
November 2007 virus activity review by Doctor Web, Ltd.

December 1, 2007

The virus monitoring service of Doctor Web, Ltd. has analyzed virus activity in November 2007.

Storm Worm spam, which began at the end of October, continued to be sent for 10 days in November. The e-mail messages had an intriguing subject: “Dancing Skeleton”. They were timed to Halloween and invited the user to take a look at a dancing skeleton. When a user followed the link using Internet Explorer, a download script embedded in the page code was triggered, which in turn installed the worm's executable modules. Otherwise the worm functioned the same way as before: a driver was installed on the infected system, the machine became a member of a P2P network and was used to send out spam messages.

We’d like to remind you that Storm Worm emerged in January 2007 and was distributed in e-mail messages containing information about a weather disaster in Europe. A user launched the attached executable to get more details on the event. As a result, a Trojan programme exploiting a system backdoor was installed on the computer. The malware's executables use polymorphic packers, which is why Dr.Web Anti-virus detects them under entries like Trojan.Packed (e.g. Trojan.Packed.142, Trojan.Packed.200, Trojan.Packed.230).

However, let’s get back to the survey. The “Dancing Skeleton” mailing stopped after a while, and no messages like those described above were detected later in November. Meanwhile, as nature abhors a void, virus activity didn’t decline. Once the Storm Worm propagation had stopped, the creators of the Win32.HLLM.Limar worm stepped in. The worm wasn’t that active in the previous month, but it propagated via e-mail, ICQ and Skype. Launching the file a user was prompted to download resulted in infection of the system, disruption of some anti-virus and other IT-security programmes, and use of the infected system as a zombie spam distributor.

And this is not the end yet. Another spam mailing wave was observed throughout the month: a user was promised advice on how to improve his/her health and welfare, but following the link in the message body executed a downloading script, and a malicious programme detected by Dr.Web Anti-virus as Win32.HLLM.Graz was installed.

Given that in most cases a user has to follow a link to be infected by a malicious programme, Doctor Web, Ltd. offers a free link-checking service. The service is implemented as a browser plug-in that can be used to scan any web page for viruses before it is actually opened, or to check a file one is going to download. When a page is checked, links to scripts and frames present in the page code are also checked. More details on the service are available on the Dr.Web free services web-site of Doctor Web, Ltd.
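The kind of enumeration such a page check implies can be sketched as follows. This is an added example, not Doctor Web's code and not a description of how the plug-in works internally: it lists the script and frame URLs that would need to be fetched and scanned alongside a page, and the function names, hosts and sample HTML are all constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

SRC_TAGS = {"script", "frame", "iframe"}  # tags that pull in code or a nested page


class ScanTargetCollector(HTMLParser):
    """Collects the URLs to check in addition to the page itself."""

    def __init__(self, page_url):
        super().__init__()
        self.base = page_url      # replaced by the first <base href>, if present
        self.base_seen = False
        self.targets = []         # (tag, absolute URL), document order, no repeats
        self.seen = set()
        self.inline_scripts = 0   # inline code is scanned as part of the page body

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)       # HTMLParser lower-cases tag and attribute names
        if tag == "base" and not self.base_seen and attrs.get("href"):
            self.base, self.base_seen = urljoin(self.base, attrs["href"]), True
            return
        if tag not in SRC_TAGS:
            return
        src = (attrs.get("src") or "").strip()
        if not src:
            self.inline_scripts += tag == "script"
            return
        url = urljoin(self.base, src)
        # javascript:, data: and similar are not fetchable links; skip them here.
        if urlsplit(url).scheme in ("http", "https") and url not in self.seen:
            self.seen.add(url)
            self.targets.append((tag, url))


def scan_targets(page_url, html):
    collector = ScanTargetCollector(page_url)
    collector.feed(html)
    collector.close()
    return collector.targets, collector.inline_scripts


# Constructed sample page (hypothetical hosts under .test).
SAMPLE_URL = "http://page.example.test/card/index.html"
SAMPLE_HTML = """<html><head><base href="http://cdn.example.test/assets/">
<script src="loader.js"></script><script>var shown = 1;</script></head>
<body><iframe src="//frames.example.test/a.html" width=0 height=0></iframe>
<IFRAME SRC="http://frames.example.test/a.html"></IFRAME>
<frame src="javascript:void(0)"><script src="/js/loader.js"></script>
</body></html>"""
```

Each returned URL would be passed to the scanner in turn; a frame's document can itself reference further scripts and frames, so a real checker would repeat the enumeration on it with a depth limit.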

The launch of the Dr.Web AV-Desk™ anti-virus service, which targets ISPs and IT-security service providers, gives the virus monitoring service of Doctor Web, Ltd. even more information on the viruses infecting end-users' machines. Of course, the statistics provided here are not final, but even now we can say that password stealers lead among malware. Dr.Web AV-Desk™ has been running on the servers of some Russian providers for three weeks, and scan results for 6.5 billion files show that 3.5 million of them are related to malicious programmes. The absolute leaders are Trojan.PWS.Wsgame.origin, detected using the state-of-the-art non-signature Origins Tracing™ technology, the Win32.HLLP.Jeefo.36352 virus, and the Trojans Trojan.Recycle, Trojan.PWS.LDPinch.2468 and Trojan.Proxy.1824.

November 2007 spam activity summary

Apart from traditional commercial spam, it should be mentioned that the number of messages advertising various cultural events, such as exhibitions, concerts, etc., has increased.

13403 entries were added to the Dr.Web virus database in November 2007.

A brief table illustrating November scan results:

Virus name                 Number
VBS.Psyme.239              1 181
Trojan.Peflog.148          464
Worm.Sifiliz               309
Trojan.DownLoader.8132     295
Trojan.Peflog.168          264
Trojan.Peflog.155          241
Trojan.SCKeyLog            139
VBS.Psyme.377              85
BackDoor.Bulknet           71
Trojan.Spambot             55

You can also have a look at the summary of viruses that were detected most often on mail servers:

Virus name                    % of the total
Win32.HLLM.Netsky.35328       28.18
Win32.HLLM.Netsky             9.70
Win32.HLLM.Netsky.based       6.78
Win32.HLLM.Limar.based        5.47
Win32.HLLM.Beagle             5.41
Win32.HLLM.Limar.2228         4.19
Win32.HLLM.MyDoom.based       4.12
Win32.HLLP.Sector             3.92
Win32.HLLM.Perf               3.63
Win32.HLLM.Limar              2.95
Exploit.MS05-053              2.62
Win32.HLLM.Oder               2.18
Trojan.DownLoader.36219       1.77
Win32.HLLM.MyDoom.33808       1.65
Win32.HLLW.Autoruner.437      1.61
BackDoor.Bulknet              1.32
Win32.HLLM.Netsky.24064       1.16
Win32.HLLM.MyDoom.49          1.10
Win32.HLLM.Graz               1.08
Win32.HLLM.Netsky.41985       0.99
Other malicious programmes    10.17


