January virus activity review from Doctor Web
February 2, 2009
Doctor Web presents the virus activity review for January 2009. The first month of 2009 went rather smoothly except for the outbreak of Win32.HLLW.Shadow.based. It didn’t see mass mailings spreading malicious code in attachments or directing users to bogus web-sites. However, fraudulent SMS, fake anti-viruses, new Trojans turning user machines into botnet zombies as well as phishing attacks were registered every now and then.
Win32.HLLW.Shadow.based (Net-Worm.Win32.Kido, W32.Downadup, Worm:Win32/Conficker)
In January Doctor Web issued a warning about the outbreak of the Win32.HLLW.Shadow.based polymorphic worm. This malicious program showed once again that installation of critical updates for Windows and other software is a must for every user willing to maintain high security of the system. It is also recommended to disable the autorun for removable drives as it is exploited by Win32.HLLW.Shadow.based as well as by many other malicious programs. Strange as it seems but the epidemics may have a positive effect upon users learning to use stronger passwords for the Trojan attempts to crack an administrator password in order to spread over a local network.
Virus analysts of Doctor Web have been adding entries for new modifications of Win32.HLLW.Shadow.based into the virus database throughout the January. If you suspect that your system is infected with the polymorphic worm, install all critical updates for the version of Windows you use, disconnect the machine from the network and use Dr.Web CureIt! to scan your system. Computers running Dr.Web for Windows with its virus databases updated regularly are protected from attempts of Win32.HLLW.Shadow.based to get into the system.
E-cards
Even though the e-card disguise for malware has been well known for quite a while it remains as efficient as ever. In December 2008 and January 2009 numerous fake New Year and Christmas greeting notifications got in mailboxes of millions of users. As January drew to the end, web-sites supposedly providing Valentine greetings began to emerge. Trojan.Spambot is one of many malicious programs that get to user machines from such sites. Also known as Waledac the Trojan turns a compromised system into a zombie.
SMS-fraud
Criminals also attempted to get more money from accounts of subscribers of mobile operators. They used malware to encrypt data stored on a computer of a victim and demanded him to pay for their decryption. They could also demand money for removal of a malicious program installed as a browser plugin or lure a user into downloading and installing of a program on the phone that would start sending paid SMS. The malicious program is detected by Dr.Web as Java.SMSSend.19.
Fake anti-viruses
Fake anti-viruses also retained their popularity. Even if a program didn’t perform any malicious tasks in a compromised system it was still harmful as fraudsters received money for a useless piece of code. In January one of numerous web-sites offered online scanning of a system.
All machines that were checked for viruses by the “anti-virus” got infected. Moreover, when scanning was completed, a victim was offered to download another malicious program detected by Dr.Web as Trojan.Fakealert.3914.
Phishing
The number of phishing attacks was lower in January compared with previous months. Main targets of criminals in the last month were customers of amazon.ca and PayPal.
 |
 |
Malicious programs in e-mail traffic in January
| 01.01.2009 00:00 - 01.02.2009 00:00 | ||
| 1 | Win32.Virut | 14723 (18.70%) |
| 2 | Win32.HLLM.MyDoom.based | 13479 (17.12%) |
| 3 | Trojan.MulDrop.18280 | 6235 (7.92%) |
| 4 | Trojan.MulDrop.13408 | 4594 (5.84%) |
| 5 | Trojan.MulDrop.16727 | 4357 (5.53%) |
| 6 | Win32.HLLM.Alaxala | 4022 (5.11%) |
| 7 | Win32.Sector.12 | 2686 (3.41%) |
| 8 | Win32.HLLM.Beagle | 2141 (2.72%) |
| 9 | Win32.HLLM.Netsky.35328 | 1944 (2.47%) |
| 10 | Win32.HLLM.Netsky | 1698 (2.16%) |
| 11 | Trojan.Click.22109 | 1570 (1.99%) |
| 12 | Win32.HLLM.Mailbot | 1498 (1.90%) |
| 13 | Win32.HLLW.Shadow.3 | 1405 (1.78%) |
| 14 | Win32.HLLM.Perf | 1353 (1.72%) |
| 15 | Trojan.MulDrop.19648 | 1252 (1.59%) |
| 16 | Win32.HLLM.MyDoom.33 | 1182 (1.50%) |
| 17 | Win32.Virut.5 | 968 (1.23%) |
| 18 | Win32.IRC.Bot.based | 769 (0.98%) |
| 19 | W97M.Thus | 687 (0.87%) |
| 20 | BackDoor.Dosia.72 | 619 (0.79%) |
| Scanned: | 321,156,519 |
| Infected: | 78,718 (0.02%) |
Malicious programs on user machines in January
| 01.01.2009 00:00 - 01.02.2009 00:00 | ||
| 1 | Win32.HLLW.Gavir.ini | 2451656 (19.14%) |
| 2 | DDoS.Kardraw | 2058062 (16.06%) |
| 3 | Win32.HLLM.Generic.440 | 714503 (5.58%) |
| 4 | VBS.Generic.548 | 453207 (3.54%) |
| 5 | Win32.Virut.5 | 435746 (3.40%) |
| 6 | Win32.Alman | 358676 (2.80%) |
| 7 | Trojan.Recycle | 349560 (2.73%) |
| 8 | Trojan.Starter.881 | 303349 (2.37%) |
| 9 | Win32.Sector.16 | 210250 (1.64%) |
| 10 | Win32.HLLW.Shadow.based | 209118 (1.63%) |
| 11 | Win32.HLLM.Lovgate.2 | 188398 (1.47%) |
| 12 | Win32.HLLP.Neshta | 174684 (1.36%) |
| 13 | Win32.HLLP.Jeefo.36352 | 169943 (1.33%) |
| 14 | Win32.HLLW.Autoruner.2536 | 159100 (1.24%) |
| 15 | VBS.PackFor | 138289 (1.08%) |
| 16 | Win32.Sector.12 | 128054 (1.00%) |
| 17 | Win32.HLLW.Autoruner.5555 | 127353 (0.99%) |
| 18 | Win32.Sector.5 | 123027 (0.96%) |
| 19 | Trojan.DownLoader.42350 | 119657 (0.93%) |
| 20 | Win32.HLLM.Perf | 88711 (0.69%) |
| Scanned: | 70,489,000,159 |
| Infected: | 12,811,152 (0.02%) |
Rate
Repost
![[VK]](http://st.drweb.com/static/new-www/social/no_radius/vkontakte.png)
![[Twitter]](http://st.drweb.com/static/new-www/social/no_radius/twitter.png)
Like
![[facebook]](http://st.drweb.com/static/new-www/social/no_radius/facebook.png)
Tell us what you think
To ask Doctor Web’s site administration about a news item, enter @admin at the beginning of your comment. If your question is for the author of one of the comments, put @ before their names.
Other comments