Top 10 spyware threats for September 2006

Sunbelt Software announced the top ten most prevalent spyware threats for the month of September. The results are based on monthly scans performed by Sunbelt’s award-winning antispyware product CounterSpyâ„?. This month, SpySheriff has moved up the list with more instances of the rogue application being detected on users’ machines. SpySheriff uses fake alerts and false positives to lure users into purchasing its software and is known to be distributed through exploits that also download adware and spyware without users’ consent.

The top ten most prevalent spyware threats for the month of September are:

     1.  DesktopScam                                        1.50%
2. Trojan-Downloader.Zlob.Media-Codec 1.36%
3. Virtumonde 0.90%
4. Zango.SearchAssistant 0.78%
5. SpySheriff 0.76%
6. Command Service 0.70%
7. Trojan.Smitfraud 0.65%
8. Trojan.WinlogonHook.Delf.A 0.63%
9. DollarRevenue 0.54%
10. StartPage.TimesSquare 0.46%


This program is used to trick the affected user into purchasing certain security applications. DesktopScam will display false warnings that the computer is infected and uses a fake Windows update globe to trick the user into thinking that Microsoft Windows is reporting a spyware infection. Clicking on this notification directs the user to a pre-defined website to order malware removal software. In some cases the SecurityToolbar.DesktopScam may be present as well.


Trojan-Downloader.Zlob.Media-Codec is a trojan that installs rogue security software on the infected machine without notice and consent. It purports to be a needed codec or upgrade to Windows Media Player when users attempt to watch certain adult/porn videos to trick the user into downloading it. Once downloaded, it contacts remote servers and initiates the download of rogue security software such as SpywareQuake.


Virtumonde is an adware program that displays pop-up advertisements on the desktop and also downloads other software from various remote servers. There are many variants of Virtumonde, some with trojan-like behaviors including downloading other software without notice and consent, transmitting information to remote servers without notice and consent, and lowering system security on the infected machine.


Zango.SearchAssistant opens new browser windows showing websites based on the previous websites you visit. The adware will run in the background on a computer and will periodically direct users to other sponsors' websites, allowing users to compare prices between websites. While the Software is installed on the computer, Zango may collect information about users and the websites visited. This information will be used to provide users with comparative shopping opportunities when they are most relevant. By installing and/or using the Software users grant permission for Zango to periodically display sponsors' websites.


SpySheriff is a purported antispyware application to scan for and remove spyware from users' computers. SpySheriff is known to be distributed through exploits that also download adware or spyware on users' computers without notice or consent. When SpySheriff is downloaded through an exploit, it puts a red icon in the system tray and shows a false warning that the computer is infected with spyware.

Command Service

Command Service is an adware application that opens pop-ups and displays various types of advertising on the user's desktop while browsing web pages. Command Service is installed by a number of drive-by downloaders, including IE-Plugin.


Trojan.Smitfraud downloads and installs programs that purport to scan for adware and spyware and typically display false reports of spyware in order to frighten the user into paying for the program.


WinlogonHook.Delf.A is a backdoor trojan that gives an attacker the ability to control the infected machine without the user's knowledge. It attaches itself to the Winlogon process and runs every time Windows is booted up and may contact remote servers to download and install additional malware.


DollarRevenue is an adware program that spawns pop-up advertising on the desktop and downloads other adware. It is typically installed without consent or notice through a security exploit and is accompanied by additional adware. DollarRevenue files can contact the internet and initiate the download of so much adware that the computer may become unusable. It is known to have been installed from the same site as a password stealing trojan.


StartPage.TimesSquare hijacks the IE start page and search pages and displays ads. Antivirus software identifies this as a Trojan.StartPage variant.

Don't miss