My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets


Back to the news list

October virus activity survey from Doctor Web, Ltd.

November 1, 2007

Doctor Web, Ltd. virus monitoring service conducted a survey of virus activity in October of 2007

The scale of Storm Worm spam mailing has been decreasing. However, one can't say that it has stopped. A user receives a mail message with a download link to a greetings card. Following the link loads a cartoon style page. The page code contains download script which is detected by Dr.Web antivirus as VBS.Psyme.438. Executing the script results in an unauthorized installation of an executable. After that it works the same way as before: an infected computer joins a P2P network and sends out spam messages. Besides, infected machines were used for DDoS attacks on anti-spam portals and sites distributing Win32.HLLM.Limar.

Lower activity of Storm Worm allowed authors of Win32.HLLM.Limar "to rear their heads". On October 20-21 a mass mailing was detected, messages contained an attached downloader that installed main modules of Win32.HLLM.Limar on an infected workstation. Win32.HLLM.Limar replaced Windows Messanger temprorarily and sent out messages containing its download links.

This month also saw two new malicious pieces of software spreading over Skype VoIP network - Win32.HLLW.Pykse and Trojan.PWS.Skype. It means that number of malicious programmes exploiting Skype may increase. We would like to remind you that another malicious programme for Skype - Win32.HLLW.Crazy - was discovered this summer.

We can't miss appearing of a malicious PDF document that exploits vulnerabilities of Adobe Systems Reader and Acrobat. Surely a lot of people remember the spam wave with PDF attachments. The first wave messages didn't contain destructive PDF files. However, the current mailing wave has shown that PDF files can impose a tangible threat to a computer of a user. Detecting such PDF files is included in Exploit.PDFUri Dr.Web bases.

October 2007 Spam activity summary

The event of the month was a new spam technique used to evade spam-filters - spam messages with MP3 attachments. But such MP3 files had a very low bit-rate so the new method was not very efficient and a mailing stopped rather quickly.

The amount of commercial spam containing business related information as well as so called "cultural spam" advertising a first night, an exhibition or other cultural events has increased this month.

9855 entries have been added to Dr.Web virus data-base in October.

The table below shows results of online scan for the last month:

Virus name Quantity
VBS.Psyme.239 2142
Worm.Sifiliz 599
Trojan.SCKeyLog.20 423
VBS.PackFor 214
Trojan.PWS.LDPinch 172
Trojan.PWS.Wsgame 143
Win32.HLLM.Wukill 105
Trojan.Spambot 100
Trojan.PWS.Gamania 97
Win32.HLLM.Limar 50

You can also have a look at the summary table of viruses most frequently detected on mail servers in October 2007:

Virus name % of total quantity
Win32.HLLM.Netsky.35328 23.72
Win32.HLLM.Graz 15.06
Win32.HLLM.Beagle 8.05
Win32.HLLM.Netsky 6.39
Win32.HLLM.Netsky.based 5.82
Win32.HLLM.Limar.based 4.73
Win32.HLLM.MyDoom.based 3.85
Win32.HLLP.Sector 3.19
Trojan.DownLoader.35874 2.94
Win32.HLLM.Perf 2.47
Exploit.MS05-053 2.34
Win32.HLLM.Oder 1.89
Win32.HLLM.MyDoom.33808 1.58
Win32.HLLM.Limar 1.51
BackDoor.IRC.Sdbot.1933 1.45
Win32.LazyAdmin.32768 1.39
Trojan.Click.4223 1.13
Win32.HLLM.Netsky.24064 0.95
Win32.HLLM.MyDoom.49 0.80
Win32.HLLM.Netsky.41985 0.73
Other malware 10.01

Tell us what you think

To ask Doctor Web’s site administration about a news item, enter @admin at the beginning of your comment. If your question is for the author of one of the comments, put @ before their names.

Other comments