Two Top Twenties have been compiled from data generated by the Kaspersky Security Network (KSN) throughout May 2009.
The first Top Twenty is based on data collected by Kaspersky Lab’s version 2009 antivirus product. The ranking is made up of the malicious programs, adware and potentially unwanted programs most frequently detected on users’ computers.
| Position | Change in position | Name |
| 1 | Net-Worm.Win32.Kido.ih | |
| 2 | Virus.Win32.Sality.aa | |
| 3 | Trojan-Dropper.Win32.Flystud.ko | |
| 4 | Trojan.Win32.Autoit.ci | |
| 5 | Trojan.JS.Agent.xy | |
| 6 | Exploit.HTML.CodeBaseExec | |
| 7 | Trojan-Downloader.Win32.VB.eql | |
| 8 | Trojan.Win32.Chifrax.a | |
| 9 | Virus.Win32.Virut.ce | |
| 10 | Virus.Win32.Sality.z | |
| 11 | Worm.Win32.AutoRun.dui | |
| 12 | Packed.Win32.Krap.b | |
| 13 | Packed.Win32.Black.a | |
| 14 | Worm.Win32.Mabezat.b | |
| 15 | Virus.Win32.Alman.b | |
| 16 | Packed.Win32.Klone.bj | |
| 17 | P2P-Worm.Win32.Palevo.ddm | |
| 18 | Trojan.Win32.Swizzor.a | |
| 19 | Exploit.JS.Agent.agc | |
| 20 | Email-Worm.Win32.Brontok.q |
There were no significant changes to the Top Twenty in May.
There are only two newcomers: Palevo.ddm, a P2P worm and Swizzor.a, a Trojan.
The former, in addition to spreading in various public peer-to-peer networks, infects removable media. This gives it an additional boost, helping it to spread even more widely.
The latter utilises some interesting and sophisticated code obfuscation tricks and methods for masking its presence on the system. Since hundreds of new variants of this malicious program are generated every day on cybercriminal servers, this Trojan has made it into both our Top Twenty rankings.
All malicious, advertising and potentially unwanted programs in the first Top Twenty can be grouped according to the main classes of threat, which we detect. In the past few months, the changes in the balance between these classes have not exceeded 5%.
A total of 42,520 unique malicious, advertising, and potentially unwanted programs were detected on users’ computers in May. This figure is almost exactly the same as last month’s.
The second Top Twenty presents data on which malicious programs most commonly infected objects detected on users’ computers. Malicious programs capable of infecting files make up the majority of this ranking.
| Position | Change in position | Name |
| 1 | Virus.Win32.Sality.aa | |
| 2 | Worm.Win32.Mabezat.b | |
| 3 | Trojan-Clicker.HTML.IFrame.aga | |
| 4 | Virus.Win32.Virut.ce | |
| 5 | Net-Worm.Win32.Nimda | |
| 6 | Virus.Win32.Xorer.du | |
| 7 | Virus.Win32.Sality.z | |
| 8 | Virus.Win32.Parite.b | |
| 9 | Virus.Win32.Alman.b | |
| 10 | Virus.Win32.Virut.q | |
| 11 | Net-Worm.Win32.Kido.ih | |
| 12 | Virus.Win32.Small.l | |
| 13 | Email-Worm.Win32.Runouce.b | |
| 14 | Worm.Win32.Fujack.k | |
| 15 | Virus.Win32.Parite.a | |
| 16 | Virus.Win32.Virut.n | |
| 17 | Virus.Win32.Hidrag.a | |
| 18 | Virus.Win32.Sality.ae | |
| 19 | Worm.Win32.Otwycal.g | |
| 20 | Trojan.Win32.Swizzor.a |
Contrary to the trend of the past several months, May saw more changes to the second ranking than the first.
The most interesting changes were: Trojan-Clicker.HTML.IFrame.aga, going straight in to third place, and the appearance, albeit at the bottom of the ranking, of Virus.Win32.Sality.ae.
IFrame.aga is one more version of the iframe that the now widespread Virus.Win32.Virut.ce uses to infect web pages. And Sality.ae is the latest version of the well-known Sality virus. The new variant replaces Sality.y after it dropped out of our ranking in January. As a result, there are three members of this family on our ranking again. Even though it currently props up our second ranking, if previous versions of this malware are anything to go by, we can expect this newcomer to begin climbing.
