
Win32/Renocide, the aftermath

March 16th, 2011

On March 8th, we announced the release of our latest Malicious Software Removal Tool (MSRT), a version that included detection and cleaning capabilities for a backdoor-enabled worm we are calling Win32/Renocide. If you are not familiar with this threat, we recommend reading our encyclopedia entry here.

According to our telemetry, this new addition was among the top 5 detected threats in the first week of release, both when classified by number of detected files and by number of infected machines.

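| Rank | Family Name | Threat Count |
|------|-------------|--------------|
| 1 | Sality | 248,250 |
| 2 | Rimecud | 209,208 |
| 3 | Taterf | 178,421 |
| 4 | Renocide | 167,826 |
| 5 | Frethog | 125,781 |
| 6 | Bubnix | 116,772 |
| 7 | Vobfus | 114,850 |
| 8 | Conficker | 88,636 |
| 9 | Zbot | 78,304 |
| 10 | FakeSpypro | 64,904 |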

Chart 1 – Win32/Renocide, detected files


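| Rank | Family Name | Machine Count |
|------|-------------|---------------|
| 1 | Rimecud | 200,267 |
| 2 | Taterf | 160,632 |
| 3 | Sality | 160,579 |
| 4 | Renocide | 123,413 |
| 5 | Vobfus | 107,866 |
| 6 | Frethog | 104,121 |
| 7 | Bubnix | 88,858 |
| 8 | Conficker | 82,192 |
| 9 | Zbot | 72,669 |
| 10 | FakeSpypro | 62,943 |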

Chart 2 – Win32/Renocide, infected machines

The high tally of affected machines reflects Renocide’s relative age; the botnet has been around since 2008 and has slowly but steadily increased its prevalence. Our first detection dates back to the first half of 2008.

If you look at the ranking for machine count, you’ll notice that the first 2 families are also worms. Rimecud is a backdoor-enabled worm (just like Renocide), while Taterf is an account stealer. Although only third in the machine count ranking, Sality leads the threat count ranking because it is a file infector.

You can read more about all the malware families mentioned in this blog post in our encyclopedia. We thank you for using MSRT.

Marian Radu,
MMPC Dublin