Defend what you create

Other Resources


My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets


Back to news

April 2009 virus activity review from Doctor Web

April 30, 2009

The April virus activity review from Doctor Web features a description of latest samples of ransomware and the latest modification of BackDoor.Maosboot using new rootkit technologies.

The main trend of April 2009 was the wide spread of numerous species of ransomware targeting various user groups. Modifications of Trojan.Blackmailer displaying an adult content banner on every loaded web-page and variations of Trojan.Winlock that blocked access to Windows became the most typical pieces of extortive malware.

Till recent time Trojan.Blackmailer could only be installed in a system as a plugin for Internet Explorer. However, the last month saw its compatibility expanded. The new modification of the Trojan found by Doctor Web virus analysts could also perform its malicious tasks as a plugin for Opera and Mozilla Firefox. It entered the Dr.Web virus classification as Trojan.BrowseBan.

Considering immense number of variations of Trojan.Winlock Doctor Web created a special web-form that enabled users to unlock their systems free of charge. The form is constantly updated as new modifications of the program are discovered.


In April Doctor Web updated its GUI Scanner that featured the updated anti-rootkit module Dr.Web Shield to ensure that it was capable of neutralizing a new modification of BackDoor.Maosboot. The latest variation of the rootkit retained all malicious features of its predecessors but also had an enhanced self-protection mechanism. The Dr.Web scanner searches for BackDoor.Maosboot in RAM and bootsectors and cures a system compromised by the rootkit.


No severe fishing attacks were registered in April except for few instances of phishing mailings targeting customers of Chase Bank and eBay.

In spite of the decrease in number of malicious programs spreading via e-mail April was marked by a mass mailing of Trojan.PWS.Panda.114 sent to users in an attached zip archive. To lure a user into launching the archived executable file, the archive content was described as an invoice issued by the WorldPay following a supposed payment on an order of goods or services.

May 2009 can see development of new rootkit technologies and other techniques that would make neutralization of malware more complicated for anti-virus vendors. New phishing schemes are expected to be implemented by cyber criminals. Doctor Web recommens all users to be more careful while surfing the web or opening messages from strangers. If you consider a message or a file to be suspicious, don’t hesitate to consult the support service of your anti-virus vendor.

Malicious files detected in mail traffic in April

 01.04.2009 00:00 - 01.05.2009 00:00  
1 Win32.HLLM.Netsky.35328 5062360 (39.53%)
2 Win32.HLLM.Netsky 1437083 (11.22%)
3 Win32.HLLM.Beagle 1342369 (10.48%)
4 Win32.HLLM.MyDoom.33808 1208929 (9.44%)
5 Win32.HLLM.MyDoom.44 902604 (7.05%)
6 Win32.HLLM.Netsky.based 837098 (6.54%)
7 Win32.HLLM.Perf 452229 (3.53%)
8 Trojan.PWS.Panda.114 205823 (1.61%)
9 Exploit.IFrame.43 160164 (1.25%)
10 Trojan.MulDrop.13408 134804 (1.05%)
11 Win32.HLLM.Beagle.27136 126968 (0.99%)
12 Trojan.MulDrop.19648 119572 (0.93%)
13 Win32.HLLM.MyDoom.based 108142 (0.84%)
14 Win32.HLLM.Beagle.pswzip 103743 (0.81%)
15 Win32.HLLM.Beagle.32768 102671 (0.80%)
16 Win32.HLLM.Graz 85777 (0.67%)
17 Win32.HLLM.Netsky.28008 66242 (0.52%)
18 Win32.HLLM.MyDoom.49 56540 (0.44%)
19 Win32.HLLM.Netsky.28672 47283 (0.37%)
20 Win32.HLLW.Generic.98 35647 (0.28%)
Total scanned:54,056,156,800
Infected:12,805,303 (0.02%)

Malicious files detected on user machines in April

 01.04.2009 00:00 - 01.05.2009 00:00  
1 JS.Nimda 2847064 (9.49%)
2 W97M.Thus 1997735 (6.66%)
3 Trojan.PWS.Panda.114 1953645 (6.51%)
4 Trojan.Blackmailer.1094 1594326 (5.31%)
5 Trojan.Starter.516 1499987 (5.00%)
6 Win32.HLLM.Beagle 1392680 (4.64%)
7 Win32.Virut.5 1257669 (4.19%)
8 Win32.Virut.14 1071607 (3.57%)
9 Win32.HLLW.Gavir.ini 1027911 (3.43%)
10 Win32.HLLM.Netsky.35328 1000396 (3.33%)
11 Trojan.MulDrop.16727 977197 (3.26%)
12 Win32.HLLM.Netsky.based 805848 (2.69%)
13 Trojan.DownLoader.42350 618289 (2.06%)
14 Trojan.Starter.544 503713 (1.68%)
15 Trojan.Blackmailer.1093 502017 (1.67%)
16 Win32.HLLW.Shadow.based 478774 (1.60%)
17 Trojan.Blackmailer.1086 452606 (1.51%)
18 Win32.HLLM.MyDoom.49 342923 (1.14%)
19 Win32.HLLW.Autoruner.5555 328393 (1.09%)
20 Win32.HLLW.Krepper 317541 (1.06%)
Total scanned:208,510,260,840
Infected:30,005,292 (0.01%)

Tell us what you think

You will be awarded one Dr.Webling per comment. To ask Doctor Web’s site administration about a news item, enter @admin at the beginning of your comment. If your question is for the author of one of the comments, put @ before their names.

Other comments

The Russian developer of Dr.Web anti-viruses
Doctor Web has been developing anti-virus software since 1992
Dr.Web is trusted by users around the world in 200+ countries
The company has delivered an anti-virus as a service since 2007
24/7 tech support

Dr.Web © Doctor Web
2003 — 2021

Doctor Web is the Russian developer of Dr.Web anti-virus software. Dr.Web anti-virus software has been developed since 1992.

2-12А, 3rd street Yamskogo polya, Moscow, Russia, 125124