March 2010 saw a smaller number of Windows blockers and banners in Internet browsers. Fake anti-viruses with constantly changing look and feel mainly targeted English-speaking users. Discovery of several new modifications of Trojan.Encoder became a significant event of the past month.

Windows blockers and banners in web browsers

If you look at the graph showing how browser blockers (Trojan.BrowseBan) and blockers of Windows (Trojan.Winlock) spread in March, you will see that they got to where they were in mid October and November 2009. However, the weekly graph shows the number of detections remaining around 10 000 on a daily bases which roughly amounts to 100 000 infected systems per week.

In March Doctor Web received over 100 unique screenshots of blockers via its user technical support system. Since cases when a user can take a screenshot in the infected systems are very rare, the total number of processed support requests related to the subject is much higher.

Blockers remain one of the most common issues in user support requests for several reasons. First of all, it is quite difficult to get rid of such species of malware since they hamper any user activity in the system and secondly these are malicious programs whose activities are meant to be noticed. While most malicious programs operate covertly, Doctor Web strongly recommends all users of Dr.Web products contact the technical support service immediately if they think that they have even an indirect evidence of an active infection in the system.

Botnet communicates over Microsoft Word

Trojan.Oficla is a malware underworld specimen that allows owners of botnets created by means of this program to hide in a system as a Microsoft Word process if the latter is installed on the computer.

Authors of Trojan.Oficla sell new modifications of the program to other criminals so that they create new botnets that operate all over the world.

As zombies in any other botnet, machines compromised by Trojan.Oficla are fully controlled by the botnet’s owner and can download other malicious programs from a server belonging to criminals, install and launch downloaded malware.

Doctor Web’s statistics server registered around 100 000 detections of this malicious program in one week of March 2010. Trojan.Oficla spreads with e-mail messages and exploits vulnerabilities of web browsers. It can also take advantage of other spreading channels. The choice here is determined by imagination of the botnet’s owner.

Invisible banker

Trojan.PWS.Ibank is another piece of malware that doesn’t attract users’ attention while at work. Its numerous modifications retrieve account details of customers of large banks in Russia. Trojans exploit vulnerabilities of banking software used by clients to carry out transactions over the Internet.

Retrieved account information is sent to criminals. Trojan.PWS.Ibank also operates as a key logger.

Trojan.PWS.Ibank spreads in surges. A rapid growth of the number of its detections that dropped again within 24 hours was registered several times in March.

Fake anti-viruse

By the end of March an inflow of support requests regarding fake Russian online anti-viruses has practically stopped. However, traditional representatives of this malware family (Trojan.Fakealert) infect user systems with the number of detections of such programs remaining steady 30 millions per month.

Methods used to spread fake anti-viruses have been honed through years and remain the same. Yet appearance of such malware does change. Fake anti-viruses tend to look more and more like popular IT security solutions spread using social engineering techniques.

Trojan.Fakealert screenshots

File encoder

The March was also marked by discovery of several new modifications of Trojan encoders that demanded over USD 50 from a user willing to get his data back.

Trojan.Encoder.67 encrypted all files except for files located in certain system directories that sometimes might render a system non-operational and even itself from actually displaying a ransom demand message.

Trojan.Encoder.68 compromised only files of certain types. It placed target files in password-protected ZIP archives. The password consisted of 47 symbols and was unique for each infected system. Doctor Web offered users free access to a web-form where they could generate passwords to extract their files.

Tools required to counter an.Encoder.68 programs can be found on the special web-page of Doctor Web’s site devoted to free anti-virus tools.

In March the share of malicious code in mail traffic increased by 22% compared with February while the share of malicious code among files scanned on users machines reduced by 24%. These fluctuations are insignificant since the overall share of malware from the total number of scanned objects remained the same as in February.

Malicious programs detected in mail traffic in March

Malicious programs detected on user machines in March