Solutions Buy Download Information Partners Support Forum About us «Doctor Web» company news (RSS channel)

Look out for malicious Valentine greetings!

February 14, 2008

A malicious programme that entered Dr.Web malware database as BackDoor.Groan came into existence over a year ago. It was spread with a spam mailing and constituted 80% of infected mail traffic. BackDoor.Groan was detected in spam messages throughout 2007 and it looks like its authors want it to move into 2008. The creators of the malware are constantly changing packers for an executable and apply social engineering techniques to spread it. Almost every world holiday or tragic event was exploited by a spam mailing from criminals. It should also be mentioned that after a while when the first variation of the malware appeared the authors changed the method used to spread it: it was not attached to a mail message any longer but the message provided a link. Following it using the Internet Explorer executed a downloading script and the backdoor programme got into the system unnoticed.

The St. Valentine's day has also been used by the creators of the programme who distributed a spam mailing with messages containing Valentine Friends, You are My Valentine, Powerful Love as a subject. A message offered a link to download a "Valentine greeting" - valentine.exe (included into Dr.Web virus database as Trojan.Packed.357). When launched the programme installs a driver with a random name (detected by Dr.Web as Trojan.Spambot.2569) and places it to the Windows system directory along with a P2P configuration file. It places its code to %systemroot%\system32\services.exe and starts sending requests using random UDP ports. Upon receiving a reply it starts sending out spam.

Users of solutions by Doctor Web, Ltd. don't need to worry about the threat - SpIDerMail anti-spam filter successfully filters out Trojan.Packed.357 mailings. Dr.Web Mozilla Thunderbird link checker allows checking a page the link points to for embedded malicious scripts (visit http://www.freedrweb.com for more details about free link-checker browser plug-in).

However, if you believe that your machine has been infected by Trojan.Packed.357, you can download a free Dr.Web CureIt! utility and use it to scan all your logical disks. Apply the "Cure" option to all detected objects.


   Information





Doctor Web, Ltd. © 2012 Doctor Web, Ltd. - a Russian company developing and distributing Dr.Web® Anti-virus solutions.
Our customers can be found among home users from all regions of the world and in large enterprises, small companies and nationwide corporations. We thank all of them for support and long-term devotion to our product. State certificates and awards received by the Dr.Web Anti-virus, as well as the geography of our users are the best evidence of exceptional trust to the products created by the talented Russian programmers.