August 1, 2007
Virus Monitoring Service of Doctor Web, Ltd. reports on virus events in July 2007.
July saw more than one outbreak of virus activity. The first worth mentioning is a widespread spam mailing of greeting messages with subjects like “You've got an e-card from a Class-mate! (or a Neighbor etc)”. The message body contained a link to the supposed postcard. A careless click could lead to disaster: infection by a new modification of the notorious BackDoor.Groan. This malware installs a special driver to conceal its files on the disk, can operate over P2P networks, and launches spam distribution from the infected PC. For a while the BackDoor.Groan mailings were disguised as virus alerts, inviting users to download a supposed curing utility in order to avoid an IP ban, but the authors soon switched back to the conventional greeting subjects. It is worth noting that the first BackDoor.Groan mailing was detected in January this year, when its subject lines played on political topics.
The mail worm Win32.HLLM.Limar was less noticeable this month than it used to be. It exceeded its usual level only once, reaching 35% of all infected mail traffic, and that outbreak did not last long, as the chart below shows:
New modifications of the mail worm Win32.HLLM.Graz appeared. At times it accounted for 35-40% of infected traffic; it removes anti-virus tools from the infected computer and prevents their re-installation.
Cyber extortionists became more active too. Several modifications of a dangerous Trojan that disables computers, Trojan.Plastix, were detected. If your machine has been infected by Trojan.Plastix, you are welcome to contact the Technical Support service of Doctor Web, Ltd. to recover your computer.
Another Trojan on the list is Trojan.Encoder, newly upgraded to the versions Trojan.Encoder.11 and Trojan.Encoder.12, which extort a considerable sum from their victims for recovering the encrypted data.
Trojan.Winlock keeps to the shadows while the PC is running, but after a restart it springs up, announcing that the user is running an unlicensed copy of the OS and demanding a corresponding payment through Yandex.Money.
One more event to be noted is a Russian-language phishing message alerting the recipient to an alleged blocking of their Yandex.Money account. Such messages are detected by Dr.Web as Trojan.Bankfraud.402.
July 2007 spam review
In addition to the spam events above, an outbreak of unwanted messages with PDF attachments was detected. Their volume increased by 30% compared to the previous month.
The share of so-called “cultural spam” announcing opera galas, exhibitions, various tours etc. increased as well. Still, the bulk of Russian spam remains commercial: invitations to seminars, accounting services and the like.
In July, 16,577 entries were added to the Dr.Web virus database.
Below is the summary table of online scan results for July:
| Virus name | Quantity |
|---|---|
| VBS.Psyme.239 | 758 |
| Trojan.Packed.142 | 501 |
| VBS.PackFor | 397 |
| Trojan.Virtumod | 188 |
| Win32.HLLW.Autoruner | 105 |
| Win32.HLLM.Limar | 96 |
| BackDoor.Bulknet | 87 |
| Trojan.Spambot | 82 |
| Win32.HLLM.Beagle | 66 |
| Win32.HLLM.Wukill | 65 |
One more summary table shows the viruses that prevailed on mail servers in July 2007:
| Virus name | % of the total quantity |
|---|---|
| Win32.HLLM.Netsky.35328 | 19.14 |
| Win32.HLLM.Graz | 15.01 |
| Win32.HLLM.MyDoom.based | 8.28 |
| Win32.HLLP.Sector | 8.12 |
| Win32.HLLM.Beagle | 7.76 |
| Win32.HLLM.Limar.based | 6.44 |
| Win32.HLLM.Netsky.based | 5.74 |
| Win32.HLLM.Limar | 5.13 |
| Win32.HLLM.Netsky | 3.88 |
| Win32.HLLM.Perf | 2.65 |
| Win32.Hazafi.30720 | 1.75 |
| Exploit.MS05-053 | 1.44 |
| Win32.HLLM.Beagle.pswzip | 1.11 |
| Win32.HLLM.Oder | 1.08 |
| Win32.HLLM.MyDoom.33808 | 1.05 |
| Win32.HLLM.MyDoom.49 | 0.94 |
| BackDoor.Bulknet | 0.88 |
| Win32.HLLM.Netsky.24064 | 0.80 |
| Win32.HLLM.Generic.391 | 0.80 |
| Trojan.MulDrop.7173 | 0.75 |
| Other malicious programs | 7.25 |