Virus Monitoring Service of Doctor Web, Ltd. reports the virus review for December, 2006.

The last month of the year several vulnerabilities in MS Outlook Express and Internet Explorer were discovered. New flaws allowed computer criminals to execute an arbitrary code in the target computer, overrun the buffer and read remotely files in the Temporary Internet Files directory. Microsoft rated all the flaws as "critical". Despite the released patches, there is a high possibility a full-functional virus program can be created to exploit the vulnerabilities. Quite often the patches are installed after the computer is infected. Read more about vulnerabilities in Internet Explorer and Outlook Express here.

During December there was a large-scale distribution of spam messages inviting users to visit some web-site or see hot pics. A link where the archive could be downloaded pointed at the Trojan downloader detected by Dr.Web as Trojan.DownLoader.15512. Being infected, computers become a source of distribution of spam executed by another Troj – Trojan.Spambot.

This month new Trojan Horse named by Dr.Web as Trojan.Encoder.10appeared. It has a destructive function – it encrypts files on hard drives (*.jpg, *.doc, *.txt, *.gif, *.rar, *.bmp) by XOR algorithm with the key of 1 byte length. We remember, that its predecessor Trojan.Encoder.9 used 8-byte key, and Trojan.Encoder.6 encrypted files with RSA algorithm. Trojan.Encoder.10 infects files by adding itself at their beginning and adds the *.exe extension. The infected file is run by the operating system as executable and displays the message

"file_name" was infected with dangerous and destructive virus or spyware.
CPS Anti-Spyware 2.0 deleted "file_name" from this path on your computer
C:\ - now your system is fully protected CPS Anti-Spyware 2.0 
allow you to recover all infected files with 100 guarantee.
Purshase full version CPS Anti-Spyware and restore "file_name"

and opens Internet Explorer with the target web-site page. By no means, this Troj is used for advertising purpose only.

Trojan.Promo can be used as another example of advertising programs. Having installed itself, the Troj registers at a definite web-site and receives unique identification number. After that, it downloads advertisements from time to time . Its icon is displayed in the system tray. When a user clicks the icon, a message is generated asking the user to send a paid SMS to remove the Trojan horse.

This month new modification of mass-mailing worm labeled Win32.HLLM.Limar was released, but it had a minor impact and did not cause a large-scale epidemics, as it was this autumn. At the end of the month a spam distribution of malicious "Christmas cards" was registered. The viral attachments contained new variant of the notorious Win32.HLLM.Limar and those users who opened these attachment received a real "present" from virus writers. These malware were added to Dr.Web virus database as Trojan.DownLoader.16958, Trojan.DownLoader.16984 and Trojan.DownLoader.16985

8290 entries were added to Dr.Web virus database in December.

Find below a short summary table of online check results in December:

Below goes a table of the most frequently detected viruses in mail servers and networks protected by Dr.Web Enterprise Suite: