
Doctor Web, Ltd. Virus Review — July, 2006

August 1, 2006

July 2006 turned out to be a rather calm month for viruses, apart from several latent epidemics of the Win32.HLLM.Netsky and Win32.HLLM.MyDoom mail worms.

Still, it is worth mentioning the propagation of a "new" modification of Win32.HLLM.Beagle, which started late in June. We put "new" in quotation marks because the propagation technique of worms from this family has remained unchanged since 2004: they spread as attachments to mail messages in password-protected ZIP archives, and the password is displayed in the body of the infected message as a graphic image. This propagation technique was designed to make detection by anti-virus filters as difficult as possible. The "new" modification of Win32.HLLM.Beagle has one important peculiarity: rootkit components. The use of rootkits has become the dominant trend in the creation of malicious code, and the numerous variants of BackDoor.Haxdoor and BackDoor.HackDef are proof of it.

The malicious goals of cyber criminals remain the same: spam distribution via users' computers and theft of confidential user data. The main "assistants" of malefactors are vulnerabilities in software and careless users. Another example of users' carelessness is the infection of more than a million computers via a banner at MySpace.com. The banner exploited the flaw in Windows Metafile (WMF) disclosed in January 2006. The vulnerable systems downloaded malicious programs classified by Doctor Web, Ltd. as Trojan.PurityAd and Adware.ClickSpring. (Read the news about this incident here.)

"Trojanized downloaders" (classified by Doctor Web, Ltd. as Trojan.DownLoader) remain the most popular way of distributing malicious code. They download additional malicious code from the Internet without the user noticing.

Another event of this month was the detection of malicious code exploiting a newly discovered vulnerability in MS PowerPoint. The vulnerability allows arbitrary code to be launched secretly on a victim's system.

It is also worth mentioning the short-term increase in activity (by approximately 12%) in mid-July of the so-called phishers. Phishing techniques include sending counterfeit messages to potential victims, pretending to be written by some bank. A user is asked to visit a forged web site and confirm their banking details: PIN codes and other sensitive information used by criminals to steal money from the victim's account. Analysts of the Virus Monitoring Service of Doctor Web, Ltd. have added a special entry to the virus database that detects a wide spectrum of modifications of such malicious code: Trojan.Bankfraud.272.

In July 2006 the world saw the birth of another kind of fraud, vishing: an Internet fraud technique that is a variety of phishing. It uses "war diallers" and VoIP technology for malicious purposes, to steal personal sensitive data such as passwords, banking details, identification card details, etc. Potential victims receive telephone calls that appear to be made by legitimate companies and institutions. They are asked to confirm PIN codes or passwords using the keypads of their smartphones or PDAs; criminals later use these to steal money from bank accounts and in other crimes.

The end of the month saw a new variant of a Trojan program labeled by Doctor Web, Ltd. as Trojan.PWS.LDPinch.1061, which propagates via instant messaging networks (ICQ). This Trojan was designed to intercept all passwords collected on the compromised system (ICQ, FTP, mail services, dial-up, Trillian, Miranda, etc.) and send them to a remote server. Read more about this Trojan here.

Below are the virus statistics for July 2006 from Doctor Web, Ltd., presenting the 20 most widespread viruses:

| Virus name | % of total quantity |
|---|---|
| Win32.HLLM.Beagle | 25.08 |
| Win32.HLLM.Netsky.35328 | 12.00 |
| Win32.HLLM.MyDoom.based | 9.94 |
| Win32.HLLM.Beagle.pswzip | 7.49 |
| Win32.HLLM.Netsky.based | 7.46 |
| Trojan.Bankfraud.272 | 7.25 |
| Win32.HLLM.MyDoom | 3.92 |
| Win32.HLLM.Graz | 3.80 |
| Win32.HLLM.Perf | 2.69 |
| Win32.HLLM.MyDoom.33808 | 2.23 |
| Win32.HLLM.MyDoom.49 | 2.14 |
| Win32.HLLM.Beagle.19802 | 1.42 |
| Win32.HLLM.Lovgate.9 | 1.11 |
| Win32.HLLM.Perf.based | 1.08 |
| Exploit.IframeBO | 1.01 |
| Win32.HLLM.Beagle.27136 | 0.85 |
| Win32.HLLM.Netsky | 0.81 |
| Program.RemoteAdmin | 0.75 |
| Win32.HLLM.Bagz | 0.73 |
| Win32.HLLM.Generic.391 | 0.66 |


