February 2, 2012

Doctor Web—the Russian anti-virus vendor—warns users of a Trojan.OneX program that uses infected machines to send spam via Facebook and messaging clients. Currently, two modifications of this Trojan horse with similar features are found regularly in the wild. Given the spreading scheme the number of victims can be extremely large.

Trojan.OneX runs only under 32-bit Windows versions. When run in a 64-bit system, it stops working after downloading a text file from a remote server. Once launched on the infected machine, Trojan.OneX.1 checks if its copy is already present in the system, and then decrypts the remote server address it will use to download a special text file. This file contains several lines in English such as “hahaha! http://goo.gl [...]. jpeg “, with which the Trojan horse substitutes messages the user tries to post to Facebook. Message text is replaced by strings from the file only in the chat mode. In such cases actual messages sent from the infected system are blocked. Every hour, the Trojan horse downloads a new configuration file from a remote server.

Trojan.OneX.1 looks for running processes with the names firefox, iexplore and IEXPLORE in the system, and, if found, injects its code into the processes. Then it takes control of functions responsible for sending messages.

Soon after the first modification of the Trojan horse had been discovered, Doctor Web's virus analysts got hold of another malware sample dubbed Trojan.OneX.2. Unlike the first version, the second modification uses popular messaging software processes such as skype, pidgin, aim, msnmsgr icq.exe, yahoom, ymsg_tray.exe, googletalk, xfire.exe instead of browsers. The mouse and keyboard connected to the infected system are blocked when a message is being sent. Unlike Trojan.OneX.1, Trojan.OneX.2 can parse configuration files in Unicode.

Messages sent by the Trojan horses often contain links to malicious phishing sites. One such site mimics the RapidShare design. Users are prompted to download a JPEG image which in fact is a zip-archive containing Photo14.JPG.scr—an executable file (Trojan.Packed.22289) that incorporates BackDoor.IRC.Bot.1446. This malicious program not only gives attackers access to the infected computer and steals confidential data, but also allows intruders to run various commands on the infected computer, download and install other applications. Notably: Doctor Web registered cases when Trojans BackDoor.IRC.Bot was used to spread Trojan.OneX, which, in turn, contributes to the further spread of BackDoor.IRC.Bot.

The signatures of these malicious programs have been added to the Dr.Web virus database so users whose systems are protected by Dr.Web anti-virus software may rest assured that their machines are well protected.

January 30, 2012

Doctor Web has updated the file monitor Dr.Web SpIDer Guard G3 in single-user Dr.Web products series 6.0 for Windows.

The update moves the scanning exceptions list from the Scanning Engine service to the Dr.Web SpIDer Guard G3 file monitor driver. As a result, the file monitor handles exceptions itself, without recourse to the scanning service. Thus the update increases the anti-virus's overall performance (particularly, the file monitor's) and lowers its resource consumption.

The update is released for Dr.Web Anti-virus and Dr.Web Security Space, as well as for Dr.Web Desktop Security Suite and Dr.Web Server Security Suite with no centralized control tool.

The update will be automatically downloaded by the anti-viruses, but applying it will require a system reboot.

January 30, 2012

Doctor Web is pleased to announce that yet another ISP has launched the Dr.Web AV-Desk service. Since the beginning of this year, the Link group of companies, a provider of IT services to home users and businesses in Moscow and Moscow and Tver regions, has been offering the Dr.Web Anti-Virus service on a subscription basis.

The delivery model whereby licensed anti-virus protection is offered as a service is becoming more popular these days. To a large extent, this is due to the fact that this type of service offers unique opportunities both to providers that deploy it and end users in need of high-quality anti-virus protection.

"A significant share of our customers is comprised of home users. And it is very convenient for them to pay for network access and anti-virus services simultaneously, without having to worry that their anti-virus license may suddenly expire", said Alexander Ryabov, Link General Director. "Moreover, customers is free to choose whatever subscription package best suits them. We take care to provide our subscribers with top-quality services, which, above all, include the most convenient and safe Internet surfing possible. We are confident that the Dr.Web Anti-Virus service will minimize the risk of infecting home computers and data loss.".

To subscribe to the Dr.Web Anti-Virus, visit your personal account area on the provider's website. The Dr.Web AV-Desk Internet Service lets users customize the information protection on their PCs flexibly and efficiently. Users are offered a choice of one of the four subscription packages available for purchase. Essential protection against viruses is included in the Dr.Web Classic package; Dr.Web Standard enhances security using the Anti-spam feature, while the comprehensive Dr.Web Premium provides advanced protection thanks to the HTTP monitor and Parental Control module. The Dr.Web Premium Server package protects Windows Server platforms and is ideal for small companies that prefer to minimize the costs of anti-virus protection, without paying for the annual server license in one lump sum. The subscriber’s account is debited on a monthly basis for both the server license and the Internet connection fee. An additional convenience is that An additional convenience is that subscriptions can be suspended at any time (e.g., for the duration of a vacation or business trip) and resumed whenever desired.

About the Dr.Web AV-Desk Internet Service

Doctor Web was the first anti-virus vendor to offer an anti-virus as a service on the Russian market. The deployment of Dr.Web AV-Desk lets a service provider’s subscribers use the Dr.Web Anti-virus as a service: they can choose how long they want to subscribe, renew their subscriptions automatically, and that means, they can decide for themselves how much they want to spend on anti-virus security. Providing an anti-virus as a service ensures its instant delivery and easy subscription management for home users and business customers. The Dr.Web AV-Desk Internet service was created by Doctor Web in 2007. The number of service providers that deliver the Dr.Web AV-Desk service in different regions of Russia and also in the Ukraine, France, Spain, Netherlands, Mongolia, Kazakhstan, Kyrgyzstan, Bulgaria and Estonia exceeds 350.

Following results shown by the service in 2007, Dr.Web AV-Desk was named the “best product offered as a service” by PC Magazine Russia. In September 2008, Dr.Web AV-Desk was awarded the Grand Gold Medal for “most original scientific and technical solution in communications technology” at the ITE Siberian Fair.

www.av-desk.com

About Link Group of Companies

The Link group of companies has been successfully operating on the telecommunications market in Moscow and the Moscow and Tver regions since 2004. Company members of the group provide a full range of communication services, such as high-speed Internet access, telephone services and digital television as well as maintenance of local and regional telecommunications operator networks.

www.link-region.ru

January 30, 2012

Doctor Web announces the update of the GUI scanner incorporated into the Dr.Web AV-Desk Internet service, as well as Dr.Web Desktop Security Suite and Dr.Web Server Security Suite with the control center.

The update resolves an issue that might cause abnormal termination of the scanner during preparation for scanning.

The update will be downloaded and installed automatically.

January 27, 2012

The Russian anti-virus vendor Doctor Web warns Internet users of the new malignant program that blocks access to Windows. This Trojan horse has been dubbed Trojan.Winlock.5490. The malicious application poses a danger to systems running Microsoft Windows with French locale set as default system language.

Otherwise Trojan.Winlock.5490, written in C, won't run in a system with a different default language. The Trojan horse incorporates anti-debugging features: when loaded, it checks if its process is launched in VirtualBox, QEmu or VMWare environment. If it is, the Trojan horse process is ended. A significant portion of Windows blockers work in the offline mode. They contain an unlock code in their own resources (plain text or encrypted ), or calculate it based on the number of parameters or do not have such a code at all. Trojan.Winlock.5490 belongs to the last group of extortion programs . It deletes itself automatically in a week after installation. However, after having blocked access to Windows it reports to a remote server and sends information about the infected machine, payment card numbers entered by the victim and receives "OK" as a response.

Once Trojan.Winlock.5490 is in the system, it starts an svchost.exe process with its injected code and orders Windows to hide the Task bar and stops all explorer.exe and taskmgr.exe process threads. Then the Trojan.horse adds its registry entry to be launched automatically and displays a window containing a demand to pay 100 euro with Paysafecard or Ukash card. The message language is French. The the card number entered by the victim is sent to the remote command server and the user is informed that the payment will be processed in 24 hours.

Because this Trojan horse does not use unlock codes, users are advised to scan their computers with Dr.Web LiveCD. You can also try to change the date in BIOS (set a date several months later than the current one) and scan hard drives with Dr.Web CureIt!. You may also delete the Trojan horse autorun entry from the Windows Registry found in Software\Microsoft\Windows\CurrentVersion\Run\.

January 26, 2012

Doctor Web—the Russian IT security software developer—unveils Dr.Web Light for Mac OS X. The anti-virus is distributed free of charge via Mac App Store and can be installed on user machines and servers running Mac OS X 10.6 (Snow Leopard) and Mac OS X 10.7 (Lion).

Unlike Dr.Web anti-virus for Mac OS X, Dr.Web Light for Mac OS X doesn't feature Dr.Web SpIDer Guard responsible for real time system protection. Yet the anti-virus is as reliable as any other Dr.Web product and can be used to scan and disinfect files on your hard disk and removable data-storage devices.

As many other applications under Mac OS X, Dr.Web Light for Mac OS X is installed in one click and can be removed as easily. The anti-virus is very user-friendly. For example, if you need to scan a certain file or folder, use the Finder context menu or simply move the object to the scanner window or drag it to the icon in the Dock or the Application area.

In addition, you may use the system menu to start any type of scanning: express, full and custom. The option to scan with administrator privileges which may be necessary to check system files is also available. A user can also create custom scanning rules, include and exclude selected files or folders from scanning and define actions that anti-virus should take upon detection of a threat: cure, delete, move to quarantine.

Dr.Web Light for Mac OS X consumes very little of system resources and can be run on all computers running Mac OS X if they support downloading and updating applications via the Mac App Store. In addition, Mac book users can set the anti-virus to suspend scanning automatically when their laptops start using the battery and thus extended battery life.

Virus definitions for Dr.Web Light for Mac OS X can be updated on schedule or on-demand and the program itself will be updated through the Mac App Store.

If you want to learn more about Dr.Web Light for Mac oS X, click here.

Dr.Web for Mac OS X providing enhanced protection is covered by Dr.Web anti-virus and Dr.Web Desktop Security Suite licenses. You can download the distribution file from the corresponding section of Doctor Web's site. Dr.Web for Mac OS X Server is available under the Dr.Web Server Security Suite licence.

January 25, 2012

Doctor Web announced an update for the GUI scanner incorporated into single-user products of the Dr.Web 6.0 series for Windows. The updated scanner is also included into Dr.Web CureIt! and Dr.Web CureNet! utilities.

The update resolves an issue that might cause abnormal termination of the scanner during preparation for scanning. The update will be downloaded and installed automatically.

With the update, Dr.Web CureIt! can be run in a system protected by avast! Free Antivirus. Incompatibility between the utility and other anti-viruses that wasn't caused by issues in the Dr.Web product was nonetheless resolved following numerous user requests.

To use the updated Dr.Web CureIt! you need to download the distribution file, Dr.Web CureNet! users need to run the update module.

January 25, 2012

Doctor Web—the Russian anti-virus vendor—announces the new version of its online testing service Dr.Web LiveDemo that enables users to test Dr.Web software remotely. The list of products available for testing has been expanded and new features have been implemented.

Dr.Web LiveDemo is a versatile tool that helps system administrators get acquainted with Dr.Web products’ features before they buy them. With Dr.Web LIveDemo you can test Dr.Web products thoroughly without deploying them in your local network—only Doctor Web's resources will be utilized for testing while a user needs only an Internet connection. The service will also be useful for Doctor Web's partners willing to demonstrate Dr.Web products to their corporate clients.

The main improvement coming with the new version is increased flexibility. Now, the test launch date is determined in accordance with customer needs and can be assigned to any day convenient for the customer.

In addition, the new version of Dr.Web LiveDemo offers an expanded list of anti-virus solutions from Doctor Web for testing. For example, users can now try out Dr.Web for MS Exchange and Internet gateways Unix, and take advantage of corresponding check lists. So system administrators get an opportunity to test Dr.Web software in the environment very similar to the one where they will probably run them—in a local network connecting personal computers, various mail servers and an Internet gateway.

Dr.Web LiveDemo service is free. Fill out an application to get access to the service.

January 24, 2012

Doctor Web has upgraded the Dr.Web Anti-rootkit Service in the personal 7.0 products for Windows: Dr.Web anti-virus and Dr.Web Security Space.

The update for Dr.Web Anti-rootkit Service resolves an issue when abnormal system termination could occur upon launching the scanner.

The update will be downloaded and installed automatically.

January 23, 2012

The number of so-called "paid archives" detected by Dr.Web anti-virus software as Trojan.SmsSend is steadily increasing each month. This comes as no surprise since attackers do not need to be skilled programmers to create that kind of malware. Many sites offer so-called "affiliate programs" that thoughtfully provide ready-made solutions — special "design templates" to help you build your own Trojan.SmsSend within a few minutes. The volume of this clandestine market is truly enormous: attackers earn tens of thousands of dollars per month on distributing paid archives. Doctor Web, a Russian information security vendor, is ready to share exclusive information with users on how this mechanism works and advise how to avoid financial losses from the attackers’ activities.

Trojan.SmsSend is normally an executable file that poses as an installer of a useful program. When you try to open such an archive, the computer screen displays the installation window of the corresponding application, and then the program requests that a paid SMS message be sent to a number specified by the attackers. Only then can the installation proceed. In some cases, allegedly in order to activate the program, the user is asked to enter the mobile phone number and then the code obtained in a reply SMS message. By doing this, the victim agrees to the terms of a subscription to a paid service, for which his or her account will be debited monthly. The trick is that such "paid archives" either do not contain the promised application, or the application can be easily downloaded for free from the official developer's website.

Despite the seeming simplicity and obviousness of this fraudulent scheme, the market for such "services" is truly vast. More and more unsophisticated users are responding to offers of web criminals by sending paid SMS for what they could be getting for free. Doctor Web specialists have managed to ascertain the volume of the revenue brought in by malware distributors. Thus, one partner program that is widely advertised in various underground forums and websites, from where it continually attracts new members, promises distributors of Trojan.SmsSend up to $200 a day for sending one-time paid messages to premium numbers. The leaders of this illegal market, occupying the top ten of the most active Trojan distributors, earn $850 to $7,740 a month, the average being $2,678.50.

Revenues obtained from online fraud victim subscriptions to paid services are significantly higher; they can range from $3,000 to $22,000 per attacker monthly, with an average of $8,295.50. One should understand that for online attackers who earn such sums by deceiving Internet users, this activity is their main source of income, and it occupies all their spare time. Moreover, they are well aware that what they are doing is a crime, the responsibility for which is outlined in Article 273 of the Criminal Code of the Russian Federation ("The creation, use and distribution of malicious computer programs").

Trojan.SmsSend viruses are also distributed in a variety of ways that include fake file-sharing websites, web pages specially created to mimic the interface of the Internet resources of official developers of various programmes, e-mail spam, specialist forums, or mass messaging over ICQ protocol. In addition, online fraudsters actively use adnets such as Yandex.Direct and Google AdSense, place contextual advertising in social networks, and are not afraid to send links to malware from previously hacked accounts.

Users can easily avoid such dangers and prevent themselves from falling prey to online scams, if they will just spend a little more time searching for the official site of the manufacturer of the program they are planning to download. In most cases, they will be able to get it absolutely free, and that way, they certainly won’t pay a dime for an archive that contains nothing useful. Well, and if you did fall victim to network attackers, nothing prevents you from submitting a corresponding statement to the police.

Doctor Web is planning a campaign against attackers who use short service numbers when distributing malware. Information on such numbers will be rapidly shared with mobile operators to assist their technical services in deciding whether to terminate individual numbers used in fraudulent schemes.

January 19, 2012

Doctor Web has updated the Scanning Engine service in the sixth version of the Dr.Web for Windows workstations — Dr.Web Anti-Virus, Dr.Web Security Space, and Dr.Web Desktop Security Suite without the Control center.

The update fixes issues that caused the module to crash on some systems. Bugs which in some cases led to repeated scanning of the same file on the disk were also fixed.

The update will be automatically downloaded by the anti-viruses but applying the update will require a system reboot.

18 января 2012 года

Doctor Web, a Russian anti-virus vendor, releases Dr.Web plugin for Microsoft ISA Server and Forefront TMG Internet gateways.

The application protects corporate networks from viruses and spam. It detects and removes all types of malicious software in the data stream passing through Microsoft ISA Server and Forefront TMG via HTTP, FTP, SMTP and POP3. The plugin scans inbound mail traffic for viruses, paid dialers, adware, riskware, hack tools and jokers.

The application integrates with Microsoft ISA Server and Forefront TMG by incorporating their own data filters into Microsoft Firewall Service and Microsoft Forefront TMG Firewall services respectively. The plugin operates on the Dr.Web CMS (Dr.Web Central Management Service) platform that support centralized management of application settings, and its components with the option of remote administration through a web browser over HTTPS protocol. Dr.Web CMS has a built-in Dr.Web CMS Web Console web server with a client authentication, which provides access to the application management to authorized administrators only.

For more information on the plugin features and system requirements, as well as detailed installation guide, please refer to the release notes.

The Dr.Web for Microsoft ISA Server and Forefront TMG is part of a commercially available Dr.Web Gateway Security Suite. If you have purchased the latter, you receive a key file to activate the Dr.Web for Microsoft ISA Server and Forefront TMG, and Unix, Qbik WinGate, Kerio and MIMEsweeper Internet gateways. As an additional component to the basic Anti-virus license, you may choose an Anti-spam.

January 16, 2012

Doctor Web has updated its software product Dr.Web for Android Anti-virus&Anti-spam.

Bugs that caused the #WIPE# command included in the anti-theft component to operate incorrectly have been fixed. (The #WIPE# command is used to restore factory settings and delete all SD card data.). This issue concerned devices running Android versions 2.2 and 2.3. Also fixed was a bug that caused multiple SMS reports to be sent upon entering #SIGNAL# (the action that remotely locks a phone with the Anti-theft feature and activates a special audio signal). In addition, users who have forgotten their Anti-theft passwords can now unlock their mobile devices using Device ID; this feature applies to devices with no IMEI codes.

Among other issues eliminated were the causes of the program crashes that sometimes occurred during blacklist editing.

In the version of Dr.Web for Android that is installed from the Doctor Web site, the Mode display in the anti-virus settings was fixed.

Also, several improvements were made to the updated program interface.

The update concernes users who have installed the anti-virus from the Doctor Web site and all alternative resources with the exception of Android Market. For users of Google Online Store, this update took place in December 2011.

In order to carry out an update via the Doctor Web site, download a new distribution file.