My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets


Back to the news list

First epidemic in 2010 and other virus events of January

February 1, 2010

In January 2010 a large number of user requests regarding neutralization of active infections related to Trojan.Winlock programs while the vast majority of fraud schemes employed by cyber-criminals in January were based on paid short messages. The last month also saw introduction of new malware spreading techniques and more sophisticated monetizing methods employed by cyber-criminals for money-laundering.

Windows blockers

The wide spreading of a variety of Trojan.Winlock programs became the most noticeable event of January. In a compromised system this malicious program displays its own window on top of all other windows and won't close it unless an unlock code is entered. It also disrupts operation of some programs installed on the machine. Criminals offer a victim to retrieve an unlock code by means of a paid SMS. In January the SMS charge varied between EURO 7-14 per each computer.

The statistics server of Doctor Web registered over 850 000 instances of detection of Trojan.Winlock in systems protected by Dr.Web software (Dr.Web Enterprise Suite and Dr.Web anti-virus service included). This figure is 2.15 times larger than the number registered in December 2009 and 23.4 higher than in November 2009 thus indicating the ongoing epidemics in Russia and Ukraine. In the last month several millions of users got infected by this malicious program.

The epidemic caused a stir in the Russian-speaking internet community with providers of short numbers offering unlocking codes free of charge and anti-virus vendors supplying users with free tools to counter Trojan.Winlock programs.

On January 22 Doctor Web set up a special web-page for generation of unlocking codes (over one million visits to the page were registered in a week). Doctor Web also released several versions of Dr.Web CureIt! designed specifically to neutralize such Trojans.


Easy monetizing of profits generated by paid SMS served as a good incentive for many cyber criminals. Along with blockers of Windows numerous web-sites were created to promote non-existing services and software with incredible features.

Users were offered online fake anti-viruses that found the same viruses in the same files on all machines, ICQ and SMS sniffers, remote mobile phone control, see-through scanners allowing to see people nude and other similar programs.

Typically users paid for such services and software with short messages. However, as telecom operators and police started to monitor SMS payment systems closely in the face of the winlock epidemic, using such systems has become troublesome for criminals. That’s why they reintroduced means of payments they used before (e.g. WebMoney) and invented new fraud schemes.

New ways for monetizing illegal money

Another scheme that has been gaining popularity among fraudsters in January allows criminals to withdraw funds from accounts of users of mobile phones. Users enter their phone numbers on a web-site that promoted a service and receive short messages with a link for activation of their subscriptions. Once activated, the service charge is withdrawn from an account automatically.

The malicious design allows a person to submit someone else's number on the web-site while messages with an activation link don't explain to a user what the service is about, instead, they provide misleading information to encourage the user to click on the link even if he doesn’t mean to subscribe for a service. For example, a message can say that the link will lead the user to an image or a video clip.

In recent weeks criminals have also offered users to pay for services with a paid call that has a minimum duration limit.

New ways to spread malware and spam

In January virus makers used new means to deliver malicious programs to user machines. In particular, Doctor Web virus analysts registered a spam mailing with messages containing attached torrent-files for downloading supposed e-cards that in truth were malicious programs. Mail servers do not block such messages since attached torrent-files do not contain malicious code.

Spammers also adopted new ways to transfer large amounts of data. Spam mailings were registered where e-mails contained attached mp3 files providing around 60 minutes of playback. Users also received messages with links to video clips located on web-sites of cyber-criminals and available on YouTube.

Below you can find a few tips that may help you prevent infection of your system by Trojan.Winlock programs or by other similar pieces of malware

  1. Install a licenses anti-virus application and updated as recommended by the vendor.
  2. Use alternative web-browsers (Mozilla Firefox, Opera or Google Chrome) and install corresponding security updates as they released by developers.
  3. Install latest security updates for your operating system as soon as they are released.
  4. Do not use services promoted by web-sites displayed as ad pop-ups – such pop-ups are at risk.
  5. If you are offered to download a codec or any other software to view content of the web-site, decline the offer and search for the official web-site of the codec's developer, download it and install on your computer. In many cases Trojan.Winlock programs are downloaded as software required for viewing content of web-sites.

Trojan.Winlock curing recommendations

If a window with a message demanding to send an SMS at a short number is displayed on top of other windows, won’t close and appears even when the system is started in the safe mode, your system has been infected by one of the modifications of Trojan.Winlock.

  1. Under no circumstances should you send messages as demanded by criminals. Every sent message provides criminals with financial support to develop new modifications of the malware.
  2. Go to the unlocking page.
  3. Download the special version of Dr.Web CureIt! and use the utility to cure your system of Trojan.Winlock.
  4. Go to и скачайте Dr.Web LiveCD and download Dr.Web LiveCD. Once the system is cured with Dr.Web LiveCD it is recommended to scan it again using Dr.Web CureIt!
  5. Ask for assistance on the official forum of Doctor Web.
  6. Contact the provider of the specified short number and ask for the unlocking code to be given to you free of charge since you have become a victim of cyber crime.

The number of malicious programs in e-mail traffic in January decreased by 30% compared with December 2009. The share of malicious files in the total number of files scanned on user machines dropped by 35%. Most probably this decline is a correction following two times increase of malicious traffic among scanned objects.

Viruses detected in e-mail traffic in January

 01.01.2010 00:00 - 01.02.2010 00:00 
1Trojan.DownLoad.3723613268129 (12.99%)
2Trojan.DownLoad.4725610044467 (9.84%)
3Trojan.MulDrop.408967096903 (6.95%)
4Trojan.Fakealert.51157023800 (6.88%)
5Win32.HLLM.MyDoom.446490377 (6.36%)
6Trojan.Packed.6835749108 (5.63%)
7Trojan.Fakealert.52385261760 (5.15%)
8Win32.HLLM.Netsky.353284772813 (4.67%)
9Trojan.DownLoad.502464051880 (3.97%)
10Trojan.Botnetlog.zip3758307 (3.68%)
11Trojan.Fakealert.58253442880 (3.37%)
12Trojan.Fakealert.54372517200 (2.47%)
13Win32.HLLM.MyDoom.338082392000 (2.34%)
14Trojan.Fakealert.53562281720 (2.23%)
15Trojan.Fakealert.57841973160 (1.93%)
16Trojan.PWS.Panda.1221851377 (1.81%)
17Trojan.Fakealert.52291835120 (1.80%)
18Trojan.Fakealert.54571607760 (1.57%)
19Trojan.Siggen.182561526581 (1.49%)
20Win32.HLLM.Beagle1505664 (1.47%)

Infected:102,115,886 (0.07%)

Viruses detected on user machines in January

 01.01.2010 00:00 - 01.02.2010 00:00 
1Win32.HLLM.MyDoom.494020788 (16.80%)
2Win32.HLLM.Netsky.353281637229 (6.84%)
3Win32.HLLW.Gavir.ini1081250 (4.52%)
4Trojan.WinSpy.4401053086 (4.40%)
5Trojan.AppActXComp907785 (3.79%)
6Trojan.AuxSpy.137734318 (3.07%)
7Win32.HLLM.Beagle656944 (2.74%)
8Win32.HLLM.MyDoom.33808646730 (2.70%)
9Trojan.PWS.Gamania.23481623699 (2.61%)
10Trojan.MulDrop.16727584477 (2.44%)
11Win32.HLLW.Shadow513252 (2.14%)
12Win32.Virut.5493248 (2.06%)
13Win32.HLLW.Shadow.based380166 (1.59%)
14Trojan.MulDrop.13408325488 (1.36%)
15JS.Popup.1316857 (1.32%)
16Win32.Virut.14295463 (1.23%)
17Win32.HLLW.Kazaa.17263143 (1.10%)
18Win32.Alman.1261298 (1.09%)
19Exploit.MySql.11260470 (1.09%)
20Trojan.Winlock.715256356 (1.07%)

Infected:23,938,315 (0.01%)

Tell us what you think

To ask Doctor Web’s site administration about a news item, enter @admin at the beginning of your comment. If your question is for the author of one of the comments, put @ before their names.

Other comments