My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets


Back to the news list

December virus review by Doctor Web, Ltd.

January 1, 2007

Virus Monitoring Service of Doctor Web, Ltd. reports the virus review for December, 2006.

The last month of the year several vulnerabilities in MS Outlook Express and Internet Explorer were discovered. New flaws allowed computer criminals to execute an arbitrary code in the target computer, overrun the buffer and read remotely files in the Temporary Internet Files directory. Microsoft rated all the flaws as "critical". Despite the released patches, there is a high possibility a full-functional virus program can be created to exploit the vulnerabilities. Quite often the patches are installed after the computer is infected. Read more about vulnerabilities in Internet Explorer and Outlook Express here.

During December there was a large-scale distribution of spam messages inviting users to visit some web-site or see hot pics. A link where the archive could be downloaded pointed at the Trojan downloader detected by Dr.Web as Trojan.DownLoader.15512. Being infected, computers become a source of distribution of spam executed by another Troj – Trojan.Spambot.

This month new Trojan Horse named by Dr.Web as Trojan.Encoder.10appeared. It has a destructive function – it encrypts files on hard drives (*.jpg, *.doc, *.txt, *.gif, *.rar, *.bmp) by XOR algorithm with the key of 1 byte length. We remember, that its predecessor Trojan.Encoder.9 used 8-byte key, and Trojan.Encoder.6 encrypted files with RSA algorithm. Trojan.Encoder.10 infects files by adding itself at their beginning and adds the *.exe extension. The infected file is run by the operating system as executable and displays the message

"file_name" was infected with dangerous and destructive virus or spyware.
CPS Anti-Spyware 2.0 deleted "file_name" from this path on your computer
C:\ - now your system is fully protected CPS Anti-Spyware 2.0 
allow you to recover all infected files with 100 guarantee.
Purshase full version CPS Anti-Spyware and restore "file_name"

and opens Internet Explorer with the target web-site page. By no means, this Troj is used for advertising purpose only.

Trojan.Promo can be used as another example of advertising programs. Having installed itself, the Troj registers at a definite web-site and receives unique identification number. After that, it downloads advertisements from time to time . Its icon is displayed in the system tray. When a user clicks the icon, a message is generated asking the user to send a paid SMS to remove the Trojan horse.

This month new modification of mass-mailing worm labeled Win32.HLLM.Limar was released, but it had a minor impact and did not cause a large-scale epidemics, as it was this autumn. At the end of the month a spam distribution of malicious "Christmas cards" was registered. The viral attachments contained new variant of the notorious Win32.HLLM.Limar and those users who opened these attachment received a real "present" from virus writers. These malware were added to Dr.Web virus database as Trojan.DownLoader.16958, Trojan.DownLoader.16984 and Trojan.DownLoader.16985


8290 entries were added to Dr.Web virus database in December.

Find below a short summary table of online check results in December:

Virus name Quantity
Win32.HLLM.Limar 415
Win32.HLLM.Limar.based 279
Trojan.Spambot 201
Win32.HLLM.Beagle 173
Win32.HLLM.Wukill 165
Trojan.Popuper 162
Trojan.PWS.LDPinch.1217 156
Trojan.Peflog.52 137
BackDoor.Generic.1138 127
Trojan.Mezzia 74

Below goes a table of the most frequently detected viruses in mail servers and networks protected by Dr.Web Enterprise Suite:

Virus name Percentage rate
Trojan.Bankfraud.272 14.37
Win32.HLLM.Limar.based 12.35
Win32.HLLM.Perf 11.16
Win32.HLLM.Beagle 9.25
Win32.HLLM.Netsky.35328 8.90
Win32.HLLP.Sector 7.00
Win32.Dref 6.30
Win32.HLLM.Netsky.based 4.89
Win32.HLLM.MyDoom.based 4.69
Win32.HLLM.MyDoom.33808 2.19
Win32.HLLM.Limar 2.19
Trojan.DownLoader.16958 2.16
Win32.HLLM.Graz 1.85
Win32.HLLM.MyDoom.49 1.14
Exploit.MS05-053 0.89
Win32.HLLM.Netsky 0.74
Win32.HLLM.Oder 0.72
Exploit.MS05-053 0.70
Exploit.IframeBO 0.63
Win32.HLLM.MyDoom 0.51
Other malware 7.37

Tell us what you think

To ask Doctor Web’s site administration about a news item, enter @admin at the beginning of your comment. If your question is for the author of one of the comments, put @ before their names.

Other comments