
December virus review by Doctor Web, Ltd.

January 4, 2007

The Virus Monitoring Service of Doctor Web, Ltd. presents its virus review for December 2006.

In the last month of the year, several vulnerabilities in MS Outlook Express and Internet Explorer were discovered. The new flaws allowed computer criminals to execute arbitrary code on the target computer, overrun a buffer and remotely read files in the Temporary Internet Files directory. Microsoft rated all the flaws as "critical". Despite the released patches, there is a high probability that a fully functional virus will be created to exploit the vulnerabilities. Quite often patches are installed only after the computer has been infected. Read more about vulnerabilities in Internet Explorer and Outlook Express here.

During December there was a large-scale distribution of spam messages inviting users to visit a web site or view "hot pics". The link, from which an archive could be downloaded, pointed to a Trojan downloader detected by Dr.Web as Trojan.DownLoader.15512. Once infected, computers become a source of spam sent out by another Trojan, Trojan.Spambot.

This month a new Trojan horse, named Trojan.Encoder.10 by Dr.Web, appeared. It has a destructive function: it encrypts files on hard drives (*.jpg, *.doc, *.txt, *.gif, *.rar, *.bmp) using the XOR algorithm with a 1-byte key. Recall that its predecessor Trojan.Encoder.9 used an 8-byte key, and Trojan.Encoder.6 encrypted files with the RSA algorithm. Trojan.Encoder.10 infects files by prepending itself to them and adding the *.exe extension. The infected file is run by the operating system as an executable and displays the message

"file_name" was infected with dangerous and destructive virus or spyware.
CPS Anti-Spyware 2.0 deleted "file_name" from this path on your computer
C:\ - now your system is fully protected CPS Anti-Spyware 2.0 
allow you to recover all infected files with 100 guarantee.
Purshase full version CPS Anti-Spyware and restore "file_name"

and opens Internet Explorer with the target web-site page. Clearly, this Trojan is used for advertising purposes only.
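A 1-byte XOR key leaves only 256 possibilities, so the key can be read off the known leading signature of each affected file type. The following Python is an added example, not code from Doctor Web; it assumes the encrypted content has already been separated from the prepended Trojan body and that the whole content is XORed with a single byte, and the function names and sample data are constructed for illustration.

```python
import string

# Leading magic bytes of the file types named in the review (*.txt has none).
SIGNATURES = {
    "jpg": b"\xff\xd8\xff",
    "gif": b"GIF8",
    "bmp": b"BM",  # only 2 bytes, so a match is weaker evidence
    "rar": b"Rar!\x1a\x07",
    "doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",  # OLE2 compound file
}
TEXT_BYTES = frozenset(string.printable.encode("ascii"))
COMMON = frozenset((string.ascii_letters + " ").encode("ascii"))

def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)

def key_from_signature(blob: bytes, ext: str):
    """Key implied by the first byte, accepted only if the full signature matches."""
    sig = SIGNATURES.get(ext.lower())
    if sig is None or len(blob) < len(sig):
        return None
    key = blob[0] ^ sig[0]
    return key if xor_bytes(blob[: len(sig)], key) == sig else None

def key_for_text(blob: bytes, sample: int = 4096):
    """No signature: try all 256 keys and score each candidate plaintext."""
    head = blob[:sample]

    def score(key: int) -> int:
        plain = xor_bytes(head, key)
        if not all(b in TEXT_BYTES for b in plain):
            return -1  # a non-text byte rules the key out
        return sum(b in COMMON for b in plain)  # letters and spaces

    ranked = sorted(range(256), key=score, reverse=True)
    # Accept only a strict winner; a tie means the key is ambiguous.
    return ranked[0] if score(ranked[0]) > score(ranked[1]) else None

def recover(blob: bytes, ext: str):
    """Return (key, plaintext), or None when the key cannot be established."""
    ext = ext.lower().lstrip(".")
    key = key_for_text(blob) if ext == "txt" else key_from_signature(blob, ext)
    return None if key is None else (key, xor_bytes(blob, key))

# Constructed samples (assumption: content already split from the Trojan body).
SAMPLE_GIF = xor_bytes(b"GIF89a\x01\x00\x01\x00\x80\x00\x00", 0x5A)
SAMPLE_TXT = xor_bytes(b"Quarterly report\r\nDraft 2 of 3.\n", 0x5A)
```

`recover` returns `None` instead of guessing when the signature does not match or the text scoring is tied, so a wrong key is never applied to a file.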

Trojan.Promo is another example of an advertising program. Once installed, the Trojan registers at a certain web site and receives a unique identification number. After that, it downloads advertisements from time to time. Its icon is displayed in the system tray. When a user clicks the icon, a message is generated asking the user to send a paid SMS to remove the Trojan horse.

This month a new modification of the mass-mailing worm labeled Win32.HLLM.Limar was released, but it had a minor impact and did not cause a large-scale epidemic like the one this autumn. At the end of the month a spam distribution of malicious "Christmas cards" was registered. The viral attachments contained a new variant of the notorious Win32.HLLM.Limar, and users who opened these attachments received a real "present" from virus writers. These malicious programs were added to the Dr.Web virus database as Trojan.DownLoader.16958, Trojan.DownLoader.16984 and Trojan.DownLoader.16985.

Statistics

8290 entries were added to Dr.Web virus database in December.

Find below a short summary table of online check results in December:

| Virus name | Quantity |
|---|---|
| Win32.HLLM.Limar | 415 |
| Win32.HLLM.Limar.based | 279 |
| Trojan.Spambot | 201 |
| Win32.HLLM.Beagle | 173 |
| Win32.HLLM.Wukill | 165 |
| Trojan.Popuper | 162 |
| Trojan.PWS.LDPinch.1217 | 156 |
| Trojan.Peflog.52 | 137 |
| BackDoor.Generic.1138 | 127 |
| Trojan.Mezzia | 74 |

The table below lists the malware most frequently detected on mail servers and networks protected by Dr.Web Enterprise Suite:

| Virus name | Percentage rate |
|---|---|
| Trojan.Bankfraud.272 | 14.37 |
| Win32.HLLM.Limar.based | 12.35 |
| Win32.HLLM.Perf | 11.16 |
| Win32.HLLM.Beagle | 9.25 |
| Win32.HLLM.Netsky.35328 | 8.90 |
| Win32.HLLP.Sector | 7.00 |
| Win32.Dref | 6.30 |
| Win32.HLLM.Netsky.based | 4.89 |
| Win32.HLLM.MyDoom.based | 4.69 |
| Win32.HLLM.MyDoom.33808 | 2.19 |
| Win32.HLLM.Limar | 2.19 |
| Trojan.DownLoader.16958 | 2.16 |
| Win32.HLLM.Graz | 1.85 |
| Win32.HLLM.MyDoom.49 | 1.14 |
| Exploit.MS05-053 | 0.89 |
| Win32.HLLM.Netsky | 0.74 |
| Win32.HLLM.Oder | 0.72 |
| Exploit.MS05-053 | 0.70 |
| Exploit.IframeBO | 0.63 |
| Win32.HLLM.MyDoom | 0.51 |
| Other malware | 7.37 |


