
January 2007 virus review by Doctor Web, Ltd.

February 1, 2007

The beginning of 2007 showed that virus writers had no intention of resting over the New Year holidays. They devised new traps for users, such as spam messages offering a video of Saddam Hussein’s execution, which took place in secrecy on December 30th, 2006. Footage of it shot on a mobile phone emerged later. A few malware updates, classified by Doctor Web, Ltd. experts as Trojan.DownLoader.17224, spread around the world. When run, this malware downloaded and executed programs that steal confidential information: Trojan.PWS.Banker.6321, Trojan.PWS.Banker.6322 and Trojan.PWS.Banker.6276. Since the video is played by a media player, users may have no idea that their information is being leaked.

Another video distributed in spam, detected by Dr.Web Anti-virus as BackDoor.Groan and Trojan.Spambot, confirmed the growing popularity of political themes in spam. According to mail server statistics, e-mails carrying BackDoor.Groan account for 87-90% of all infected traffic. When run, the attached file adds a driver to the infected system, which then downloads other malware. In addition, BackDoor.Groan can operate in peer-to-peer systems formed to manage certain hosts on the web, and can initiate the unauthorized download and launch of files on infected computers.

The malware downloaded by BackDoor.Groan was updated regularly over quite a long period. According to statistics, the updates took place twice a day, which made detection even more difficult.

Yet showy political headlines are nothing out of the ordinary. Recall the Internet worm Win32.Dref, copies of which spread all over the world in November 2006 with a nuclear war alarm in the headline.

The creators of the Win32.HLLM.Limar mail worm released new updates of their "offspring" on January 15th and 23rd, as if congratulating users and anti-virus companies on the New Year and celebrating the malware's 5-month anniversary in this way. Several versions of a network-aware worm of Chinese origin that infects exe files, classified by Dr.Web Anti-virus as Win32.HLLP.Whboy, were also detected in January by experts of Doctor Web, Ltd. Some of the versions had only a propagation function, without the mechanism for infecting exe files. The worm caused local epidemics all around North Korea and in some regions of the USA and Europe. Win32.HLLP.Whboy propagates through browser vulnerabilities when a user visits a specially crafted web page. In addition to spreading over the web, the worm copies itself onto removable media, if any are connected to the computer at the moment of infection.

Virus statistics by Doctor Web, Ltd. in January, 2007

6368 entries were added to the Dr.Web virus database in January 2007.

Below is a short summary table of online check results for January:

Virus name                  Quantity
Win32.HLLM.Limar.based      416
Trojan.Spambot              307
Win32.HLLM.Wukill           222
Win32.HLLM.Beagle           141
Win32.HLLW.Limar            143
Trojan.Popuper              128
VBS.Psyme.239               121
Win32.Sector.28682          58
Win32.HLLM.Perf             57
Trojan.Packed.2             42

Below is a table of the viruses most frequently detected on mail servers and in networks protected by Dr.Web Enterprise Suite in January 2007:

Virus name                  Percentage rate
Trojan.Bankfraud.272        22.47
BackDoor.Groan              12.48
Win32.HLLM.Limar.based      10.92
Win32.HLLM.Beagle           8.89
Win32.HLLM.Perf             6.98
Win32.HLLP.Sector           6.42
Win32.HLLM.Netsky.35328     5.41
Trojan.Packed.4             4.03
Win32.HLLM.MyDoom.based     3.06
Win32.HLLM.Netsky.based     2.93
Trojan.DownLoader.17767     2.04
Win32.HLLM.MyDoom.33808     1.46
Trojan.Spambot              1.44
Win32.HLLM.Graz             0.87
Trojan.Packed.3             0.81
Trojan.Packed.5             0.75
Program.RemoteAdmin         0.61
Win32.HLLM.MyDoom.49        0.60
Win32.HLLM.Limar            0.58
Exploit.MS05-053            0.53
Other malware               6.72
