March 4, 2008

February didn’t see any new malware in the wild. Starting at the end of January and up to mid-February Trojan.Packed.357 was being sent out as St. Valentine greetings. Unlike other malicious programs the Trojan executable packer is constantly being changed, the authors of the malicious program also resort to various social engineering techniques to lure users into launching the executable. Launching it places a driver in the Windows installation directory and installs it. The driver has a random name. Dr.Web virus database lists it as Trojan.Spambot.2569. A corresponding entry is also added to the Windows registry. Besides, the malware creates a P2P network configuration file on a hard drive and writes its code to %systemroot%\system32\services.exe. After that it opens random UDP ports and sends out requests to remote hosts, upon receiving a reply it starts sending out spam.

We’d also like to mention spam messages that contained the following words as subject^NEW Full mpeg4 Veronika Zemanova", "NEW Stunning video with a naked celebrity Beyonce", "NEW New sexy songs Salma Hayek", "Stunning video Carmen Electra", "Shocking porno dvd Meg Ryan", "Interesting porno Jennifer Lopez

Such messages provided a link to download an executable detected by Dr.Web anti-virus as Trojan DownLoader 49038.

One more spam mailing contained [postcdard.ru] in its subject and targeted mainly Russian speaking users. A message offered a link to a greeting card. Following it triggered downloading of Trojan.DownLoader.35394. Launching the Trojan downloaded another bunch of malware used to send out spam.

February spam activity summary

Apart from unsolicited mail mentioned above a few words should also be said about an emerged mailing of spam with messages offering downloading commercial software. A share of business related messages and offers of spam mailing based on mailing databases of the CIS has increased.

Statistics

15700 entries have been added to the Dr.Web virus database in February 2008.