February 2007 virus review by Doctor Web
March 01, 2007
Last February was marked by a confrontation between two teams of virus writers: Win32.Dref creators competed with those of Win32.HLLM.Limar for access to users’ computers.
Win32.HLLM.Limar, a mail worm, which peaked in autumn 2006 with its modifications springing up every other day, is gradually giving way to Win32.Dref. When Win32.Dref attacks an infected system, it sets up a driver, detected by Dr.Web Antivirus as BackDoor.Groan, and a number of other malware for self-dissemination and DdoS attacks, targeting both anti-spam adherents’ web-sites and Win32.HLLM.Limar spreaders.
In addition, Win32.Dref modules are regularly upgraded by modification of packers that make their detection even more difficult. To cope with this, special signature records have been added to Dr.Web virus definitions database thus allowing the detection of Win32.Dref regardless of the packer’s modification.
On the other hand, Win32.HLLM.Limar’s creators had to resort to frequent changes of their modules’ download links. Win32.HLLM.Limar became more active by the end of February, but triggered no large outbreak in the long run.
This confrontation reminds of a notorious competition of Win32.HLLM.Beagle, Win32.HLLM.Netsky and Win32.HLLM.MyDoom, fighting for virus Olympus all through years 2003-2004.
It’s only natural that virus writers couldn’t but contribute to St. Valentine’s Day. A few modifications of Trojans, classified by Dr.Web as Trojan.MulDrop.5549 and Trojan.MulDrop.5550 have been sent to users as holiday postcards. When opened, they resulted in a leak of all system passwords.
As Secunia reports, numerous vulnerabilities were found in the Microsoft Internet Explorer, Microsoft Malware Protection and Microsoft Word. These breaches are regarded as critical since they allow for any code to be run on a targeted desktop. On the whole, virus situation like this is no longer out of the ordinary. It keeps timely correction of the vulnerable components in the focus of counteraction.
Virus statistics by Doctor Web, Ltd. in February, 2007
6990 entries have been added to Dr.Web virus database in February, 2007. Find below a short summary table of on-line monthly virus scan at online.drweb.com.
| Virus name | Quantity |
|---|---|
| Trojan.Isbar.13 | 289 |
| Win32.HLLM.Limar | 273 |
| Win32.HLLM.Wukill | 141 |
| Trojan.Virtumod | 96 |
| VBS.Psyme.239 | 92 |
| Trojan.Peflog.31 | 77 |
| Trojan.Peflog.30 | 70 |
| Win32.HLLM.Beagle | 69 |
| Win32.HLLW.MyBot | 35 |
| Trojan.Packed.14 | 31 |
Virus detection in February '07 at mail servers and in networks protected by Dr.Web Anti-virus:
| Virus name | % of the overall quantity |
|---|---|
| Trojan.Bankfraud.272 | 21.44 |
| Win32.HLLM.Beagle | 11.11 |
| Win32.HLLM.Perf | 7.84 |
| Win32.HLLP.Sector | 7.65 |
| Win32.HLLM.Netsky.35328 | 6.32 |
| Trojan.Packed.8 | 6.12 |
| Trojan.Packed.14 | 5.04 |
| Win32.HLLM.MyDoom.based | 4.43 |
| Win32.HLLM.Netsky.based | 3.53 |
| Win32.HLLM.Limar | 3.44 |
| Trojan.Packed.11 | 2.67 |
| Trojan.Packed.10 | 2.64 |
| Win32.HLLM.MyDoom.49 | 2.62 |
| Win32.HLLM.MyDoom.33808 | 1.86 |
| Trojan.Packed.12 | 1.48 |
| Win32.HLLM.Graz | 1.31 |
| Win32.Parite.1 | 0.93 |
| Win32.HLLM.Limar.based | 0.66 |
| Exploit.IframeBO | 0.52 |
| Trojan.Packed.18 | 0.43 |
| Other malware | 7.96 |
Rate
Repost
![[VK]](http://st.drweb.com/static/new-www/social/no_radius/vkontakte.png)
![[Twitter]](http://st.drweb.com/static/new-www/social/no_radius/twitter.png)
Like
![[facebook]](http://st.drweb.com/static/new-www/social/no_radius/facebook.png)
Tell us what you think
To ask Doctor Web’s site administration about a news item, enter @admin at the beginning of your comment. If your question is for the author of one of the comments, put @ before their names.
Other comments