My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets


Back to the news list

April virus review by Doctor Web

May 1, 2007

Virus Monitoring Service of Doctor Web, Ltd. reports on virus events in April 2007.

April 2007 virus events stirred a good deal of unrest in the web environment. E-mail worms Win32.Dref and Win32.HLLM.Limar have kept the palm they shared before. This time, however, their confrontation was marked by new peculiarities - Win32.Dref switched into diffusion as a ZIP-archive with a password in the graphic file. It’s an old trick derived from another mail worm Win32.HLLM.Beagle. Yet, it served Win32.Dref really good over the first few days, as far from all well-known anti-viruses managed to detect it at mail-servers. Finally a special record Win32.Dref.pswzip assuring the worm's detection as a modification of Win32.Dref and archives alike solved the problem.

Win32.HLLM.Limar in its turn gave a troublesome surprise – the worm’s basic body was additionally infected by a polymorphic file virus Win32.Virut, which came to its victims as extra "bonus". Besides, in the midst of April Win32.HLLM.Limar restated again its undisputable leadership in mail traffic infecting, with peaks as high as 80%.

As the graphic analysis shows, the outbreak of Win32.HLLM.Limar proved to be short-term. But notorious ability of Win32.HLLM.Limar to catch unawares and spread widely shouldn’t be disregarded anyway.

A new modification of Win32.HLLM.Graz is worth attention too, although it passed rather imperceptibly and didn’t seem to attempt at mass diffusion.

As if to make up for this the script worm VBS.Igidak went on its triumphal way. Comparing to the previous months it didn’t spread that much, but its auto launching in the infected system, provided by creation of autorun.inf configuration file with the scripted path to the executable part of the worm, turned to be really tendentious. Both the executable part of the worm and the configuration file are hidden. It makes its visual detection even more difficult because display of files with system or hidden attributes in the standard Windows Explorer and most file managers is disabled by default. Other malware - Trojan.Recycled и Trojan.Corruptor for instance – use the same tricks for system infection.

The number of malware downloading online banking password stealers (Trojan.PWS.Banker) and spam distributors Trojan.Spambot this month increased by 20%.

April 2007 Spam Record

The bulk of spam analyzed by Doctor Web, Ltd. comprises adware, offering different services. 80% of spam are graphic files. Spammers use this form as well as other mixed forms of spam (text decimation, colored letters etc) to avoid spam-filters based on Bayes’s algorithm of unwanted correspondence detection.

Spam of English origin is limited for the most part to medical services advertising, while Russian one covers a wide range of services:

  • business offers
  • tourist tours
  • surname derivation service
  • household utilities

General statistics

9973 entries have been added to Dr.Web virus database in April, 2007. Find below a short summary table of on-line monthly virus scan at

Virus name Quantity
Win32.HLLM.Limar 591
VBS.Psyme.239 268
Trojan.Virtumod 240
Trojan.Spambot 177
Trojan.Peflog.31 147
Win32.HLLM.Wukill 128
VBS.Igidak 79
Win32.HLLM.Graz 65
Trojan.PWS.Maran 53
Win32.HLLP.Jeefo.36352 47

Virus detection in April, 2007 at mail servers and in networks protected by Dr.Web Anti-virus:

Virus name % of the overall quantity
Win32.HLLM.Limar 35.11
Win32.HLLM.Beagle 11.88
Win32.HLLM.Netsky.35328 9.91
Win32.HLLM.Perf 6.83
Win32.HLLM.MyDoom.based 5.45
Win32.HLLM.Netsky.based 4.61
Win32.HLLP.Sector 4.42
Win32.Hazafi.30720 3.61
Win32.HLLM.Graz 2.29
Win32.HLLM.MyDoom.49 2.26
Win32.HLLM.MyDoom.33808 2.09
Win32.HLLM.Limar.based 1.13
Trojan.Spambot 1.01
Win32.Grum 0.85
Exploit.IframeBO 0.70
Win32.HLLM.Netsky 0.54
Exploit.MS05-053 0.53
Win32.HLLM.Beagle.pswzip 0.50
Exploit.IFrame 0.40
Win32.HLLM.Oder 0.33
Other malware 5.55

Tell us what you think

To ask Doctor Web’s site administration about a news item, enter @admin at the beginning of your comment. If your question is for the author of one of the comments, put @ before their names.

Other comments