My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets


Back to the news list

The endless story of Trojan.Encoder, fake anti-viruses on the offensive and other malicious trends of September 2009

October 5, 2009

September is the time when children get back to their computers to do their homework and adults return from holiday trips to their office desks. As the number of Internet users increases, so does the number of viral threats and victims of a cyber fraud or virus attack. Increased activity of Trojan.Encoder that encrypted data in compromised systems, fake anti-viruses and social networking account crack guides became the most notable events of the past month. Doctor Web presents its review of these events and other malicious trends of September.

Another Trojan.Encoder surge

In September Doctor Web registered an increased number of Russian users that fell victims of Trojan.Encoder that encrypted users’ documents and demanded a ransom for decryption. The demanded amount of money increased, however, transferring the money never guaranteed that a victim would receive a decryption tool or that such a tool would actually work. Every day dozens of users get help from Doctor Web to restore their encrypted files.

The last week saw three new modifications of the Trojan.Encoder featuring new encryption keys and different cyber criminal's contact information. Doctor Web promptly provided users with decryption utilities for each of them. . However, the most interesting modification of this piece of ransomware turned out to be the latest one. It added the drweb extension to encrypted files. Obviously successful neutralisation of the ransomware by Dr.Web anti-viruses drove its author towards playing a mean trick on Doctor Web by using its brand as a part of a filename.

Doctor Web analysts also got hold of a link to a malicious site maintained by the author of the late Trojan.Encoder modifications. It should be noted that the cyber-criminal adopted images of a spider and doctor to trick users into thinking that he was in some way related to Doctor Web which certainly is not true. Apparently such a design aims to confuse users and discredit Doctor Web.

The criminal does its best to present himself as a good doer that helps people to restore their data. His web-site provides users with a demonstration video showing how the utility a user is offered to pay for works.

Based on available information we can suggest that there is only one man behind the extortion of money from users whose documents have been encrypted.

Some anti-viruses are good, others aren’t

Fake anti-viruses have been a cause of problems and worries to many users worldwide. Various techniques ranging from traditional spam mailings and up to special advertisement web-sites were adopted to trick users into downloading and installing such programs.

Trojan.Fakealert.5115 was one of fake anti-viruses found in large numbers on the Internet reaching its highest detection figure on September 27 when 800 000 detections of this malicious program were registered by Doctor Web statistics servers.

As Trojan.Fakealert.5115 is launched, an infection alert appears in the notification area and a user is prompted to download special software to avoid possible data losses. A user has to click on the message to allow “Windows” to download required software automatically.

After that other components of the Trojan.Fakealert.5115 detected by Dr.Web as Trojan.Fakealert.4709 and Trojan.Fakealert.5112 are downloaded from servers set up by cyber criminals. Another visual manifestation of Trojan.Fakealert.5115 is a window of a fake anti-virus product called Antivirus Pro 2010.

New modifications of this fake anti-virus – Trojan.Fakealert.5229 and Trojan.Fakealert.5238 – have been registered recently. Unlike other variations of the fake anti-virus, Trojan.Fakealert.5229 reboots a compromised system during its operation.

Trojan.Fakealert.5238 in its turn displays a modified Windows Security Centre window informing a user that his computer is supposedly protected by Antivirus Pro 2010 but the user needs to purchase a license.

Pressing a purchase button directs a user to a fraudulent web-site where the victim can buy this rather costly software dummy. As usual the "fully-functional" anti-virus turns out to be a piece of code that does nothing.

Fake anti-viruses have been bringing a significant profit to their authors but number of such programs increased notably in the last month.

Someone wants to crack a social networking web-site?

One of virus makers made an unusual proposition to potential victims. On his web-page he described a method that would enable users to gain access to registered user accounts of a Russian social networking web-site and at the same time protect their own accounts from unauthorized access.

To achieve a desired result one had to modify his hosts file thus removing the necessity for malware to perform the operation.

Naturally, the method never brought would-be hackers a success. But in case of a failure the cyber-criminal also offered users to download a program that would perform all required actions automatically. Yet downloading and running the application would lead to disappointment once again. And it is hardly surprising since the program is a piece of malware detected by Dr.Web anti-viruses as Trojan.DownLoad.47503.

Statistics show that hundreds of users decided on joining the ranks of hackers. This malicious program can still be found in the wild with the highest number of detections registered on September 28.

Trojan.Winlock once again. Now over ICQ together with the pinch

A new Trojan.Winlock modification – Trojan.Winlock.252 – and Trojan.PWS.LDPinch.1941 were spread using ICQ in the last September week.

An ICQ user received a message prompting him to follow a link to look at a photograph. Following the link resulted in downloading of the lock.ex file compressed with a viral packer. This file stored four other files in the compromised system: explorerr.ex, svcoost.ex, 43.jpg, а также 154.bat The bat file was used to remove the dropper. Explorer.ex is detected by Dr.Web anti-viruses as Trojan.PWS.LDPinch.4308 compressed with + FSG packer. When extracted, the object is detected as Trojan.PWS.LDPinch.1941 while the svcoost.ex file is defined as Trojan.Winlock.252. Spreading of a Trojan.Winlock program together with a “pinch” makes the threat even more dangerous because a compromised system will not simply be blocked but also all passwords found on the computer will be stolen.

Mail viruses persist

Currently Trojan.DownLoad.47256 is the most frequently detected malware in e-mail traffic. The peak of its outbreak has already passed however, Doctor Web’s statistics servers still register hundreds of thousands of Trojan.DownLoad.47256 detections.

In terms of statistics Trojan.Packed.2915 is not very far behind Trojan.DownLoad.47256 . Trojan.Packed.2915 came as a replacement of Trojan.Botnetlog (see the August review from Doctor Web) spread with messages supposedly sent by DHL Express.

As before every new mailing came with a new modification of the Trojan. A Trojan.Packed.2915 signature created by Doctor Web’s analysts enables Dr.Web anti-viruses to detect even new modifications of the Trojan that have not been studied in the virus laboratory.

The outbreak of Trojan.Packed.2915 reached its maximum on September 25. Now it is likely to decline but the number of detections is still measured in dozens of thousands per day.

In the face of the wide spreading of ransomware Doctor Web doesn't recommend users to get in contact with cyber criminals, let alone transferring money to their accounts. Instead contact Doctor Web’s specialists. In most cases they will be able to help restore a system or encrypted data. E-mail remains one of the main malware distribution channels so Doctor Web once gain strongly advices against opening files attached to e-mails from unfamiliar senders. It is also not recommended to adopt hacking and cracking methods described on certain web-sites because such actions can compromise security of a system and endanger your information as well as violate a law.

Viruses detected in e-mail traffic in September

 01.09.2009 00:00 - 01.10.2009 00:00  
1 Trojan.DownLoad.47256 4208589 (61.34%)
2 Trojan.Fakealert.5115 927637 (13.52%)
3 Trojan.Packed.2915 514717 (7.50%)
4 Trojan.DownLoad.5637 181751 (2.65%)
5 Win32.HLLM.MyDoom.33808 170029 (2.48%)
6 Win32.HLLM.Beagle 146890 (2.14%)
7 Trojan.Packed.2788 113316 (1.65%)
8 Win32.HLLM.Netsky.35328 84013 (1.22%)
9 Win32.HLLM.Netsky.based 70553 (1.03%)
10 Trojan.Botnetlog.11 67909 (0.99%)
11 W97M.Godzilla 61111 (0.89%)
12 Win32.HLLM.MyDoom.54464 50964 (0.74%)
13 Trojan.MulDrop.19648 36837 (0.54%)
14 Win32.HLLM.Perf 32354 (0.47%)
15 Win32.Sector.28480 30066 (0.44%)
16 Win32.HLLM.MyDoom.based 24638 (0.36%)
17 Trojan.Fakealert.5229 15730 (0.23%)
18 Win32.HLLM.Netsky 12506 (0.18%)
19 BackDoor.Gladrac 10804 (0.16%)
20 Trojan.DownLoad.16849 9195 (0.13%)
Total scanned:12,475,886,574
Infected:6,861,469 (0.05%)

Viruses detected on user machines in September

 01.09.2009 00:00 - 01.10.2009 00:00  
1 Trojan.DownLoad.47256 7851901 (36.17%)
2 Trojan.Fakealert.5115 1709557 (7.87%)
3 Win32.HLLW.Gavir.ini 1091500 (5.03%)
4 Win32.HLLW.Shadow.based 552387 (2.54%)
5 Win32.Alman.1 453996 (2.09%)
6 Win32.HLLM.Beagle 399883 (1.84%)
7 JS.Nimda 381940 (1.76%)
8 Trojan.DownLoad.5637 366191 (1.69%)
9 DDoS.Kardraw 338885 (1.56%)
10 Trojan.Recycle 332882 (1.53%)
11 Win32.HLLM.Netsky.35328 306700 (1.41%)
12 VBS.Sifil 296165 (1.36%)
13 Win32.Sector.17 275083 (1.27%)
14 Win32.HLLW.Autoruner.5555 273128 (1.26%)
15 Trojan.AuxSpy.4 234102 (1.08%)
16 Trojan.MulDrop.16727 212213 (0.98%)
17 Win32.HLLW.Texmer.43 207238 (0.95%)
18 Trojan.Packed.2788 194328 (0.90%)
19 Win32.Virut.14 193677 (0.89%)
20 Win32.HLLM.Netsky.based 179267 (0.83%)
Total scanned:845,578,747,316
Infected:21,708,714 (0.00%)

Tell us what you think

To ask Doctor Web’s site administration about a news item, enter @admin at the beginning of your comment. If your question is for the author of one of the comments, put @ before their names.

Other comments