03.07.2008
June virus activity review from Doctor Web, Ltd. (by Doctor Web, Ltd.)

Concerning viruses

The increased spread of a dangerous file virus classified by Dr.Web as Win32.Sector.5 (aka Sality) cannot go unmentioned. The number of requests to the helpdesk from system administrators regarding malicious activities of the virus turned out to be so large that one could fairly call it an epidemic. According to those affected by the malware, the present modification of Sector started causing problems in February this year. By now the epidemic has escalated and reached an astounding level. Banks, audit companies, retail chains, software developers, engineering companies, research facilities and federal cultural institutions were affected by the activities of the file virus.

The first samples of the Sector family appeared in early 2003. In five years the malware mutated but retained its destructive capabilities and acquired new ones. Each subsequent variant of the virus tended to be less overt about its presence in the system. Experts of the Doctor Web, Ltd. anti-virus laboratory think that this mutation is evidence that Win32.Sector.5 may now be used to hide other, less complex but equally malicious programs that steal sensitive information or send out spam.

As soon as Win32.Sector.5 gets into a system it injects its code into all processes currently present in RAM and removes certain branches of the system registry so that booting in safe mode becomes impossible. After that the file virus infects all .exe and .scr files on all available disks and network resources. In order to spread faster it also infects autorun and the most frequently launched files. Besides, Win32.Sector.5 deletes files and processes related to most known anti-virus programs and blocks access to the websites of anti-virus vendors, preventing updates. Unlike other anti-viruses that either block access to an infected file or delete it, Dr.Web cures files infected by the file virus. The malware is not a threat to users of Dr.Web anti-virus who perform regular updates of the virus database. If you are using some other anti-virus but for some reason believe that your computer may be infected by Win32.Sector.5, you can check your system using the free curing utility Dr.Web CureIt!.
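Two of the behaviours described above (safe-mode registry branches removed, vendor update sites blocked) leave traces a responder can check offline from a host snapshot. The following triage helper is an added example, not code from Doctor Web or this review; it assumes the removed branches are the Windows SafeBoot\Minimal and SafeBoot\Network keys and that the site blocking is done through the hosts file, and it runs over a constructed sample.

```python
# Offline triage of a host snapshot for two traces consistent with the review:
# missing Safe Mode registry branches and anti-virus vendor hosts pinned in the hosts file.

# Assumption: these are the registry branches whose removal disables Safe Mode.
SAFEBOOT_KEYS = (
    r"HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal",
    r"HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network",
)

# Vendor update hosts that should never be pinned locally (drweb.com is the
# vendor named in the review; extend the tuple for other vendors).
AV_UPDATE_HOSTS = ("update.drweb.com", "www.drweb.com")


def blocked_hosts(hosts_text):
    """Return vendor hostnames that the hosts file maps to any address at all."""
    blocked = set()
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        names = [n.lower() for n in line.split()[1:]]  # field 0 is the address
        blocked.update(n for n in names if n in AV_UPDATE_HOSTS)
    return sorted(blocked)


def missing_safeboot_keys(present_keys):
    """Return the expected SafeBoot branches absent from a list of key paths."""
    present = {k.lower() for k in present_keys}
    return [k for k in SAFEBOOT_KEYS if k.lower() not in present]


def triage(hosts_text, present_keys):
    """Combine both checks into one finding record for the responder."""
    findings = {
        "safeboot_missing": missing_safeboot_keys(present_keys),
        "av_hosts_blocked": blocked_hosts(hosts_text),
    }
    findings["suspicious"] = bool(findings["safeboot_missing"] or findings["av_hosts_blocked"])
    return findings


# Constructed sample snapshot: the Network branch is gone and the update host is pinned.
SAMPLE_HOSTS = """# constructed hosts file
127.0.0.1   localhost
127.0.0.1   update.drweb.com   # constructed: vendor update host pinned to loopback
"""
SAMPLE_KEYS = [r"HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal"]

if __name__ == "__main__":
    print(triage(SAMPLE_HOSTS, SAMPLE_KEYS))
```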

On Trojans

The news of another modification of an encoder family Trojan, Trojan.Encoder.18 (aka Gpcode), stirred the Internet at the beginning of June. Having infiltrated the system, the Trojan searches for files with certain extensions (typically Microsoft Office files) and encrypts the data. After that the owner of the files is asked to pay for decryption. Restoring data after this malware has run is rather complicated, because the attacker uses a 1024-bit encryption key. Users of Dr.Web had been protected against Trojan.Encoder.18 even before a sample entered the virus database: the unique Origins Tracing™ technology detected the malware as Trojan.Sespy.origin.

In the previous year, when the author of the Trojan used shorter encryption keys, it was already obvious that the keys would eventually become longer. Meanwhile, some anti-virus vendors rushed to boast of their decryption capabilities even though it was clear that they were bound to lose this sort of contest: sooner or later the key would be long enough to push the decryption time frame beyond the bounds of reason. Anti-virus experts of Doctor Web, Ltd. focused on prompt detection of the dangerous program so that it could not put its destructive capabilities to use. This approach turned out to be more efficient than raising a worldwide call to factor a kilobit RSA key.

Curious

The contact entry with the UIN 12111 that caused panic among users of the ICQ instant messaging service certainly counts as an incident. The technical support service of Doctor Web, Ltd. received lots of questions from users concerned about the "viral" contact list entry, even though a contact entry by itself could not do any harm. The turmoil calmed down only when the 12111 entry was explained on the ICQ website.

A few words about spam

In June spam messages tended to become smaller and shorter. Messages with a catchy subject line and a link supplemented by a brief comment in the body were sent in ten waves. Links have become one of the common ways to evade spam filters. The trick can also be dangerous, because the link may lead to an infected web page, so a user can pick up a Trojan along with the content. Doctor Web, Ltd. described one such mailing in the previous month. The virus monitoring service registered over 50 mailings like this, and many of them lasted for quite a while.

Dr.Web AV-Desk virus top 20

01.06.2008 00:00 - 01.07.2008 00:00
Rank  Detection name  Detections  (Share)
1 Trojan.Starter.516 601730 (28.08%)
2 Win32.HLLM.Generic.440 241884 (11.29%)
3 Win32.HLLW.Gavir.ini 220720 (10.30%)
4 BackDoor.Bulknet.214 142402 (6.65%)
5 BackDoor.Aimbot 133710 (6.24%)
6 Trojan.NtRootKit.425 127033 (5.93%)
7 Adware.SaveNow.128 46982 (2.19%)
8 Win32.Expiro.7 22141 (1.03%)
9 Exploit.IFrame.41 19108 (0.89%)
10 VBS.Igidak 18492 (0.86%)
11 Win32.HLLP.Jeefo.36352 18149 (0.85%)
12 Program.RemoteAdmin 17512 (0.82%)
13 Win32.Sector.20480 15938 (0.74%)
14 Trojan.DownLoader.42350 15816 (0.74%)
15 Win32.Alman 14665 (0.68%)
16 Trojan.Recycle 13752 (0.64%)
17 Win32.HLLP.Sector 13714 (0.64%)
18 VBS.Generic.548 13675 (0.64%)
19 Win32.HLLW.Gavir.54 13503 (0.63%)
20 Win32.HLLP.Whboy 13191 (0.62%)

June virus top 20 in e-mail

01.06.2008 - 30.06.2008
Rank  Detection name  Detections  (Share)
1 Win32.HLLW.Autoruner.437 245788 (17.85%)
2 Win32.HLLM.Netsky.35328 163596 (11.88%)
3 BackDoor.Bulknet.214 78683 (5.72%)
4 Trojan.PWS.Lich 70877 (5.15%)
5 Win32.HLLP.PissOff.36864 65000 (4.72%)
6 Win32.HLLM.Netsky.based 62291 (4.52%)
7 Win32.HLLW.Autoruner.2147 53621 (3.89%)
8 Trojan.NtRootKit.425 45741 (3.32%)
9 Win32.HLLM.MyDoom.based 34515 (2.51%)
10 Win32.HLLM.Beagle 33763 (2.45%)
11 Win32.Virut 25187 (1.83%)
12 Trojan.Recycle 22821 (1.66%)
13 Win32.HLLW.Autoruner.1831 22218 (1.61%)
14 Exploit.MS05-053 21490 (1.56%)
15 VBS.Igidak 18517 (1.34%)
16 Trojan.MulDrop.16727 18420 (1.34%)
17 Win32.HLLP.Sector 16092 (1.17%)
18 Win32.HLLM.Oder 16056 (1.17%)
19 Trojan.Nsanti.Packed 15774 (1.15%)
20 Win32.HLLM.Netsky.24064 15516 (1.13%)