Defend what you create

Other Resources

Close

Library
My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets

Profile

Back to news

April 2008 virus activity review from Doctor Web, Ltd.

May 12, 2008

As usual the virus monitoring service of Doctor Web, Ltd. кept a watchful eye over viral activities in April.

No doubt the discovery of a new modification of the malware classified by the Dr.Web as BackDoor.MaosBoot became the most notable event of the end of March and in the early April. The program belongs to the new class of viruses that combine features of an MBR virus and a rootkit. BackDoor.MaosBoot mainly targets computers of end users to obtain sensitive financial info. The virus has a long list of bank-client applications. The improved version of the malware easily obtains sensitive information using the list.

In the mid-April the virus monitoring service also detected a surged mailing of an almost forgotten Win32.HLLM.Limar downloader. Though the surge didn't turn into an epidemic, however, the implication was that spreading of the malware on a higher scale should not be ruled out.

Meanwhile, an event of the month is most certainly dispelling the myth that malware known as Rustock.C didn't exist. The virus monitoring service of Doctor Web, Ltd. actually nailed the long elusive rootkit that entered the Dr.Web database as Win32.Ntldrbot. The malicious code is used to turn PCs into spamming bots joined into a vast botnet. Moreover the catching virus was also capable of remaining completely undetected and so it did supposedly since October 2007! According to Secure Works the Rustock botnet is the third among largest botnets and can spam up to 30 billion messages every day. The network mainly advertises pharmaceutical products and securities.

Some features of Win32.Ntldrbot

  • Sophisticated polymorphic protection of the rootkit makes extraction and analysis extremely difficult.
  • Implemented as a driver, it runs on the lowest kernel level.
  • Protects itself, prevents runtime changes.
  • Uses active anti-debugging techniques: monitors setting hardware breakpoints (DR-registers), disrupts operation of kernel-level debuggers (e.g. Syser, SoftIce). WinDbg debugger won’t work, if the rootkit is running.
  • Intercepts system functions using non-standard method.
  • Functions as a file-virus and infects system drivers.
  • A particular sample of the rootkit becomes adjusts to the hardware of an infected machine and most likely won’t run on another computer.
  • Utilizes time-triggered reinfection feature. An old infected file is cured. So the rootkit "wonders" through system drivers infecting only one at a time.
  • Filters calls to an infected file, intercepts FSD-procedures of a file system driver and redirects a call to the original file instead of the infected one.
  • Features anti-rootkit protection.
  • Injects its library to one of the Windows system processes, so the library starts spamming. A driver is connected to the DLL using a special command transfer mechanism.
. It is very important that currently Dr.Web is the only anti-virus capable of detecting and curing a running Win32.Ntldrbot

April 2008 virus statistics

Table 1.Top 20 viruses detected on mail servers

 01.04.2008 00:00 - 13.05.2008 23:00 
1Win32.HLLM.Netsky.35328270654 (29.51%)
2Win32.HLLM.Netsky.based95383 (10.40%)
3Win32.HLLW.Autoruner.43773490 (8.01%)
4Win32.HLLM.MyDoom.based57639 (6.28%)
5Win32.HLLM.Beagle38671 (4.22%)
6Win32.HLLM.Netsky30887 (3.37%)
7Win32.HLLP.Sector30885 (3.37%)
8Exploit.MS05-05328784 (3.14%)
9VBS.Igidak26239 (2.86%)
10Win32.HLLM.Oder22487 (2.45%)
11Win32.Virut20823 (2.27%)
12Win32.HLLM.Perf17012 (1.85%)
13Win32.HLLM.Netsky.2406416739 (1.83%)
14Win32.HLLM.MyDoom.3380811208 (1.22%)
15Win32.HLLM.Netsky.280089592 (1.05%)
16Trojan.DownLoader.495869305 (1.01%)
17Win32.LazyAdmin.327688791 (0.96%)
18Win32.HLLM.Netsky.286728689 (0.95%)
19Trojan.Regger8657 (0.94%)
20Exploit.IframeBO8093 (0.88%)

Table 2. Top 20 viruses detected on PCs

 01.04.2008 00:00 - 13.05.2008 23:00 
1Trojan.Okuks.302184293 (33.03%)
2Trojan.Spambot.30991286403 (19.45%)
3Trojan.Click.17013501156 (7.58%)
4Trojan.Okuks.24172393 (2.61%)
5Win32.HLLM.Generic.440158366 (2.39%)
6JS.Nimda156129 (2.36%)
7Win32.Alman131706 (1.99%)
8Win32.HLLW.Autoruner.437107772 (1.63%)
9VBS.Generic.548104092 (1.57%)
10Adware.SaveNow.12891458 (1.38%)
11Win32.HLLP.PissOff.3686488904 (1.34%)
12Trojan.Recycle82489 (1.25%)
13Trojan.DownLoader.4958677948 (1.18%)
14Win32.HLLP.Jeefo.3635275027 (1.13%)
15BackDoor.Generic.113862350 (0.94%)
16VBS.Igidak49603 (0.75%)
17Win32.HLLP.Neshta48690 (0.74%)
18Win32.HLLM.Lovgate.247851 (0.72%)
19Trojan.NtRootKit.42546560 (0.70%)
20Win32.HLLW.Autoruner33661 (0.51%)

Tell us what you think

You will be awarded one Dr.Webling per comment. To ask Doctor Web’s site administration about a news item, enter @admin at the beginning of your comment. If your question is for the author of one of the comments, put @ before their names.


Other comments

The Russian developer of Dr.Web anti-viruses

Doctor Web has been developing anti-virus software since 1992

Dr.Web is trusted by users around the world in 200+ countries

The company has delivered an anti-virus as a service since 2007

24/7 tech support

© Doctor Web
2003 — 2019

Doctor Web is the Russian developer of Dr.Web anti-virus software. Dr.Web anti-virus software has been developed since 1992.

2-12А, 3rd street Yamskogo polya, Moscow, Russia, 125040