December 2007 spam and virus activity review by Doctor Web, Ltd.
January 15, 2008
The virus monitoring service of Doctor Web, Ltd. analyzed virus
activity in December 2007.
December saw low spammer activity. Only the end of the month was
marked by the typical pre-Christmas and New Year messages: users
received the standard offers to order printed materials and holiday
gifts. Messages advertising pharmaceuticals, databases, etc. were less
common over the holidays.
However, one event is worth mentioning: a well-planned phishing
attack, apparently targeting customers of "Yandex.Money". It occurred
on December 22 and was rather short but dangerous; the sender e-mail
address (qkd@boetticher.com) had no relation to the Yandex web portal.
Interestingly, a similar phishing attack occurred in October; the only
difference was that the October message linked to the YANCLEX.RU
domain, while the December phishing link redirected to YANREX.COM.
See the domain info below:
Domain Name: YANREX.COM
Registrant:
N/A
Steven Lucas (steven_lucas_2000@yahoo.com)
5215/2 SW 152 Court, P.O. Box 1547
Beaverton
Oregon,97011
US
Tel. +9.9239278345
Creation Date: 11-Dec-2007
Expiration Date: 11-Dec-2008
Domain servers in listed order:
ns2.security4u.cn
ns1.security4u.cn
Rules to detect these spam messages were added to the anti-spam module
of Doctor Web, Ltd. products.
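The pattern of the attack above (a link to a look-alike of the brand's domain, a sender address unrelated to that brand, and a domain registered days before the mailing) can be turned into a simple message check. The code below is an added example and not Doctor Web's own detection logic; the legitimate Yandex domains, the similarity threshold, the 30-day "new domain" window and the URL path are assumptions, and the sample message is constructed from the values quoted in the review.

```python
"""Phishing indicators for a brand-impersonation mailing (added example)."""
from datetime import date
from difflib import SequenceMatcher
from urllib.parse import urlparse

BRAND_LABEL = "yandex"                       # assumption: label the look-alikes imitate
LEGIT_DOMAINS = {"yandex.ru", "yandex.com"}  # assumption: the brand's real domains
LOOKALIKE_THRESHOLD = 0.7                    # assumption: passes yanrex.com and yanclex.ru
NEW_DOMAIN_DAYS = 30                         # assumption: "new" if registered within 30 days


def registrable_domain(host):
    """Reduce a host name to its last two labels, lower-cased (no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def lookalike_ratio(domain):
    """Similarity of the second-level label to the brand label (1.0 = identical)."""
    return SequenceMatcher(None, domain.split(".")[0], BRAND_LABEL).ratio()


def phishing_indicators(sender, urls, registrations, seen_on):
    """Return the indicators found; registrations maps domain -> whois creation date."""
    found, lookalikes = [], []
    sender_domain = registrable_domain(sender.rsplit("@", 1)[-1])
    for url in urls:
        domain = registrable_domain(urlparse(url).hostname or "")
        if domain in LEGIT_DOMAINS:
            continue                          # link really goes to the brand
        if lookalike_ratio(domain) >= LOOKALIKE_THRESHOLD:
            lookalikes.append(domain)
            found.append(f"lookalike domain {domain}")
        created = registrations.get(domain)
        if created is not None and (seen_on - created).days < NEW_DOMAIN_DAYS:
            found.append(f"new domain {domain} ({(seen_on - created).days} days old)")
    # a brand look-alike sent from a domain the brand does not use is the phishing tell
    if lookalikes and sender_domain not in LEGIT_DOMAINS:
        found.append(f"sender domain {sender_domain} unrelated to {BRAND_LABEL}")
    return found


# Constructed sample from the December 22 attack: sender, domain and whois date
# are from the review, the URL path is assumed.
SAMPLE_SENDER = "qkd@boetticher.com"
SAMPLE_URLS = ["http://YANREX.COM/login"]
SAMPLE_WHOIS = {"yanrex.com": date(2007, 12, 11)}
SEEN_ON = date(2007, 12, 22)

if __name__ == "__main__":
    for hit in phishing_indicators(SAMPLE_SENDER, SAMPLE_URLS, SAMPLE_WHOIS, SEEN_ON):
        print(hit)
```

Both October and December domains clear the threshold, while an unrelated domain such as the sender's scores far below it.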
The Storm Worm should also be mentioned in this review. This time the
worm was disguised as a Secret Santa. At least two types of spam
messages, with "Your Secret Santa" and "Merry Christmas From your
Secret Santa" in their Subject field, have been discovered. Both asked
the user to spend a couple of minutes following a link to a web page
that contained an installation script. The Santa appears similar to
the well-known spam mailing programme BackDoor.Groan and is detected
as Trojan.Packed.262.
Two more spam mailings occurred in December. The first spread the
Win32.HLLM.Graz mail worm (also similar to BackDoor.Groan). It works
as before: the message body contains a link to a web page, and
following the link in Internet Explorer infects the machine. The
second was a mailing of BackDoor.Bulknet malicious programmes, which
use rootkit techniques to hide in the system, modify registry keys and
send out spam messages.
In addition, the last days of December saw increased activity from
spammers using new channels; in particular, spam was sent over ICQ, a
popular instant messaging service. The messages offered access to
adult content via paid SMS, or were ordinary offers to buy a company
database.
Finally, we would like to mention a spam mailing connected with the
activity of Trojan.Spambot 2386 and Trojan.Spambot 2387. The messages
had the subject "New Year Postcard"; there were several variants of
wording, but the link was always the same: http://happycards2008.com/.
This was the second successful Trojan attack on users' computers since
December 26. Doctor Web anti-virus has been able to detect and block
these attacks since they started.