My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets


Back to the news list

September virus activity review from Doctor Web

October 3, 2008

Doctor Web presents a virus activity review for September 2008.

October 3, 2008

Doctor Web presents you a virus activity review for September 2008.

The first autumn month brought quite a lot of nuissances to PC users, such as new encrypting Trojans, mass-mailings with URLs to malicious codes, and fake “anti-viruses”. Specialists of the technical support of Doctor Web on a round o’clock bases helped customers and virus analytics from the Dr.Web anti-virus laboratory perfected counteracting techniques against new ill-intentions codes. Some of them will be described below.

At the beginning of the month two new modifications of the extortion Trojan appeared. The program encrypts documents on the victim computers and claims a redemption fee. Earlier Doctor Web reported on the Trojan in the news about Trojan.Encoder.20 and Trojan.Encoder.21. The company developers promptly reacted on a new threat and quickly designed and offered to customers a free deciphering utility.

It should be noted, that new modifications of this Trojan are being distributed more intensively now than before. After all documents on a victim computer are encrypted, a virus displays a picture (see below) on the Desktop and offers to read a txt-file where the procedure of how and where to pay to the Trojan`s author for the decryption is detailed.

Speaking on the extortion-programs, a malicious plugin for Internet Explorer should be mentioned here as well, especially because the number of the support requests from customers infected with it increased dramatically lately. Plugin appears in Internet Explorer and covers the most part of the screen. The malware demands from a user to send an SMS-message from a mobile phone in order to receive instructions on uninstallation. Below you can see how such plugin is displayed in a browser. Virus analytics from the anti-virus laboratory of Doctor Web labeled this malware as Trojan.Blackmailer. A special entry for Trojan.Blackmailer.origin was also added to Dr.Web virus database. This single entry helps to remove from an infected system numerous modifications of the extortion-plugin.

Fake “anti-viruses” became a topical issue in September. Such programs install themselves in a system and display a message allegedly claiming a “virus” is detected. To remove it from a system a user is offered to make some actions, for example, to download full version of this “anti-virus” program. The virus disables some panes of the standard Windows window and changing of images on the Desktop becomes impossible as fake alerts on “infection” are displayed using such images. See example of such message below. Dr.Web classified this virus as Trojan.Fakealert.

Concerning spam, the most noted spam distributions of this month contained URLs as if with erotic movies of famous stars, but in fact the movies turned out to be Trojan programs detected by Dr.Web Trojan.DownLoad.4419. The Trojs quite often change packers and the content and up to several modifications a day can appear. Several special entries are added to Dr.Web virus base to detect the Trojans of this category – Trojan.Packed.628, Trojan.Packed.642 and Trojan.Packed.648. See below the example of such spam message.

As usually, URLs in spam distributions of September pretended to point to well-known sites, but actually led to fake web-pages. One should always be attentive and check carefully what web-site is really opened in the browser, if the link in the spam message is hit, as in most cases such spam messages allure users to advertising web-sites. In the two examples below the first one imitates a message of a Google AdWords support team – a Google`s advertising service. The other one demonstrates a fake message as if sent by the customer support service of the famous Russian social network

”Storm” messages did not leave the Internet in September. They propagated as a message by some TV-company with an URL to a fake movie about some fabricated story. To run the movie, a user is offered to download a codec program which is one of the variants of Trojan.DownLoad in the Dr.Web classification.

In September a number of spam distributions with file attachments increased. As a rule, they contained ZIP-archived executables. Such messages usually contained a brief statement inciting a user to open the enclosure. In some cases it was a debt history report to be redeemed ASAP, or a warning on disabling the access to the Internet with a user`s illegal activity, as well as other tricks. These attachments are detected by Dr.Web as a modification of Trojan.Inject or Tro-jan.PWS.GoldSpy.

Another quite a notable spam distribution contained a price-list packed with ZIP, as if ordered by a customer. Being opened, the document looked as a pure spam message, but in fact it contained an automatically launched macro. The macro restored an executable, wrote it into a temporary folder and executed it. The restored executable is detected by Dr.Web as Trojan.EmailSpy.136. The malware collects info on e-mails stored in a computer and sends these e-mails to the virus writer. The e-mails are used to distribute spam.

Quite a big torrent of e-cards circulated on the Net in September. These are small text message with an URL pointing to a file named e-card.exe (see example below). Being executed, such files lunch not one but several malicious programs. One of such examples is the Trojan classified by Dr.Web as Trojan.MulDrop.19265. After execution it installs into a system three malicious Trojs – Trojan.MulDrop.19266, Trojan.Siggen.252 and Trojan.Sentinel.based. Almost every distribution of such Trojans is unique and viruses in a set are never repeated.

An increasing popularity of the AutoIt programming language is one of the tendencies of September. This language is more and more used to write virus programs. It is an open source language and is used to automate tasks in Windows. Its latest versions are abundant with different options (TCP\ UDP connection, inclusion of files into a compiled file, which can further be extracted at a launch, an option to log keyboard buttons, etc.). All this, as well as ease of use, attracts attention of numerous virus-makers.

The most mass-mailing distributions in September contained malicious codes of Win32.HLLW.Autoruner.2640 and Trojan.Recycle.

On the whole, the virus situation in September did not differ much of that in August. Doctor Web, as always, warns users to never transfer funds to authors of Trojans and never fall into traps of social engineering techniques used by them. If you experience a suspicious activity on your computer, contact technical support service of Doctor Web.

Viruses detected in e-mail traffic

 01.09.2008 00:00 - 01.10.2008 00:00 
1Trojan.Recycle131718 (17.07%)
2Win32.HLLW.Autoruner.264078433 (10.16%)
3Win32.HLLO.Black.269899 (9.06%)
4Win32.Alman46045 (5.97%)
5Win32.HLLM.Beagle23793 (3.08%)
6Trojan.Inject.376321415 (2.78%)
7Win32.HLLW.Gavir.ini19981 (2.59%)
8Win32.HLLM.MyDoom.based16084 (2.08%)
9VBS.Autoruner.815813 (2.05%)
10Trojan.Kllem.115410 (2.00%)
11Trojan.PWS.GoldSpy.226813000 (1.68%)
12Win32.HLLM.Lovgate.212651 (1.64%)
13Trojan.Fakealert.126412411 (1.61%)
14Win32.Sector.2048011778 (1.53%)
15Win32.Virut11156 (1.45%)
16Trojan.PWS.GoldSpy.225910954 (1.42%)
17Trojan.Click.196249253 (1.20%)
18Program.RemoteAdmin8935 (1.16%)
19Win32.HLLP.Sector8393 (1.09%)
20Win32.Sector.286827964 (1.03%)

Viruses detected on workstations

 01.09.2008 00:00 - 01.10.2008 00:00 
1Win32.HLLW.Gavir.ini1385449 (21.47%)
2Win32.HLLM.Generic.440425750 (6.60%)
3Trojan.DownLoader.62844250612 (3.88%)
4Trojan.DownLoader.46199215546 (3.34%)
5Win32.HLLP.Whboy196865 (3.05%)
6Win32.HLLW.Autoruner.2339172038 (2.67%)
7Win32.HLLO.Black.2162074 (2.51%)
8Win32.Alman145801 (2.26%)
9Win32.HLLP.Jeefo.36352124307 (1.93%)
10Trojan.MulDrop.6474121329 (1.88%)
11Trojan.DownLoader.22881113971 (1.77%)
12Trojan.Starman100355 (1.56%)
13VBS.Autoruner.1094128 (1.46%)
14Win32.HLLP.Neshta92017 (1.43%)
15Trojan.Recycle83549 (1.29%)
16BackDoor.Bulknet.23376660 (1.19%)
17Win32.HLLW.Autoruner.268875273 (1.17%)
18Win32.HLLW.Autoruner.123664908 (1.01%)
19Win32.HLLM.Lovgate.260629 (0.94%)
20Win32.Sector.2048051266 (0.79%)

Tell us what you think

To ask Doctor Web’s site administration about a news item, enter @admin at the beginning of your comment. If your question is for the author of one of the comments, put @ before their names.

Other comments