Avast WEBforum

Other => General Topics => Topic started by: Abraxas on October 02, 2006, 05:14:35 PM

Title: September virus review by Doctor Web
Post by: Abraxas on October 02, 2006, 05:14:35 PM
My monthly virus news subscription from Dr.Web. May be of interest to some of you. I have no affiliation with them, use their link checker and recommend it.

October 1, 2006.
Compared to the previous two months, September 2006 was pretty rich in
virus attacks. The most remarkable event was the emergence of a new
modification of the Win32.HLLM.Perf mail worm, spread as an attached file
with the *.hta extension. Such a technology had been borrowed from the
representatives of Win32.HLLM.Graz, another mail worm family. In
comparison with its previous modifications, the new version of
Win32.HLLM.Perf was supplemented with the function of spreading via file
exchange networks. The spreading of that modification got epidemic
features almost immediately.

Another notable event was the emergence and spreading of the
Win32.HLLM.Limar mass-mailing worm. The topics of the infected messages
were not distinctively new; the most frequent were Mail server report,
Server report, Error, or Mail Delivery System, in other words an imitation
of a mail delivery error. Such ways of misleading users had been met in
various modifications of the Win32.HLLM.MyDoom mail worm. Win32.HLLM.Limar
has the functions of updating its program modules, uploading other
malicious software, as well as counteracting some network security
software. The Dr.Web base was updated with the Win32.HLLM.Limar.based
entry, which allowed detecting a wide range of this worm's modifications.

The Virus Monitoring Service of Doctor Web, Ltd. observed various phishing
attacks throughout the month. The most massive was the attack in the name
of the Fifth Third Bank. The e-mail messages informed users about software
updates and suggested that they confirm their personal data. Clicking
on the links shown in the messages resulted in the loss of the careless
user's money. Other phishing techniques used messages from the PayPal
banking system, as well as from the Visa payment system. The Dr.Web
antivirus software detects such messages as Trojan.Bankfraud.380 –
Trojan.Bankfraud.388.

A specific but not too strong "troublemaker" appeared to be
Trojan.Encoder.9, an attempt at reincarnating the once sensational
modifications of the Trojan.Encoder family. But, unlike its earlier
modifications, Trojan.Encoder.9 was just a feeble attempt by the hacker to
use the "fame" of this family's previous modifications. It encrypts
the files with the help of the XOR algorithm with a key length of 8 bytes.
The Trojan renames the encrypted files with the "_CRYPTED_" prefix. In the
process of encryption it rounds the file size to a multiple of 8 by means
of adding 1 to 8 zero bytes. It should be remembered that earlier members
of the Trojan.Encoder family encrypted files with the use of the RSA
encryption algorithm.

The fashion for the trend of virus distribution by means of spam messages
was confirmed by the appearance of the Win32.HLLW.Ci worm masked as an
intimate clip of Daniela Cicarelli. Upon its start by a careless user the
worm downloaded other harmful software to the victim's computer,
aimed at stealing bank system passwords, which was titled
Trojan.PWS.Banker.5094 under Dr.Web classification.

Lots of noise was made by the "appearance" of the Trojan.Webser mobile
phone Trojan, a clone of Trojan.RedBrowser. This Trojan is a Java
application (J2ME), which allows erasing it with the mobile phone without
the use of any antivirus applications. Yet last May the Dr.Web anti-virus
lab found an application titled Adware.Freesms under Dr.Web classification,
which served as the base for Trojan.Webser and which was, probably, the
author's first "masterpiece", as Trojan software of that type
couldn't independently distribute and perform its functions on a mobile
phone. In order to start such a Trojan's functioning the user had to set up
that application by him-/herself and allow it to start up and access the
network.

Another representative of harmful software worth noticing is
Trojan.Popuper distributed mainly as a codec for various multimedia files.
To hamper detecting its “child” by antivirus software the authors of
Trojans often modify them on the source text level.

Also, in September 2006 the amount of harmful software aimed at
stealing target PC passwords increased. Here, the main emphasis was put on
bank system passwords. The most popular way of setting up harmful software
on the user's computer is still the use of various loading machines.

The Dr.Web company is presenting its September 2006 virus statistics for
the 20 most widespread viruses.

Virus name
Win32.HLLM.Beagle                   17.09
Win32.HLLM.Netsky.35328             13.57
Win32.HLLM.Perf                     10.63
Win32.HLLM.Netsky.based              9.31
Win32.HLLM.MyDoom.based              8.41
Trojan.Bankfraud.272                 6.00
Win32.HLLM.Beagle.pswzip             4.24
Win32.HLLM.Graz                      3.83
Win32.HLLM.MyDoom                    3.15
Win32.HLLM.MyDoom.33808              2.47
Win32.HLLM.MyDoom.49                 1.87
Win32.HLLM.Beagle.19802              1.31
Win32.HLLM.Netsky                    1.22
Exploit.IframeBO                     1.16
Win32.HLLM.Limar.based               1.15
Program.RemoteAdmin                  1.05
Win32.HLLM.Bagz                      0.96
Win32.HLLM.Perf.based                0.75
Win32.HLLM.Lovgate.9                 0.74
EICAR Test File (NOT a Virus!)       0.70
Other malware                       10.39

Doctor Web, Ltd.
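
Added example (not part of the original post or of Dr.Web's review): why the Trojan.Encoder.9 scheme described above is weak from a recovery standpoint. With a repeating 8-byte XOR key, 8 known plaintext bytes such as a file-format signature reveal the whole key. Assumptions: the key is applied from offset 0, the zero padding is appended before the XOR, and the affected file is a PNG; the function names, the key and the sample data are constructed for illustration.

```python
from itertools import cycle

KEY_LEN = 8                                     # key length given in the review
PREFIX = "_CRYPTED_"                            # rename prefix given in the review
PNG_MAGIC = bytes.fromhex("89504e470d0a1a0a")   # standard 8-byte PNG signature

def xor8(data: bytes, key: bytes) -> bytes:
    """Repeating 8-byte XOR; the same operation encrypts and decrypts."""
    if len(key) != KEY_LEN:
        raise ValueError("key must be exactly 8 bytes")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))

def recover_key(ciphertext: bytes, known_header: bytes) -> bytes:
    """Known-plaintext recovery: key = ciphertext XOR plaintext over block 0."""
    if min(len(ciphertext), len(known_header)) < KEY_LEN:
        raise ValueError("need 8 bytes of ciphertext and of known plaintext")
    return bytes(c ^ p for c, p in zip(ciphertext[:KEY_LEN], known_header[:KEY_LEN]))

def strip_padding(plain: bytes) -> bytes:
    """Drop the 1..8 trailing zero bytes (ambiguous if the file itself ended in zeros)."""
    tail = plain[-KEY_LEN:]
    pad = len(tail) - len(tail.rstrip(b"\x00"))
    if len(plain) % KEY_LEN or pad == 0:
        raise ValueError("no zero padding found: wrong key or different layout")
    return plain[:-pad]

def restore(name: str, ciphertext: bytes, known_header: bytes = PNG_MAGIC):
    """Return (original name, original bytes) for one renamed, encrypted file."""
    key = recover_key(ciphertext, known_header)
    plain = strip_padding(xor8(ciphertext, key))
    return (name[len(PREFIX):] if name.startswith(PREFIX) else name), plain

def constructed_sample():
    """Constructed test data: a PNG-like blob, a made-up key, padding per the review."""
    original = PNG_MAGIC + b"constructed sample body" + bytes.fromhex("49454e44ae426082")
    key = bytes.fromhex("1122334455667788")     # constructed, not a real sample's key
    padded = original + b"\x00" * (KEY_LEN - len(original) % KEY_LEN)  # adds 1..8
    return original, key, PREFIX + "photo.png", xor8(padded, key)

if __name__ == "__main__":
    original, key, name, blob = constructed_sample()
    assert recover_key(blob, PNG_MAGIC) == key
    assert restore(name, blob) == ("photo.png", original)
    print("recovered key:", recover_key(blob, PNG_MAGIC).hex())
```

The padding check doubles as a sanity test: a wrong key or a different layout leaves a non-zero tail and the restore is refused instead of writing out garbage.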