April 2008 virus activity review from Doctor Web, Ltd.
May 12, 2008
As usual the virus monitoring service of Doctor Web, Ltd. кept a watchful eye over viral activities in April.
No doubt the discovery of a new modification of the malware classified by the Dr.Web as BackDoor.MaosBoot became the most notable event of the end of March and in the early April. The program belongs to the new class of viruses that combine features of an MBR virus and a rootkit. BackDoor.MaosBoot mainly targets computers of end users to obtain sensitive financial info. The virus has a long list of bank-client applications. The improved version of the malware easily obtains sensitive information using the list.
In the mid-April the virus monitoring service also detected a surged mailing of an almost forgotten Win32.HLLM.Limar downloader. Though the surge didn't turn into an epidemic, however, the implication was that spreading of the malware on a higher scale should not be ruled out.
Meanwhile, an event of the month is most certainly dispelling the myth that malware known as Rustock.C didn't exist. The virus monitoring service of Doctor Web, Ltd. actually nailed the long elusive rootkit that entered the Dr.Web database as Win32.Ntldrbot. The malicious code is used to turn PCs into spamming bots joined into a vast botnet. Moreover the catching virus was also capable of remaining completely undetected and so it did supposedly since October 2007! According to Secure Works the Rustock botnet is the third among largest botnets and can spam up to 30 billion messages every day. The network mainly advertises pharmaceutical products and securities.
Some features of Win32.Ntldrbot
- Sophisticated polymorphic protection of the rootkit makes extraction and analysis extremely difficult.
- Implemented as a driver, it runs on the lowest kernel level.
- Protects itself, prevents runtime changes.
- Uses active anti-debugging techniques: monitors setting hardware breakpoints (DR-registers), disrupts operation of kernel-level debuggers (e.g. Syser, SoftIce). WinDbg debugger won’t work, if the rootkit is running.
- Intercepts system functions using non-standard method.
- Functions as a file-virus and infects system drivers.
- A particular sample of the rootkit becomes adjusts to the hardware of an infected machine and most likely won’t run on another computer.
- Utilizes time-triggered reinfection feature. An old infected file is cured. So the rootkit "wonders" through system drivers infecting only one at a time.
- Filters calls to an infected file, intercepts FSD-procedures of a file system driver and redirects a call to the original file instead of the infected one.
- Features anti-rootkit protection.
- Injects its library to one of the Windows system processes, so the library starts spamming. A driver is connected to the DLL using a special command transfer mechanism.
April 2008 virus statistics
Table 1.Top 20 viruses detected on mail servers
| 01.04.2008 00:00 - 13.05.2008 23:00 | ||
| 1 | Win32.HLLM.Netsky.35328 | 270654 (29.51%) |
| 2 | Win32.HLLM.Netsky.based | 95383 (10.40%) |
| 3 | Win32.HLLW.Autoruner.437 | 73490 (8.01%) |
| 4 | Win32.HLLM.MyDoom.based | 57639 (6.28%) |
| 5 | Win32.HLLM.Beagle | 38671 (4.22%) |
| 6 | Win32.HLLM.Netsky | 30887 (3.37%) |
| 7 | Win32.HLLP.Sector | 30885 (3.37%) |
| 8 | Exploit.MS05-053 | 28784 (3.14%) |
| 9 | VBS.Igidak | 26239 (2.86%) |
| 10 | Win32.HLLM.Oder | 22487 (2.45%) |
| 11 | Win32.Virut | 20823 (2.27%) |
| 12 | Win32.HLLM.Perf | 17012 (1.85%) |
| 13 | Win32.HLLM.Netsky.24064 | 16739 (1.83%) |
| 14 | Win32.HLLM.MyDoom.33808 | 11208 (1.22%) |
| 15 | Win32.HLLM.Netsky.28008 | 9592 (1.05%) |
| 16 | Trojan.DownLoader.49586 | 9305 (1.01%) |
| 17 | Win32.LazyAdmin.32768 | 8791 (0.96%) |
| 18 | Win32.HLLM.Netsky.28672 | 8689 (0.95%) |
| 19 | Trojan.Regger | 8657 (0.94%) |
| 20 | Exploit.IframeBO | 8093 (0.88%) |
Table 2. Top 20 viruses detected on PCs
| 01.04.2008 00:00 - 13.05.2008 23:00 | ||
| 1 | Trojan.Okuks.30 | 2184293 (33.03%) |
| 2 | Trojan.Spambot.3099 | 1286403 (19.45%) |
| 3 | Trojan.Click.17013 | 501156 (7.58%) |
| 4 | Trojan.Okuks.24 | 172393 (2.61%) |
| 5 | Win32.HLLM.Generic.440 | 158366 (2.39%) |
| 6 | JS.Nimda | 156129 (2.36%) |
| 7 | Win32.Alman | 131706 (1.99%) |
| 8 | Win32.HLLW.Autoruner.437 | 107772 (1.63%) |
| 9 | VBS.Generic.548 | 104092 (1.57%) |
| 10 | Adware.SaveNow.128 | 91458 (1.38%) |
| 11 | Win32.HLLP.PissOff.36864 | 88904 (1.34%) |
| 12 | Trojan.Recycle | 82489 (1.25%) |
| 13 | Trojan.DownLoader.49586 | 77948 (1.18%) |
| 14 | Win32.HLLP.Jeefo.36352 | 75027 (1.13%) |
| 15 | BackDoor.Generic.1138 | 62350 (0.94%) |
| 16 | VBS.Igidak | 49603 (0.75%) |
| 17 | Win32.HLLP.Neshta | 48690 (0.74%) |
| 18 | Win32.HLLM.Lovgate.2 | 47851 (0.72%) |
| 19 | Trojan.NtRootKit.425 | 46560 (0.70%) |
| 20 | Win32.HLLW.Autoruner | 33661 (0.51%) |
Rate
Repost
![[VK]](http://st.drweb.com/static/new-www/social/no_radius/vkontakte.png)
![[Twitter]](http://st.drweb.com/static/new-www/social/no_radius/twitter.png)
Like
![[facebook]](http://st.drweb.com/static/new-www/social/no_radius/facebook.png)
Tell us what you think
To ask Doctor Web’s site administration about a news item, enter @admin at the beginning of your comment. If your question is for the author of one of the comments, put @ before their names.
Other comments