May 2008 virus activity review by Doctor Web, Ltd.
Doctor Web, Ltd. – the Russian developer of IT security solutions branded Dr.Web – provides the review of virus and spam activity in May 2008
The top event of May surely became the discovery of the elusive Win32.Ntldrbot (aka Rustock.C) by the anti-virus laboratory of Doctor Web, Ltd. The long sought rootkit used infected machines to build a vast botnet. Secure Works consider the botnet to be the third among largest botnets with spamming capability of up to 30 billion messages in 24 hours. Computers protected by the Dr.Web anti-virus will never become the part of the network because the new version of Dr.Web scanner detects the stealthy virus as well as cures an infected machine of the malware. It’s been a month since the cure against Win32.Ntldrbot was provided but by now Dr.Web is still the only anti-virus that cures the rookit.
Another notable event in the month passed became the increased malicious activity faking and manipulating search results to infect PCs. A user of an infected machine follows a link displayed on a search results page but gets to an unrelated web-site. Still the unrelated link can look as other genuine links provided by a search engine. As a consequence a user fails to find required information, an advertiser pays for unrelated traffic but above all such malicious activities have negative impact on the credibility of a search engine blamed for selling out top positions on its search results pages. Upon a request from the management of the Yandex search engine malicious programs of the type were moved from Adware to Trojans in the Dr.Web classification. Currently Yandex recommends Dr.Web CuireIt! as the best free tool curing computers of such Trojan programs.
Spam activity
Spam traffic often spreads viruses, Trojans and other malware. Recently spammers have been exploiting popular Internet brands of the RuNet. Socail networks have a lot of members and inevitably become primary targets of spammers. Such an attack can get a computer of a social networker into a botnet or put a user at risk of losing all information stored on the hard drive. The latter was the case with Win32.HLLW.AntiDurov. What makes the virus especially dangerous is its destructive feature which is rather uncommon among present day malware. On 25th day of each month at 10 a. m.deletion of all files located on the C drive is initiated. It’s been a while since Doctor Web, Ltd. virus monitoring service registered malware with such functions.
Table 1. Top 10 viruses detected on mail servers
| 01.05.2008 00:00 - 31.05.2008 23:00 | ||
| 1 | Win32.HLLM.Netsky.35328 | 189739 (21.18%) |
| 2 | Trojan.Recycle | 123825 (13.82%) |
| 3 | Win32.HLLW.Autoruner.437 | 90463 (10.10%) |
| 4 | Win32.HLLM.Netsky.based | 69604 (7.77%) |
| 5 | Win32.HLLM.MyDoom.based | 40297 (4.50%) |
| 6 | Win32.HLLM.Beagle | 25937 (2.90%) |
| 7 | Win32.HLLP.Sector | 24384 (2.72%) |
| 8 | Exploit.MS05-053 | 23234 (2.59%) |
| 9 | Win32.Virut | 19869 (2.22%) |
| 10 | Win32.HLLM.Oder | 18095 (2.02%) |
Table 2. Top 10 viruses detected on PCs
| 01.05.2008 00:00 - 31.05.2008 23:00 | ||
| 1 | Trojan.Okuks.30 | 1507944 (44.18%) |
| 2 | Win32.HLLM.Generic.440 | 308960 (9.05%) |
| 3 | Trojan.Spambot.3099 | 272036 (7.97%) |
| 4 | VBS.Generic.548 | 156819 (4.59%) |
| 5 | Win32.Alman | 89604 (2.63%) |
| 6 | Adware.SaveNow.128 | 65850 (1.93%) |
| 7 | BackDoor.Generic.1138 | 59082 (1.73%) |
| 8 | Win32.HLLM.Perf | 56024 (1.64%) |
| 9 | BackDoor.Aimbot | 45793 (1.34%) |
| 10 | Win32.HLLP.Jeefo.36352 | 41913 (1.23%) |
Rate
Repost
![[VK]](http://st.drweb.com/static/new-www/social/no_radius/vkontakte.png)
![[Twitter]](http://st.drweb.com/static/new-www/social/no_radius/twitter.png)
Like
![[facebook]](http://st.drweb.com/static/new-www/social/no_radius/facebook.png)
Tell us what you think
To ask Doctor Web’s site administration about a news item, enter @admin at the beginning of your comment. If your question is for the author of one of the comments, put @ before their names.
Other comments