
April virus review by Doctor Web

May 1, 2007

Virus Monitoring Service of Doctor Web, Ltd. reports on virus events in April 2007.

The virus events of April 2007 caused considerable unrest on the web. The e-mail worms Win32.Dref and Win32.HLLM.Limar retained the lead they had shared before. This time, however, their rivalry showed new features: Win32.Dref switched to spreading as a password-protected ZIP archive, with the password given in a graphic file. It is an old trick borrowed from another mail worm, Win32.HLLM.Beagle. Yet it served Win32.Dref well for the first few days, as far from all well-known anti-virus products managed to detect it on mail servers. Finally, a special record, Win32.Dref.pswzip, which ensures detection of the worm both as a modification of Win32.Dref and in such archives, solved the problem.
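A mail-gateway check for the delivery pattern described above, as an added example that is not Doctor Web's detection logic: it flags a message that carries a ZIP whose entries are marked encrypted (so the scanner cannot open them) together with an image part. The function names, the quarantine policy and the sample message are assumptions constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

ENCRYPTED = 0x1  # ZIP general-purpose flag bit 0: entry is encrypted


def encrypted_entries(data):
    """Names of encrypted members in a ZIP blob; [] if it is not a ZIP."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [i.filename for i in zf.infolist() if i.flag_bits & ENCRYPTED]
    except zipfile.BadZipFile:
        return []


def assess_message(raw):
    """Flag mail that pairs an unscannable encrypted ZIP with an image part."""
    msg = message_from_bytes(raw, policy=policy.default)
    locked, images = [], []
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        if payload[:4] == b"PK\x03\x04" and encrypted_entries(payload):
            locked.append(part.get_filename() or "(unnamed)")
        elif part.get_content_maintype() == "image":
            images.append(part.get_filename() or "(unnamed)")
    return {"encrypted_zips": locked, "images": images,
            "quarantine": bool(locked and images)}


def build_sample(encrypt):
    """Constructed test mail: harmless ZIP plus a placeholder image part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("note.txt", b"constructed sample, not malware")
    blob = bytearray(buf.getvalue())
    if encrypt:  # mark the entry encrypted in local and central headers
        blob[6] |= ENCRYPTED
        blob[blob.index(b"PK\x01\x02") + 8] |= ENCRYPTED
    msg = EmailMessage()
    msg.set_content("see attachment")
    msg.add_attachment(bytes(blob), maintype="application", subtype="zip",
                       filename="doc.zip")
    msg.add_attachment(b"GIF89a", maintype="image", subtype="gif",
                       filename="pass.gif")
    return msg.as_bytes()
```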

Win32.HLLM.Limar, in its turn, brought an unpleasant surprise: the worm's main body was additionally infected by the polymorphic file virus Win32.Virut, which reached its victims as an extra "bonus". Besides, in mid-April Win32.HLLM.Limar reasserted its undisputed leadership in infecting mail traffic, with peaks as high as 80%.

As the graph analysis shows, the outbreak of Win32.HLLM.Limar proved to be short-lived. Still, the notorious ability of Win32.HLLM.Limar to catch its victims unawares and spread widely should not be disregarded.

A new modification of Win32.HLLM.Graz also deserves attention, although it passed almost unnoticed and did not seem to attempt mass distribution.

As if to make up for this, the script worm VBS.Igidak continued its triumphal march. Compared with previous months it did not spread as much, but its method of auto-launching in the infected system, by creating an autorun.inf configuration file containing the path to the executable part of the worm, turned out to be a real trend. Both the executable part of the worm and the configuration file are hidden. This makes visual detection even more difficult, because the display of files with the system or hidden attribute is disabled by default in the standard Windows Explorer and most file managers. Other malware, Trojan.Recycled and Trojan.Corruptor for instance, uses the same tricks to infect systems.
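A triage check for the hidden autorun.inf pattern described above, as an added example that is not Doctor Web's code: it parses the launch entries of an autorun.inf and reports when the file itself, or a file it launches, carries the hidden or system attribute. The function names, finding strings and sample data are assumptions constructed for illustration; on a live Windows drive, pass windows_attrs(root) as attrs_of.

```python
import os
import re

HIDDEN, SYSTEM = 0x2, 0x4  # Windows FILE_ATTRIBUTE_HIDDEN / FILE_ATTRIBUTE_SYSTEM
TOKEN = re.compile(r'"([^"]+)"|(\S+)')  # quoted path or bare word


def launch_commands(inf_text):
    """Yield (key, command) for launch entries in the [autorun] section."""
    in_section = False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower().startswith("[autorun]")
        elif in_section and "=" in line and not line.startswith(";"):
            key, command = (s.strip() for s in line.split("=", 1))
            key = key.lower()
            if key in ("open", "shellexecute") or (
                    key.startswith("shell\\") and key.endswith("\\command")):
                yield key, command


def assess_drive(inf_text, inf_attrs, attrs_of):
    """List findings; attrs_of maps a root-relative path to attribute bits or None."""
    findings = []
    if inf_attrs & (HIDDEN | SYSTEM):
        findings.append("autorun.inf is hidden/system")
    for key, command in launch_commands(inf_text):
        for quoted, bare in TOKEN.findall(command):
            name = (quoted or bare).lstrip("\\")
            bits = attrs_of(name.lower())
            if bits is not None and bits & (HIDDEN | SYSTEM):
                findings.append(f"{key} launches hidden/system file {name}")
    return findings


def windows_attrs(root):
    """attrs_of for a live drive root (st_file_attributes exists on Windows only)."""
    def lookup(rel):
        try:
            return os.stat(os.path.join(root, rel)).st_file_attributes
        except (OSError, AttributeError):
            return None
    return lookup


# Constructed sample, not taken from a real infection.
SAMPLE_INF = """; padding line
[AutoRun]
shellexecute=wscript.exe sample.vbs
icon=drive.ico
"""
SAMPLE_ATTRS = {"sample.vbs": HIDDEN | SYSTEM, "drive.ico": 0}
```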

The number of malicious programs that download online banking password stealers (Trojan.PWS.Banker) and spam distributors (Trojan.Spambot) increased by 20% this month.

April 2007 Spam Record

The bulk of the spam analyzed by Doctor Web, Ltd. consists of advertising for various services. 80% of spam consists of graphic files. Spammers use this form, as well as other mixed forms of spam (text decimation, colored letters, etc.), to evade spam filters that rely on Bayes's algorithm for detecting unwanted correspondence.

Spam of English origin is limited for the most part to advertising medical services, while spam of Russian origin covers a wide range of services:

  • business offers
  • tourist tours
  • surname derivation service
  • household utilities

General statistics

9973 entries were added to the Dr.Web virus database in April 2007. Below is a short summary table of the month's online virus scans at online.drweb.com.

Virus name                Quantity
Win32.HLLM.Limar          591
VBS.Psyme.239             268
Trojan.Virtumod           240
Trojan.Spambot            177
Trojan.Peflog.31          147
Win32.HLLM.Wukill         128
VBS.Igidak                79
Win32.HLLM.Graz           65
Trojan.PWS.Maran          53
Win32.HLLP.Jeefo.36352    47

Virus detection in April 2007 at mail servers and in networks protected by Dr.Web Anti-virus:

Virus name                  % of the overall quantity
Win32.HLLM.Limar            35.11
Win32.HLLM.Beagle           11.88
Win32.HLLM.Netsky.35328     9.91
Win32.HLLM.Perf             6.83
Win32.HLLM.MyDoom.based     5.45
Win32.HLLM.Netsky.based     4.61
Win32.HLLP.Sector           4.42
Win32.Hazafi.30720          3.61
Win32.HLLM.Graz             2.29
Win32.HLLM.MyDoom.49        2.26
Win32.HLLM.MyDoom.33808     2.09
Win32.HLLM.Limar.based      1.13
Trojan.Spambot              1.01
Win32.Grum                  0.85
Exploit.IframeBO            0.70
Win32.HLLM.Netsky           0.54
Exploit.MS05-053            0.53
Win32.HLLM.Beagle.pswzip    0.50
Exploit.IFrame              0.40
Win32.HLLM.Oder             0.33
Other malware               5.55


