My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets


Back to the news list

August virus activity review from Doctor Web

September 1, 2008

Doctor Web presents you a virus activity review for August 2008.

Even though the last summer month hasn’t challenged virus analysts with samples of new malware, it doesn’t mean that malicious programs decided to take a break.

A new modification of Trojan.Encoder - Trojan.Encoder.19 that was discussed in our news earlier came into existence in August. This malicious program encrypted user data, deleted itself and offered a user to pay a moderate sum of money for a decryption tool. However, Doctor Web promptly responded to the new threat offering a decryption utility free of charge to any user.

E-mail remains the basic means of transport for malware that get to user machines with mailings that offer links to malicious files or web-pages with embedded scripts that initiate automatic downloading of malware or lure a user into downloading and launching such a file. As a rule a user gets a link to adult content involving a celebrity or may come as a so called storm spam. Such a message informs a user about breaking news published by a respected news agency and offers a link to a video related to an event. All of these files are executables with a new packer (also called polymorphic packer) used for each new variation. Such malicious programs are detected by Dr.Web as modifications of Trojan.Fakealert, Trojan.DownLoad or Trojan.Packed. Depending on goals of virus makers they can start downloading or launch another malware on a computer. Virtually all messages containing links to the Trojans are detected as spam by a filter built in anti-virus products from Doctor Web.

Below we will take a look at certain evil-doing species that also spread with spam but deserve special attention.

Political events receiving a wide response worldwide never pass unnoticed on the web. In august virus writers exploited events related to the conflict in South Ossetia. An example is a mailing with the subject “Journalists shot in Georgia” and an attachment The content of the archive was detected by Dr.Web anti-virus as Trojan.Packed.151.

Malefactors also exploit quite a natural urge of users for security of their information. Offering the best free anti-virus or a critical update is becoming one of the most popular ways to spread Trojans. A mailing offering to download Anti-virus XP 2008 is one of the latest examples. If a user decides to download and launch the program, he will surely get a Trojan detected by Dr.Web as Trojan.Fakealert.995.

Nowadays malicious code in attachment is a rare case. Meanwhile, August did bring several mailings with infected attachments detected by Dr.Web as Trojan.Click.19861 as Trojan.Click.19769. On some days such messages amounted to 90 per cent of the total malicious mail traffic.

A notable virus
According to the virus laboratory of Doctor Web a new variation of Backdoor.Haxdoor - BackDoor.Haxdoor.559 – emerged at the end of August. This new variant of the backdoor steals certificates and passwords of banking client software of KETEFinance (a Russian bank) and a popular Russian Internet banking resource working with 134 banks of Russia.

The virus spreads via ICQ as a GIF-file being an encrypted script. Opening the file starts automatic download of other components of the malicious program.

Viruses detected in e-mail traffic

 01.08.2008 00:00 - 01.09.2008 00:00 
1Trojan.Click.19861229735 (44.54%)
2Trojan.Click.1976968445 (13.27%)
3Win32.HLLM.Beagle37641 (7.30%)
4Trojan.MulDrop.1672719324 (3.75%)
5Win32.HLLM.MyDoom.based15435 (2.99%)
6Trojan.MulDrop.1833515234 (2.95%)
7Win32.Virut12030 (2.33%)
8Trojan.MulDrop.1828011368 (2.20%)
9Win32.Alman8601 (1.67%)
10Trojan.MulDrop.134088401 (1.63%)
11Win32.HLLM.Netsky.353287891 (1.53%)
12Program.RemoteAdmin7227 (1.40%)
13Trojan.Proxy.37476314 (1.22%)
14Win32.HLLM.Alaxala3771 (0.73%)
15Win32.HLLM.MyDoom.338083359 (0.65%)
16Trojan.MulDrop.182903217 (0.62%)
17Trojan.MulDrop.184023066 (0.59%)
18Trojan.Starman.1003014 (0.58%)
19Trojan.MulDrop.175302735 (0.53%)
20Trojan.DownLoad.35802523 (0.49%)

Viruses detected on workstations

 01.08.2008 00:00 - 01.09.2008 00:00 
1Win32.HLLW.Gavir.ini1225356 (21.80%)
2Win32.HLLM.Generic.440400789 (7.13%)
3Win32.Alman252514 (4.49%)
4Trojan.MulDrop.6474151756 (2.70%)
5Win32.HLLW.Autoruner.437149373 (2.66%)
6Win32.HLLP.Whboy140085 (2.49%)
7BackDoor.IRC.Sdbot.55134476 (2.39%)
8VBS.Generic.548124833 (2.22%)
9Win32.HLLW.Autoruner.1874118801 (2.11%)
10Win32.HLLP.Jeefo.36352110430 (1.96%)
11Win32.HLLW.Krepper105703 (1.88%)
12Win32.HLLW.Whboy103159 (1.83%)
13BackDoor.Bulknet.23399968 (1.78%)
14Win32.HLLM.Lovgate.293992 (1.67%)
15Win32.HLLP.Neshta77261 (1.37%)
16Win32.HLLW.Autoruner.233971152 (1.27%)
17Win32.HLLM.Limar.253670664 (1.26%)
18Trojan.Siggen.17266007 (1.17%)
19Win32.HLLW.Autoruner.146960004 (1.07%)
20Trojan.Starter.21754101 (0.96%)

Tell us what you think

To ask Doctor Web’s site administration about a news item, enter @admin at the beginning of your comment. If your question is for the author of one of the comments, put @ before their names.

Other comments