I found this email review I received to be a good, concise overview of malware activity over the last month.
I hope it will be of interest. I’m in no way affiliated with “Dr.Web”, only wishing to share information.
Doctor Web, Ltd. Virus Review — July, 2006
August 1, 2006
July of 2006 turned out to be rather calm for viruses, not counting
several latent epidemics of Win32.HLLM.Netsky and Win32.HLLM.MyDoom mail
worms.
Still, it is worth mentioning here the propagation of a “new” modification
of Win32.HLLM.Beagle that started late in June. We call it “new”, as the
propagation technique of the worms from this family has remained unchanged
since 2004 — they are spread as attachments to mail messages in
password-protected ZIP archives, and the password is displayed in the body
of the infected message as a graphic image. This propagation technique was
designed to make their detection by AV filters as difficult as possible.
The “new” modification of Win32.HLLM.Beagle has an important
peculiarity — rootkit components. The use of rootkits has become the
dominant tendency in the creation of malicious code, and numerous
variants of BackDoor.Haxdoor and BackDoor.HackDef are proof of it.
The malicious goals of cyber criminals remain the same — spam distribution
via users’ computers and the stealing of confidential user data. And the main
“assistants” of malefactors are vulnerabilities in software and careless
users. Another example of users’ carelessness – the contamination of more than
a million computers via a banner at MySpace.com. The banner exploited
the flaw in Windows Metafile (WMF) disclosed in January, 2006. The
vulnerable systems downloaded malicious programs classified by Doctor Web,
Ltd. as Trojan.PurityAd and Adware.ClickSpring. (read news about this
incident here).
“Trojanized downloaders” (classified by Doctor Web, Ltd. as
Trojan.DownLoader) remain the most popular way of distributing virus
code. They download additional malicious code from the Internet
without users noticing.
Another event of this month — the detection of malicious code exploiting
a newly discovered vulnerability in MS PowerPoint. The vulnerability allows
arbitrary code to be launched secretly on a victim’s system.
It is also worth mentioning the short-term increase in activity
(approximately 12%) in mid-July of the so-called phishers. Phishing
techniques include sending counterfeit messages to potential victims,
pretending to be written by some bank. A user is asked to visit a forged
web site and confirm their banking details — PIN codes and other sensitive
information used by criminals to steal money from the victim’s account.
Analysts of the Virus Monitoring Service of Doctor Web, Ltd. have added a
special entry to the virus base that allows detection of a wide spectrum of
modifications of such malicious code – Trojan.Bankfraud.272.
In July, 2006 the world saw the birth of another kind of fraud — vishing
— an Internet fraud technique, a kind of phishing. It uses “war diallers”
and VoIP technology for malicious purposes to steal personal
sensitive data, such as passwords, banking details, identification card
details, etc. Potential victims receive telephone calls that appear to be
made by legitimate companies and institutions. They are asked to confirm
PIN codes or passwords from the keyboards of their smart phones or PDAs,
which are later used by criminals to steal money from bank accounts and in
other crimes.
The end of the month saw a new variant of a Trojan program labeled by Doctor
Web, Ltd. as Trojan.PWS.LDPinch.1061, which propagates via instant
messaging networks (ICQ). This Troj was designed to intercept and then
send to a remote server all passwords collected on the compromised
systems: icq, ftp, mail services, dialup, trilian, miranda, etc. Read more
about this Troj here.
Below are the virus statistics for July, 2006 by Doctor Web, Ltd., presenting
the 20 most widespread viruses:
Virus name % of total quantity
Win32.HLLM.Beagle 25.08
Win32.HLLM.Netsky.35328 12.00
Win32.HLLM.MyDoom.based 9.94
Win32.HLLM.Beagle.pswzip 7.49
Win32.HLLM.Netsky.based 7.46
Trojan.Bankfraud.272 7.25
Win32.HLLM.MyDoom 3.92
Win32.HLLM.Graz 3.80
Win32.HLLM.Perf 2.69
Win32.HLLM.MyDoom.33808 2.23
Win32.HLLM.MyDoom.49 2.14
Win32.HLLM.Beagle.19802 1.42
Win32.HLLM.Lovgate.9 1.11
Win32.HLLM.Perf.based 1.08
Exploit.IframeBO 1.01
Win32.HLLM.Beagle.27136 0.85
Win32.HLLM.Netsky 0.81
Program.RemoteAdmin 0.75
Win32.HLLM.Bagz 0.73
Win32.HLLM.Generic.391 0.66
BackDoor.IRC.HellBot 0.63
Doctor Web, Ltd.
http://www.drweb.com
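
An added example, not part of the Doctor Web review or the original post: one way a mail filter can notice the Beagle-style delivery described above (a password-protected ZIP attachment with the password shown as an image) without knowing the password, by reading the encryption flag in the ZIP headers. The quarantine/review policy, the function names and the sample messages are assumptions constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

ENCRYPTED = 0x1  # ZIP general-purpose flag bit 0: entry is encrypted


def encrypted_members(data):
    """Return names of encrypted entries in a ZIP blob ([] if none or not a ZIP)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [i.filename for i in zf.infolist() if i.flag_bits & ENCRYPTED]
    except zipfile.BadZipFile:
        return []


def triage(raw):
    """Hypothetical policy: encrypted ZIP plus an image part -> quarantine."""
    msg = message_from_bytes(raw, policy=policy.default)
    locked, has_image = [], False
    for part in msg.walk():
        if part.get_content_maintype() == "image":
            has_image = True
        payload = part.get_payload(decode=True) or b""  # None for multipart containers
        # Inspect content, not the file name or MIME type, which the sender controls.
        if payload.startswith(b"PK\x03\x04"):
            locked += encrypted_members(payload)
    if not locked:
        return "pass"
    return "quarantine" if has_image else "review"


def sample(encrypted, with_image):
    """Constructed message; the ZIP is only *marked* encrypted by patching its flags."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("doc.txt", "constructed sample")
    z = bytearray(buf.getvalue())
    if encrypted:
        z[6] |= ENCRYPTED                          # local file header flags
        z[z.find(b"PK\x01\x02") + 8] |= ENCRYPTED  # central directory flags
    m = EmailMessage()
    m["Subject"] = "constructed"
    m.set_content("see attachment")
    m.add_attachment(bytes(z), maintype="application", subtype="octet-stream", filename="a.zip")
    if with_image:
        m.add_attachment(b"GIF89a", maintype="image", subtype="gif", filename="p.gif")
    return m.as_bytes()
```

The image check is deliberately coarse: it cannot read the password out of the picture, it only records that the two elements of this delivery pattern arrived together.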