August`07 virus and spam review by Doctor Web, Ltd.

September 6, 2007

Virus Monitoring Service of Doctor Web, Ltd. reports on virus events in August 2007.

In the second decade Virus Monitoring Service of Doctor Web, Ltd. detected in downloadable executable modules a dangerous polymorphic virus classified by Dr.Web as Win32.Virut.5, affecting all executable files and capable of taking control over infected computers via IRC channels. Some variants of the executable files of Trojan.Packed.142 infected by Win32.Virut.5 spread around for a few days. Dr.Web Anti-virus, in contrast to many other anti-viruses, not only detects, but, which is most important, cures files infected with Win32.Virut.5. The scale of the “storm worm” makes any delay in detecting the malware and curing computers really fatal. A similar case occurred last year when the Win32.Polipos file virus spread over peering networks and Dr.Web was the only anti-virus to detect and curу the infected machines.

Later the propagation of the Trojan.Packed.142 variants infected by Win32.Virut.5 stopped. We observed almost the same in May`07, when there was a mass distribution of the Win32.HLLM.Limar worm infected by Win32.Virut.

There was also detected another file virus labeled Win32.Scproj.7573. This one infects all the .exe files on hard disks and movable carriers. It doesn’t modify, as a rule, the file volume writing itself to a zero byte section. There’s no visible sign of infection, except for Explorer errors, messages of some programs on the integrity damages of their .exe files, etc. The virus intercepts the network access via the infected attachments and can avoid firewalls` security policies for trusted attachments. Its body comprises links from which it can receive instructions on its further action. In a definite time after the start of the infected Explorer, the virus scans the network for the network shares with write access and, having found them, infects all their .exe files.

Modifications of the notorious Win32.HLLM.Beagle mass-mailing worm should be noted on the list as well, although their distribution was far from being an epidemic.

August 2007, spam review

A few spam distributions were detected this month. The first one, the “storm worm” distribution mentioned above, was the most scalable one. The second comprised the messages with PDF files attached. The third contained e-mails with Here is the news you have been waiting for. subjects distributed from computers infected by Trojan.Packed.142. Spam seems to have taken over the basic viruses’ traits: alarming subjects, offers to read a document or important data (characteristic of Win32.HLLM.Netsky), Delivery Failure reports (typical of Win32.HLLM.MyDoom, Win32.HLLM.Limar mail worms), ZIPed attachments, etc.

14 474 entries were added in August 2007 to Dr.Web virus database.

Below goes a short summary table of online check for this month:

Virus name	Quantity
VBS.Psyme.239	469
Trojan.Packed.142	415
BackDoor.Bulknet	322
VBS.PackFor	284
Trojan.SCKeyLog.20	124
Win32.Virut	107
Trojan.Virtumod	81
Trojan.Peflog.30	56
Trojan.Peflog.31	56
Trojan.DownLoader.29530	33

Below is a summary table of 20 top viruses detected in August 2007:

Virus name	% of the total quantity
Win32.HLLM.Graz	19.16%
Trojan.DownLoader.30541	16.31%
Win32.HLLM.Netsky.35328	15.05%
Win32.HLLM.MyDoom.based	8.03%
Win32.HLLM.Beagle	7.21%
Win32.HLLM.Netsky	4.30%
Win32.HLLM.Netsky.based	3.67%
Win32.HLLM.Perf	2.88%
Win32.HLLP.Sector	2.70%
Exploit.MS05-053	2.49%
Win32.HLLM.Limar.based	2.40%
BackDoor.Bulknet.52	1.92%
Trojan.DownLoader.29243	1.75%
Win32.HLLM.Limar	1.41%
Win32.HLLM.MyDoom.33808	1.35%
Win32.HLLM.Oder	1.01%
Win32.HLLM.MyDoom.49	0,70%
Win32.HLLM.Netsky.24064	0.56%
Win32.HLLM.Beagle.pswzip	0.47%
Win32.HLLM.Generic.391	0.44
Other malware	6.18%

2008-09-05	Doctor Web against extortion
2008-09-04	One of the key players of Telecom market in Smolensk adopts Dr.Web AV-Desk
2008-09-02	Subscribers of leading ISP in Belgorod shielded by Dr.Web AV-Desk
2008-09-01	August virus activity review from Doctor Web
2008-08-28	Intersvyaz starts public testing of the Dr.Web anti-virus service
2008-08-25	Leading Russian manufacturer of weapons chooses Dr.Web
2008-08-22	Comprehensive protection from Dr.Web for subscribers of Teleos-1
2008-08-19	Improved version of GUI-scanner for Dr.Web for Windows released
2008-08-18	Dr.Web for Windows standard of anti-virus protection for executive bodies of Permskiy Kray
2008-08-13	Doctor Web has released a free decryption utility to counteract the new extortion Trojan.Encoder.19
2008-08-13	Dr.Web AV-Desk anti-virus covering for subscribers of Bashinformsvyaz
2008-08-08	Doctor Web: statement on Virus Bulletin comparative reviews
2008-08-08	Telnet secures its subscribers with Dr.Web anti-virus
2008-08-05	July 2008 virus activity review by Doctor Web
2008-08-01	Dr.Web AV-Desk now in Ulyanovsk region
2008-07-31	Dr.Web AV-Desk deployment summary by Eltel
2008-07-31	Dr.Web AV-Desk moves on in Moscow region
2008-07-24	Three regions of Moscow protected by Dr.Web AV-Desk
2008-07-23	Doctor Web releases new LinkChecker for Mozilla Firefox
2008-07-22	Dr.Web AV-Desk chosen by ISP "Hazynet" in Krasnoyarsk
2008-07-18	Doctor Web, Ltd. releases Active Directory installer for Dr.Web Enterprise Suite 4.44.3
2008-07-16	Dr.Web anti-virus now accessible to subscribers of Infocentre
2008-07-16	Doctor Web launches the beta-testing of Dr.Web for MIMEsweeper
2008-07-15	Anti-virus protection is delivered to subscribers of Lintecs by Dr.Web AV-Desk
2008-07-15	”Nauka-Sviaz” deployed Dr.Web AV-Desk
2008-07-15	Dr.Web AV-Desk adopted by three ISPs in Krasnoyarsk
2008-07-15	Dr.Web will protect Internet users of GlavSET
2008-07-14	Dr.Web anti-virus is the new service for subscribers of SZT
2008-07-14	Dr.Web AV-Desk deployed by MajaNet in Estonia
2008-07-12	Dr.Web AV-Desk will secure networks of Maginfo
2008-07-11	Corrected verson of Dr.Web SpIDer Guard 4.44 released
2008-07-11	Dr.Web for IBM Lotus Domino validated by IBM