
June virus activity review from Doctor Web, Ltd.

July 3, 2008

Concerning viruses

The increased spread of a dangerous file virus classified by Dr.Web as Win32.Sector.5 (aka Sality) cannot be passed over. The number of requests to the helpdesk from system administrators concerning malicious activity of this virus turned out to be so large that it can fairly be called an epidemic. According to those affected by the malware, the present modification of Sector started causing problems in February this year. By now the epidemic has escalated to an astounding level. Banks, audit companies, retail chains, software developers, engineering companies, research facilities and federal cultural institutions have been affected by the file virus.

The first samples of the Sector family appeared in early 2003. In five years the malware has mutated, retaining its destructive capabilities and acquiring new ones. Each subsequent variant of the virus tended to hide its presence in the system more thoroughly. Experts of the Doctor Web, Ltd. anti-virus laboratory believe this evolution is evidence that Win32.Sector.5 may now be used to hide other, less complex but equally malicious programs that steal sensitive information or send out spam.

As soon as Win32.Sector.5 gets into a system it injects its code into all processes currently running in memory and removes certain branches of the system registry so that booting in Safe Mode becomes impossible. After that the file virus infects all .exe and .scr files on all available disks and network shares. To spread faster it also infects autorun and the most frequently launched files. Besides, Win32.Sector.5 deletes files and processes belonging to most known anti-virus programs and blocks access to the web sites of anti-virus vendors, so that updates fail. Unlike other anti-viruses that either block access to an infected file or delete it, Dr.Web cures files infected by the file virus. The malware is not a threat to users of Dr.Web anti-virus who update the virus database regularly. If you are using some other anti-virus but have reason to believe that your computer may be infected by Win32.Sector.5, you can check your system with the free curing utility Dr.Web CureIt!.
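Two of the symptoms above (Safe Mode disabled through the registry, vendor sites blocked) are easy for an administrator to check on artifacts copied off a suspect machine before running a scanner. The script below is an added example written for this review, not Doctor Web code and not a Sector detection signature. It assumes, which the review does not state, that the registry branches removed are the SafeBoot\Minimal and SafeBoot\Network subkeys (read from a `reg export HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot` dump) and that vendor sites are blocked by pinning their hostnames in the hosts file; the vendor domain list and both sample artifacts are constructed for illustration.

```python
"""Offline triage for the Win32.Sector.5 (Sality) symptoms described above.

Inputs are artifacts copied off a suspect Windows machine, not live registry
or file-system access, so this runs anywhere. Two assumptions not stated in
the review:
  * the "certain branches" removed to defeat Safe Mode are the
    SafeBoot\\Minimal and SafeBoot\\Network subkeys, checked here from a
    `reg export HKLM\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot` dump
    (open it with encoding="utf-16", which is what reg.exe writes);
  * vendor sites are "blocked" by pinning their hostnames in
    %SystemRoot%\\System32\\drivers\\etc\\hosts.
"""
import re
from typing import Dict, List

# Safe Mode boot lists that exist on every normal Windows install.
SAFEBOOT_REQUIRED = ("Minimal", "Network")

# Vendor domains to look for in hosts; an assumed, illustrative list.
AV_UPDATE_DOMAINS = ("drweb.com", "kaspersky.com", "symantec.com",
                     "mcafee.com", "eset.com")

# Matches the first path component below SafeBoot in a .reg key header.
_SAFEBOOT_KEY = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot"
    r"\\([^\\\]]+)", re.IGNORECASE)


def missing_safeboot_subkeys(reg_export: str) -> List[str]:
    """Return the required SafeBoot subkeys absent from a `reg export` dump."""
    present = set()
    for line in reg_export.splitlines():
        m = _SAFEBOOT_KEY.match(line.strip())
        if m:
            present.add(m.group(1).lower())
    return [k for k in SAFEBOOT_REQUIRED if k.lower() not in present]


def blocked_av_domains(hosts_text: str) -> Dict[str, str]:
    """Map each vendor hostname pinned in hosts to the address it points at."""
    blocked = {}
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            n = name.lower()
            if any(n == d or n.endswith("." + d) for d in AV_UPDATE_DOMAINS):
                blocked[n] = addr
    return blocked


def triage(reg_export: str, hosts_text: str) -> List[str]:
    """Human-readable findings; an empty list means neither symptom is present."""
    findings = []
    for key in missing_safeboot_subkeys(reg_export):
        findings.append(f"SafeBoot\\{key} subkey missing: Safe Mode boot will fail")
    for host, addr in blocked_av_domains(hosts_text).items():
        findings.append(f"hosts pins {host} to {addr}: vendor updates blocked")
    return findings


# Constructed samples, not captures from a real machine.
INFECTED_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
"AlternateShell"="cmd.exe"
"""

HEALTHY_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
"AlternateShell"="cmd.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Base]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Base]
@="Driver Group"
"""

TAMPERED_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       update.drweb.com
127.0.0.1       www.kaspersky.com    # appended by the virus
192.168.0.10    fileserver.corp.example
"""

CLEAN_HOSTS = "127.0.0.1       localhost\n"

if __name__ == "__main__":
    for finding in triage(INFECTED_REG, TAMPERED_HOSTS):
        print(finding)
```

A clean result from this script proves nothing about the .exe and .scr infections themselves; it only tells the administrator whether the two side effects are present, which is what decides whether Safe Mode and online updates can still be relied on during cleanup.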

On Trojans

The news of another modification of a Trojan from the encoder family – Trojan.Encoder.18 (aka Gpcode) – stirred the Internet at the beginning of June. Having infiltrated the system, the Trojan searches for files with certain extensions (typically Microsoft Office documents) and encrypts their contents. After that the owner of the files is offered to pay for decryption. Restoring data after this malware has run is far from simple, because the malefactor uses a 1024-bit RSA key. Users of Dr.Web had been protected against Trojan.Encoder.18 even before a sample entered the virus database: the unique Origins Tracing™ technology allowed the malware to be detected as Trojan.Sespy.origin.

Last year, when the author of the Trojan used shorter encryption keys, it was obvious that the scheme would eventually become stronger. Meanwhile, some anti-virus vendors rushed to boast of their decryption capabilities even though it was clear that they were bound to lose this sort of contest. Sooner or later the key would become long enough to push the time needed to break it beyond any reasonable limit. Anti-virus experts of Doctor Web, Ltd. focused on prompt detection of the dangerous program so that it would not get the chance to use its destructive capabilities. This approach turned out to be more efficient than raising a worldwide call to factor a kilobit RSA key.

Curious

The contact entry with UIN 12111 that caused panic among users of the ICQ instant messaging service certainly became quite an incident. The technical support service of Doctor Web, Ltd. received many questions from users concerned about the "viral" contact list entry, even though a contact entry by itself cannot do any harm. The turmoil died down only when the 12111 entry was explained on the ICQ web site.

A few words about spam

In June spam messages tended to become smaller and shorter. Messages with a catchy subject line and a link accompanied by a brief comment in the body were sent in ten waves. Links have become one of the common ways to evade spam filters. The trick can also be dangerous, since the link may lead to an infected web page, so a user gets a Trojan along with the content. Doctor Web, Ltd. described one such mailing last month. The virus monitoring service registered over 50 mailings of this kind, and many of them lasted for quite a while.

Dr.Web AV-Desk virus top 20

Period: 01.06.2008 00:00 - 01.07.2008 00:00

 #   Name                        Detections   Share
 1   Trojan.Starter.516              601730   28.08%
 2   Win32.HLLM.Generic.440          241884   11.29%
 3   Win32.HLLW.Gavir.ini            220720   10.30%
 4   BackDoor.Bulknet.214            142402    6.65%
 5   BackDoor.Aimbot                 133710    6.24%
 6   Trojan.NtRootKit.425            127033    5.93%
 7   Adware.SaveNow.128               46982    2.19%
 8   Win32.Expiro.7                   22141    1.03%
 9   Exploit.IFrame.41                19108    0.89%
10   VBS.Igidak                       18492    0.86%
11   Win32.HLLP.Jeefo.36352           18149    0.85%
12   Program.RemoteAdmin              17512    0.82%
13   Win32.Sector.20480               15938    0.74%
14   Trojan.DownLoader.42350          15816    0.74%
15   Win32.Alman                      14665    0.68%
16   Trojan.Recycle                   13752    0.64%
17   Win32.HLLP.Sector                13714    0.64%
18   VBS.Generic.548                  13675    0.64%
19   Win32.HLLW.Gavir.54              13503    0.63%
20   Win32.HLLP.Whboy                 13191    0.62%

June virus top 20 in e-mail

Period: 01.06.2008 - 30.06.2008

 #   Name                          Messages   Share
 1   Win32.HLLW.Autoruner.437        245788   17.85%
 2   Win32.HLLM.Netsky.35328         163596   11.88%
 3   BackDoor.Bulknet.214             78683    5.72%
 4   Trojan.PWS.Lich                  70877    5.15%
 5   Win32.HLLP.PissOff.36864         65000    4.72%
 6   Win32.HLLM.Netsky.based          62291    4.52%
 7   Win32.HLLW.Autoruner.2147        53621    3.89%
 8   Trojan.NtRootKit.425             45741    3.32%
 9   Win32.HLLM.MyDoom.based          34515    2.51%
10   Win32.HLLM.Beagle                33763    2.45%
11   Win32.Virut                      25187    1.83%
12   Trojan.Recycle                   22821    1.66%
13   Win32.HLLW.Autoruner.1831        22218    1.61%
14   Exploit.MS05-053                 21490    1.56%
15   VBS.Igidak                       18517    1.34%
16   Trojan.MulDrop.16727             18420    1.34%
17   Win32.HLLP.Sector                16092    1.17%
18   Win32.HLLM.Oder                  16056    1.17%
19   Trojan.Nsanti.Packed             15774    1.15%
20   Win32.HLLM.Netsky.24064          15516    1.13%



