June 1, 2007

May'07 virus and spam review by Doctor Web, Ltd.

Virus Monitoring Service of Doctor Web, Ltd. reports on virus events in May 2007.

May 2007 virus environment took over the strain it survived the previous month. Win32.HLLM.Limar in various modifications remained the prime trouble-maker. It accounted from 30 up to 70% of the infected traffic starting from the midst of May. As the scheme below proves hardly ever a month had escaped sudden outbreaks caused by its modifications.

Another event to be noted is new modifications of Win32.HLLM.Graz, disseminated via spam in attached *.hta files of different kind which made it even more difficult to detect the infection. However, both the former and the current versions of this mail worm run the same way: they install a rootkit component to hide the worm’s files on the disk and in the log files of the infected system.

Malware of Asian origin in numerous modifications of Win32.HLLW.Gavir, Win32.HLLP.Whboy, Win32.HLLW.Cent, Win32.HLLW.Autoruner and Win32.HLLW.Creater made a triumphal go, too. They all uniquely auto-start every time Windows is started, with copies of the malware and the autorun.inf file with the rout to the malware carrier created in the Windows directory. Both malware copies and the autorun.inf file are hidden. Disabling hidden files representation in the Explorer requires that a corresponding parameter in the log should be changed. Win32.HLLW.Gavir, Win32.HLLP.Whboy, Win32.HLLW.Creater can infect .exe files. Mail worms seem to have taken up the function of malware download. Win32.HLLW.Autoruner, for example, downloads Trojan.PWS.Wsgame stealing on-line games passwords and other malware - BackDoor.Paziruk, BackDoor.Cafezz.

Trojan.RedBrowser mobile phones malware along with its clones Adware.Freesms and Trojan.Webser – Symbian.Viver sprang up from oblivion. It originally disguised itself as multimedia codec sending SMS messages to the paid telephone number while being incapable of self-dissemination or self-installation on the targeted phones. The malefactors took over Trojan.Webser experience in social engineering and did their best.

Spam review

Although summertime is within sight spam targeting financial directors and accountants with invitations to seminars devoted to taxation and legislation aspects has only slightly decreased comprising 67% of the overall Russian spam. The bulk of English spam (about 80%) is still owed to medical ads offering medicine, medical services or plastic surgery.

9474 virus entries were added to Dr.Web virus database in May 2007.

Below goes a short summary table online check for this month:

Here is also a summary table of most spread viruses detected on mail servers protected by Dr.Web in May 2007: