My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets


Back to the news list

Fake torrent-trackers and other tricks of virus-makers in April 2010

May 1, 2010

In April 2010 cyber-criminals focused on new SMS fraud schemes. This time they targeted users of torrent trackers and file sharing resources whom they tried to lure to fake web-sites supposedly providing such services. April also saw discovery of new malicious programs targeting smart phones while fake anti-viruses maintained their leadership among malware found in e-mail traffic.

Fake torrent-trackers and file sharing sites

Doctor Web’s virus analysts uncovered an entire network of fake torrent-trackers and file sharing resources located in different parts of the globe and yet targeting Russian-speaking users. Criminals exploited wide popularity of such resources and carelessness of many people who search for necessary information using search engines and posted links to music, books, moves and other contents on such web-sites.

Fake torrent-trackers and file sharing resources appeared at the top of search results lists returned to users by search engines. Apparently criminals performed search engine optimization and perform other preliminary activities to improve efficiency of their schemes.

A user obtaining a download link on such a web-site downloaded a 16 megabyte executable file instead of a supposed archive with desired content. Dr.Web detects such files as Tool.SMSSend.2.

Launching the file brings up a window prompting the user to send several paid short messages that will allow him to gain access to a downloaded archive. In truth such malicious files do not contain any useful data. Similar schemes are known to target users from other countries where instead of an SMS would-be victims are offered to use their credit cards to pay for their downloads before they actually download anything.

Currently Doctor Web’s statistics server registers around 6 000 instances of detection of Tool.SMSSend.2 per 24 hours.

Copyright protection virus

Apart from techniques listed above criminals also attempted to intimidate torrent users.Trojan.Fakealert.14886 (as classified by Doctor Web) spread in quite large numbers over the Internet in April. In an infected system the Trojan displayed a message warning a victim that illegally obtained content protected by copyright was detected on the computer which would result in prosecution.

Trojan.Fakealert.14886 spreads as a software installer. If a user doesn’t remove the program using standard Windows tools for adding and removing software and simply reboots the system, the Trojan will block access to the system similarly to Trojan.Winlock malware. The highest number of detections of this program was registered in Europe.

A new modification of Trojan.Winlock that warned a user of his violation of copyright law also emerged in April. It offered users to send a paid SMS-message in order to continue downloading files via torrent through a backup communication channel.

Fake anti-viruses

Fake anti-viruses enhanced with new or updated look and feel continued there broad-scale offensive in English-speaking countries. Their spreading techniques didn’t change while the number of their detections registered by Doctor Web’s statistics server declined and reached 750 000 against an approximate 1 000 000 in March.

Trojan.Fakealert gallery

Windows blockers

The rate of spreading of Trojan.Winlock in Russia also went down in April and reached 720 instances of detection per 24 hours compared with 1 300 registered in March. However, the number of new modifications of Trojan.Winlock increased. Doctor Web’s technical support received requests related to such Trojans on a daily basis.

Trojan.Winlock gallery

Dialler for smart phones

Virus analysts registered spreading of the WinCE.Dialer.1 malicious program, that targeted pocket PCs running Windows Mobile. Once installed, it started making calls at paid phone numbers registered in different countries.

The program springs into action in 48 hours following a successful infection of the system. WinCE.Dialer.1 spreads as a supposed game for pocket PCs.

The share of malicious programs in e-mail traffic scanned by Dr.Web software in April 2010 increased by 28 %. The share of malicious files among all files scanned on user machines increased by 2.12. The figures show that in April criminals mainly focused on spreading malware over infected web-sites, using PDF, Flash and browser exploits and other techniques rather than e-mail.

Malware detected in mail traffic in April

 01.03.2010 00:00 - 01.04.2010 00:00 
1 Trojan.DownLoad.41551 11193316 (13.64%)
2 Trojan.DownLoad.37236 9927963 (12.10%)
3 Trojan.DownLoad.47256 7320678 (8.92%)
4 5865274 (7.15%)
5 Trojan.MulDrop.40896 5147022 (6.27%)
6 Trojan.Fakealert.5115 5100040 (6.22%)
7 Trojan.Packed.683 4148051 (5.06%)
8 Trojan.Fakealert.5238 3808296 (4.64%)
9 Trojan.DownLoad.50246 2921645 (3.56%)
10 Trojan.Fakealert.5825 2484216 (3.03%)
11 Trojan.Fakealert.5437 1834890 (2.24%)
12 Trojan.Fakealert.5356 1659867 (2.02%)
13 Trojan.Fakealert.5784 1445121 (1.76%)
14 Trojan.Fakealert.5229 1338146 (1.63%)
15 Trojan.PWS.Panda.122 1332036 (1.62%)
16 Trojan.Fakealert.11956 1267041 (1.54%)
17 Trojan.Fakealert.5457 1162458 (1.42%)
18 Trojan.Siggen.18256 1106066 (1.35%)
19 Trojan.Packed.19694 1099122 (1.34%)
20 Trojan.MulDrop.46275 1058813 (1.29%)
Total scanned: 17,689,058,602
Infected: 82,042,532 (0.464%)

Malicious files detected on user machines in April

01.04.2010 00:00 - 01.05.2010 00:00
1 Win32.HLLW.Shadow 834227 (2.84%)
2 Trojan.AuxSpy.187 829685 (2.82%)
3 VBS.Sifil 525939 (1.79%)
4 Trojan.Starter.516 438173 (1.49%)
5 ACAD.Pasdoc 419684 (1.43%)
6 Win32.HLLW.Gavir.ini 364819 (1.24%)
7 Win32.HLLW.Shadow.based 339566 (1.16%)
8 Trojan.DownLoad.32973 330055 (1.12%)
9 Trojan.AuxSpy.111 283554 (0.97%)
10 Trojan.AntiAV.6 231204 (0.79%)
11 Win32.HLLW.Autoruner.9410 170593 (0.58%)
12 Win32.Dref 162827 (0.55%)
13 IRC.Apulia.1215 155887 (0.53%)
14 BackDoor.Tdss.2459 153602 (0.52%)
15 Trojan.PWS.GoldSpy.3382 148201 (0.50%)
16 Win32.HLLW.Autoruner.5555 143042 (0.49%)
17 HTTP.Content.Malformed 132141 (0.45%)
18 Win32.Alman.1 119085 (0.41%)
19 Win32.HLLW.Share 102652 (0.35%)
20 Trojan.PWS.Siggen.2674 85937 (0.29%)


Total scanned: 77,991,983,505
Infected: 22,880,659 (0.0293%)

Tell us what you think

To ask Doctor Web’s site administration about a news item, enter @admin at the beginning of your comment. If your question is for the author of one of the comments, put @ before their names.

Other comments