News of Doctor Web

Dr.Web for Android available for testing

Mon, 26 Jul 2010 00:00:00 GMT

July 26, 2010

The Russian anti-virus vendor Doctor Web launched public beta-testing of the new Dr.Web product for protection of mobile devices running Android.

The new product scans the entire file system of a mobile device including the phone’s memory where applications files are stored. Malicious objects detected by Dr.Web for Android are moved to the quarantine.

If the file monitor is running, Dr.Web for Android automatically scans each program installed into the device’s memory as well as each file written onto an SD card.

How to install Dr.Web for Android:

Connect the mobile device to a computer using a USB data-cable.
Set the device to work as a storage device.
Copy the drweb-600-android-beta.apk on the SD card.
Disconnect the mobile device from the computer.
Launch any file manager on the device (e.g. you can use ASTRO from the Android Market).
Navigate to the /sdcard directory and find the drweb-600-android-beta.apk file.
Use the application manager to start installation.

Doctor Web welcomes all users willing to participate in the beta-testing of Dr.Web for Android.

Software modules of Dr.Web products 6.0 for Windows workstations and file servers updated

Thu, 22 Jul 2010 00:00:00 GMT

July 22, 2010

Doctor Web updated a number of components included in Dr.Web products from series 6 for Windows workstations and file servers (32- and 64-bit). The update improves stability and compatibility of the products with third-party software. It also provides anti-viruses with optimized algorithms for operation of the GUI and wider integration with the Windows Security Centre.

The SpIDer Guard file monitor is now compatible with third-party software, in particular, with the Device Lock solution and enjoys more stable operation. For the SpIDer Mail monitor processing of IMAP traffic has been optimized. An error in the SpIDer Agent module that might make the My Dr.Web item disappear from the menu has been corrected. Now in anti-virus settings a user can specify how often the Windows Security Centre will display notifications if Dr.Web virus databases used by the anti-virus have become outdated.

Dr.Web solutions 6.0 for Windows will be updated automatically. The update will require a system restart.

Support of Dr.Web products 4.44 ends in six months

Tue, 13 Jul 2010 00:00:00 GMT

July 13, 2010

Doctor Web notifies users that support of Dr.Web products version 4.44 will end on January 31 2011. No updates of virus databases and program modules for the products will be released following that date. In order to continue using Dr.Web it is recommended to switch to newer versions of Dr.Web anti-viruses in advance.

Even though the product line 4.44 appeared in 2007 — which by anti-virus standards is quite a along time ago — some customers still use the older versions of Dr.Web anti-viruses for a number of reasons. Doctor Web reminds its customers that upgrading products with valid licenses is free and won't shorten the usage period.

At the same time upgrading guarantees technical support and up-to-date protection at all times and also provides a variety of components and technologies absent in 4.44 products. The HTTP monitor SpIDer Gate, Parental control, enhanced self-protection, the unique non-signature detection technology Origins Tracing come with the products of the series 5 while the new file monitor, built-in firewall and support of 64-bit systems are available in products of the 6th series.

Please, note that Doctor Web strongly recommends upgrading to newer versions of Dr.Web software before January 31, 2011.

Components of Dr.Web 6.0 products for Windows updated

Thu, 08 Jul 2010 00:00:00 GMT

July 8, 2010

Doctor Web updated a number of components included in Dr.Web products from the series 6 for single user and server products for Windows (32- and 64-bit). The update also provides several fixes and improvements. Most significant changes have been done to three components of the anti-virus control module (agent), HTTP-monitor and self-protection module.

An error that sometimes might make the agent freeze while it was operational has been fixed. An issue related to incorrect displaying of menu items has been resolved and interaction between the component and quarantine manager has been improved. An option to display scanning notifications, when a system hasn’t been checked for viruses for a long time, has been added. It allows a user to start scanning immediately or postpone the procedure. Besides, the feature enabling installing desired interface language packs for the installed anti-virus has been added. In the self-protection disable dialogue window a user can now choose to output a captcha code in audio if for dome reason he is unable to see a captcha image.

The updated HTTP monitor SpIDer Gate allows changing its settings without breaking an Internet connection. Compatibility with non-standard http-clients has been improved significantly. Logging control already available for other modules of the anti-virus has been implemented for SpIDer Gate too. Now the HTTP monitor can operate in the proxy mode with corresponding settings accessible over the graphical interface and supports native script domain names. Compatibility of SpIDer Gate with the firewall has been improved and the option to scan archives is now disabled by default.

Errors in operation of Dr.Web SelfPROtect that might prevent Dr.Web modules from launching under Windows 7, cause critical system errors while communicating over the network or memory leaks in network services have been corrected. An issue that prevented playing sound notifications by the anti-virus with the self-protection enabled under Windows Vista and later has been resolved. Yet the self-protection mechanism has been enhanced with new routines to counteract malware.

The graphical interface and help system have been improved for all the three components and the automatic updating module.

Dr.Web solutions 6.0 for Windows will be updated automatically. The update will require a system restart.

Dr.Web virus databases re-released to prevent false detections

Thu, 08 Jul 2010 00:00:00 GMT

July 8, 2010

Doctor Web announced that it re-released virus databases due to changes done to amalware detection algorithms. These changes allow preventing false detections when scanning objects in RAM. The total size of updated databases is 9 MB.

The re-released databases are available on all Doctor Web updating servers and Dr.Web anti-viruses will download them automatically during updating

Dr.Web for Qbik WinGate keeps your network clean

Wed, 07 Jul 2010 00:00:00 GMT

July 7, 2010

Russian anti-virus vendor Doctor Web announced the release of the Dr.Web for Qbik WinGate plugin. This product is integrated with one of the most popular corporate proxy-servers, and, unlike other solutions on the market today, it can scan Qbik WinGate traffic for spam as well as for viruses.

As employees lose work time to cleaning mailboxes full of spam, and system administrators struggle to divide their time between daily routines and tackling viral and spam incidents, the thorough scanning of mail and Internet traffic has become a significant challenge for organizations.

Dr.Web for Qbik WinGate detects and neutralizes any type of Internet threat that could disrupt network operations and breach security systems. The plugin scans HTTP, FTP, SMTP and POP3 traffic.

The product features unique Dr.Web technologies, such as Origins Tracing, that complement the heuristic analyzer for more reliable detection of unknown viruses.

Dr.Web for Qbik WinGate is the only product on the market today for Qbik WinGate that features an anti-spam module. This module requires no training and supports customized actions for different categories of spam and the creation of black and white e-mail address lists. Guaranteed technical support directly from the developer is another significant advantage of this new Dr.Web product.

Ask for demo | Buy from partners | Buy online

Russian Windows blockers, European “bankers”, and other threats of June 2010

Fri, 02 Jul 2010 00:00:00 GMT

July 2, 2010

Windows blockers remain a major virus threat in Russia. In June, malicious programs demanding that users refill cell phone account balances belonging to criminals constituted 30 percent of Windows blockers incidences. Regular visitors to social networking web sites were also targeted. Visitors who attempted to log on to favourite sites received messages informing them that their accounts had been suspended, and that to unfreeze them, they needed to send paid text messages. Meanwhile, banking Trojans attacked European bank customers, forcing them to surrender their TAN codes to cyber criminals. Such codes are used by some banks for one-time transaction authorizations. However, sometimes even such extreme precautions on the part of banks can’t prevent cyber criminals from inflicting damage.

Windows blockers countermeasures

While Windows blockers continued to terrorize users, Doctor Web did its best to help those whose systems were compromised by malicious programs of this type.

In January 2010, Doctor Web launched its Dr.Web Unlocker web site. The site includes web forms offering unblocking codes for certain phone numbers and text messages displayed by Trojans. Later an unlock code generator was also introduced. The site is updated on a regular basis to address the latest trends in the development of system blocking malware.

In addition, since June 23, 2010, Doctor Web has made its support service available free of charge to every user (regardless of the anti-virus involved) whose system has been blocked by a Windows blocker program and who can’t get help at the unlocker site. To further fight the outbreak, Doctor Web cooperates with law enforcement agencies and provides up-to-date information to the widest audience possible about the current status of the epidemic, including prevention and curing techniques.

During June, Doctor Web’s statistics server registered over 420,000 instances of detection of Windows blockers, down from the previous month’s figure of 940,000+. Most of these programs were detected by Dr.Web anti-viruses as Trojan.Winlock, Trojan.Adultban, and Trojan.Packed.20343.

By the end of June, Trojans demanding cell phone balance refills as ransom amounted to 30 percent of all blockers. Doctor Web's analysts studied numerous cases of systems being infected by such programs and concluded that, in most cases, users wouldn’t receive unlock codes even if they paid the ransom. Once again the facts confirm this rule: no matter how desperate you are, never give money to criminals!.

Below is a gallery of screenshots showing June’s most common Windows blockers.

Social networking web sites – an attraction for criminals

Many users contacting Doctor Web’s technical support service in June were unable to visit social networking and free e-mail service web sites. When trying to load web pages, users got messages informing them that their accounts had been suspended for spamming, and that to continue they would have to send paid text messages. Dr.Web software detected the malicious programs responsible for such messages as Trojan.Hosts.

Reports received at the end of June indicated new modifications to Trojan.Hosts’ demand to refill cell phone balances, demands similar to those made by Windows blockers.

Because Trojan.Hosts and Trojan.Winlock are parts of schemes with similar mechanisms for converting acquired funds into actual money, Doctor Web also helps those whose support requests concern such viruses.

Internet banking users in danger

European bank customers who make wide use of Internet banking, particularly those of Volksbank Austria and German Postbank, became the primary targets of malware in Europe. Banks use TAN codes to achieve better security for online transactions. Each transaction has its own unique TAN code which allows customers to carry out transactions without disclosing their individual PIN codes. But cyber criminals have found a loophole: Users whose computers were infected by malicious programs like Trojan.PWS.Banker or Trojan.PWS.Bancos are prompted to enter TAN codes whenever they try to use an Internet banking system. Codes submitted by users get into the hands of criminals.

The Trojans were able to detect a browser used to access an Internet-banking web site and sprang into action only if the browser was Internet Explorer, demonstrating once again that users of other browsers are better protected from threats lurking on the Internet.

ПGeneral trends of June include the still active Oficla botnet, with four modifications of Trojan.Oficla found among the top 20 malware threats most frequently detected in e-mail. Intruders also often resorted to malicious scripts detected by Dr.Web anti-viruses as JS.Redirector.based.3. Embedded in HTML documents attached to spam messages, they redirect users to web sites that spread malware or to advertisements that typically promote pharmaceutical products.

Malicious files detected in mail traffic in June

01.06.2010 00:00 - 01.07.2010 00:00
1	Trojan.DownLoad1.58681	94881 (10.75%)
2	Trojan.Oficla.38	90647 (10.27%)
3	Trojan.Winlock.1651	73241 (8.30%)
4	Trojan.Oficla.zip	53192 (6.03%)
5	JS.Redirector.based.3	49394 (5.60%)
6	Trojan.Oficla.45	36125 (4.09%)
7	Trojan.Inject.8798	32974 (3.74%)
8	Win32.HLLW.Shadow.based	31944 (3.62%)
9	Trojan.Botnetlog.zip	28964 (3.28%)
10	Trojan.Packed.20425	22365 (2.53%)
11	Trojan.DownLoad1.62000	22311 (2.53%)
12	Trojan.Click1.10425	22229 (2.52%)
13	Win32.HLLW.Kati	16839 (1.91%)
14	Trojan.Inject.8874	12293 (1.39%)
15	Trojan.DownLoader.origin	10000 (1.13%)
16	Trojan.Siggen1.41503	9198 (1.04%)
17	Trojan.Oficla.33	7436 (0.84%)
18	Trojan.Packed.436	6902 (0.78%)
19	Win32.HLLW.Shadow.6	6765 (0.77%)
20	Win32.HLLW.Autoruner.4360	5299 (0.60%)

Total scanned:	13,188,581,400
Infected:	847,004 (0.0642%)

Malicious files detected on user machines in June

01.06.2010 00:00 - 01.07.2010 00:00
1	Trojan.Inject.8798	1265565 (13.62%)
2	Trojan.Siggen1.37243	678958 (7.31%)
3	ACAD.Pasdoc	672529 (7.24%)
4	Trojan.Packed.20343	301736 (3.25%)
5	Trojan.Siggen1.51699	280021 (3.01%)
6	Win32.HLLW.Gavir.ini	279207 (3.01%)
7	Win32.HLLW.Shadow	263432 (2.84%)
8	Win32.HLLW.Shadow.based	263423 (2.84%)
9	Trojan.Siggen1.40023	227444 (2.45%)
10	Trojan.AuxSpy.229	217638 (2.34%)
11	Win32.HLLP.Jeefo.36352	214459 (2.31%)
12	Win32.HLLP.Neshta	214243 (2.31%)
13	VBS.Sifil	207502 (2.23%)
14	Trojan.DownLoad.32973	205901 (2.22%)
15	Trojan.WinSpy.641	198304 (2.13%)
16	Win32.HLLW.Autoruner.5555	125789 (1.35%)
17	Adware.OSSProxy	96510 (1.04%)
18	Win32.HLLM.Generic.440	84592 (0.91%)
19	BackDoor.IRC.Sdbot.4590	72811 (0.78%)
20	VBS.Autoruner.8	63321 (0.68%)

Total scanned:	64,422,986,656
Infected:	9,288,857 (0.0144%)

Components of Dr.Web products for Windows updated

Mon, 28 Jun 2010 00:00:00 GMT

June 28, 2010

Doctor Web updated the SpIDer Guard file monitor and Scanning Engine service included in Dr.Web products for Windows from the 6 series. Upgrades include new scanning and curing algorithms, improve products’ stability and contain some improvements and fixes for a number of known errors.

Now the file monitor SpIDer Guard scans only processes and modules that are actually launched or loaded and ignores system calls to files. Improvements have been done to the quarantine (now it supports a greater number of languages) and the console scanner. The update also improves compatibility with the Windows Security Centre under Windows XP/Vista (Action Center in Windows 7). and error handling algorithm. Curing has also been enhanced for certain file types.

A number of errors that didn’t allow the anti-virus to work properly have been corrected. In particular defects in the procedure for blocking unknown malicious programs launched from removable data storage devices by means of autorun.inf have been corrected. An error that might make the anti-virus increase the CPU load to 100% after updating of virus databases has been fixed. The issue that might cause system freezing and memory leaks has been resolved. Changes have also been done to the algorithm for parsing regular expressions used to specify scan exceptions. Compatibility of products with third-party driver filters has also been improved.

Dr.Web solutions 6.0 for Windows will be updated automatically. The update will require a system restart.

New Dr.Web CureIt! with efficiency improved manyfold

Thu, 24 Jun 2010 16:48:14 GMT

June 24, 2010

The Russian anti-virus vendor Doctor Web announced the release of the completely reworked version of its free utility Dr.Web CureIt! that comes to rescue of millions of users all over the world in the time of need. The updated version features brand new algorithms for neutralization of cyber threats. During beta-testing the utility demonstrated superior efficiency compared with other Dr.Web products. Improvements incorporated into the new Dr.Web CureIt! will be implemented in the commercial version of the utility and later in all Dr.Web products.

The key innovation of Dr.Web CureIt! is its own starter that solves curing issues that arose due to flaws in operation of a standard WinRAR unpacker. It also minimizes the probability for malicious programs to block the utility upon its starting and doesn’t allow unpacking the file without launching it. By now intruders might take advantage of the latter issue and use third party tools to build the utility on their own and spread Trojans disguised as Dr.Web CureIt!.

Dr.Web self-protection is initiated at the earliest phase of launching. New stealth algorithms allowing the utility to remain unnoticed by viruses rule out the possibility of blocking before this point.

In order to deal with widely spread Trojan.Winlock programs the unique blocker neutralization mode has been implemented in Dr.Web CureIt!. Upon launching the utility all its windows are displayed on a protected desktop that can’t be blocked by malware. A user receives a notification informing him that he may continue using Dr.Web CureIt! in the enhanced protection mode (in this mode no other applications can be launched) or switch to the standard mode. If the user decides on staying in the enhanced mode, he won’t be able to change for the standard mode of operation until scanning is completed.

Unlike the previous versions, new Dr.Web CureIt! is fully compatible with various system emergency tools for Windows such as LiveCD.

System requirements of the utility have changed: now it runs only under Windows 2000 and later; support of both 32- and 64-bit systems has been implemented with self-protection and enhanced anti-blocker mode operational in both cases. As before the utility is updated as new virus databases are released to remain up-to-date at all times.

The new Dr.Web CureIt! proved to be highly demanded and received positive feedback from a large number of users during the beta-testing. Developers did their best to ensure that the upgraded utility would remain one of the most powerful tools of emergency anti-virus aid.

Download new Dr.Web CureIt!

Dr.Web e-mail anti-viruses 5.0 for Unix updated

Thu, 17 Jun 2010 00:00:00 GMT

June 17, 2010

Doctor Web updated Dr.Web Mail Gateway and Dr.Web for Unix mail servers 5.0 (32- and 64-bit).

An error that prevented sending notifications upon detection of viruses to users has been corrected.

To apply the update users ofDr.Web for Unix mail servers and Dr.Web Mail Gateway you need to download updated distributions of corresponding products and install them.

New subscribers to Dr.Web anti-virus in Pskov region

Fri, 11 Jun 2010 00:00:00 GMT

June 11, 2010

By now the anti-virus service was available to users in the Pskov region only from one provider. However, from June 2 2010 customers of Pskovskaya GTS, the leader on the telecom market of the city, can also enjoy benefits that come with the best anti-virus software delivery model Currently the number of Internet service subscribers of Pskovskaya GTS exceeds 10 000.

At Pskovskaya GTS extending the range of available services has been on the management’s agenda for quite a while. Nowadays distribution of information security services providing customers with a quick solution to a security problem is among most promising businesses. Therefore, the Internet service Dr.Web AV-Desk that delivers anti-virus software to customers in the SaaS format was a logical choice for the provider.

Prior to deployment of Dr.Web AV-Desk the company became familiar with other services offered to providers by security software developers. However, numerous advantages, ranging from the simple subscription procedure to the large number of providers that already use the solution from Doctor Web which showed that the service was really in high demand, drove the company to choose Dr.Web.

“Our engineers deployed the service within one week. During the internal testing we already realized that Dr.Web AV-Desk met our expectations. I think that easy accessibility and a wide range of subscription control options will satisfy our customers as well”, regional business development manager of Pskovkaya GTS Yury Ekimov said.

About Dr.Web AV-Desk

Doctor Web was the first anti-virus vendor that offered an anti-virus as a service on the Russian market.

Deployment of Dr.Web AV-Desk allows subscribers of a service provider to use Dr.Web anti-virus as a service: choose a desired subscription period, renew their subscription automatically and therefore plan how much they are going to spend on anti-virus security. Providing an anti-virus as a service ensures its instant delivery and easy management of a subscription for home users and business customers. Dr.Web AV-Desk was released by Doctor Web in 2007. The number of service providers that deliver the Dr.Web anti-virus service in different regions of Russia and also in the Ukraine, France, Spain, Netherlands, Mongolia, Kazakhstan, Kyrgyzstan, Bulgaria and Estonia exceeds 250. Following results shown by the service in 2007 it was named the best product-service by PC Magazine Russia. In September 2008 Dr.Web AV-Desk was awarded the large golden medal of the Siberian Fair as an original technical and telecom solution.

www.av-desk.com

About Pskovskaya GTS

Pskovskaya GTS is a long-term player on the market striving to adopt cutting age telecom technologies. It allows the company to deliver high-quality services to more than 60 thousand customers.

www.gtspskov.ru

Dr.Web for Mac OS X updated

Thu, 10 Jun 2010 00:00:00 GMT

June 10, 2010

Doctor Web released an updated version of Dr.Web for Mac OS X.

Issues in operation of the system for updating virus databases and components under Mac OS X 10.4 (Tiger) and 10.5 (Leopard) have been fixed.

In order to update Dr.Web for Mac OS X 10.4 and 10.5, use the updated distribution to install Dr.Web for Mac OS X.

Traffic interception module in Dr.Web products for Windows updated

Mon, 07 Jun 2010 00:00:00 GMT

June 7, 2010

Doctor Web updated the module for interception of mail and HTTP traffic included in Dr.Web products from the series 6 for protection of Windows workstations.

The issue that resulted in incompatibility between the interception module and ISA server clients under Windows thus causing connectivity problems for workstations and rendering the HTTP monitor SpIDer Gate and SpIDer Mail monitor non-operational has been fixed.

Dr.Web solutions 6.0 for Windows workstations will be updated automatically.

Dr.Web compatible with new Kerio firewall

Thu, 03 Jun 2010 00:00:00 GMT

June 3, 2010

Following the release of a new version of the Kerio firewall that has its title changed from WinRoute to Control Doctor Web confirms that the new version is fully compatible with Dr.Web for Kerio WinRoute.

At the end of May Doctor Web tested Kerio Control 7 to determine if it was compatible with the Dr.Web plugin under 32 and 64 bit versions of Windows. Tests showed that the Dr.Web plugin integrated seamlessly with the new Kerio firewall.

“We are glad to continue our cooperation with Doctor Web. Its anti-virus solutions integrate with our new Kerio products very well”, Maxim Akimov, the head of the Kerio Technologies branch office in Russia and CIS said.

Dr.Web e-mail anti-viruses 5.0 for Unix updated

Thu, 03 Jun 2010 00:00:00 GMT

June 3, 2010

Doctor Web updated шеы Dr.Web Mail Gateway and Dr.Web for Unix mail servers 5.0 (32- and 64-bit). The updates provide fixes for a number of known errors.

The update fixes an error related to interaction between the agent and statistics server. The UrlStatisticsServer parameter has been removed from the agent.conf file. If a user doesn’t want statistics to be sent to a server, he will need to set the empty value for the StatisticsServer parameter.

Interaction between the products and the Exim mail server in the local_scan mode has been optimized. Besides, the mail filter has become case sensitive and improvements have been done to the Japanese locale.

To apply the update users of Dr.Web for mail servers Unix and Dr.Web Mail Gateway need to download updated distributions of corresponding products and install them.

Components of Dr.Web 6.0 products for Windows updated

Thu, 03 Jun 2010 15:35:46 GMT

June 3, 2010

Doctor Web updated the traffic intercepting module, mail monitor and the Scanning Engine service featured by Dr.Web products from the 6 series for protection of Windows workstations (32- and 64-bit).

For the HTTP and mail traffic intercepting modules their compatibility with networking software has been improved. Operation of the components that involves their interaction with SpIDer Mail and SpIDer Gate has been optimized. SpIDer Mail has also undergone changes: its compatibility with the firewall has been improved, interaction of the component with mail clients, servers and Dr.Web quarantine has been optimized, scanning of IMAP traffic has also been improved. Errors that might cause an abnormal termination of the component while processing headers with invalid base64-encoding, prevented the mail monitor from intercepting connections under the 64-bit version of Windows XP and resulted in incorrect saving of the exceptions list have been correcte.

Changes have also been done to the Scanning Engine. Operation of the quarantine has been optimized (it also supports a greater number of languages) and its compatibility with the Windows Security Centre under Windows XP/Vista (Action Center in Windows 7) has been improved. New command line parameters have been added for the console scanner. Errors found in operation of this component have been corrected.

Dr.Web solutions 6.0 for Windows workstations and servers will be updated automatically.

Virus threats in May 2010: Windows blockers, new bootkits and encoders

Wed, 02 Jun 2010 00:00:00 GMT

June 2, 2010

May 2010 saw another outbreak of Windows blockers (Trojan.Winlock, Trojan.AdultBan) where many modifications of the Trojan didn’t demand from users to send short messages. New types of Trojan.Encoder programs in their turn brought “fun” to a number of careless users. New bootkits were discovered through the month and Doctor Web introduced a corresponding curing procedure in a timely manner. And fake anti-viruses (Trojan.Fakealert) went down in Doctor Web’s statistics.

New wave of blockers

Starting from May 14 Doctor Web’s statistics server registered a number of detections of Windows blockers per 24 hours that exceeded an average figure. In four subsequent days the number exceeded a 24 hour average of last months several times but on May 18 it reached 215000 (Trojan.Winlock and Trojan.AdultBan) while the average figure is 1500. The high detections figures persisted till the end of May.

Despite the fact that the surge in spreading of Trojan.Winlock programs occurred in the second half of the month, the total number of their detections in May reached 920000 thus beating the previous record set in January 2010. The detections graph below illustrates the trend in spreading of Windows blockers.

Blockers that do not require an SMS ransom

Since May 7 Doctor Web’s technical support service started receiving requests regarding blockers of Windows that instructed users to pay a ransom over payment terminals rather than by means of an SMS. In May criminals tried a variety of payment systems to get ransoms through including WebMoney, RBKMoney and Wallet One. Such blockers as well as their standard modifications are detected by Dr.Web anti-viruses as Trojan.Winlock programs.

However, in last days of the month users were typically offered to transfer money to the account of a mobile phone user. It is worth mentioning that criminals change accounts regularly making it harder for law enforcement agencies to find them.

Trojan.Winlock programs of the new type informed users that their unblocking code would be found on a bill printed by the terminal once the required amount was acquired. However, some terminals were unable to process such requests and print such information. Moreover, criminals may not bother themselves with implementing printing codes on bills and only want to get as much money as possible.

Such malicious programs added to the already existing variety of Windows blockers made their number even higher. As criminals switched to electronic payment systems from SMS to receive money from users, they no longer faced difficulties caused by joint efforts of mobile operators, aggregators and law enforcement agencies.

Doctor Web publishes unlock codes on its Dr.Web Unlocker site as new modifications of Windows blockers are discovered. On this web-site users may also find passwords for decryption of files compromised by some modifications of Trojan.Encoder.

Below you can find a gallery of screenshots that show what most notable Windows blockers found on user machines in May look like.

Trojan.Winlock gallery

New bootkits

In May Doctor Web’s developers also discovered such new bootkits (a type of rootkits capable of modifying a disks’ boot sector and therefore launch before an operating system) as Trojan.Alipop and Trojan.Hashish. The first one targeted mainly Chinese users and was used to generate fake website hits. The second boot-virus was designed to launch any components that a cyber-criminal considered necessary in the system. Currently Trojan.Hashish includes malicious objects belonging to the Win32.HLLC.Asdas family of programs that display banners in browser windows. The bootkit is also capable of infecting executable files.

Doctor Web’s virus analysts promptly implemented a curing algorithm for the new bootkits in the Dr.Web scanner for Windows. At present there are few anti-virus makers that create curing procedures against such malicious programs while addressing such issues in a timely manner is the quality possessed even by fewer. Many anti-viruses available at the market are unable to cure a bootkit that compromised the system where the anti-virus runs. Meanwhile, alternative system cleaning techniques can be hard to implement for an ordinary user.

Fake anti-viruses dwindle

Even though the number of detections of Trojan.Fakealert tended to go down through May, it only meant that criminals decided to reach a greater efficiency through quality rather than quantity. Guides for neutralization of fake-anti-viruses published on European anti-malware resources are getting more complex. But criminals also make use of such guides and subsequent versions of fake anti-viruses provide users with new challenges. This arms race is somewhat similar to activities related to spreading and neutralizing Windows blockers in the Russian segment of the Internet.

Below you can find another gallery of screenshots showing most common fake anti-viruses of the past month.

Trojan.Fakealert gallery

Encoders

Several new modifications of Trojan.Encoder programs that encrypt user data and their construction kits appeared in May. From May 15 till 17 a surge in spreading of encoders was detected. Such programs based on the same engine and offered victims to contact criminals over ICQ or send a paid SMS. Their average number of detections in 24 hours reached 1300 – 1900 during those days while normally the average figure doesn’t exceed 500.

Some Trojan.Encoder modifications were designed specifically to discredit Doctor Web. They set compromised systems to use Dr.Web icons to display encrypted files and Dr.Web was used by virus makers as a title of their programs in texts shown to victims.

«Doctor Web recommends users to stay vigilant and contact Doctor Web’s virus laboratory if they have any problems with enconder Trojans. Measures implemented by Doctor Web to aid users against such programs drove criminals to such attempts to damage reputation of Doctor Web.

The share of malicious programs among all programs scanned with Dr.Web software in May2010 went down significantly both in mail traffic and among files on user machines. The cause behind such a decline can be a lower number of fake anti-viruses (they left the malware TOP20 in mail traffic) as well as lower activity of largest botnets.

Malicious files detected in mail traffic in May

01.05.2010 00:00 - 01.06.2010 00:00
1	Trojan.Botnetlog.zip	112576 (22.36%)
2	Win32.HLLM.MyDoom.54464	95952 (19.05%)
3	Trojan.Winlock.1651	49108 (9.75%)
4	Win32.HLLW.Shadow.based	43598 (8.66%)
5	Trojan.DownLoad.37236	19956 (3.96%)
6	Win32.HLLW.Autoruner.4360	16815 (3.34%)
7	BackDoor.Siggen.17777	14187 (2.82%)
8	Trojan.Oficla.45	12008 (2.38%)
9	Trojan.MulDrop.64815	8296 (1.65%)
10	JS.Click.136	6842 (1.36%)
11	BAT.Lucky.2671	6301 (1.25%)
12	Win32.HLLW.Kati	6181 (1.23%)
13	Win32.HLLM.Netsky.18401	6056 (1.20%)
14	Trojan.MulDrop.55238	5556 (1.10%)
15	Win32.HLLM.Netsky.35328	5447 (1.08%)
16	Win32.HLLM.Netsky.based	5314 (1.06%)
17	Win32.HLLM.Netsky	4859 (0.96%)
18	Trojan.DownLoad1.55035	4034 (0.80%)
19	Exploit.PDF.820	3936 (0.78%)
20	Trojan.DownLoad1.54042	3928 (0.78%)

Total scanned:	8,016,805,833
Infected:	503,569 (0.00628%)

Malicious files detected on user machines in May

01.05.2010 00:00 - 01.06.2010 00:00
1	Trojan.PWS.Webmonier.364	3224492 (13.66%)
2	ACAD.Pasdoc	741227 (3.14%)
3	Win32.HLLW.Shadow	664019 (2.81%)
4	Win32.HLLM.Dref	659756 (2.80%)
5	VBS.Sifil	507591 (2.15%)
6	Win32.HLLP.Neshta	370930 (1.57%)
7	Trojan.WinSpy.641	364950 (1.55%)
8	Win32.HLLP.Jeefo.36352	323031 (1.37%)
9	Win32.HLLW.Shadow.based	318348 (1.35%)
10	Trojan.Winlock.1678	306182 (1.30%)
11	Win32.HLLW.Autoruner.21042	243231 (1.03%)
12	Win32.HLLW.Gavir.ini	222372 (0.94%)
13	Trojan.Winlock.1686	191359 (0.81%)
14	Win32.HLLW.Autoruner.5555	170284 (0.72%)
15	Trojan.DownLoad.32973	165409 (0.70%)
16	Win32.HLLP.PissOff.36864	156540 (0.66%)
17	Trojan.Inject.8798	132271 (0.56%)
18	Trojan.Winlock.1793	122261 (0.52%)
19	Win32.Virut.5	113156 (0.48%)
20	DDoS.Pamela	110075 (0.47%)

Total scanned:	855,347,743,950
Infected:	23,604,815 (0.00276%)

Dr.Web AV-Desk step forward in Belarus

Mon, 24 May 2010 00:00:00 GMT

May 24, 2010

Alternativnaya Cifrovaya Set (alternative digital network) has become the first provider to deploy the Internet-service from Doctor Web in Belarus Now more than eighty thousand customers of one of the largest companies in the country (many of them are already familiar with Dr.Web products) can sign up for a SaaS anti-virus.

Prior to the deployment Doctor Web’s products and services were certified by the Operative analytical Centre of the President of the Republic of Belarus. The upcoming deployment of Dr.Web AV-Desk by Alternativnaya Cifrovaya Set was first revealed on the press-conference that followed the certification.

From the beginning of May customers of one of the largest ISPs in Belarus can protect their computers by choosing one of four Dr.Web anti-virus subscription packages according to their security requirements. The parental control available in the Dr.Web Premium subscription package is viewed by the company as one of the most important protection components.

"The present-day market offers a wide variety of anti-virus products ranging from professional solutions to simple free anti-viruses for home usage. An ordinary user can easily get lost in this diversity. That’s why I’m inclined to trust solutions that have been proving themselves worthy since users in CIS countries began using the Internet extensively. Dr.Web Anti-virus is the time-tested product that guarantees security of corporate and home systems. Its key advantages are great usability and reliability. A user doesn't need to think what those dozens of features are about and master complex configuration tools to be well-protected. We are ready to recommend this product to all our customers", Alexander Vavulo, the marketing manager of Alternativnaya Cifrovaya Set commented upon the deployment of Dr.Web AV-Desk.

About Dr.Web AV-Desk

Doctor Web was the first anti-virus vendor that offered an anti-virus as a service on the Russian market.

Deployment of Dr.Web AV-Desk allows subscribers of a service provider to use Dr.Web anti-virus as a service: choose a desired subscription period, renew their subscription automatically and therefore plan how much they are going to spend on anti-virus security. Providing an anti-virus as a service ensures its instant delivery and easy management of a subscription for home users and business customers. Dr.Web AV-Desk was released by Doctor Web in 2007. The number of service providers that deliver the Dr.Web anti-virus service in different regions of Russia and also in the Ukraine, France, Spain, Netherlands, Mongolia, Kazakhstan, Kyrgyzstan, Bulgaria and Estonia is rexceeds 250. Following results shown by the service in 2007 it was named the best product-service by PC Magazine Russia. In September 2008 Dr.Web AV-Desk was awarded the large golden medal of the Siberian Fair as an original technical and telecom solution.

www.av-desk.com

About Alternativnaya Cifrovaya Set

Alternativnaya Cifrovaya Set provides high-speed access to the Internet over ADSL and Ethernet. The company operates in seven cities of Belarus and participates in development of telecom infrastructure of the country.

www.telecom.by

The GUI-based scanner in Dr.Web products for Windows updated

Thu, 20 May 2010 15:17:30 GMT

May 20, 2010

Doctor Web announced the release of the updated GUI-based scanner incorporated in Dr.Web anti-virus solutions of 5.0 and 6.0 series for Windows. The component has undergone a number of important changes resulting in its higher stability and increased curing capability.

The update enhances the archive scanning routine, registry curing and memory scan. The routine for interrupting scan of large or complex objects has also been improved allowing users to stop the anti-virus before it finishes checking a file.

Several error fixes contributed to a more stable operation of the scanner under different operating systems. Issues that caused critical system errors, freezing and failures of the anti-virus have been resolved. Statistics displaying errors have also been fixed.

Dr.Web solutions for workstations and file servers, Dr.Web Enterprise Suite and the Dr.Web anti-virus service software will download and install the update automatically.

Dr.Web for Mac OS X updated

Thu, 13 May 2010 00:00:00 GMT

May 13, 2010

Doctor Web updated its anti-virus solution for Mac OS X. The update incorporates several improvements and corrects a number of errors.

Now the program’s updating system supports automatic updating of a key file. With the update Dr.Web for Mac OS X also receives a new license manager that allows registering a serial number via the anti-virus interface. Updating settings are now protected with an administrator password.

Optimized routines of SpIDer Guard contribute to much lower system load while the file monitor is operational. The monitor status indication error and the error that lead to anapplication failure while SpIDer Guard was running have been corrected. In addition graphical interface of the monitor and GUI-scanner has been updated.

Now a user can go to his personal area at Doctor Web’s site right from the anti-virus control centre. With the update Dr.Web for Mac OS X also gets support of the German language.

An error of the drwebd module that occurred during processing of temporary files has been fixed. Redundant authorization requests in anti-virus settings have been removed.

In order to update Dr.Web for Mac OS X the update must be installed over the previous version of the product.