install other programs without requesting the user's permission.
The software is often part of software packages that users download from third-party websites and not directly from the original provider.

Win32.Application.Wajam.A is the detection of potentially unwanted programs (PUP) which change the browser's settings to generate monetary profit for the attackers. They change the browser's start page as well as the user-set search engine to wajam.com. Furthermore, they display additional ad banners and pop-ups within the browser.
The software is often part of software packages that users download from third-party websites and not directly from the original provider.

Adware.Agent.NZU is a Google Chrome extension which injects DealPly advertising functionality into the browser.
DealPly belongs to the category Adware. This tool is often bundled with a third-party installation program and thereby possibly installed unintentionally by the user (Potentially Unwanted Program). The tool installs itself as a browser helper object (BHO)/extension/add-on in the popular browsers if any of these is installed. DealPly monitors browsed pages in order to display advertisements of deals for various products and businesses, like discount coupons, on every page the user visits.

2 Script.Trojan-Ransom.Browlock.A 2.88 %
3 Win32.Application.ConduitBrothersoftTB.B 2.25 %
4 Gen:Variant.Adware.Graftor.125313 1.89 %
5 Win32.Application.SearchProtect.O 1.71 %
6 Win32.Application.Somoto.C 1.50 %
7 Win32.Application.RegCleanPro.A 1.34 %
8 Win32.Application.InstalleRex.D 1.32 %
9 Win32.Application.Wajam.A 1.02 %
10 Adware.Agent.NUZ 0.80 %

Total percentage of the top 10: 11.68 %

[Chart: Malware distribution by percentage within the top 10]
Rank Name Percentage
1 Adware.Relevant.CC 3.12 %

Adware.Relevant.CC is the detection of software named "Relevant Knowledge". It analyses the user's computer usage activity, which may include monitoring web surfing activities or data entered into web forms. The software may also occasionally present the user with surveys. It is often installed unknowingly as part of a software bundle. This software is declared as potentially unwanted.

This detection belongs to the category of potentially unwanted programs (PUP). It describes software that often comes bundled with potentially unwanted extras. In many cases, the third-party software package providers earn money for each install (pay per install).
In the current case, the potentially unwanted extra is the 'Babylon Toolbar'. The toolbar changes the browser start page and the default search engine and also prepares the browser to show targeted ads. It disguises itself as a Browser Helper Object (BHO) or add-on in Mozilla's Firefox and Microsoft's Internet Explorer. The software is often part of software packages that users download from third-party websites and not directly from the original provider.

This detection refers to parts of the program AddLyrics, which belongs to the category Adware. It is a browser plugin which adds subtitles to music videos watched on YouTube. Besides this official functionality, the plugin also displays advertisements on different websites like Google, Bing or Facebook. The browser settings are changed to achieve this functionality.

The malware family DealPly belongs to the category Adware. This tool is often bundled with a third-party installation program and thereby possibly installed unintentionally by the user (Potentially Unwanted Program). The tool installs itself as a browser helper object (BHO)/extension/add-on in the popular browsers if any of these is installed. DealPly monitors browsed pages in order to display advertisements of deals for various products and businesses, like discount coupons, on every page the user visits.

This detection refers to parts of the program AddLyrics, which belongs to the category Adware. It is a browser plugin which adds subtitles to music videos watched on YouTube. Besides this official functionality, the plugin also displays advertisements on different websites like Google, Bing or Facebook. The browser settings are changed to achieve this functionality.

This detection belongs to the category of potentially unwanted programs (PUP). It describes alleged system helpers, named BrowserProtect, BrowserProtector, Search Protect, BrowserDefender, BrowserManager or similar, which often come bundled with potentially unwanted extras. In many cases, the third-party software package providers earn money for each install (pay per install). The toolbars, signed by Conduit, permanently change the browser start page and the default search engine and also prepare the browser to show targeted ads. The software is often part of software packages that users download from third-party websites and not directly from the original provider.

The malware family DealPly belongs to the category Adware. This tool is often bundled with a third-party installation program and thereby possibly installed unintentionally by the user (Potentially Unwanted Program). The tool installs itself as a browser helper object (BHO)/extension/add-on in the popular browsers if any of these is installed. DealPly monitors browsed pages in order to display advertisements of deals for various products and businesses, like discount coupons, on every page the user visits.

This detection belongs to the category of potentially unwanted programs (PUP). It describes a variety of software (e.g. Zoomex, wxDfast, conTinuEtosave, etc.) which starts as a process after the installation and/or functions as a browser plugin/BHO. This software comes with potentially unwanted functions, such as links to unknown websites within the folder “C:\Documents and Settings\All Users\Start Menu\Programs\{ApplicationName}”. The software is often part of software packages that users download from third-party websites and not directly from the original provider.

Adware.Agent.NTM is the detection of a browser extension named "Wajam" which is often (unwillingly) installed through software bundles. The self-proclaimed "social search" spreads the user's search requests to friends in the common social networks. Besides the publicly explained functions, however, the software also extracts and processes further user data. This software is declared as potentially unwanted.

This detection refers to parts of the program AddLyrics and belongs to the category Adware. It is a browser plugin which adds subtitles to music videos streamed on YouTube. Besides this official functionality, the plugin also displays advertisements on different websites, which can hinder the user from surfing the web properly. Some of the browser's settings are changed to achieve this functionality.

2 Gen:Variant.Adware.BHO.Bprotector.1 1.62 %
3 JS:AddLyrics-B [Adw] 1.38 %
4 Adware.DealPly.F 0.87 %
5 JS:AddLyrics-D [Adw] 0.86 %
6 Win32:SearchProtect-C [Adw] 0.84 %
7 Adware.DealPly.B 0.83 %
8 Gen:Adware.MPlug.1 0.74 %
9 Adware.Agent.NTM 0.73 %
10 Gen:Variant.Adware.AddLyrics.5 0.69 %

Total percentage of the top 10: 11.79 %

[Chart: Malware distribution by percentage within the top 10]
Rank Name Percentage
1 Gen:Variant.Adware.BHO.Bprotector.1 2.57 %

This detection belongs to the category of potentially unwanted programs (PUP). It describes software that often comes bundled with potentially unwanted extras. In many cases, the third-party software package providers earn money for each install (pay per install).
In the current case, the potentially unwanted extra is the 'Babylon Toolbar'. The toolbar changes the browser start page and the default search engine and also prepares the browser to show targeted ads. It disguises itself as a Browser Helper Object (BHO) or add-on in Mozilla's Firefox and Microsoft's Internet Explorer. The software is often part of software packages that users download from third-party websites and not directly from the original provider.

This detection belongs to the category of potentially unwanted programs (PUP). It describes alleged system helpers, named BrowserProtect, BrowserProtector, Search Protect, BrowserDefender, BrowserManager or similar, which often come bundled with potentially unwanted extras. In many cases, the third-party software package providers earn money for each install (pay per install). The toolbars, signed by Conduit, permanently change the browser start page and the default search engine and also prepare the browser to show targeted ads. The software is often part of software packages that users download from third-party websites and not directly from the original provider.

This detection refers to parts of the program AddLyrics, which belongs to the category Adware. It is a browser plugin which adds subtitles to music videos watched on YouTube. Besides this official functionality, the plugin also displays advertisements on different websites like Google, Bing or Facebook. The browser settings are changed to achieve this functionality.

This detection refers to parts of the program AddLyrics, which belongs to the category Adware. It is a browser plugin which adds subtitles to music videos watched on YouTube. Besides this official functionality, the plugin also displays advertisements on different websites like Google, Bing or Facebook. The browser settings are changed to achieve this functionality.

The malware family DealPly belongs to the category Adware. This tool is often bundled with a third-party installation program and thereby possibly installed unintentionally by the user (Potentially Unwanted Program). The tool installs itself as a browser helper object (BHO)/extension/add-on in the popular browsers if any of these is installed. DealPly monitors browsed pages in order to display advertisements of deals for various products and businesses, like discount coupons, on every page the user visits.

Win32:DNSChanger-VJ [Trj] is part of a rootkit. It tries to protect other malware components, for example by blocking access to update sites for security updates and signature updates. Any access to these website hosts is resolved to "localhost", which effectively makes them unreachable. It is called DNSChanger because it manipulates DNS resolution.

This detection belongs to the category of potentially unwanted programs (PUP). It describes alleged system helpers, named BrowserProtect, BrowserProtector, Search Protect, BrowserDefender, BrowserManager or similar, which often come bundled with potentially unwanted extras. In many cases, the third-party software package providers earn money for each install (pay per install). The toolbars, signed by Conduit, permanently change the browser start page and the default search engine and also prepare the browser to show targeted ads. The software is often part of software packages that users download from third-party websites and not directly from the original provider.

This detection belongs to the Sirefef Trojan family's rootkit component. It copies its own .dll with variable names into the Windows system folder (/WINDOWS/system32). Furthermore, it performs several other system modifications to disguise the Sirefef Trojan malware. Its main intention is to manipulate search engine results in web browsers to lead users to click on the manipulated results and therefore generate money for the attackers (pay per click ads).

This detection belongs to the category of potentially unwanted programs (PUP). It describes a variety of software (e.g. Zoomex, wxDfast, conTinuEtosave, etc.) which starts as a process after the installation and/or functions as a browser plugin/BHO. This software comes with potentially unwanted functions, such as links to unknown websites within the folder “C:\Documents and Settings\All Users\Start Menu\Programs\{ApplicationName}”. The software is often part of software packages that users download from third-party websites and not directly from the original provider.

Adware.DomaIQ.I is the detection of an installer for potentially unwanted programs (PUP) and adware. Third-party providers take popular software such as, in this case, Adobe Flash Player or Oracle Java, bundle it with potentially unwanted extras and offer it on third-party websites. In many cases, the third-party software package providers earn money for each install (pay per install).
The installer's dialogs are laid out to trick the user into installing the third-party software: e.g. a simple, light gray "decline" link is shown barely noticeably in a corner, while a prominent "next" button dominates the dialog.

2 Win32:SearchProtect-C [Adw] 1.58 %
3 JS:AddLyrics-B [Adw] 1.54 %
4 JS:AddLyrics-D [Adw] 1.00 %
5 Adware.DealPly.B 0.99 %
6 Win32:DNSChanger-VJ [Trj] 0.98 %
7 Application.BProtector.A 0.89 %
8 Win64:Sirefef-A [Trj] 0.77 %
9 Gen:Adware.MPlug.1 0.76 %
10 Adware.DomaIQ.I 0.71 %

Total percentage of the top 10: 15.27 %

Rank Name Percentage Malware distribution by percentage within the top 10
1 Gen:Variant.Adware.BHO.Bprotector.1 3.88 %

This detection belongs to the category of potentially unwanted programs (PUP). It describes software that often comes bundled with potentially unwanted extras. In many cases, the third-party software package providers earn money for each install (pay per install).
In the current case, the potentially unwanted extra is the 'Babylon Toolbar'. The toolbar changes the browser start page and the default search engine and also prepares the browser to show targeted ads. It disguises itself as a Browser Helper Object (BHO) or add-on in Mozilla's Firefox and Microsoft's Internet Explorer. The software is often part of software packages that users download from third-party websites and not directly from the original provider.

This detection refers to parts of the program AddLyrics, which belongs to the category adware. It is a browser plugin that adds subtitles to music videos watched on YouTube. Besides this official functionality, the plugin also displays advertisements on different websites such as Google, Bing or Facebook. The browser settings are changed to achieve this functionality.

This detection belongs to the category of potentially unwanted programs (PUP). It describes an installation manager named Ibryte Optimum Installer. Its advertising suggests that users should use this manager to download and install updates for existing software (such as Adobe PDF Reader). In fact, such updates can and should be downloaded from the original provider.
The manager offers to install other software besides the updates, such as alleged system helpers which are classified as PUP. In many cases, the third-party software package providers earn money for each install (pay per install).

This detection refers to parts of the program AddLyrics, which belongs to the category adware. It is a browser plugin that adds subtitles to music videos watched on YouTube. Besides this official functionality, the plugin also displays advertisements on different websites such as Google, Bing or Facebook. The browser settings are changed to achieve this functionality.

The malware pretends to install the program "File Scout" on the computer. Besides this intended installation, another component is also installed, which belongs to the malware class Downloader. This downloader is capable of downloading and installing further malicious software from the internet. To hide itself, Trojan.Downloader.JQAC uses the name of the Macromedia Flash update mechanism. Possible installation paths on the infected system are, for example, System\FlashPlayerUpdateService.exe or System\Macromed\Flash\FlashPlayerUpdateService.exe.

Exploit.IFrame.Gen describes an IFrame which points to a remote server. Attackers insert this IFrame at the end of HTML documents, mostly automated. The remote server can be prepared by the attackers to perform malicious activities.

The malware family DealPly belongs to the category Adware. This tool is often bundled with some third-party installation program and thereby possibly unintentionally installed by the user (Potentially Unwanted Program). The tool installs itself as browser helper object (BHO)/extension/add-on to the popular browsers if any of these is installed. DealPly monitors browsed pages for displaying advertisements of deals for various products and businesses, like discount coupons, on every page the user visits.

This detection belongs to the Sirefef Trojan family's rootkit component. It copies its own .dll with variable names into the Windows system folder (/WINDOWS/system32). Furthermore, it performs several other system modifications to disguise the Sirefef Trojan malware. Its main intention is to manipulate search engine results in web browsers to lead users to click on the manipulated results and therefore generate money for the attackers (pay per click ads).

This detection belongs to the category of potentially unwanted programs (PUP). It describes a variety of software (e.g. Zoomex, wxDfast, conTinuEtosave) which starts as a process after installation and/or functions as a browser plugin/BHO. This software comes with potentially unwanted functions, such as links to unknown websites placed in the folder “C:\Documents and Settings\All Users\Start Menu\Programs\{ApplicationName}”. The software is often part of software packages that users download from third-party websites and not directly from the original provider.

Trojan.Agent.BALB is the detection of a batch file which manipulates registry keys and services. Its main tasks are to deactivate user account control (UAC); to deactivate services of Windows Defender, Windows Updates and the Security Center; to remove the start entry for Windows Defender; to deactivate warning messages for the Security Center; to add a Run key for malware and to modify the winlogon entry.

2 JS:AddLyrics-B [Adw] 2.45 %
3 Gen:Variant.Graftor.10487 1.54 %
4 JS:AddLyrics-D [Adw] 1.32 %
5 Trojan.Downloader.JQAC 1.24 %
6 Exploit.IFrame.Gen 1.17 %
7 Adware.DealPly.B 1.12 %
8 Win64:Sirefef-A [Trj] 0.87 %
9 Gen:Adware.MPlug.1 0.85 %
10 Trojan.Agent.BALB 0.83 %

Total percentage of the top 10: 19.63 %

Rank Name Percentage Malware distribution by percentage within the top 10
1 Gen:Variant.Adware.BHO.Bprotector.1 4.32 %

This detection belongs to the category of potentially unwanted programs (PUP). It describes software that often comes bundled with potentially unwanted extras. In many cases, the third-party software package providers earn money for each install (pay per install).
In the current case, the potentially unwanted extra is the 'Babylon Toolbar'. The toolbar changes the browser start page and the default search engine and also prepares the browser to show targeted ads. It disguises itself as a Browser Helper Object (BHO) or add-on in Mozilla's Firefox and Microsoft's Internet Explorer. The software is often part of software packages that users download from third-party websites and not directly from the original provider.

The malware pretends to install the program "File Scout" on the computer. Besides this intended installation, another component is also installed, which belongs to the malware class Downloader. This downloader is capable of downloading and installing further malicious software from the internet. To hide itself, Trojan.Downloader.JQAC uses the name of the Macromedia Flash update mechanism. Possible installation paths on the infected system are, for example, System\FlashPlayerUpdateService.exe or System\Macromed\Flash\FlashPlayerUpdateService.exe.

This detection refers to parts of the program AddLyrics, which belongs to the category adware. It is a browser plugin that adds subtitles to music videos watched on YouTube. Besides this official functionality, the plugin also displays advertisements on different websites such as Google, Bing or Facebook. The browser settings are changed to achieve this functionality.

This detection belongs to the category of potentially unwanted programs (PUP). It describes an installation manager named Ibryte Optimum Installer. Its advertising suggests that users should use this manager to download and install updates for existing software (such as Adobe PDF Reader). In fact, such updates can and should be downloaded from the original provider.
The manager offers to install other software besides the updates, such as alleged system helpers which are classified as PUP. In many cases, the third-party software package providers earn money for each install (pay per install).

This detection belongs to the category of potentially unwanted programs (PUP). It describes alleged system helpers, named BrowserProtector, BrowserDefender, BrowserManager or similar, which often come bundled with potentially unwanted extras. In many cases, the third-party software package providers earn money for each install (pay per install). In the current case, the potentially unwanted extras are 'Delta Toolbar' and/or 'Babylon Toolbar'. The toolbars change the browser start page and the default search engine and also prepare the browser to show targeted ads. The software is often part of software packages that users download from third-party websites and not directly from the original provider.

This detection refers to parts of the program AddLyrics, which belongs to the category adware. It is a browser plugin that adds subtitles to music videos watched on YouTube. Besides this official functionality, the plugin also displays advertisements on different websites such as Google, Bing or Facebook. The browser settings are changed to achieve this functionality.

The malware family DealPly belongs to the category Adware. This tool is often bundled with some third-party installation program and thereby possibly unintentionally installed by the user (Potentially Unwanted Program). The tool installs itself as browser helper object (BHO)/extension/add-on to the popular browsers if any of these is installed. DealPly monitors browsed pages for displaying advertisements of deals for various products and businesses, like discount coupons, on every page the user visits.

This detection belongs to the category of potentially unwanted programs (PUP). It describes a variety of software (e.g. Zoomex, wxDfast, conTinuEtosave) which starts as a process after installation and/or functions as a browser plugin/BHO. This software comes with potentially unwanted functions, such as links to unknown websites placed in the folder “C:\Documents and Settings\All Users\Start Menu\Programs\{ApplicationName}”. The software is often part of software packages that users download from third-party websites and not directly from the original provider.

This detection belongs to the category adware. It is a browser plugin which is used, among other things, to display unwanted advertisements, especially on Google websites.

Win32:DNSChanger-VJ [Trj] is part of a rootkit. It tries to protect other malware components, for example by blocking access to update sites for security updates and signature updates. Any access to these hosts is resolved to "localhost", which effectively makes them unreachable. It is called DNSChanger because it manipulates DNS resolution.

2 Trojan.Downloader.JQAC 3.74 %
3 JS:AddLyrics-B [Adw] 3.01 %
4 Gen:Variant.Graftor.10487 2.54 %
5 Adware.BHO.BProtector.C 1.65 %
6 JS:AddLyrics-D [Adw] 1.44 %
7 Adware.DealPly.B 0.93 %
8 Gen:Adware.MPlug.1 0.87 %
9 JS:Iframe-DHY [Trj] 0.57 %
10 Win32:DNSChanger-VJ [Trj] 0.56 %

Total percentage of the top 10: 32.01 %

Rank Name Percentage Malware distribution by percentage within the top 10
1 Gen:Variant.Adware.BHO.Bprotector.1 12.10 %

This detection belongs to the category of potentially unwanted programs (PUP). It describes software that often comes bundled with potentially unwanted extras. In many cases, the third-party software package providers earn money for each install (pay per install).
In the current case, the potentially unwanted extra is the 'Babylon Toolbar'. The toolbar changes the browser start page and the default search engine and also prepares the browser to show targeted ads. It disguises itself as a Browser Helper Object (BHO) or add-on in Mozilla's Firefox and Microsoft's Internet Explorer. The software is often part of software packages that users download from third-party websites and not directly from the original provider.

This detection refers to parts of the program AddLyrics, which belongs to the category adware. It is a browser plugin that adds subtitles to music videos watched on YouTube. Besides this official functionality, the plugin also displays advertisements on different websites such as Google, Bing or Facebook. The browser settings are changed to achieve this functionality.

The malware pretends to install the program "File Scout" on the computer. Besides this intended installation, another component is also installed, which belongs to the malware class Downloader. This downloader is capable of downloading and installing further malicious software from the internet. To hide itself, Trojan.Downloader.JQAC uses the name of the Macromedia Flash update mechanism. Possible installation paths on the infected system are, for example, System\FlashPlayerUpdateService.exe or System\Macromed\Flash\FlashPlayerUpdateService.exe.

The malware family WebCake belongs to the category adware. This tool is often bundled with a third-party installation program and thereby unintentionally installed by the user. After installation of the main program, WebCake adds extensions to the browsers Internet Explorer, Google Chrome and Firefox if any of these is installed. Through these extensions the adware is able to display advertisements, such as discount coupons, on every page the user visits.

This detection belongs to the category of potentially unwanted programs (PUP). It describes an installation manager named Ibryte Optimum Installer. Its advertising suggests that users should use this manager to download and install updates for existing software (such as Adobe PDF Reader). In fact, such updates can and should be downloaded from the original provider.
The manager offers to install other software besides the updates, such as alleged system helpers which are classified as PUP. In many cases, the third-party software package providers earn money for each install (pay per install).

This detection belongs to the category of potentially unwanted programs (PUP). It describes alleged system helpers, named BrowserProtector, BrowserDefender, BrowserManager or similar, which often come bundled with potentially unwanted extras. In many cases, the third-party software package providers earn money for each install (pay per install). In the current case, the potentially unwanted extras are 'Delta Toolbar' and/or 'Babylon Toolbar'. The toolbars change the browser start page and the default search engine and also prepare the browser to show targeted ads. The software is often part of software packages that users download from third-party websites and not directly from the original provider.

The malware family WebCake belongs to the category adware. This tool is often bundled with a third-party installation program and thereby unintentionally installed by the user. After installation of the main program, WebCake adds extensions to the browsers Internet Explorer, Google Chrome and Firefox if any of these is installed. Through these extensions the adware is able to display advertisements, such as discount coupons, on every page the user visits.

This detection refers to parts of the program AddLyrics, which belongs to the category adware. It is a browser plugin that adds subtitles to music videos watched on YouTube. Besides this official functionality, the plugin also displays advertisements on different websites such as Google, Bing or Facebook. The browser settings are changed to achieve this functionality.

The malware family WebCake belongs to the category adware. This tool is often bundled with a third-party installation program and thereby unintentionally installed by the user. After installation of the main program, WebCake adds extensions to the browsers Internet Explorer, Google Chrome and Firefox if any of these is installed. Through these extensions the adware is able to display advertisements, such as discount coupons, on every page the user visits.

This detection belongs to the category of potentially unwanted programs (PUP). It describes a variety of software (e.g. Zoomex, wxDfast, conTinuEtosave) which starts as a process after installation and/or functions as a browser plugin/BHO. This software comes with potentially unwanted functions, such as links to unknown websites placed in the folder “C:\Documents and Settings\All Users\Start Menu\Programs\{ApplicationName}”. The software is often part of software packages that users download from third-party websites and not directly from the original provider.

2 JS:AddLyrics-B [Adw] 5.10 %
3 Trojan.Downloader.JQAC 4.11 %
4 Adware.WebCake.C 3.02 %
5 Gen:Variant.Graftor.10487 2.36 %
6 Adware.BHO.BProtector.C 1.53 %
7 Adware.WebCake.A 1.17 %
8 JS:AddLyrics-D [Adw] 0.98 %
9 Adware.WebCake.B 0.82 %
10 Gen:Adware.MPlug.1 0.82 %

Total percentage of the top 10: 20.99 %

Rank Name Percentage Malware distribution by percentage within the top 10
1 Gen:Variant.Adware.BHO.Bprotector.1 7.90 %

This detection belongs to the category of potentially unwanted programs (PUP). It describes software that often comes bundled with potentially unwanted extras. In many cases, the third-party software package providers earn money for each install (pay per install).
In the current case, the potentially unwanted extra is the 'Babylon Toolbar'. The toolbar changes the browser start page and the default search engine and also prepares the browser to show targeted ads. It disguises itself as a Browser Helper Object (BHO) or add-on in Mozilla's Firefox and Microsoft's Internet Explorer. The software is often part of software packages that users download from third-party websites and not directly from the original provider.

This detection belongs to the category of potentially unwanted programs (PUP). It describes alleged system helpers, named Browser Protect, Browser Manager or similar, which often come bundled with potentially unwanted extras. In many cases, the third-party software package providers earn money for each install (pay per install).
In the current case, the potentially unwanted extras are 'Delta Toolbar' and/or 'Babylon Toolbar'. The toolbars change the browser start page and the default search engine and also prepare the browser to show targeted ads.
The software is often part of software packages that users download from third-party websites and not directly from the original provider.

Win32:DNSChanger-VJ [Trj] is part of a rootkit. It tries to protect other malware components, for example by blocking access to update sites for security updates and signature updates. Any access to these hosts is resolved to "localhost", which effectively makes them unreachable. It is called DNSChanger because it manipulates DNS resolution.

This detection belongs to the category of potentially unwanted programs (PUP). It describes an installation manager named Ibryte Optimum Installer. Its advertising suggests that users should use this manager to download and install updates for existing software (such as Adobe PDF Reader). In fact, such updates can and should be downloaded from the original provider.
The manager offers to install other software besides the updates, such as alleged system helpers which are classified as PUP. In many cases, the third-party software package providers earn money for each install (pay per install).

This detection belongs to the category of potentially unwanted programs (PUP). It describes a variety of software (e.g. Zoomex, wxDfast, conTinuEtosave) which starts as a process after installation and/or functions as a browser plugin/BHO. This software comes with potentially unwanted functions, such as links to unknown websites placed in the folder “C:\Documents and Settings\All Users\Start Menu\Programs\{ApplicationName}”. The software is often part of software packages that users download from third-party websites and not directly from the original provider.

This detection belongs to the Sirefef Trojan family's rootkit component. It copies its own .dll with variable names into the Windows system folder (/WINDOWS/system32). Furthermore, it performs several other system modifications to disguise the Sirefef Trojan malware. Its main intention is to manipulate search engine results in web browsers to lead users to click on the manipulated results and therefore generate money for the attackers (pay per click ads).

This Trojan pretends to be a normal .wma audio file, albeit one that can only be played after installing a special codec/decoder on Windows systems. If a user executes the file, the attacker can install all kinds of malicious code on the system. The infected audio files are primarily spread via file sharing networks.

A redirector redirects website visitors to other targets. The redirect target is disguised using e.g. obfuscation technology in JavaScript, so that the actual target URL is only constructed in the user's browser. The redirector itself does not compromise the user's system. However, it will redirect the user to potentially malicious websites without any user involvement and is therefore a popular means of disguising the source of the actual attack.

JS:Decode-AHP [Trj] is an obfuscated redirector which mainly spreads in Asia.
A redirector redirects website visitors to other targets. The redirect target is disguised using e.g. obfuscation technology in JavaScript, so that the actual target URL is only constructed in the user's browser. The redirector itself does not compromise the user's system. However, it will redirect the user to potentially malicious websites without any user involvement and is therefore a popular means of disguising the source of the actual attack.

This malware is another variant component of the Sirefef/ZeroAccess malware family. Its task is to manipulate search engine results in web browsers to lead users to click on the manipulated results and therefore generate money for the attackers (pay per click ads). The file is usually dropped in “%Windows%\Installer\{GUID}\U\” as "80000032.@". It monitors Internet traffic and hijacks the browser session if it encounters one of several predefined URLs.

2 Adware.BHO.BProtector.A 3.24 %
3 Win32:DNSChanger-VJ [Trj] 2.91 %
4 Gen:Variant.Graftor.10487 2.18 %
5 Gen:Adware.MPlug.1 1.08 %
6 Win64:Sirefef-A [Trj] 1.06 %
7 Trojan.Wimad.Gen.1 0.74 %
8 JS:Redirector-PN [Trj] 0.71 %
9 JS:Decode-AHP [Trj] 0.65 %
10 Trojan.Sirefef.XL 0.52 %

Total percentage of the top 10: 21.25 %

Rank Name Percentage Malware distribution by percentage within the top 10
1 Adware.BHO.BProtector.A 8.42 %

This detection belongs to the category of potentially unwanted programs (PUP). It describes alleged system helpers, named Browser Protect, Browser Manager or similar, which often come bundled with potentially unwanted extras. In many cases, the third-party software package providers earn money for each install (pay per install).
In the current case, the potentially unwanted extras are 'Delta Toolbar' and/or 'Babylon Toolbar'. The toolbars change the browser start page and the default search engine and also prepare the browser to show targeted ads.
The software is often part of software packages that users download from third-party websites and not directly from the original provider.

Win32:DNSChanger-VJ [Trj] is part of a rootkit. It tries to protect other malware components, for example by blocking access to update sites for security updates and signature updates. Any access to these hosts is resolved to "localhost", which effectively makes them unreachable. It is called DNSChanger because it manipulates DNS resolution.

This malware is another variant component of the Sirefef/ZeroAccess malware family. Its task is to manipulate search engine results in web browsers to lead users to click on the manipulated results and therefore generate money for the attackers (pay per click ads). The file is usually dropped in “%Windows%\Installer\{GUID}\U\” as "80000032.@". It monitors Internet traffic and hijacks the browser session if it encounters one of several predefined URLs.

This detection belongs to the category of potentially unwanted programs (PUP). It describes a variety of software (e.g. Zoomex, wxDfast, conTinuEtosave) which starts as a process after installation and/or functions as a browser plugin/BHO. This software comes with potentially unwanted functions, such as links to unknown websites placed in the folder “C:\Documents and Settings\All Users\Start Menu\Programs\{ApplicationName}”. The software is often part of software packages that users download from third-party websites and not directly from the original provider.

This malware is another component of the Sirefef/ZeroAccess Trojan family. Usually, this malware is found under the names "80000000.@", "800000cb." or "00000001." in “%Windows%\Installer\{GUID}\U\” or "C:/RECYCLER/S-1-5-18/$****/U".
The malware monitors svchost.exe and injects a DLL file into svchost.exe, which turns out to be another Sirefef component, detected as Gen:Variant.Graftor.31786.
Another intention of this malware is to manipulate search engine results in web browsers to lead users to click on the manipulated results and therefore generate money for the attackers (pay per click ads).

This Trojan pretends to be a normal .wma audio file, albeit one that can only be played after installing a special codec/decoder on Windows systems. If a user executes the file, the attacker can install all kinds of malicious code on the system. The infected audio files are primarily spread via file sharing networks.

This detection belongs to the Sirefef Trojan family's rootkit component. It copies its own .dll with variable names into the Windows system folder (/WINDOWS/system32). Furthermore, it performs several other system modifications to disguise the Sirefef Trojan malware. Its main intention is to manipulate search engine results in web browsers to lead users to click on the manipulated results and therefore generate money for the attackers (pay per click ads).

This detection belongs to the Sirefef Trojan family's rootkit component. These module files are usually dropped in “%Windows%\Installer\{GUID}\U\” as 80000000.@. They modify or add the registry entry “\CLSID\{GUID}\InprocServer32” so that they are loaded after boot-up. These modules check the internet connection by accessing www.google.com. Their main intention is to manipulate search engine results in web browsers to lead users to click on the manipulated results and therefore generate money for the attackers (pay per click ads).

Win32.Aliser.7825 is a file infector which appends 3,372 Bytes of encrypted code to files. The malware infects files in the directory it is stored in. Furthermore, it infects .e*e files in shared directories, with * being a wildcard, for example .exe files. The malware contains a hardcoded list of certain .exe files which it is not going to infect at all.
The malware has techniques which are supposed to make an analysis and also virus signature detection more complicated (anti debugging).
Decrypting the encrypted code, one can find something that might be the author's signature: “ALISA SGWW Kiew’2001”.

This detection belongs to the Sirefef Trojan family's rootkit component. The detected file is usually named "800000cb.@" and can be found in different locations of the operating system. It identifies and manipulates the installed web browser to change search engine results. Its main intention is to lead users to click on these manipulated results and therefore generate money for the attackers (pay per click ads).

2 Win32:DNSChanger-VJ [Trj] 4.48 %
3 Trojan.Sirefef.XL 1.79 %
4 Gen:Adware.MPlug.1 1.33 %
5 Trojan.Sirefef.XF 1.16 %
6 Trojan.Wimad.Gen.1 1.13 %
7 Win64:Sirefef-A [Trj] 1.08 %
8 Trojan.Sirefef.RG 0.69 %
9 Win32.Aliser.7825 0.63 %
10 Win32:Sirefef-AO [Rtk] 0.54 %

Total percentage of the top 10: 17.56 %

Rank Name Percentage Malware distribution by percentage within the top 10
1 Win32:DNSChanger-VJ [Trj] 5.86 %

Win32:DNSChanger-VJ [Trj] is part of a rootkit. It tries to protect other malware components, for example by blocking access to update sites for security updates and signature updates. Any access to these hosts is resolved to "localhost", which effectively makes them unreachable. It is called DNSChanger because it manipulates DNS resolution.

This Trojan pretends to be a normal .wma audio file, albeit one that can only be played after installing a special codec/decoder on Windows systems. If a user executes the file, the attacker can install all kinds of malicious code on the system. The infected audio files are primarily spread via file sharing networks.

This malware is another variant component of the Sirefef/ZeroAccess malware family. Its task is to manipulate search engine results in web browsers to lead users to click on the manipulated results and therefore generate money for the attackers (pay per click ads). The file is usually dropped in “%Windows%\Installer\{GUID}\U\” as "80000032.@". It monitors Internet traffic and hijacks the browser session if it encounters one of several predefined URLs.

This detection belongs to the Sirefef Trojan family's rootkit component. It copies its own .dll with variable names into the Windows system folder (/WINDOWS/system32). Furthermore, it performs several other system modifications to disguise the Sirefef Trojan malware. Its main intention is to manipulate search engine results in web browsers to lead users to click on the manipulated results and therefore generate money for the attackers (pay per click ads).

This malware is another component of the Sirefef/ZeroAccess Trojan family. Usually, this malware is found under the names "80000000.@", "800000cb." or "00000001." in “%Windows%\Installer\{GUID}\U\” or "C:/RECYCLER/S-1-5-18/$****/U".
The malware monitors svchost.exe and injects a DLL file into svchost.exe, which turns out to be another Sirefef component, detected as Gen:Variant.Graftor.31786.
Another intention of this malware is to manipulate search engine results in web browsers to lead users to click on the manipulated results and therefore generate money for the attackers (pay per click ads).

This detection triggers if files try to exploit the security vulnerability described in CVE-2011-2140. Possible file types showing this behaviour: Specially crafted multimedia files, like .MP4.
The infected file's aim is to exploit the security vulnerability to perform further malicious action on the victim computer - e.g. downloading and executing any other malware.

This generic detection triggers if files try to exploit the security vulnerability described in CVE-2011-3402. Possible file types showing this behaviour: specially crafted Microsoft Word documents or specially crafted font files.
The infected file's aim is to exploit the security vulnerability to perform further malicious action on the victim computer - e.g. downloading and executing any other malware.

Win32:ZAccess-PB [Trj] is a detection for the 32 bit and 64 bit DLL file components of the Sirefef/ZeroAccess malware family. Its main goal is to manipulate search engine results in web browsers to lead users to click on the manipulated results and therefore generate money for the attackers (pay per click ads).

This detection belongs to the category of potentially unwanted programs (PUP). It describes a variety of software (e.g. Zoomex, wxDfast, conTinuEtosave) which starts as a process after the installation and/or functions as a browser plugin/BHO. This software comes with potentially unwanted functions, such as links to unknown websites within the folder “C:\Documents and Settings\All Users\Start Menu\Programs\{ApplicationName}”. The software is often part of software packages that users load from third party websites and not directly from the original provider.

This detection belongs to a Sirefef Trojan component, a DLL, and refers to a file named "000000??@" which is usually located at “%Windir%\Installer\U\{GUID}\”. It contains no executable code but an embedded bitcoin miner. With such a miner, the attacker can misuse the infected machine and its computing power to mine this digital currency online.
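The folders and file names given above for the Sirefef/ZeroAccess components ("80000032.@", "80000000.@", "800000cb.", "00000001.", "000000??@") can be turned into a triage check over a file listing. This is an added example, not G Data's code: the function names and sample paths are constructed, and treating any eight-hex-digit name with one of these endings as a match is an assumption that goes beyond the names listed.

```python
import re

# Name shapes as written on the page: eight hex digits followed by ".@", "@" or ".".
# Assumption: any name of this shape is flagged, not only the ones listed.
NAME_RE = re.compile(r"^[0-9a-f]{8}(?:\.@|@|\.)$", re.IGNORECASE)
GUID_RE = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.IGNORECASE)


def sirefef_location(path):
    """Return 'installer' or 'recycler' if path matches a described drop location, else None."""
    parts = [p for p in re.split(r"[\\/]+", path) if p]
    if len(parts) < 4 or not NAME_RE.match(parts[-1]):
        return None
    d = [p.lower() for p in parts[:-1]]
    # ...\Installer\{GUID}\U\<name>  or  ...\Installer\U\{GUID}\<name>
    if len(d) >= 3 and d[-3] == "installer":
        if (GUID_RE.match(d[-2]) and d[-1] == "u") or (d[-2] == "u" and GUID_RE.match(d[-1])):
            return "installer"
    # .../RECYCLER/S-1-5-18/$<elided on the page>/U/<name>
    if len(d) >= 4 and d[-4:-2] == ["recycler", "s-1-5-18"] and d[-2].startswith("$") and d[-1] == "u":
        return "recycler"
    return None


def scan(paths):
    """Filter a listing (e.g. output of a recursive dir) down to matching paths."""
    return [(p, loc) for p in paths if (loc := sirefef_location(p))]


# Constructed sample listing; the GUID and the "$..." folder name are placeholders.
SAMPLE = [
    r"C:\Windows\Installer\{12345678-90ab-cdef-1234-567890abcdef}\U\80000032.@",
    r"C:\Windows\Installer\{12345678-90ab-cdef-1234-567890abcdef}\U\800000cb.",
    r"C:\Windows\Installer\U\{12345678-90ab-cdef-1234-567890abcdef}\0000003f@",
    "C:/RECYCLER/S-1-5-18/$constructed0001/U/00000001.",
    r"C:\Windows\Installer\{12345678-90ab-cdef-1234-567890abcdef}\setup.msi",
    r"C:\Users\alice\Music\80000000.@",  # right name shape, wrong folder
]

if __name__ == "__main__":
    for path, loc in scan(SAMPLE):
        print(f"{loc:9} {path}")
```

A hit is a lead for further inspection rather than proof of infection, since the check looks only at names and locations.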

2 Trojan.Wimad.Gen.1 1.88 %
3 Trojan.Sirefef.XL 1.59 %
4 Win64:Sirefef-A [Trj] 1.44 %
5 Trojan.Sirefef.XF 1.36 %
6 MOV:CVE-2011-2140 [Expl] 1.32 %
7 Exploit.CVE-2011-3402.Gen 1.24 %
8 Win32:ZAccess-PB [Trj] 1.23 %
9 Gen:Adware.MPlug.1 1.00 %
10 Trojan.Sirefef.HU 0.64 %
