
Look out for malicious Valentine greetings!

February 14, 2008

A malicious programme that entered the Dr.Web malware database as BackDoor.Groan came into existence over a year ago. It was spread by spam mailings and constituted 80% of infected mail traffic. BackDoor.Groan was detected in spam messages throughout 2007, and it looks like its authors want to carry it over into 2008. The creators of the malware constantly change the packers used for the executable and apply social engineering techniques to spread it. Almost every world holiday or tragic event was exploited in a spam mailing by the criminals. It should also be mentioned that some time after the first variation of the malware appeared, the authors changed the method used to spread it: it was no longer attached to a mail message; instead, the message provided a link. Following the link in Internet Explorer executed a downloading script, and the backdoor programme got into the system unnoticed.

St. Valentine's Day has also been used by the creators of the programme, who distributed a spam mailing with "Valentine Friends", "You are My Valentine" or "Powerful Love" as the message subject. A message offered a link to download a "Valentine greeting", valentine.exe (included in the Dr.Web virus database as Trojan.Packed.357). When launched, the programme installs a driver with a random name (detected by Dr.Web as Trojan.Spambot.2569) and places it in the Windows system directory along with a P2P configuration file. It places its code into %systemroot%\system32\services.exe and starts sending requests using random UDP ports. Upon receiving a reply, it starts sending out spam.

Users of solutions by Doctor Web, Ltd. don't need to worry about the threat: the SpIDerMail anti-spam filter successfully filters out Trojan.Packed.357 mailings. The Dr.Web Mozilla Thunderbird link checker can check the page a link points to for embedded malicious scripts (visit http://www.freedrweb.com for more details about the free link-checker browser plug-in).

However, if you believe that your machine has been infected by Trojan.Packed.357, you can download the free Dr.Web CureIt! utility and use it to scan all your logical disks. Apply the "Cure" option to all detected objects.
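
The network behaviour described above (requests on random UDP ports, then spam once a reply arrives) can also be looked for in flow logs. The following is an added example, not Doctor Web code: a sketch that flags hosts showing UDP fan-out across many ports followed by SMTP connections to several servers. The record layout, the thresholds, the use of destination ports, TCP port 25 as the spam channel and all sample records are assumptions constructed for illustration.

```python
from collections import defaultdict

IGNORED_UDP = {53, 123}  # DNS and NTP are expected from any host (assumption)

# Constructed flow records: (epoch_s, src_host, proto, dst_ip, dst_port)
SAMPLE_FLOWS = (
    # 10.0.0.21: UDP to five unrelated ports, then SMTP to three servers
    [(100 + 10 * i, "10.0.0.21", "udp", f"198.51.100.{i + 1}", port)
     for i, port in enumerate([4021, 17833, 29164, 40752, 51907])]
    + [(200 + 30 * i, "10.0.0.21", "tcp", f"203.0.113.{i + 1}", 25)
       for i in range(3)]
    # 10.0.0.30: a mail relay, SMTP fan-out but only DNS over UDP
    + [(50, "10.0.0.30", "udp", "10.0.0.2", 53)]
    + [(60 + 5 * i, "10.0.0.30", "tcp", f"203.0.113.{i + 10}", 25)
       for i in range(6)]
    # 10.0.0.44: UDP fan-out (for example a P2P client) but no SMTP at all
    + [(300 + i, "10.0.0.44", "udp", f"198.51.100.{i + 50}", 6000 + 911 * i)
       for i in range(8)]
)

def udp_fanout_time(events, min_ports, window):
    """Earliest time at which min_ports distinct UDP ports were hit within window s."""
    events = sorted(events)
    for i, (ts, _) in enumerate(events):
        ports = {p for t, p in events[:i + 1] if ts - t <= window}
        if len(ports) >= min_ports:
            return ts
    return None

def suspicious_hosts(flows, min_ports=5, min_smtp=3, window=600):
    """Hosts showing UDP port fan-out followed by SMTP to several servers."""
    udp, smtp = defaultdict(list), defaultdict(list)
    for ts, host, proto, dst_ip, dst_port in flows:
        if proto == "udp" and dst_port not in IGNORED_UDP:
            udp[host].append((ts, dst_port))
        elif proto == "tcp" and dst_port == 25:
            smtp[host].append((ts, dst_ip))
    flagged = []
    for host, events in udp.items():
        start = udp_fanout_time(events, min_ports, window)
        if start is None:
            continue
        dests = {ip for ts, ip in smtp[host] if start <= ts <= start + window}
        if len(dests) >= min_smtp:
            flagged.append(host)
    return sorted(flagged)

if __name__ == "__main__":
    print(suspicious_hosts(SAMPLE_FLOWS))
```

Requiring both signals in sequence keeps a legitimate mail relay and an ordinary P2P client from being flagged on their own.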



Doctor Web, Ltd. © 2008 Doctor Web, Ltd. - a Russian company developing and distributing Dr.Web® Anti-virus solutions.
Our customers can be found among home users from all regions of the world and in large enterprises, small companies and nationwide corporations. We thank all of them for support and long-term devotion to our product. State certificates and awards received by the Dr.Web Anti-virus, as well as the geography of our users are the best evidence of exceptional trust to the products created by the talented Russian programmers.