March virus review by Doctor Web, Ltd.

April 1, 2007

Virus Monitoring Service of Doctor Web, Ltd. reports on virus events in March 2007.

In the whole, March 2007 turned out to be quiet enough. Yet, it spared a surprise. Quietness like this is often expected to be followed by a storm: in practice all epidemics arise spontaneously. Competition between mail worms Win32.Dref (known as Storm Worm) and Win32.HLLM.Limar (also Email-Worm.Win32.Warezov or Win32/Stration), which seemed to have reached its climax in February 2007 slowed down in March. Creators of Win32.HLLM.Limar made two attempts to mass spread the worm, but both times their efforts were more of a local character and didn’t result in epidemics. Win32.Dref writers have followed their usual way launching frequent updates of program modules with polymorphic packers.

In the middle of March some worms of the Chinese origin outburst – the notorious Win32.HLLW.Whboy, Win32.HLLW.Gavir, Win32.HLLW.Hang and some new ones, such as Win32.HLLW.Bush and Win32.HLLM.Cobas. Besides, Win32.HLLM.Graz kept being modified all month long.

As for the surprise mentioned above it came to be an amazing mass diffusion of a newly-born script virus classified by Dr.Web as VBS.Igidak. Both Virus Monitoring Service of Doctor Web, Ltd. and Technical Support Team were reported on numerous virus events caused by VBS.Igidak. Strange as it might seem, in most cases the source of infection turned to be flash carriers. With web worms, mail worms and Trojans to compete for the Olive-branch of infection diffusion motor this new source of vulnerability can’t but puzzle. Yet, as statistics says, this epidemics was short enough to arise unrest:

In addition, the malware classified by Dr.Web as Trojan.Plastix spread out again. It was registered in the end of 2005 for the first time, when it was disseminated as the universal add funds code generator of mobile operators. Those who didn’t hesitate to take up such a "useful" program ended in disappointment pretty soon: numerous changes in system’s log actually disabled their computers by blocking both the log and windows options, deleting all the labels from the screen etc. When starting Windows, a warning appeared on the screen claiming that the computer was infected and its recovery required transferring of a fee to a certain e-mail account. Such cyber blackmail is not a frequent thing in the web. The latest wave of it was registered in January 2007 along with Trojan.Encoder.6 diffusion. Yet, every time it recovers strength it results in local epidemics. Users should be well aware that money transactions are out of question in situations like these. And they furthermore should be more careful when it comes to downloading of unknown programs. The check for viruses is strongly recommended before any such download. And if your PC still didn’t escape Trojan.Plastix, you are welcome to contact Technical Support Team of Doctor Web, Ltd. to recover your computer.

Virus statistics by Doctor Web, Ltd. in March, 2007

Virus name	Quantity
Win32.HLLM.Limar	274
Trojan.Virtumod	210
Trojan.Peflog.31	199
Trojan.Packed.69	149
Trojan.Peflog.30	141
VBS.Psyme.239	138
Win32.HLLM.Wukill	125
Trojan.Peflog.52	104
Trojan.PWS.GoldSpy	74
Trojan.Spambot	67

Virus detection in March, 2007 at mail servers and in networks protected by Dr.Web Anti-virus:

Virus name	% of the overall quantity
Win32.HLLP.Sector	18.23
Win32.HLLM.Beagle	13.32
Win32.HLLM.Netsky.35328	11.76
Win32.HLLM.Perf	10.49
Win32.HLLM.MyDoom.based	6.96
Trojan.Bankfraud.272	6.46
Win32.HLLM.Netsky.based	5.93
Win32.HLLM.MyDoom.49	5.61
Win32.HLLM.MyDoom.33808	2.69
Win32.HLLM.Graz	2.01
Win32.HLLM.Limar.based	1.55
Win32.HLLM.Limar	1.21
Trojan.Spambot	0.84
Win32.HLLM.Netsky	0.80
Exploit.IframeBO	0.79
Exploit.MS05-053	0.56
Win32.Grum	0.49
Program.RemoteAdmin	0.49
Win32.HLLM.MyDoom	0.45
Exploit.IFrame	0.44
Other malware	8.82

2008-09-05	Doctor Web against extortion
2008-09-04	One of the key players of Telecom market in Smolensk adopts Dr.Web AV-Desk
2008-09-02	Subscribers of leading ISP in Belgorod shielded by Dr.Web AV-Desk
2008-09-01	August virus activity review from Doctor Web
2008-08-28	Intersvyaz starts public testing of the Dr.Web anti-virus service
2008-08-25	Leading Russian manufacturer of weapons chooses Dr.Web
2008-08-22	Comprehensive protection from Dr.Web for subscribers of Teleos-1
2008-08-19	Improved version of GUI-scanner for Dr.Web for Windows released
2008-08-18	Dr.Web for Windows standard of anti-virus protection for executive bodies of Permskiy Kray
2008-08-13	Doctor Web has released a free decryption utility to counteract the new extortion Trojan.Encoder.19
2008-08-13	Dr.Web AV-Desk anti-virus covering for subscribers of Bashinformsvyaz
2008-08-08	Doctor Web: statement on Virus Bulletin comparative reviews
2008-08-08	Telnet secures its subscribers with Dr.Web anti-virus
2008-08-05	July 2008 virus activity review by Doctor Web
2008-08-01	Dr.Web AV-Desk now in Ulyanovsk region
2008-07-31	Dr.Web AV-Desk deployment summary by Eltel
2008-07-31	Dr.Web AV-Desk moves on in Moscow region
2008-07-24	Three regions of Moscow protected by Dr.Web AV-Desk
2008-07-23	Doctor Web releases new LinkChecker for Mozilla Firefox
2008-07-22	Dr.Web AV-Desk chosen by ISP "Hazynet" in Krasnoyarsk
2008-07-18	Doctor Web, Ltd. releases Active Directory installer for Dr.Web Enterprise Suite 4.44.3
2008-07-16	Dr.Web anti-virus now accessible to subscribers of Infocentre
2008-07-16	Doctor Web launches the beta-testing of Dr.Web for MIMEsweeper
2008-07-15	Anti-virus protection is delivered to subscribers of Lintecs by Dr.Web AV-Desk
2008-07-15	”Nauka-Sviaz” deployed Dr.Web AV-Desk
2008-07-15	Dr.Web AV-Desk adopted by three ISPs in Krasnoyarsk
2008-07-15	Dr.Web will protect Internet users of GlavSET
2008-07-14	Dr.Web anti-virus is the new service for subscribers of SZT
2008-07-14	Dr.Web AV-Desk deployed by MajaNet in Estonia
2008-07-12	Dr.Web AV-Desk will secure networks of Maginfo
2008-07-11	Corrected verson of Dr.Web SpIDer Guard 4.44 released
2008-07-11	Dr.Web for IBM Lotus Domino validated by IBM