August`07 virus and spam review by Doctor Web, Ltd.
Virus Monitoring Service of Doctor Web, Ltd. reports on virus events in August 2007.
Undoubtedly, the outbreak of the so-called “storm worm” turned out to be the major spam event of the month. During the first decade the spammers used a time-proved social engineering technique – a greeting postcard with a link in the message body inviting users to visit it. The subjects of these messages were changed several times later, the content as well. It offered, for instance, to watch a YourTube clip with the recipient staring in it and check a user account at some entertaining portal afterwards. If opened in Internet Explorer, a downloading script implanted into the web-page, detected as Trojan.Packed.142 by Dr.Web was executed. This script is detected by Dr.Web as VBS.Psyme.434. As a result, the infected computer became a bot in the P2P network created by Trojan.Packed.142 and started distributing spam, or launching DDoS attacks.In the second decade Virus Monitoring Service of Doctor Web, Ltd. detected in downloadable executable modules a dangerous polymorphic virus classified by Dr.Web as Win32.Virut.5, affecting all executable files and capable of taking control over infected computers via IRC channels. Some variants of the executable files of Trojan.Packed.142 infected by Win32.Virut.5 spread around for a few days. Dr.Web Anti-virus, in contrast to many other anti-viruses, not only detects, but, which is most important, cures files infected with Win32.Virut.5. The scale of the “storm worm” makes any delay in detecting the malware and curing computers really fatal. A similar case occurred last year when the Win32.Polipos file virus spread over peering networks and Dr.Web was the only anti-virus to detect and curу the infected machines.
Later the propagation of the Trojan.Packed.142 variants infected by Win32.Virut.5 stopped. We observed almost the same in May`07, when there was a mass distribution of the Win32.HLLM.Limar worm infected by Win32.Virut.
There was also detected another file virus labeled Win32.Scproj.7573. This one infects all the .exe files on hard disks and movable carriers. It doesn’t modify, as a rule, the file volume writing itself to a zero byte section. There’s no visible sign of infection, except for Explorer errors, messages of some programs on the integrity damages of their .exe files, etc. The virus intercepts the network access via the infected attachments and can avoid firewalls` security policies for trusted attachments. Its body comprises links from which it can receive instructions on its further action. In a definite time after the start of the infected Explorer, the virus scans the network for the network shares with write access and, having found them, infects all their .exe files.
Modifications of the notorious Win32.HLLM.Beagle mass-mailing worm should be noted on the list as well, although their distribution was far from being an epidemic.
August 2007, spam review
A few spam distributions were detected this month. The first one, the “storm worm” distribution mentioned above, was the most scalable one. The second comprised the messages with PDF files attached. The third contained e-mails with Here is the news you have been waiting for. subjects distributed from computers infected by Trojan.Packed.142. Spam seems to have taken over the basic viruses’ traits: alarming subjects, offers to read a document or important data (characteristic of Win32.HLLM.Netsky), Delivery Failure reports (typical of Win32.HLLM.MyDoom, Win32.HLLM.Limar mail worms), ZIPed attachments, etc.
Russian spam was marked by an increased number of self-advertising offers of spammers` services. Invitations to accounting and taxation seminars rated traditionally high comparing to "cultural" spam, which decreased in volume.14 474 entries were added in August 2007 to Dr.Web virus database.
Below goes a short summary table of online check for this month:
| Virus name | Quantity |
|---|---|
| VBS.Psyme.239 | 469 |
| Trojan.Packed.142 | 415 |
| BackDoor.Bulknet | 322 |
| VBS.PackFor | 284 |
| Trojan.SCKeyLog.20 | 124 |
| Win32.Virut | 107 |
| Trojan.Virtumod | 81 |
| Trojan.Peflog.30 | 56 |
| Trojan.Peflog.31 | 56 |
| Trojan.DownLoader.29530 | 33 |
Below is a summary table of 20 top viruses detected in August 2007:
| Virus name | % of the total quantity |
|---|---|
| Win32.HLLM.Graz | 19.16% |
| Trojan.DownLoader.30541 | 16.31% |
| Win32.HLLM.Netsky.35328 | 15.05% |
| Win32.HLLM.MyDoom.based | 8.03% |
| Win32.HLLM.Beagle | 7.21% |
| Win32.HLLM.Netsky | 4.30% |
| Win32.HLLM.Netsky.based | 3.67% |
| Win32.HLLM.Perf | 2.88% |
| Win32.HLLP.Sector | 2.70% |
| Exploit.MS05-053 | 2.49% |
| Win32.HLLM.Limar.based | 2.40% |
| BackDoor.Bulknet.52 | 1.92% |
| Trojan.DownLoader.29243 | 1.75% |
| Win32.HLLM.Limar | 1.41% |
| Win32.HLLM.MyDoom.33808 | 1.35% |
| Win32.HLLM.Oder | 1.01% |
| Win32.HLLM.MyDoom.49 | 0,70% |
| Win32.HLLM.Netsky.24064 | 0.56% |
| Win32.HLLM.Beagle.pswzip | 0.47% |
| Win32.HLLM.Generic.391 | 0.44 |
| Other malware | 6.18% |
Rate
Repost
![[VK]](http://st.drweb.com/static/new-www/social/no_radius/vkontakte.png)
![[Twitter]](http://st.drweb.com/static/new-www/social/no_radius/twitter.png)
Like
![[facebook]](http://st.drweb.com/static/new-www/social/no_radius/facebook.png)
Tell us what you think
To ask Doctor Web’s site administration about a news item, enter @admin at the beginning of your comment. If your question is for the author of one of the comments, put @ before their names.
Other comments