My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets


Back to the news list

July 2008 virus activity review by Doctor Web

August 4, 2008

Doctor Web, Ltd presents the virus activity review for July 2008.

Virus epidemics causing uproar and panic among Internet users have long since passed. Nowadays malicious activities are less overt and in most cases remain unnoticed by inexperienced users. The July reaffirmed this tendency making “Trojan activity review” somewhat more appropriate title for this article for it is Trojans of all sorts that are brought in focus here.

Concerning Trojans

Trojans of the Virtumod family are the most interesting species from the point of view of analysis and working out a curing algorithm. Other anti-virus vendors classify them as Virtumonde/Vundo/Monder. By now these malicious programs have not paved their way to enter the glorious top ten spread malware but one can quite often come across with them in the wild. Very few anti-viruses can boast successful detection of such Trojans, let alone successfully cure them. The reason behind this complexity for anti-virus vendors is an operation algorithm employed by virus makers who are very consistent in the three or even four-way development of their polymorphic packer. Recent months saw over 10 modifications with dozens of thousands of samples for each type of the packer. The figures are based on data of other anti-virus vendors along with Dr.Web and also take into account samples found during an online virus scan.

Virtumod is not the sole active example of the off-line polymorphism. Now it is clear that without the centralized development of counteraction to this trend and without a versatile technology for prompt implementation of identifying of polymorphic packers in an anti-virus kernel the anti-virus industry may soon find itself inept in the face of emerging challenges.

Trojan.Clb is another malicious program spreading rather rapidly. It contains a rootkit and uses the splicing technology to hide files on disks and entire branches of the registry. Besides, there is also Trojan.DnsChange.967 that substitutes DNS server IP addresses on routers that support configuration via the web-interface. It imposes a real danger for users connected to wireless networks where the web-interface is typically used to configure routers. Users connecting to the Internet via a Wi-Fi access point can fall a victim of the DNS IP address substitution with their private data leaked to an unknown recipient.

Trojan.Okuks getting to a PC can also become a rather unpleasant surprise. Most anti-viruses have no problems detecting it. Meanwhile curing the malware is something entirely different. Incorrect curing of a system file infected by the Trojan or deletion of such a file without fixing the registry will get a Windows user a permanent BSOD after the first reboot.

The leaders

Actually there is only one leader that wanders up and down the top ten and seems to be reluctant to step down. Here we speak about worms belonging to the Autorunner family which are in abundance received by Doctor Web, Ltd. for the online virus scan.

Flash drives we got used to at home or in the office become the primary carrier for the worm. Virtually every user owns a flash drive. Employees carry data on flash drives on a business trip or take their work to their homes. However, along with the increased labour productivity the convenient storage device also imposes a threat because becoming one of the preferred means of spreading for viruses. But the most remarkable thing is that a flash drive is not the only USB device that can be compromised by the worm. It can get to a photo or a video camera or a mobile phone as easily. An Autoranner worm took the top notch in the anti-virus stats on the global infection level for servers protected by Dr.Web anti-viruses.

Malware in the mail traffic

 01.07.2008 00:00 - 31.07.2008 23:00 
1Win32.HLLW.Autoruner.437239451 (18.39%)
2Win32.Dref109607 (8.42%)
3Win32.HLLM.Netsky.3532889795 (6.90%)
4Win32.HLLM.Netsky.based45561 (3.50%)
5Win32.HLLM.Beagle42279 (3.25%)
6Win32.HLLM.MyDoom.based28334 (2.18%)
7Win32.HLLM.Generic.44026898 (2.07%)
8Adware.Cydoor26143 (2.01%)
9Win32.HLLP.Jeefo.3635224710 (1.90%)
10Win32.Virut22588 (1.73%)
11Trojan.MulDrop.1672722380 (1.72%)
12Trojan.Starter.54421632 (1.66%)
13Win32.Sector.2048021616 (1.66%)
14Win32.Alman21354 (1.64%)
15VBS.Igidak19669 (1.51%)
16Danish.based18572 (1.43%)
17Trojan.MulDrop.647418481 (1.42%)
18Win32.HLLW.Gavir.ini17191 (1.32%)
19Win32.HLLW.Autoruner.183115596 (1.20%)
20Trojan.Packed.51113550 (1.04%)

Malware detected on workstations

 01.07.2008 00:00 - 31.07.2008 23:00 
1Trojan.Starter.516202341 (18.09%)
2Win32.HLLW.Gavir.ini106435 (9.51%)
3Win32.HLLW.Autoruner.27491205 (8.15%)
4Trojan.Recycle90006 (8.05%)
5Win32.HLLW.Autoruner.43776710 (6.86%)
6Trojan.Starter.54472730 (6.50%)
7JS.Nimda40157 (3.59%)
8VBS.Redlof38242 (3.42%)
9Win32.HLLM.Generic.44037992 (3.40%)
10Win32.HLLP.Whboy24129 (2.16%)
11Win32.HLLW.Autoruner.227221893 (1.96%)
12Adware.SaveNow.12817982 (1.61%)
13Program.RemoteAdmin17230 (1.54%)
14BackDoor.IRC.Sdbot.5515902 (1.42%)
15Win32.HLLP.PissOff.3686415670 (1.40%)
16Win32.HLLP.Jeefo.3635213282 (1.19%)
17Trojan.Packed.51111425 (1.02%)
18VBS.Generic.5488984 (0.80%)
19Win32.HLLP.Sector8273 (0.74%)
20Exploit.IFrame.418101 (0.72%)

Tell us what you think

To ask Doctor Web’s site administration about a news item, enter @admin at the beginning of your comment. If your question is for the author of one of the comments, put @ before their names.

Other comments