May 1, 2007

Virus Monitoring Service of Doctor Web, Ltd. reports on virus events in April 2007.

April 2007 virus events stirred a good deal of unrest in the web environment. E-mail worms Win32.Dref and Win32.HLLM.Limar have kept the palm they shared before. This time, however, their confrontation was marked by new peculiarities - Win32.Dref switched into diffusion as a ZIP-archive with a password in the graphic file. It’s an old trick derived from another mail worm Win32.HLLM.Beagle. Yet, it served Win32.Dref really good over the first few days, as far from all well-known anti-viruses managed to detect it at mail-servers. Finally a special record Win32.Dref.pswzip assuring the worm's detection as a modification of Win32.Dref and archives alike solved the problem.

Win32.HLLM.Limar in its turn gave a troublesome surprise – the worm’s basic body was additionally infected by a polymorphic file virus Win32.Virut, which came to its victims as extra "bonus". Besides, in the midst of April Win32.HLLM.Limar restated again its undisputable leadership in mail traffic infecting, with peaks as high as 80%.

As the graphic analysis shows, the outbreak of Win32.HLLM.Limar proved to be short-term. But notorious ability of Win32.HLLM.Limar to catch unawares and spread widely shouldn’t be disregarded anyway.

A new modification of Win32.HLLM.Graz is worth attention too, although it passed rather imperceptibly and didn’t seem to attempt at mass diffusion.

As if to make up for this the script worm VBS.Igidak went on its triumphal way. Comparing to the previous months it didn’t spread that much, but its auto launching in the infected system, provided by creation of autorun.inf configuration file with the scripted path to the executable part of the worm, turned to be really tendentious. Both the executable part of the worm and the configuration file are hidden. It makes its visual detection even more difficult because display of files with system or hidden attributes in the standard Windows Explorer and most file managers is disabled by default. Other malware - Trojan.Recycled и Trojan.Corruptor for instance – use the same tricks for system infection.

The number of malware downloading online banking password stealers (Trojan.PWS.Banker) and spam distributors Trojan.Spambot this month increased by 20%.

April 2007 Spam Record

The bulk of spam analyzed by Doctor Web, Ltd. comprises adware, offering different services. 80% of spam are graphic files. Spammers use this form as well as other mixed forms of spam (text decimation, colored letters etc) to avoid spam-filters based on Bayes’s algorithm of unwanted correspondence detection.

Spam of English origin is limited for the most part to medical services advertising, while Russian one covers a wide range of services:

• business offers
• tourist tours
• surname derivation service
• household utilities

General statistics

Virus detection in April, 2007 at mail servers and in networks protected by Dr.Web Anti-virus: