My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets


Back to the news list

Virus threats in May 2010: Windows blockers, new bootkits and encoders

June 2, 2010

May 2010 saw another outbreak of Windows blockers (Trojan.Winlock, Trojan.AdultBan) where many modifications of the Trojan didn’t demand from users to send short messages. New types of Trojan.Encoder programs in their turn brought “fun” to a number of careless users. New bootkits were discovered through the month and Doctor Web introduced a corresponding curing procedure in a timely manner. And fake anti-viruses (Trojan.Fakealert) went down in Doctor Web’s statistics.

New wave of blockers

Starting from May 14 Doctor Web’s statistics server registered a number of detections of Windows blockers per 24 hours that exceeded an average figure. In four subsequent days the number exceeded a 24 hour average of last months several times but on May 18 it reached 215000 (Trojan.Winlock and Trojan.AdultBan) while the average figure is 1500. The high detections figures persisted till the end of May.

Despite the fact that the surge in spreading of Trojan.Winlock programs occurred in the second half of the month, the total number of their detections in May reached 920000 thus beating the previous record set in January 2010. The detections graph below illustrates the trend in spreading of Windows blockers.

Blockers that do not require an SMS ransom

Since May 7 Doctor Web’s technical support service started receiving requests regarding blockers of Windows that instructed users to pay a ransom over payment terminals rather than by means of an SMS. In May criminals tried a variety of payment systems to get ransoms through including WebMoney, RBKMoney and Wallet One. Such blockers as well as their standard modifications are detected by Dr.Web anti-viruses as Trojan.Winlock programs.

However, in last days of the month users were typically offered to transfer money to the account of a mobile phone user. It is worth mentioning that criminals change accounts regularly making it harder for law enforcement agencies to find them.

Trojan.Winlock programs of the new type informed users that their unblocking code would be found on a bill printed by the terminal once the required amount was acquired. However, some terminals were unable to process such requests and print such information. Moreover, criminals may not bother themselves with implementing printing codes on bills and only want to get as much money as possible.

Such malicious programs added to the already existing variety of Windows blockers made their number even higher. As criminals switched to electronic payment systems from SMS to receive money from users, they no longer faced difficulties caused by joint efforts of mobile operators, aggregators and law enforcement agencies.

Doctor Web publishes unlock codes on its Dr.Web Unlocker site as new modifications of Windows blockers are discovered. On this web-site users may also find passwords for decryption of files compromised by some modifications of Trojan.Encoder.

Below you can find a gallery of screenshots that show what most notable Windows blockers found on user machines in May look like.

Trojan.Winlock gallery

New bootkits

In May Doctor Web’s developers also discovered such new bootkits (a type of rootkits capable of modifying a disks’ boot sector and therefore launch before an operating system) as Trojan.Alipop and Trojan.Hashish. The first one targeted mainly Chinese users and was used to generate fake website hits. The second boot-virus was designed to launch any components that a cyber-criminal considered necessary in the system. Currently Trojan.Hashish includes malicious objects belonging to the Win32.HLLC.Asdas family of programs that display banners in browser windows. The bootkit is also capable of infecting executable files.

Doctor Web’s virus analysts promptly implemented a curing algorithm for the new bootkits in the Dr.Web scanner for Windows. At present there are few anti-virus makers that create curing procedures against such malicious programs while addressing such issues in a timely manner is the quality possessed even by fewer. Many anti-viruses available at the market are unable to cure a bootkit that compromised the system where the anti-virus runs. Meanwhile, alternative system cleaning techniques can be hard to implement for an ordinary user.

Fake anti-viruses dwindle

Even though the number of detections of Trojan.Fakealert tended to go down through May, it only meant that criminals decided to reach a greater efficiency through quality rather than quantity. Guides for neutralization of fake-anti-viruses published on European anti-malware resources are getting more complex. But criminals also make use of such guides and subsequent versions of fake anti-viruses provide users with new challenges. This arms race is somewhat similar to activities related to spreading and neutralizing Windows blockers in the Russian segment of the Internet.

Below you can find another gallery of screenshots showing most common fake anti-viruses of the past month.

Trojan.Fakealert gallery


Several new modifications of Trojan.Encoder programs that encrypt user data and their construction kits appeared in May. From May 15 till 17 a surge in spreading of encoders was detected. Such programs based on the same engine and offered victims to contact criminals over ICQ or send a paid SMS. Their average number of detections in 24 hours reached 1300 – 1900 during those days while normally the average figure doesn’t exceed 500.

Some Trojan.Encoder modifications were designed specifically to discredit Doctor Web. They set compromised systems to use Dr.Web icons to display encrypted files and Dr.Web was used by virus makers as a title of their programs in texts shown to victims.

«Doctor Web recommends users to stay vigilant and contact Doctor Web’s virus laboratory if they have any problems with enconder Trojans. Measures implemented by Doctor Web to aid users against such programs drove criminals to such attempts to damage reputation of Doctor Web.

The share of malicious programs among all programs scanned with Dr.Web software in May2010 went down significantly both in mail traffic and among files on user machines. The cause behind such a decline can be a lower number of fake anti-viruses (they left the malware TOP20 in mail traffic) as well as lower activity of largest botnets.

Malicious files detected in mail traffic in May

01.05.2010 00:00 - 01.06.2010 00:00
1 112576 (22.36%)
2 Win32.HLLM.MyDoom.54464 95952 (19.05%)
3 Trojan.Winlock.1651 49108 (9.75%)
4 Win32.HLLW.Shadow.based 43598 (8.66%)
5 Trojan.DownLoad.37236 19956 (3.96%)
6 Win32.HLLW.Autoruner.4360 16815 (3.34%)
7 BackDoor.Siggen.17777 14187 (2.82%)
8 Trojan.Oficla.45 12008 (2.38%)
9 Trojan.MulDrop.64815 8296 (1.65%)
10 JS.Click.136 6842 (1.36%)
11 BAT.Lucky.2671 6301 (1.25%)
12 Win32.HLLW.Kati 6181 (1.23%)
13 Win32.HLLM.Netsky.18401 6056 (1.20%)
14 Trojan.MulDrop.55238 5556 (1.10%)
15 Win32.HLLM.Netsky.35328 5447 (1.08%)
16 Win32.HLLM.Netsky.based 5314 (1.06%)
17 Win32.HLLM.Netsky 4859 (0.96%)
18 Trojan.DownLoad1.55035 4034 (0.80%)
19 Exploit.PDF.820 3936 (0.78%)
20 Trojan.DownLoad1.54042 3928 (0.78%)

Total scanned:8,016,805,833
Infected:503,569 (0.00628%)

Malicious files detected on user machines in May

01.05.2010 00:00 - 01.06.2010 00:00
1 Trojan.PWS.Webmonier.364 3224492 (13.66%)
2 ACAD.Pasdoc 741227 (3.14%)
3 Win32.HLLW.Shadow 664019 (2.81%)
4 Win32.HLLM.Dref 659756 (2.80%)
5 VBS.Sifil 507591 (2.15%)
6 Win32.HLLP.Neshta 370930 (1.57%)
7 Trojan.WinSpy.641 364950 (1.55%)
8 Win32.HLLP.Jeefo.36352 323031 (1.37%)
9 Win32.HLLW.Shadow.based 318348 (1.35%)
10 Trojan.Winlock.1678 306182 (1.30%)
11 Win32.HLLW.Autoruner.21042 243231 (1.03%)
12 Win32.HLLW.Gavir.ini 222372 (0.94%)
13 Trojan.Winlock.1686 191359 (0.81%)
14 Win32.HLLW.Autoruner.5555 170284 (0.72%)
15 Trojan.DownLoad.32973 165409 (0.70%)
16 Win32.HLLP.PissOff.36864 156540 (0.66%)
17 Trojan.Inject.8798 132271 (0.56%)
18 Trojan.Winlock.1793 122261 (0.52%)
19 Win32.Virut.5 113156 (0.48%)
20 DDoS.Pamela 110075 (0.47%)

Total scanned:855,347,743,950
Infected:23,604,815 (0.00276%)

Tell us what you think

To ask Doctor Web’s site administration about a news item, enter @admin at the beginning of your comment. If your question is for the author of one of the comments, put @ before their names.

Other comments