July 1, 2008
Concerning viruses
The increased spreading of a dangerous file virus classified by Dr.Web as Win32.Sector.5 (aka Sality) is not something to be omitted. The number of requests to the helpdesk from system administrators regarding malicious activates of the virus turned out to be so large that one could call it as much as an epidemics. As stated by those affected by the malware the present modification of Sector started causing problems in February this year. By now the epidemics has escalated and reached an astounding level. Banks, audit companies, retail chains, software developers, engineering companies, research facilities and federal cultural institutions were affected by activities of the file virus.
First samples of the sector family appeared in early 2003. In five years the malware mutated but retained its destructive capabilities and acquired new ones. Each subsequent variant of the virus tended to be less overt concerning its presence in the system. Experts of Doctor Web, Ltd. anti-virus laboratory think that the mutation provides an evidence that Win32.Sector.5 may now be used to hide other less complex but equally malicious programs stealing sensitive information or sending out spam.
As soon as Win32.Sector.5 gets into a system it injects its code in all processes currently present in RAM and removes certain branches of the system registry so booting in the safe mode becomes impossible. After that the file virus infects all .exe and .scr files on all available disks or network resources. In order to spread faster it also infects autoarun and most frequently launched files. Besides, Win32.Sector.deletes files and processes related to most known anti-virus programs and blocks access to web-sites of the anti-virus vendors preventing updating. Unlike other anti-viruses that either block access to an infected file or delete it, Dr.Web cures files infected by the file virus. The malware is not a threat to users of Dr.Web anti-virus performing regular updates of the virus database. If you are using some other anti-virus but for some reason you believe that your computer may be infected by Win32.Sector.5, you can check your system using the free curing utility called Dr.Web CureIt!.
On Trojans
The news of another modification of an encoder family Trojan –Trojan.Encoder.18 (aka Gpcode) – stirred the Internet at the beginning of June. Having infiltrated into the system the Trojan searches for files with certain extensions (typically Micosoft Office files) and encrypts the data. After that an owner of the files is offered to pay for decryption. Restoring data after activities of this malware is somewhat complicated for the malefactor uses 1024 bit long encryption key. Users of Dr.Web had been protected against Trojan.Encoder.18 even before a sample entered the virus database. The unique Origins Tracing™ technology allowed detecting the malware as Trojan.Sespy.origin.
In the previous year when the author of the Trojan used shorter keys for encryption it was pretty obvious that eventually it would become more complex. Meanwhile, some anti-virus vendors rushed to boast their decryption capabilities even though it was clear that they were bound to lose this sort of contest. Sooner or later the key would get long enough to set the decryption time frame beyond the boundaries of reason. Anti-virus experts of Doctor Web, Ltd. focused on prompt detection of the dangerous program so it would not be able to put to use its destructive capabilities. This approach turned out to be more efficient than rasing a worldwide call for decryption of a kilobit RSA key.
Curious
Surely a contact entry with the UIN 12111 that caused panic among users of ICQ instant messaging service became quite an incident. The technical support service of Doctor Web, Ltd. received lots of questions from users concerned about the “viral” contact list entry even though a contact entry itself could not do any harm. The turmoil calmed down only when the 12111 entry was explained at the ICQ web-site.
A few words about spam
In June spam tended to become smaller and shorter. Messages with a catchy subject line and a link supplemented with a brief comment in the body were sent in ten waves. Links become one of the common ways to evade spam filters. Besides the trick can also be dangerous as a provided link can direct to an infected web-page so a user can get a Trojan along with the content. Doctor Web, Ltd. described one of such mailings in the previous month. The virus monitoring service registered over 50 mailing like this. Many of them lasted for quite a while.
Dr.Web AV-Desk virus top 20
01.06.2008 00:00 - 01.07.2008 00:00 | ||
1 | Trojan.Starter.516 | 601730 (28.08%) |
2 | Win32.HLLM.Generic.440 | 241884 (11.29%) |
3 | Win32.HLLW.Gavir.ini | 220720 (10.30%) |
4 | BackDoor.Bulknet.214 | 142402 (6.65%) |
5 | BackDoor.Aimbot | 133710 (6.24%) |
6 | Trojan.NtRootKit.425 | 127033 (5.93%) |
7 | Adware.SaveNow.128 | 46982 (2.19%) |
8 | Win32.Expiro.7 | 22141 (1.03%) |
9 | Exploit.IFrame.41 | 19108 (0.89%) |
10 | VBS.Igidak | 18492 (0.86%) |
11 | Win32.HLLP.Jeefo.36352 | 18149 (0.85%) |
12 | Program.RemoteAdmin | 17512 (0.82%) |
13 | Win32.Sector.20480 | 15938 (0.74%) |
14 | Trojan.DownLoader.42350 | 15816 (0.74%) |
15 | Win32.Alman | 14665 (0.68%) |
16 | Trojan.Recycle | 13752 (0.64%) |
17 | Win32.HLLP.Sector | 13714 (0.64%) |
18 | VBS.Generic.548 | 13675 (0.64%) |
19 | Win32.HLLW.Gavir.54 | 13503 (0.63%) |
20 | Win32.HLLP.Whboy | 13191 (0.62%) |
June virus top 20 in e-mail
01.06.2008 - 30.06.2008 | ||
1 | Win32.HLLW.Autoruner.437 | 245788 (17.85%) |
2 | Win32.HLLM.Netsky.35328 | 163596 (11.88%) |
3 | BackDoor.Bulknet.214 | 78683 (5.72%) |
4 | Trojan.PWS.Lich | 70877 (5.15%) |
5 | Win32.HLLP.PissOff.36864 | 65000 (4.72%) |
6 | Win32.HLLM.Netsky.based | 62291 (4.52%) |
7 | Win32.HLLW.Autoruner.2147 | 53621 (3.89%) |
8 | Trojan.NtRootKit.425 | 45741 (3.32%) |
9 | Win32.HLLM.MyDoom.based | 34515 (2.51%) |
10 | Win32.HLLM.Beagle | 33763 (2.45%) |
11 | Win32.Virut | 25187 (1.83%) |
12 | Trojan.Recycle | 22821 (1.66%) |
13 | Win32.HLLW.Autoruner.1831 | 22218 (1.61%) |
14 | Exploit.MS05-053 | 21490 (1.56%) |
15 | VBS.Igidak | 18517 (1.34%) |
16 | Trojan.MulDrop.16727 | 18420 (1.34%) |
17 | Win32.HLLP.Sector | 16092 (1.17%) |
18 | Win32.HLLM.Oder | 16056 (1.17%) |
19 | Trojan.Nsanti.Packed | 15774 (1.15%) |
20 | Win32.HLLM.Netsky.24064 | 15516 (1.13%) |
Tell us what you think
To ask Doctor Web’s site administration about a news item, enter @admin at the beginning of your comment. If your question is for the author of one of the comments, put @ before their names.
Other comments