Virus monitoring service of Doctor Web, Ltd. analyzed activity of viruses in November 2007.

Starting at the end of October the Storm Worm spam was being sent for 10 days in November. E-mail messages had an intriguing subject — “Dancing Skeleton”. Such messages were devoted to Halloween and offered a user to take a look at a dancing skeleton. When a user followed a link using Internet Explorer, it triggered a download script embedded in a page code which in turn activated installation of executable modules of the worm. However, it functioned the same way as before: a driver was installed on the infected system, the machine became a member of a P2P-network and was used to send out spam messages.

We’d like to remind you that Storm Worm emerged in January 2007 and was distributed using e-mail messages containing information about a weather disaster in Europe. A user launched an attached executable to get more details on the event. As the result a Trojan programme exploiting a system backdoor was installed on a computer. Polymorphic packers are used in executables of the malware, that’s why Dr.Web Anti-virus uses entreis like Trojan.Packed (e.g. Trojan.Packed.142, Trojan.Packed.200, Trojan.Packed.230) to detect them.

However, let’s get back to the survey. The ”Dancing skeleton” mailing was stopped after a while, mailing messages like described above were not detected later in November. Meanwhile, as nature abhors a void, so virus activity didn’t get lower. As the Storm Worm propagation had stopped, creators of the Win32.HLLM.Limar worm came into place. The worm wasn’t that active in the previous month but it propagated via e-mail, ICQ and Skype. Launch of a file a user was prompted to download resulted in infection of the system, interruption of routines of some anti-viruses and other IT-security programmes, and usage of the infected system as a zombi spam distributor.

And this is not the end yet. Another spam mailing wave was monitored for the whole month: a user was promised to learn how to improve his/her health and welfare but if followed a link placed in the message body a downloading script was executed and a malicious programme detected by Dr.Web Anti-virus as Win32.HLLM.Graz was installed.

Given that in most cases a user has to follow a link to be infected by a malicious programme, Doctor Web, Ltd. offers the free service to check links. The service is implemented as a browser plug-in that can be used to scan any web-page for viruses before it is actually opened, or to check a file one is going to download. When a page is checked, links to scripts and frames present in the page code are also checked. More details on the service you can get on the Dr.Web free services web-site of Doctor Web, Ltd.

The launch of the Dr.Web AV-Desk™ anti-virus service targeting ISPs and IT-security service providers gives Virus monitoring service of Doctor Web, Ltd. even more info on viruses that are infecting machines of end-users. Of course, the statistics provided here is not final, but even now we can say that top malware leaders are the password stealers. Dr.Web AV-Desk™ has been running on servers of some of Russian providers for three weeks and scan results for 6.5 billions of files show that 3.5 millions of them are related to malicious programmes and the absolute leaders are Trojan.PWS.Wsgame.origin, detected using the state of the art non-signature Origins Tracing™ technology, and Win32.HLLP.Jeefo.36352 virus, and Trojans Trojan.Recycle, Trojan.PWS.LDPinch.2468,Trojan.Proxy.1824.

November 2007 spam activity summary

Apart from traditional commercial spam it should be mentioned that the number of messages proposing various cultural events such as exhibitions, concerts, etc, has increased.

13403 entries were added to Dr.Web virus database in November, 2007.

A brief table illustrating November scan results:

You can also have a look at the summary of viruses that were detected most often on mail servers: