October 5, 2009
September is the time when children get back to their computers to do their homework and adults return from holiday trips to their office desks. As the number of Internet users grows, so does the number of malicious threats and the number of victims of cyber fraud and virus attacks. The most notable events of the past month were the increased activity of Trojan.Encoder, which encrypted data on compromised systems, fake anti-viruses, and "guides" to cracking social networking accounts. Doctor Web presents its review of these events and other malicious trends of September.
Another Trojan.Encoder surge
In September Doctor Web registered an increased number of Russian users who fell victim to Trojan.Encoder, which encrypted users' documents and demanded a ransom for decryption. The ransom demanded has grown; however, paying it never guaranteed that a victim would receive a decryption tool or that such a tool would actually work. Every day dozens of users get help from Doctor Web to restore their encrypted files.
The last week saw three new modifications of Trojan.Encoder, each featuring new encryption keys and different contact details for the cyber criminal. Doctor Web promptly provided users with decryption utilities for each of them. The most interesting modification of this piece of ransomware, however, turned out to be the latest one: it appends the drweb extension to encrypted files. Evidently the successful neutralisation of the ransomware by Dr.Web anti-viruses drove its author to play a mean trick on Doctor Web by using its brand as part of the filename.
Doctor Web analysts also got hold of a link to a malicious site maintained by the author of the latest Trojan.Encoder modifications. It should be noted that the cyber criminal adopted images of a spider and a doctor to trick users into thinking that he was in some way related to Doctor Web, which is certainly not true. Apparently such a design aims to confuse users and discredit Doctor Web.
The criminal does his best to present himself as a benefactor who helps people restore their data. His web-site provides users with a demonstration video showing how the utility a user is offered to pay for works.
Based on available information we can suggest that there is only one man behind the extortion of money from users whose documents have been encrypted.
Some anti-viruses are good, others aren’t
Fake anti-viruses have been a cause of problems and worries for many users worldwide. Various techniques, ranging from traditional spam mailings to dedicated advertising web-sites, were adopted to trick users into downloading and installing such programs.
Trojan.Fakealert.5115 was one of the fake anti-viruses found in large numbers on the Internet, reaching its highest detection figure on September 27, when 800 000 detections of this malicious program were registered by Doctor Web statistics servers.
When Trojan.Fakealert.5115 is launched, an infection alert appears in the notification area and the user is prompted to download special software to avoid possible data loss. The user has to click on the message to allow "Windows" to download the required software automatically.
After that, other components of Trojan.Fakealert.5115, detected by Dr.Web as Trojan.Fakealert.4709 and Trojan.Fakealert.5112, are downloaded from servers set up by cyber criminals. Another visual manifestation of Trojan.Fakealert.5115 is the window of a fake anti-virus product called Antivirus Pro 2010.
New modifications of this fake anti-virus – Trojan.Fakealert.5229 and Trojan.Fakealert.5238 – have been registered recently. Unlike other variations of the fake anti-virus, Trojan.Fakealert.5229 reboots a compromised system during its operation.
Trojan.Fakealert.5238, in its turn, displays a modified Windows Security Centre window informing the user that his computer is supposedly protected by Antivirus Pro 2010 but that a license needs to be purchased.
Someone wants to crack a social networking web-site?
One virus maker made an unusual proposition to potential victims. On his web-page he described a method that would supposedly enable users to gain access to registered user accounts of a Russian social networking web-site and at the same time protect their own accounts from unauthorized access.
Naturally, the method never brought would-be hackers any success. In case of failure, the cyber criminal also offered users a program to download that would perform all the required actions automatically. Yet downloading and running the application led to disappointment once again, which is hardly surprising, since the program is a piece of malware detected by Dr.Web anti-viruses as Trojan.DownLoad.47503.
Statistics show that hundreds of users decided to join the ranks of hackers. This malicious program can still be found in the wild, with the highest number of detections registered on September 28.
Trojan.Winlock once again. Now over ICQ together with the pinch
A new Trojan.Winlock modification, Trojan.Winlock.252, and Trojan.PWS.LDPinch.1941 were spread over ICQ in the last week of September.
An ICQ user received a message prompting him to follow a link to look at a photograph. Following the link resulted in the download of the lock.ex file, compressed with a viral packer. This dropper stored four other files on the compromised system: explorerr.ex, svcoost.ex, 43.jpg and 154.bat. The bat file was used to remove the dropper. Explorerr.ex is detected by Dr.Web anti-viruses as Trojan.PWS.LDPinch.4308 compressed with the FSG packer; when unpacked, the object is detected as Trojan.PWS.LDPinch.1941, while the svcoost.ex file is detected as Trojan.Winlock.252. Spreading a Trojan.Winlock program together with a "pinch" makes the threat even more dangerous, because the compromised system is not simply blocked: all passwords found on the computer are stolen as well.
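The dropped file names above (explorerr.ex, svcoost.ex) imitate legitimate Windows binaries (explorer.exe, svchost.exe) with a one-character change. The following triage script is an added example, not code from the review or from Doctor Web: it flags executables whose names are within a small edit distance of well-known system binary names. The list of legitimate stems beyond explorer and svchost, and the sample directory listing, are assumptions constructed for the demonstration.

```python
import ntpath
from typing import Dict, List, Optional

# Legitimate Windows binary stems that droppers imitate. explorer and svchost
# are the ones mimicked in this review; the rest are added as assumptions.
LEGIT_STEMS = {"explorer", "svchost", "lsass", "csrss", "winlogon", "services"}
# ".ex" is included because the review lists the dropped files with that extension.
EXEC_EXTS = {".ex", ".exe", ".bat", ".com", ".scr"}

def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (classic dynamic-programming version)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(filename: str, max_dist: int = 2) -> Optional[str]:
    """Return the legitimate stem this name imitates, or None if it is exact or unrelated."""
    stem, ext = ntpath.splitext(filename.lower())
    if ext not in EXEC_EXTS or stem in LEGIT_STEMS:
        return None
    best = min(LEGIT_STEMS, key=lambda legit: levenshtein(stem, legit))
    return best if levenshtein(stem, best) <= max_dist else None

def triage(paths: List[str]) -> Dict[str, str]:
    """Map each suspicious path to the legitimate name it imitates."""
    hits = {}
    for p in paths:
        legit = lookalike_of(ntpath.basename(p))  # ntpath handles backslash paths anywhere
        if legit:
            hits[p] = legit
    return hits

# Constructed sample listing, modelled on the dropped files named in the review.
SAMPLE = [r"C:\Windows\explorer.exe", r"C:\Windows\svchost.exe",
          r"C:\Windows\explorerr.ex", r"C:\Windows\svcoost.ex",
          r"C:\Windows\43.jpg", r"C:\Windows\154.bat"]

if __name__ == "__main__":
    for path, legit in triage(SAMPLE).items():
        print(f"{path}: looks like {legit}")
```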
Mail viruses persist
Currently Trojan.DownLoad.47256 is the most frequently detected piece of malware in e-mail traffic. The peak of its outbreak has already passed; however, Doctor Web's statistics servers still register hundreds of thousands of Trojan.DownLoad.47256 detections.
August review from Doctor Web) spread with messages supposedly sent by DHL Express.
The outbreak of Trojan.Packed.2915 reached its maximum on September 25. It is now likely to decline, but the number of detections is still measured in tens of thousands per day.
[Chart] Viruses detected in e-mail traffic in September (01.09.2009 00:00 - 01.10.2009 00:00)
[Chart] Viruses detected on user machines in September (01.09.2009 00:00 - 01.10.2009 00:00)
The endless story of Trojan.Encoder, fake anti-viruses on the offensive and other malicious trends of September 2009