Monthly Threat Report: May 2016


Analysis of ESET LiveGrid®, ESET's malware reporting and tracking system, shows that the highest number of detections this month, 8.40% of the total, was scored by JS/Danger.ScriptAttachment.

1. JS/Danger.ScriptAttachment
Previous Ranking: 3
Percentage Detected: 8.40%

JS/Danger.ScriptAttachment is a generic detection of suspicious e-mail attachments.
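A generic detection like this one flags a class of attachment rather than one sample. The Python below is an added example, not ESET's signature logic and not code from the original report: it walks a MIME message, looks inside ZIP attachments without extracting them to disk, and flags Windows-executable script extensions and decoy double extensions. The extension lists and the sample message (built inline, with placeholder attachment contents) are my assumptions, prompted by the JS/ prefix and by the JavaScript downloader ranked second below, not by anything the report specifies.

```python
"""Added example (not ESET's detection logic): flag e-mail attachments of the
kind a generic "script attachment" signature targets.

Assumption (mine, not from the report): the attachments of interest are
Windows-executable scripts, attached directly or inside a ZIP, often with a
decoy double extension such as "invoice.pdf.js"."""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extensions the Windows Script Host / shell executes on double-click (assumed list).
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".cmd", ".bat", ".ps1"}
# Harmless-looking extensions commonly used as the decoy half of a double extension.
DECOY_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".jpg", ".txt"}


def _extensions(name: str) -> list:
    """All dotted extensions of a filename, lowercased: 'a.pdf.js' -> ['.pdf', '.js']."""
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    return ["." + p for p in parts[1:]]


def classify_filename(name: str) -> list:
    """Return the reasons a filename looks suspicious (empty list if none)."""
    reasons = []
    exts = _extensions(name)
    if exts and exts[-1] in SCRIPT_EXTENSIONS:
        reasons.append(f"script extension {exts[-1]}")
        if len(exts) > 1 and exts[-2] in DECOY_EXTENSIONS:
            reasons.append(f"double extension disguised as {exts[-2]}")
    return reasons


def scan_zip(data: bytes, container: str) -> list:
    """List suspicious members of a ZIP held in memory; nothing is written to disk."""
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                for reason in classify_filename(info.filename):
                    findings.append((f"{container}:{info.filename}", reason))
    except zipfile.BadZipFile:
        findings.append((container, "declared as ZIP but not a valid archive"))
    return findings


def scan_message(raw: bytes) -> list:
    """Walk every MIME part of a raw message and return (attachment, reason) pairs."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        if part.get_content_maintype() == "multipart" or not name:
            continue
        payload = part.get_payload(decode=True) or b""
        for reason in classify_filename(name):
            findings.append((name, reason))
        # Trust the magic bytes, not the declared MIME type or the extension.
        if payload.startswith(b"PK\x03\x04"):
            findings.extend(scan_zip(payload, name))
    return findings


def build_sample_message() -> bytes:
    """Constructed sample: a ZIP wrapping a .js file, a bare .vbs, and a benign PDF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice_2016-05.pdf.js", "// constructed placeholder, not real malware\n")
    msg = EmailMessage()
    msg["From"] = "accounting@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see attached.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="invoice.zip")
    msg.add_attachment(b"' placeholder\n", maintype="application", subtype="octet-stream", filename="report.vbs")
    msg.add_attachment(b"%PDF-1.4 placeholder", maintype="application", subtype="pdf", filename="real.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for attachment, reason in scan_message(build_sample_message()):
        print(f"SUSPICIOUS {attachment}: {reason}")
```

The archive is opened from memory and only its directory is read, so a malformed or hostile ZIP is never expanded onto the filter host; the PK magic check also catches a ZIP whose declared MIME type or extension says otherwise.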

2. JS/TrojanDownloader.Nemucod
Previous Ranking: 2
Percentage Detected: 6.71%

JS/TrojanDownloader.Nemucod is a trojan that uses HTTP to try to download other malware. It contains a list of URLs and tries to download several files from those addresses; the downloaded files are then executed. This trojan is now associated with ransomware.

3. Win32/Bundpil
Previous Ranking: 1
Percentage Detected: 5.79%

Win32/Bundpil is a worm that spreads via removable media. The worm contains a URL from which it tries to download several files; the files are then executed. It uses HTTP to communicate with its command and control (C&C) server and receive new commands. The worm may delete files with the following file extensions:
*.exe
*.vbs
*.pif
*.cmd
*Backup

4. Win32/Agent.XWT
Previous Ranking: 4
Percentage Detected: 2.72%

Win32/Agent.XWT is a trojan that serves as a backdoor. It can be remotely controlled and is usually a component of other malware. It collects the operating system version and language settings, then attempts to send the gathered data to a remote machine over HTTP.

5. Win32/Bayrob
Previous Ranking: N/A
Percentage Detected: 1.68%

Win32/Bayrob is a trojan that serves as a backdoor and can be controlled remotely. When executed, the trojan registers itself as a system service so that it runs at every system start. It collects the following information: operating system version, computer name and IP address, other operating system and system settings, MAC address, and a list of running services. The trojan can then send this information to a remote machine over HTTP.

6. HTML/ScrInject
Previous Ranking: 5
Percentage Detected: 1.31%

HTML/ScrInject is a generic detection of HTML web pages containing obfuscated scripts or iframe tags that automatically redirect the browser to a malware download.

7. Win32/Sality
Previous Ranking: 9
Percentage Detected: 1.31%

Sality is a polymorphic file infector. When it is executed, it creates or deletes registry keys related to security applications on the system and makes sure that the malicious process restarts each time the operating system is rebooted. It modifies EXE and SCR files and disables services and processes implemented by and associated with security solutions.

More information relating to a specific signature: http://www.eset.eu/encyclopaedia/sality_nar_virus__sality_aa_sality_am_sality_ah

8. JS/Adware.Agent.L
Previous Ranking: N/A
Percentage Detected: 1.29%

JS/Adware.Agent.L is the detection name for JavaScript code designed to deliver advertisements on an affected PC. When this code is injected into a webpage, it replaces the advertisements it finds with new ones from hxxp://x.rafomedia.com. If the ads it finds are already served from rafomedia, the malware leaves them in place.

9. Win32/Ramnit
Previous Ranking: 7
Percentage Detected: 1.29%

Win32/Ramnit is a file infector that executes every time the system starts. It infects .dll (dynamic link library) and .exe (executable) files and searches for .htm and .html files into which it can insert malicious instructions. It can be controlled remotely to capture screenshots, send the information it has gathered, download files from a remote computer and/or the Internet, run executable files, and shut down or restart the computer.

10. HTML/Refresh
Previous Ranking: 6
Percentage Detected: 1.27%

HTML/Refresh is a trojan that redirects the browser to a specific URL serving malicious software. The malicious program code is usually embedded in HTML pages.
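Both HTML/Refresh (this item) and HTML/ScrInject (item 6) describe page-level tricks that can be checked statically before a page reaches a browser. The scanner below is an added example in Python, not ESET's signature logic and not code from the original report. It flags a meta-refresh redirect to a host other than the page's own, iframes hidden by CSS or sized to 0/1 pixels, and inline scripts that lean on decoding primitives (eval, unescape, String.fromCharCode, document.write) or long runs of escaped characters. The own-host parameter, the obfuscation thresholds and the sample page (constructed inline, using reserved .invalid hostnames) are my assumptions.

```python
"""Added example (not ESET's signature logic): static check of an HTML page for
the indicators behind HTML/Refresh (meta-refresh redirect to a foreign host)
and HTML/ScrInject (hidden iframes, obfuscated inline scripts).

Assumptions (mine): the page's own hostname is known, so "external" can be
decided; a script counts as obfuscated when it uses two or more decoding
primitives or a long run of escaped characters. The sample page is constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

OBFUSCATION_TOKENS = ("eval(", "unescape(", "fromCharCode", "document.write(")
# Eight or more consecutive \xNN, %NN or \uNNNN escapes: typical of packed payloads.
ESCAPED_RUN = re.compile(r"(?:\\x[0-9a-fA-F]{2}|%[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}){8,}")


def is_external(url: str, own_host: str) -> bool:
    """True when the URL names a host other than the page's own; relative URLs are not external."""
    host = urlparse(url).hostname
    return bool(host) and host.lower() != own_host.lower()


def refresh_target(content: str):
    """Extract the URL from a meta refresh content attribute such as '0; url=http://x'."""
    m = re.search(r"url\s*=\s*['\"]?([^'\";]+)", content, re.IGNORECASE)
    return m.group(1).strip() if m else None


def iframe_is_hidden(attrs: dict) -> bool:
    """Hidden via CSS, or sized to 0/1 pixels so the user never sees it."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    dims = [attrs[k].lower().rstrip("px") for k in ("width", "height") if k in attrs]
    return bool(dims) and all(d in ("0", "1") for d in dims)


def script_looks_obfuscated(code: str) -> bool:
    hits = sum(code.count(tok) for tok in OBFUSCATION_TOKENS)
    return hits >= 2 or ESCAPED_RUN.search(code) is not None


class PageScanner(HTMLParser):
    """Collects (indicator, detail) findings while parsing."""

    def __init__(self, own_host: str):
        super().__init__()
        self.own_host = own_host
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            target = refresh_target(a.get("content", ""))
            if target and is_external(target, self.own_host):
                self.findings.append(("meta-refresh", target))
        elif tag == "iframe":
            src = a.get("src", "")
            if iframe_is_hidden(a):
                self.findings.append(("hidden-iframe", src))
            elif is_external(src, self.own_host):
                self.findings.append(("external-iframe", src))
        elif tag == "script":
            self._in_script = True
            if is_external(a.get("src", ""), self.own_host):
                self.findings.append(("external-script", a["src"]))

    def handle_data(self, data):
        # HTMLParser delivers a <script> body to handle_data as one chunk
        # (unless the body itself contains "</"), so this sees the whole script.
        if self._in_script and script_looks_obfuscated(data):
            self.findings.append(("obfuscated-script", data.strip()[:40]))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False


def scan_html(html: str, own_host: str) -> list:
    scanner = PageScanner(own_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page; .invalid is a reserved TLD, so nothing here resolves.
SAMPLE_HTML = """<html><head>
<meta http-equiv="refresh" content="0; url=http://update-flash.example.invalid/setup.exe">
</head><body>
<p>Welcome</p>
<iframe src="http://ads.example.invalid/x.php" width="0" height="0" style="display:none"></iframe>
<script>
var s = unescape("%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%31%29");
eval(s);
</script>
<script src="/static/app.js"></script>
</body></html>"""

if __name__ == "__main__":
    for kind, detail in scan_html(SAMPLE_HTML, "www.example.com"):
        print(f"{kind}: {detail}")
```

A same-host meta refresh is deliberately not reported, since legitimate sites use it; the signal here is the hop to a host the page has no business sending the browser to. The obfuscation heuristic is coarse by design and is meant to surface pages for a second look, not to replace a full signature.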
