October 29, 2008
Doctor Web, the Russian developer of IT security solutions sold under the Dr.Web brand, has neutralized the whole Trojan.Ws232Pacther family, which substitutes fake advertising links on the search results pages of Yandex, Rambler, Google and other search engines.
Trojan.Ws232Pacther infects the ws2_32.dll system library (Winsock 2, the DLL through which browsers and most other Windows programs send and receive network traffic) by merging all of its sections into one, which makes the file easier to patch. The Trojan then places about 16 KB of malicious code near the end of the file and intercepts some of the library's exported functions. Because the modified library is loaded by every process that uses it, the hooks sit inside the browser's own network calls, and the patched file on disk no longer matches the hash of the genuine one.
The Trojan belongs to the class of web-page spoofing malware, which alters the content of a web page as it is loaded in the user's browser (for example, it replaces the links shown as search results or as advertisements). The new species was discovered by analysts of the Yandex web portal and by specialists of Doctor Web; Dr.Web software detects the malware as the Trojan.Ws232Pacther family.
So far two modifications of the Trojan have been found: Trojan.Ws232Pacther.1 and Trojan.Ws232Pacther.2. The first was discovered on October 27 and the second emerged one day later. Trojan.Ws232Pacther.2 uses a new encryption key but no longer carries the encrypted piece of HTML code.
Trojan.Ws232Pacther poses no threat to users of Dr.Web software. Those who are still hesitating over which anti-virus to choose can use the free Dr.Web CureIt! utility, available for download at http://www.freedrweb.com. The utility scans the computer with the latest Dr.Web virus database without being installed on the system. Dr.Web CureIt! will remove Trojan.Ws232Pacther and other malicious programs that may have evaded detection by an installed anti-virus. In addition, the free Dr.Web LinkChecker browser plugin can be used to check links regularly.
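The infection pattern just described (a merged section table, code appended near the end of the file, exported functions redirected into it) leaves traces in the PE headers that can be checked for without any vendor tooling. The following Python script is an added example written for this page, not code from Doctor Web or Yandex: it builds two small constructed PE32 images, a clean two-section DLL and one mutated the way the text describes, and audits the section table and export directory of each. The section names, the exported names `send` and `recv`, the payload bytes and the 16 KB tail window are assumptions made for the demo.

```python
import struct
from collections import namedtuple
from itertools import accumulate

Section = namedtuple("Section", "name va vsize rptr rsize chars")
CODE, IDATA = 0x00000020, 0x00000040                    # IMAGE_SCN_CNT_*
EXEC, READ, WRITE = 0x20000000, 0x40000000, 0x80000000  # IMAGE_SCN_MEM_*


def build_pe(sections, exports, dll_name=b"ws2_32.dll"):
    """Assemble a minimal PE32 DLL (constructed test input, not a real ws2_32.dll).
    sections: [(name, characteristics, payload)], export directory goes at the start of
    section 0; exports: [(name, section_idx, offset into that payload)]. Only header
    fields that audit() reads are populated."""
    n = len(exports)
    names_blob = b"".join(nm + b"\0" for nm, _, _ in exports) + dll_name + b"\0"
    exp_len = 40 + 10 * n + len(names_blob)  # directory + 3 arrays + strings
    vas, va = [], 0x1000                      # section-aligned virtual addresses
    for i, (_, _, payload) in enumerate(sections):
        vas.append(va)
        va += (len(payload) + (exp_len if i == 0 else 0) + 0xFFF) & ~0xFFF
    base = vas[0]
    # RVAs of the export name strings; the last entry is the DLL name itself
    starts = list(accumulate([base + 40 + 10 * n] + [len(nm) + 1 for nm, _, _ in exports]))
    exp = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, starts[-1], 1, n, n,
                      base + 40, base + 40 + 4 * n, base + 40 + 8 * n)
    exp += b"".join(struct.pack("<I", vas[s] + (exp_len if s == 0 else 0) + o)
                    for _, s, o in exports)                    # AddressOfFunctions
    exp += b"".join(struct.pack("<I", r) for r in starts[:-1])  # AddressOfNames
    exp += b"".join(struct.pack("<H", i) for i in range(n)) + names_blob
    hdrs, blobs, rptr = b"", [], 0x200
    for i, (name, chars, payload) in enumerate(sections):
        body = (exp if i == 0 else b"") + payload
        raw = (len(body) + 0x1FF) & ~0x1FF                     # file-aligned raw size
        hdrs += struct.pack("<8sIIIIIIHHI", name, len(body), vas[i], raw, rptr, 0, 0, 0, 0, chars)
        blobs.append(body.ljust(raw, b"\0"))
        rptr += raw
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                  # PE32 magic
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)        # section / file alignment
    struct.pack_into("<II", opt, 56, va, 0x200)            # SizeOfImage, SizeOfHeaders
    struct.pack_into("<III", opt, 92, 16, base, exp_len)   # NumberOfRvaAndSizes, export dir
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x2102)
    hdr = bytearray(0x200)
    hdr[:2], hdr[0x3C:0x40] = b"MZ", struct.pack("<I", 0x40)  # e_lfanew -> PE header
    nt = b"PE\0\0" + coff + bytes(opt) + hdrs
    hdr[0x40:0x40 + len(nt)] = nt
    return bytes(hdr) + b"".join(blobs)


def parse_pe(data):
    """Return (sections, export_directory_rva) from a PE32 image."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    assert data[:2] == b"MZ" and data[pe:pe + 4] == b"PE\0\0", "not a PE image"
    nsec, opt_size = struct.unpack_from("<H", data, pe + 6)[0], struct.unpack_from("<H", data, pe + 20)[0]
    secs, first = [], pe + 24 + opt_size
    for off in range(first, first + 40 * nsec, 40):
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, rsize, rptr = struct.unpack_from("<IIII", data, off + 8)
        secs.append(Section(name, va, vsize, rptr, rsize, struct.unpack_from("<I", data, off + 36)[0]))
    return secs, struct.unpack_from("<I", data, pe + 24 + 96)[0]


def section_of(secs, rva):
    return next((s for s in secs if s.va <= rva < s.va + max(s.vsize, s.rsize)), None)


def rva_to_off(secs, rva):
    s = section_of(secs, rva)
    return s.rptr + (rva - s.va)


def read_exports(data, secs, exp_rva):
    """Walk the export directory: [(name, target_rva)]."""
    d = rva_to_off(secs, exp_rva)
    _, nnames, f_rva, n_rva, o_rva = struct.unpack_from("<IIIII", data, d + 20)
    f_off, n_off, o_off = (rva_to_off(secs, r) for r in (f_rva, n_rva, o_rva))
    out = []
    for i in range(nnames):
        s = rva_to_off(secs, struct.unpack_from("<I", data, n_off + 4 * i)[0])
        ordinal = struct.unpack_from("<H", data, o_off + 2 * i)[0]
        target = struct.unpack_from("<I", data, f_off + 4 * ordinal)[0]
        out.append((data[s:data.index(b"\0", s)].decode("ascii", "replace"), target))
    return out


def audit(data, tail=16 * 1024):
    """Heuristics modelled on the infection above: merged sections, writable code,
    exports redirected into the file tail. A known-good hash stays the authoritative check."""
    secs, exp_rva = parse_pe(data)
    findings = ["section table has a single section (sections merged?)"] if len(secs) == 1 else []
    findings += [f"section {s.name} is writable and executable" for s in secs if s.chars & EXEC and s.chars & WRITE]
    for name, rva in read_exports(data, secs, exp_rva):
        s = section_of(secs, rva)
        if s is None or not s.chars & EXEC:
            findings.append(f"export {name} does not point into executable code")
        elif s.rptr + (rva - s.va) >= len(data) - tail:
            findings.append(f"export {name} resolves into the last {tail} bytes of the file")
    return findings


# Constructed samples: a clean two-section DLL, and one mutated as the text describes
# (one merged RWX section, 16 KB appended, send() redirected into the appended code).
ORIG_CODE = b"\x90" * 20480
CLEAN = build_pe([(b".text", CODE | EXEC | READ, ORIG_CODE), (b".data", IDATA | READ | WRITE, b"\0" * 256)],
                 [(b"send", 0, 0x10), (b"recv", 0, 0x40)])
PATCHED = build_pe([(b".text", CODE | EXEC | READ | WRITE, ORIG_CODE + b"\xCC" * 16384)],
                   [(b"send", 0, len(ORIG_CODE) + 0x800), (b"recv", 0, 0x40)])
```

`audit(CLEAN)` returns no findings, while `audit(PATCHED)` reports the single merged section, the writable code section and the `send` export landing in the last 16 KB of the file. The same `audit()` can be run over the bytes of a real ws2_32.dll read from disk, but treat each finding as a prompt to compare the file with a known-good copy rather than as proof of infection: legitimate packers and some linkers also produce single-section or writable-code images.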