December 1, 2008
The closure of McColo Corporation responsible for 75 per cent of world wide spam traffic divided the reported month into two equal parts. Even though e-mail remains the most common means to spread malware virus makers also find other ways to bring malicious code to user machines
AutoIt-worms
A freeware automation language for Windows called AutoIt is very easy to learn and provides wide opportunities for virus makers. The last month showed their growing interest in this scripting language. Even though an AutoIt program is written as a script, such a script can be compiled into a packed executable with its shrouded code being very hard to analyze. November saw an AutoIt worm spreading via removable data storage devices instead of e-mail.
Viruses spreading on removable devices are especially dangerous for companies and governmental institutions forced to introduce special measures to contain the infection. Companies adopt software that allows them to restrict usage of removable devices and sometimes impose a temporary ban on use of removable drives.
Dr.Web anti-virus 5.0 currently undergoing open beta-testing allows to unpack files of an AutoIt worm and to analyze its scripts. Viruses written in this script language enter the Dr.Web database as Win32.HLLW.Autoruner.
Mail viruses
Prior to the closure of McColo spam mailings distributing malware came in high numbers. Below we will take a closer look at diverse methods used to lure a user to launch a malicious file.
Trojan.PWS.GoldSpy.2454 was disguised as an e-card. Even though fake cards have long been known to Internet community they still remain efficient. The name of a malicious file is card.exe. Messages with a link to a malicious file were used to spread another modification of the malware – Trojan.PWS.GoldSpy.2466.
Trojan.DownLoad.3735 was spread as a file with a double extension – the attached active_key.zip contained the active_keys.zip
Messages with attached Trojan.PWS.GoldSpy.2456 threatened a user with a forced disconnection from the Internet caused by a violation of the copyright. Activates of a victim related to the alleged violation for the last six months were said to be listed in an attached file (user-EA49945X-activities.exe) which was nothing more than another malicious program. The U.S presidential election was also used as a message topic in e-mails spreading the Trojan.
Another mailing notified a user upon a failed delivery of a package caused by an incorrect recipient address. An attached invoice was detected by Dr.Web as Trojan.PWS.Panda.31
.Our analysts also registered several mailings advertising easy money on eBay. An html-file attached to a message was detected by Dr.Web as Trojan.Click.21795. The file contained an encrypted script that directed a user to a web-site advertising training courses. Another similar mailing advertised a new way of advertising using RSS and free promotion of web-sites using services by Google and Yahoo
The closure of McColo Corporation reduced spam traffic significantly but was only a short outage. Now mailings related to malware have been short-term though the spam traffic sometimes has been rather high. Such mailings included Trojan.PWS.Panda.31 spam e-mails and messages containing an encrypted script detected by Dr.Web as Trojan.Click.21795.
Authors of Trojan.DownLoad.4419 applied a new technique offering a link to download a beta version of Internet Explorer 8 from a bogus web-site.
A mailing in German described in the previous review from Doctor Web also reemerged. It prompted a user to view important financial information provided in an attached file. Earlier a shortcut and a piece of malicious code had been placed on one folder contained in the attachment while in November they were separated with the link placed outside the folder. Dr.Web detects this Trojan program as Trojan.DownLoad.16843.
Phishing
November 2008 also saw a wave of phishing targeting users of online payment systems, Internet banking and other paid services in several countries. In particular customers of JPMorgan Chase Bank, RBC Royal Bank and usrs of AdWards and PayPal became victims of the phishing attack.
Specialists of the virus monitoring service of Doctor Web added 25 461 entries to the virus database in November with average 850 new entries per each day. Mind that one entry in the Dr.Web database allows the software to detect numerous modifications of one virus. The figures show that regular updating of anti-virus software as often as once per hour becomes a necessity. Dr.Web automatic updating provides such an updating frequency quite easily. In addition a good anti-spam module becomes indispensable for normal work protecting against irrelevant and harmful e-mail messages.
Malware detected in e-mail traffic in November
01.11.2008 00:00 - 01.12.2008 00:00 | ||
1 | Win32.HLLM.MyDoom.based | 13741 (15.33%) |
2 | Win32.Virut | 13036 (14.55%) |
3 | Win32.HLLM.Alaxala | 5705 (6.37%) |
4 | Trojan.MulDrop.13408 | 4534 (5.06%) |
5 | Win32.HLLM.Beagle | 4426 (4.94%) |
6 | Trojan.MulDrop.16727 | 4206 (4.69%) |
7 | Trojan.PWS.GoldSpy.2456 | 4145 (4.63%) |
8 | Win32.HLLW.Autoruner.2640 | 3032 (3.38%) |
9 | Trojan.MulDrop.18280 | 2580 (2.88%) |
10 | Trojan.PWS.Panda.31 | 2228 (2.49%) |
11 | Trojan.DownLoad.16843 | 2192 (2.45%) |
12 | Win32.HLLM.Netsky.35328 | 1888 (2.11%) |
13 | Win32.Virut.5 | 1497 (1.67%) |
14 | Win32.HLLM.MyDoom.33 | 1442 (1.61%) |
15 | Win32.HLLM.Netsky | 1361 (1.52%) |
16 | Trojan.PWS.GoldSpy.2454 | 1328 (1.48%) |
17 | Trojan.MulDrop.19648 | 1310 (1.46%) |
18 | Win32.HLLW.MyDoom.43010 | 1306 (1.46%) |
19 | Win32.HLLM.Mailbot | 1305 (1.46%) |
20 | Trojan.DownLoad.3735 | 1212 (1.35%) |
Malware detected on user machines in November
01.11.2008 00:00 - 01.12.2008 00:00 | ||
1 | Win32.HLLW.Gavir.ini | 2039696 (21.98%) |
2 | Win32.HLLM.Lovgate.2 | 414507 (4.47%) |
3 | VBS.Autoruner.7 | 310657 (3.35%) |
4 | Win32.HLLM.Generic.440 | 288404 (3.11%) |
5 | VBS.Autoruner.8 | 277825 (2.99%) |
6 | Win32.Alman | 275230 (2.97%) |
7 | DDoS.Kardraw | 252853 (2.72%) |
8 | Win32.HLLP.Whboy | 198018 (2.13%) |
9 | Trojan.Recycle | 192769 (2.08%) |
10 | Win32.HLLP.Neshta | 177445 (1.91%) |
11 | Win32.HLLP.Jeefo.36352 | 168291 (1.81%) |
12 | Win32.Virut.5 | 154206 (1.66%) |
13 | Win32.HLLW.Autoruner.274 | 147315 (1.59%) |
14 | Trojan.DownLoader.42350 | 132782 (1.43%) |
15 | Win32.HLLW.Autoruner.3631 | 120982 (1.30%) |
16 | VBS.Generic.548 | 110152 (1.19%) |
17 | Win32.HLLO.Black.2 | 97456 (1.05%) |
18 | Win32.HLLW.Autoruner.2805 | 89892 (0.97%) |
19 | Win32.HLLW.Cent | 88296 (0.95%) |
20 | Trojan.MulDrop.18538 | 86521 (0.93%) |
Tell us what you think
To ask Doctor Web’s site administration about a news item, enter @admin at the beginning of your comment. If your question is for the author of one of the comments, put @ before their names.
Other comments