April 2009 virus activity review from Doctor Web
April 30, 2009
The April virus activity review from Doctor Web features a description of latest samples of ransomware and the latest modification of BackDoor.Maosboot using new rootkit technologies.
The main trend of April 2009 was the wide spread of numerous species of ransomware targeting various user groups. Modifications of Trojan.Blackmailer displaying an adult content banner on every loaded web-page and variations of Trojan.Winlock that blocked access to Windows became the most typical pieces of extortive malware.
Till recent time Trojan.Blackmailer could only be installed in a system as a plugin for Internet Explorer. However, the last month saw its compatibility expanded. The new modification of the Trojan found by Doctor Web virus analysts could also perform its malicious tasks as a plugin for Opera and Mozilla Firefox. It entered the Dr.Web virus classification as Trojan.BrowseBan.
Considering immense number of variations of Trojan.Winlock Doctor Web created a special web-form that enabled users to unlock their systems free of charge. The form is constantly updated as new modifications of the program are discovered.
Rootkits
In April Doctor Web updated its GUI Scanner that featured the updated anti-rootkit module Dr.Web Shield to ensure that it was capable of neutralizing a new modification of BackDoor.Maosboot. The latest variation of the rootkit retained all malicious features of its predecessors but also had an enhanced self-protection mechanism. The Dr.Web scanner searches for BackDoor.Maosboot in RAM and bootsectors and cures a system compromised by the rootkit.
Spam
No severe fishing attacks were registered in April except for few instances of phishing mailings targeting customers of Chase Bank and eBay.
In spite of the decrease in number of malicious programs spreading via e-mail April was marked by a mass mailing of Trojan.PWS.Panda.114 sent to users in an attached zip archive. To lure a user into launching the archived executable file, the archive content was described as an invoice issued by the WorldPay following a supposed payment on an order of goods or services.
May 2009 can see development of new rootkit technologies and other techniques that would make neutralization of malware more complicated for anti-virus vendors. New phishing schemes are expected to be implemented by cyber criminals. Doctor Web recommens all users to be more careful while surfing the web or opening messages from strangers. If you consider a message or a file to be suspicious, don’t hesitate to consult the support service of your anti-virus vendor.
Malicious files detected in mail traffic in April
| 01.04.2009 00:00 - 01.05.2009 00:00 | ||
| 1 | Win32.HLLM.Netsky.35328 | 5062360 (39.53%) |
| 2 | Win32.HLLM.Netsky | 1437083 (11.22%) |
| 3 | Win32.HLLM.Beagle | 1342369 (10.48%) |
| 4 | Win32.HLLM.MyDoom.33808 | 1208929 (9.44%) |
| 5 | Win32.HLLM.MyDoom.44 | 902604 (7.05%) |
| 6 | Win32.HLLM.Netsky.based | 837098 (6.54%) |
| 7 | Win32.HLLM.Perf | 452229 (3.53%) |
| 8 | Trojan.PWS.Panda.114 | 205823 (1.61%) |
| 9 | Exploit.IFrame.43 | 160164 (1.25%) |
| 10 | Trojan.MulDrop.13408 | 134804 (1.05%) |
| 11 | Win32.HLLM.Beagle.27136 | 126968 (0.99%) |
| 12 | Trojan.MulDrop.19648 | 119572 (0.93%) |
| 13 | Win32.HLLM.MyDoom.based | 108142 (0.84%) |
| 14 | Win32.HLLM.Beagle.pswzip | 103743 (0.81%) |
| 15 | Win32.HLLM.Beagle.32768 | 102671 (0.80%) |
| 16 | Win32.HLLM.Graz | 85777 (0.67%) |
| 17 | Win32.HLLM.Netsky.28008 | 66242 (0.52%) |
| 18 | Win32.HLLM.MyDoom.49 | 56540 (0.44%) |
| 19 | Win32.HLLM.Netsky.28672 | 47283 (0.37%) |
| 20 | Win32.HLLW.Generic.98 | 35647 (0.28%) |
| Total scanned: | 54,056,156,800 |
| Infected: | 12,805,303 (0.02%) |
Malicious files detected on user machines in April
| 01.04.2009 00:00 - 01.05.2009 00:00 | ||
| 1 | JS.Nimda | 2847064 (9.49%) |
| 2 | W97M.Thus | 1997735 (6.66%) |
| 3 | Trojan.PWS.Panda.114 | 1953645 (6.51%) |
| 4 | Trojan.Blackmailer.1094 | 1594326 (5.31%) |
| 5 | Trojan.Starter.516 | 1499987 (5.00%) |
| 6 | Win32.HLLM.Beagle | 1392680 (4.64%) |
| 7 | Win32.Virut.5 | 1257669 (4.19%) |
| 8 | Win32.Virut.14 | 1071607 (3.57%) |
| 9 | Win32.HLLW.Gavir.ini | 1027911 (3.43%) |
| 10 | Win32.HLLM.Netsky.35328 | 1000396 (3.33%) |
| 11 | Trojan.MulDrop.16727 | 977197 (3.26%) |
| 12 | Win32.HLLM.Netsky.based | 805848 (2.69%) |
| 13 | Trojan.DownLoader.42350 | 618289 (2.06%) |
| 14 | Trojan.Starter.544 | 503713 (1.68%) |
| 15 | Trojan.Blackmailer.1093 | 502017 (1.67%) |
| 16 | Win32.HLLW.Shadow.based | 478774 (1.60%) |
| 17 | Trojan.Blackmailer.1086 | 452606 (1.51%) |
| 18 | Win32.HLLM.MyDoom.49 | 342923 (1.14%) |
| 19 | Win32.HLLW.Autoruner.5555 | 328393 (1.09%) |
| 20 | Win32.HLLW.Krepper | 317541 (1.06%) |
| Total scanned: | 208,510,260,840 |
| Infected: | 30,005,292 (0.01%) |
Rate
Repost
![[VK]](http://st.drweb.com/static/new-www/social/no_radius/vkontakte.png)
![[Twitter]](http://st.drweb.com/static/new-www/social/no_radius/twitter.png)
Like
![[facebook]](http://st.drweb.com/static/new-www/social/no_radius/facebook.png)
Tell us what you think
To ask Doctor Web’s site administration about a news item, enter @admin at the beginning of your comment. If your question is for the author of one of the comments, put @ before their names.
Other comments