September 1, 2008

Doctor Web presents you a virus activity review for August 2008.

Even though the last summer month hasn’t challenged virus analysts with samples of new malware, it doesn’t mean that malicious programs decided to take a break.

A new modification of Trojan.Encoder - Trojan.Encoder.19 that was discussed in our news earlier came into existence in August. This malicious program encrypted user data, deleted itself and offered a user to pay a moderate sum of money for a decryption tool. However, Doctor Web promptly responded to the new threat offering a decryption utility free of charge to any user.

E-mail remains the basic means of transport for malware that get to user machines with mailings that offer links to malicious files or web-pages with embedded scripts that initiate automatic downloading of malware or lure a user into downloading and launching such a file. As a rule a user gets a link to adult content involving a celebrity or may come as a so called storm spam. Such a message informs a user about breaking news published by a respected news agency and offers a link to a video related to an event. All of these files are executables with a new packer (also called polymorphic packer) used for each new variation. Such malicious programs are detected by Dr.Web as modifications of Trojan.Fakealert, Trojan.DownLoad or Trojan.Packed. Depending on goals of virus makers they can start downloading or launch another malware on a computer. Virtually all messages containing links to the Trojans are detected as spam by a filter built in anti-virus products from Doctor Web.

Below we will take a look at certain evil-doing species that also spread with spam but deserve special attention.

Political events receiving a wide response worldwide never pass unnoticed on the web. In august virus writers exploited events related to the conflict in South Ossetia. An example is a mailing with the subject “Journalists shot in Georgia” and an attachment Georgia.zip. The content of the archive was detected by Dr.Web anti-virus as Trojan.Packed.151.

Malefactors also exploit quite a natural urge of users for security of their information. Offering the best free anti-virus or a critical update is becoming one of the most popular ways to spread Trojans. A mailing offering to download Anti-virus XP 2008 is one of the latest examples. If a user decides to download and launch the program, he will surely get a Trojan detected by Dr.Web as Trojan.Fakealert.995.

Nowadays malicious code in attachment is a rare case. Meanwhile, August did bring several mailings with infected attachments detected by Dr.Web as Trojan.Click.19861 as Trojan.Click.19769. On some days such messages amounted to 90 per cent of the total malicious mail traffic.

A notable virus
According to the virus laboratory of Doctor Web a new variation of Backdoor.Haxdoor - BackDoor.Haxdoor.559 – emerged at the end of August. This new variant of the backdoor steals certificates and passwords of banking client software of KETEFinance (a Russian bank) and a popular Russian Internet banking resource factura.ru working with 134 banks of Russia.

The virus spreads via ICQ as a GIF-file being an encrypted script. Opening the file starts automatic download of other components of the malicious program.

Viruses detected in e-mail traffic

Viruses detected on workstations