01.12.2008
November 2008 virus activity review from Doctor Web, by Doctor Web, Ltd.

The closure of McColo Corporation, responsible for 75 per cent of worldwide spam traffic, divided the reported month into two equal parts. Even though e-mail remains the most common means of spreading malware, virus makers also find other ways to bring malicious code onto user machines.

AutoIt-worms

AutoIt, a freeware automation language for Windows, is very easy to learn and offers wide opportunities to virus makers, and the last month showed their growing interest in it. Even though an AutoIt program is written as a script, the script can be compiled into a packed executable whose obfuscated code is very hard to analyze. November saw an AutoIt worm spreading via removable data storage devices instead of e-mail.

Viruses spreading on removable devices are especially dangerous for companies and governmental institutions, which are forced to introduce special measures to contain the infection. Companies adopt software that restricts the use of removable devices, and sometimes impose a temporary ban on removable drives altogether.

Dr.Web anti-virus 5.0, currently undergoing open beta-testing, can unpack the files of an AutoIt worm and analyze its scripts. Viruses written in this scripting language enter the Dr.Web database as Win32.HLLW.Autoruner.

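A defender-side check for the mechanism removable-media worms such as the Win32.HLLW.Autoruner family are named after, as an added example that is not Doctor Web's code: a small parser for an `autorun.inf` file found on a removable drive that lists every directive capable of starting a program and flags launches of executables or of files hidden in system folders. The review only says the AutoIt worm spreads via removable devices; the assumption that such a worm drops an `autorun.inf` pointing at its own executable, the hidden-folder heuristic, and both sample files are ours.

```python
"""Inspect an autorun.inf found on a removable drive for launch directives.

Added example, not Doctor Web's code. The review only says the AutoIt worm
spreads via removable devices; the assumption that such a worm relies on an
autorun.inf pointing at its own executable (the behaviour the
Win32.HLLW.Autoruner name refers to) is ours.
"""
import re
from dataclasses import dataclass, field

# Directives in the [autorun] section that make Explorer run a program
# (on Windows versions that still honour AutoRun for removable drives).
LAUNCH_KEYS = {"open", "shellexecute"}
# shell\<verb>\command=... also launches a program, e.g. when the drive is opened.
SHELL_COMMAND = re.compile(r"shell\\[^\\]+\\command")
# File types that should never be started from a freshly inserted drive.
RISKY_EXT = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js")


@dataclass
class AutorunReport:
    launches: list = field(default_factory=list)  # (directive, target) pairs
    findings: list = field(default_factory=list)  # human-readable reasons

    @property
    def suspicious(self) -> bool:
        return bool(self.findings)


def parse_autorun(text: str) -> dict:
    """Return {directive: value} for the [autorun] section, directives lower-cased.

    autorun.inf is INI-like: only the [autorun] section matters, ';' starts a
    comment, and directive names are case-insensitive.
    """
    entries = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def program_of(value: str) -> str:
    """Extract the program path from a directive value, dropping any arguments."""
    if value.startswith('"'):
        return value[1:].split('"', 1)[0]
    parts = value.split()
    return parts[0] if parts else ""


def inspect_autorun(text: str) -> AutorunReport:
    report = AutorunReport()
    for key, value in parse_autorun(text).items():
        if key not in LAUNCH_KEYS and not SHELL_COMMAND.fullmatch(key):
            continue
        target = program_of(value)
        report.launches.append((key, target))
        if target.lower().endswith(RISKY_EXT):
            report.findings.append(f"{key}= starts executable {target}")
        # Assumption: autorun worms commonly keep their payload in folders a user
        # will not open, such as RECYCLER or "System Volume Information".
        if re.search(r"(^|\\)(recycler|system volume information)(\\|$)", target, re.I):
            report.findings.append(f"{key}= points into a hidden system folder")
    return report


# Constructed sample modelled on typical autorun-worm behaviour; it is not taken
# from any real sample named on the page. The raw string keeps the backslashes.
SAMPLE_WORM_AUTORUN = r"""[autorun]
; constructed example
open=RECYCLER\S-1-5-21-1482476501\worm.exe
shell\open\command=RECYCLER\S-1-5-21-1482476501\worm.exe
shellexecute="RECYCLER\S-1-5-21-1482476501\worm.exe" /silent
icon=%SystemRoot%\system32\SHELL32.dll,4
action=Open folder to view files
label=My Drive
"""

# Constructed benign sample: only sets an icon and a label.
SAMPLE_BENIGN_AUTORUN = """[autorun]
icon=setup.ico
label=Driver CD
"""

if __name__ == "__main__":
    for name, text in (("worm", SAMPLE_WORM_AUTORUN), ("benign", SAMPLE_BENIGN_AUTORUN)):
        rep = inspect_autorun(text)
        print(name, "suspicious" if rep.suspicious else "clean", rep.findings)
```

The parser deliberately ignores everything outside the `[autorun]` section and treats directive names case-insensitively, since that is how Windows reads the file; a worm that relies on a `shell\open\command=` hijack rather than `open=` is still caught because the `shell\<verb>\command` form is matched as a launch directive. Blocking removable drives outright, as the review says some companies do, removes the vector entirely; this check is for environments that still allow them and want to inspect what a drive would launch.
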
Mail viruses

Prior to the closure of McColo, spam mailings distributing malware came in high numbers. Below we take a closer look at the diverse methods used to lure a user into launching a malicious file.

Trojan.PWS.GoldSpy.2454 was disguised as an e-card. Even though fake cards have long been known to the Internet community, they still remain effective. The name of the malicious file is card.exe. Messages with a link to a malicious file were used to spread another modification of the malware, Trojan.PWS.GoldSpy.2466.

Trojan.DownLoad.3735 was spread as a file with a double extension: the attached active_key.zip contained the file active_keys.zip.exe. The message informed a user that his account had been suspended following a request supposedly sent by the victim himself, and offered to reactivate the account. However, the message did not name any service the blocked account belonged to. No wonder that the details of the activation were said to be found in the attached document, which turned out to be an executable file containing malicious code. Other messages spreading the same Trojan informed a user of changes to certain clauses of an agreement.

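The attachment lures described in this section share a pattern a mail gateway can check for: an executable dressed up as a document. The following is an added example, not Doctor Web's code, that triages attachment names and looks inside ZIP containers without extracting them. The file names card.exe, active_keys.zip.exe and user-EA49945X-activities.exe are the ones quoted in the review; the classification rules, the extension lists and the constructed ZIP archive are ours.

```python
"""Triage e-mail attachment names for the lures described in the review.

Added example, not Doctor Web's code. The attachment names come from the
review (card.exe, active_keys.zip.exe, user-EA49945X-activities.exe); the
classification rules and the constructed ZIP are ours.
"""
import io
import os
import zipfile

# Extensions Windows will execute (or hand to a script host) on double-click.
EXEC_EXT = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js", ".hta"}
# Extensions a user reads as "just a document" and therefore trusts.
DOC_LIKE_EXT = {".zip", ".pdf", ".doc", ".xls", ".txt", ".jpg", ".gif", ".rtf"}


def attachment_findings(filename: str) -> list:
    """Return the reasons a given attachment name deserves attention."""
    name = os.path.basename(filename.strip()).lower()
    root, last = os.path.splitext(name)
    findings = []
    if last in EXEC_EXT:
        findings.append(f"executable attachment ({last})")
        inner = os.path.splitext(root)[1]
        if inner in DOC_LIKE_EXT:
            # e.g. active_keys.zip.exe: the visible ".zip" hides the real ".exe",
            # especially when Explorer is set to hide known extensions.
            findings.append(f"double extension: shown as {inner}, runs as {last}")
    elif last in {".htm", ".html"}:
        # An HTML attachment may carry script, as the Trojan.Click sample did.
        findings.append("HTML attachment may contain script")
    return findings


def inspect_zip_bytes(data: bytes) -> dict:
    """Map each member of a ZIP attachment to its findings, without extracting."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {member: attachment_findings(member) for member in zf.namelist()}


def triage_attachment(filename: str, data: bytes = None) -> dict:
    """Combine name-based findings with a look inside ZIP containers."""
    result = {"name": filename, "findings": attachment_findings(filename), "members": {}}
    if data is not None and filename.lower().endswith(".zip"):
        try:
            result["members"] = inspect_zip_bytes(data)
        except zipfile.BadZipFile:
            result["findings"].append("claims to be ZIP but is not a valid archive")
    return result


def build_sample_zip() -> bytes:
    """Constructed stand-in for the active_key.zip attachment in the review.

    It holds a member named active_keys.zip.exe whose content is inert filler,
    not a real program.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("active_keys.zip.exe", b"inert filler, not an executable")
    return buf.getvalue()


if __name__ == "__main__":
    for name in ("card.exe", "user-EA49945X-activities.exe", "invoice.pdf"):
        print(name, attachment_findings(name))
    print(triage_attachment("active_key.zip", build_sample_zip()))
```

The ZIP is inspected from its central directory only, so a member is judged by its name before anything is written to disk; the outer name active_key.zip produces no finding on its own, which is exactly why the member list has to be checked. A name-based check is a first filter, not a replacement for scanning the content.
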
Messages with attached Trojan.PWS.GoldSpy.2456 threatened a user with forced disconnection from the Internet because of a copyright violation. The victim's activities related to the alleged violation over the last six months were said to be listed in an attached file (user-EA49945X-activities.exe), which was nothing more than another malicious program. The U.S. presidential election was also used as a message topic in e-mails spreading the Trojan.

Another mailing notified a user of a failed package delivery caused by an incorrect recipient address. The attached invoice was detected by Dr.Web as Trojan.PWS.Panda.31.

Our analysts also registered several mailings advertising easy money on eBay. An HTML file attached to a message was detected by Dr.Web as Trojan.Click.21795. The file contained an encrypted script that directed a user to a website advertising training courses. Another similar mailing advertised a new way of advertising using RSS and free promotion of websites using services by Google and Yahoo.

The closure of McColo Corporation reduced spam traffic significantly, but the lull was short. Since then, malware mailings have been short-lived, though the spam traffic at times has been rather high. Such mailings included the Trojan.PWS.Panda.31 spam e-mails and messages containing an encrypted script detected by Dr.Web as Trojan.Click.21795.

The authors of Trojan.DownLoad.4419 applied a new technique, offering a link to download a beta version of Internet Explorer 8 from a bogus website.

A mailing in German described in the previous review from Doctor Web also reemerged. It prompted a user to view important financial information provided in an attached file. Earlier, a shortcut and the piece of malicious code had been placed together in one folder inside the attachment; in November they were separated, with the shortcut placed outside the folder. Dr.Web detects this Trojan program as Trojan.DownLoad.16843.

Phishing

November 2008 also saw a wave of phishing targeting users of online payment systems, Internet banking and other paid services in several countries. In particular, customers of JPMorgan Chase Bank and RBC Royal Bank and users of AdWords and PayPal became victims of the phishing attacks.

Specialists of the Doctor Web virus monitoring service added 25 461 entries to the virus database in November, an average of 850 new entries per day. Note that one entry in the Dr.Web database allows the software to detect numerous modifications of one virus. The figures show that updating anti-virus software as often as once per hour is becoming a necessity; Dr.Web automatic updating provides such an update frequency quite easily. In addition, a good anti-spam module is becoming indispensable for normal work, protecting against irrelevant and harmful e-mail messages.

Malware detected in e-mail traffic in November

Period: 01.11.2008 00:00 - 01.12.2008 00:00

 #  Malware                      Detections   Share
 1  Win32.HLLM.MyDoom.based           13741  15.33%
 2  Win32.Virut                       13036  14.55%
 3  Win32.HLLM.Alaxala                 5705   6.37%
 4  Trojan.MulDrop.13408               4534   5.06%
 5  Win32.HLLM.Beagle                  4426   4.94%
 6  Trojan.MulDrop.16727               4206   4.69%
 7  Trojan.PWS.GoldSpy.2456            4145   4.63%
 8  Win32.HLLW.Autoruner.2640          3032   3.38%
 9  Trojan.MulDrop.18280               2580   2.88%
10  Trojan.PWS.Panda.31                2228   2.49%
11  Trojan.DownLoad.16843              2192   2.45%
12  Win32.HLLM.Netsky.35328            1888   2.11%
13  Win32.Virut.5                      1497   1.67%
14  Win32.HLLM.MyDoom.33               1442   1.61%
15  Win32.HLLM.Netsky                  1361   1.52%
16  Trojan.PWS.GoldSpy.2454            1328   1.48%
17  Trojan.MulDrop.19648               1310   1.46%
18  Win32.HLLW.MyDoom.43010            1306   1.46%
19  Win32.HLLM.Mailbot                 1305   1.46%
20  Trojan.DownLoad.3735               1212   1.35%

Malware detected on user machines in November

Period: 01.11.2008 00:00 - 01.12.2008 00:00

 #  Malware                      Detections   Share
 1  Win32.HLLW.Gavir.ini            2039696  21.98%
 2  Win32.HLLM.Lovgate.2             414507   4.47%
 3  VBS.Autoruner.7                  310657   3.35%
 4  Win32.HLLM.Generic.440           288404   3.11%
 5  VBS.Autoruner.8                  277825   2.99%
 6  Win32.Alman                      275230   2.97%
 7  DDoS.Kardraw                     252853   2.72%
 8  Win32.HLLP.Whboy                 198018   2.13%
 9  Trojan.Recycle                   192769   2.08%
10  Win32.HLLP.Neshta                177445   1.91%
11  Win32.HLLP.Jeefo.36352           168291   1.81%
12  Win32.Virut.5                    154206   1.66%
13  Win32.HLLW.Autoruner.274         147315   1.59%
14  Trojan.DownLoader.42350          132782   1.43%
15  Win32.HLLW.Autoruner.3631        120982   1.30%
16  VBS.Generic.548                  110152   1.19%
17  Win32.HLLO.Black.2                97456   1.05%
18  Win32.HLLW.Autoruner.2805         89892   0.97%
19  Win32.HLLW.Cent                   88296   0.95%
20  Trojan.MulDrop.18538              86521   0.93%