November 25, 2008
Doctor Web warns Internet-users of a mail-virus epidemic started on November 25. Though the recent closure of web host McColo Corporation reduced spam levels as much as by 70 percent malefactors are persistent in their search for new ways to spread malware with spam. By now one of such mailings has been amounting to 50 percent of infected mail traffic.
Starting November 25 users started receiving messages in German with the attached abrechnung.zip file (translated into English as “statement of account”). Message text can be different but the aim is to lure a user to open an attached file. The attached archive contains abrechnung.lnk and the scann folder with the scann.a file. This executable file is detected by Dr.Web anti-viruses as Trojan.DownLoad.16843. The file structure of the archive shows that probably a user is meant to launch the abrechnung.lnk file (by default its extension is hidden in Windows Explorer) instead of opening the folder. Eventually the scann.a file will be launched.
This executable injects malicious code into svchost.exe and explorer.exe processes and downloads other components of malware from servers located in China. This Trojan can also spread as the system.exe file on removable disks.
.According to the virus laboratory of Doctor Web spam messages spreading Trojan.DownLoad.16843 amount to 50 percent of infected mail traffic.
Messages with links to pages containingTrojan.DownLoad.4419 are also back. The latest mailing related to the Trojan started Monday evening. This time a user was offered to download a beta version of Microsoft Internet Explorer 8 instead of an adult video.
Doctor Web recommends solutions from its Dr.Web Security Suite to ensure anti-virus and antis-am protection. As usual users should also be careful when decide to follow instructions provided by a suspicious message about free services or fiscal claims.
Tell us what you think
To ask Doctor Web’s site administration about a news item, enter @admin at the beginning of your comment. If your question is for the author of one of the comments, put @ before their names.