Antivirus World
 
 News archive about antivirus software, virus threats, trojans 

February 2007

A new Nurech worm exploits Valentine’s Day to infect computers -- Posted by Igor_Donchenko on Thursday, February 15 2007
PandaLabs has detected the Nurech.B worm, which arrives under the guise of Valentine's messages. Its predecessor, Nurech.A, caused an orange alert status some days ago using the same means.

The email messages carrying Nurech.B have a variable subject. These include: "Happy Valentine's Day", "Valentines Day Dance", "The Valentines Angel". The email sender also varies, although it is always a woman's name such as Sandra, Willa, Wendy or Vicky.

The message attachment containing the worm simulates an e-greeting card, using names like "Greeting Postcard.exe", "Greeting card.exe" or "Postcard.exe".

If users run the attached file, the worm creates various files on the computer. One of them is a copy of itself, while another is a rootkit that conceals Nurech.B's presence. The worm also disables various security applications that could be installed on the system.

"The author of this worm is determined to cause an epidemic by exploiting Valentine's Day. It would seem that as its predecessor, Nurech.A, provoked an alert some days ago, they are giving it another try on Valentine's Day in order to be more effective" confirms Luis Corrons, technical director of PandaLabs, who warns: "Do not open any Valentine greetings or other messages without scanning them previously with an up-to-date antivirus solution".

Source: http://www.pandasoftware.com

Top Ten viruses most frequently detected by Panda ActiveScan in January -- Posted by Igor_Donchenko on Wednesday, February 14 2007
As it does every month, PandaLabs has drawn up the list of the ten viruses most frequently detected by ActiveScan, the free online antivirus solution from Panda Software.

As happened throughout 2006, the January Top Ten is headed by Sdbot.ftp, a generic detection of the script used by some malicious code to exploit certain vulnerabilities and download a sample of the Sdbot family of worms to targeted computers. Torpig.A remains second in the list, a position it has held since last October. Torpig.A is a Trojan designed to steal confidential information from computers, including passwords saved by certain Windows services.

There has been some variation in the next few positions in the Top Ten, although not very significant. Puce.E, fourth last month, takes third place, whereas Abwiz.A has moved up from fifth place into fourth. The first major change in the ranking comes with the fifth position occupied by PcClient.DU, a backdoor Trojan that didn't make the Top Ten last month. This code allows attackers to take control of the victim's computer remotely.

Virus Name            Percentage
W32/Sdbot.ftp.worm    1.96
Trj/Torpig.A          1.46
W32/Puce.E.worm       1.17
Trj/Abwiz.A           1.16
Bck/PcClient.DU       0.99
W32/Brontok.H.worm    0.94
Trj/QQPass.JZ         0.94
W32/Netsky.P.worm     0.87
W32/Nuwar.B.worm      0.68
W32/Bagle.HX.worm     0.63

Another major change is the fall of QQPass.JZ from third place to seventh, whereas Brontok.H takes sixth place, coming up from ninth position. The old-timer Netsky.P, a worm that exploits certain Internet Explorer vulnerabilities in order to spread, remains in eighth place. The last two places in the ranking are occupied by two malicious codes not present last month: Nuwar.B, a worm that had some impact at the start of the month as it spread in emails passing themselves off as Christmas greetings, and Bagle.HX, a worm that downloads files, malware included, to infected computers and has rootkit features to hide its processes.

"An aspect worth mentioning is the fact that the percentage of computers infected by the codes that occupy the top five positions in the ranking has increased this month. This shows that, despite the sense of security among most users, Internet threats are still present and very active. Moreover, there is the added danger that, lately, the great majority of threats aim at stealing users' money", explains Luis Corrons, Technical Director of PandaLabs.

Source: http://www.pandasoftware.com

Virus Top Twenty for January 2007 from Kaspersky Labs -- Posted by Igor_Donchenko on Monday, February 12 2007

Position  Change in position  Name                                Percentage
1.        +5                  Email-Worm.Win32.Bagle.gt           28,05
2.        +3                  Email-Worm.Win32.NetSky.q           24,01
3.        +5                  Email-Worm.Win32.NetSky.aa          14,63
4.        No Change           Email-Worm.Win32.NetSky.t           4,75
5.        Return              Email-Worm.Win32.Bagle.gen          4,30
6.        New!                Trojan-Downloader.Win32.Small.dam   3,07
7.        +5                  Email-Worm.Win32.NetSky.b           2,56
8.        New!                Trojan-Downloader.Win32.Small.ciw   2,23
9.        -2                  Net-Worm.Win32.Mytob.c              1,99
10.       Return              Email-Worm.Win32.Mydoom.l           1,99
11.       -1                  Email-Worm.Win32.Scano.gen          1,44
12.       Return              Email-Worm.Win32.NetSky.d           1,43
13.       New!                Net-Worm.Win32.Mytob.bt             1,24
14.       Return              Worm.Win32.Feebs.gen                1,12
15.       New!                Trojan-Proxy.Win32.Lager.dp         0,74
16.       Return              Email-Worm.Win32.Mydoom.m           0,69
17.       -2                  Email-Worm.Win32.Warezov.do         0,68
18.       Return              Email-Worm.Win32.NetSky.y           0,46
19.       +1                  Email-Worm.Win32.NetSky.x           0,46
20.       -3                  Exploit.Win32.IMG-WMF.y             0,37
Other malicious programs                                          3,99

When Bagle.gt appeared in our Top Twenty for December 2006, we believed that this might indicate an intensification of the struggle between virus writers to gain control of users' computers. Why? The end of 2006 was notable for the steady evolution of Warezov, another worm, which so far has more than 300 variants. Warezov and Bagle are in direct competition with each other: they both harvest databases containing email addresses, and make it possible to send spam via the infected machines. This type of business is extremely profitable, so the authors of Bagle could not fail to react to the appearance of a competitor. In December Bagle.gt took fifth place, and has since risen to first place. It currently makes up nearly 30% of mail traffic, showing that it will probably continue to cause problems for Internet users for some time to come.

For the moment at least, all Warezov variants are being beaten back by Bagle and other malicious programs. This is supported by the fact that only Warezov.do has remained in the ratings, and in seventeenth place at that. February will show whether or not Warezov has been dealt a mortal blow; it is, of course, possible that we have not heard the last of this worm.

Usually when the viruses at the top of the ratings change places, the rest of the Top Twenty also undergoes a reshuffle in terms of new malicious programs and returnees. The newcomers in January were very interesting.

Most significant are the programs occupying sixth and eighth place in the rankings: Trojan-Downloader.Win32.Small.dam and .ciw. In spite of the fact that they have different variant names, these are effectively one and the same Trojan - the 'storm worm' which was widely written about by the media in January. This worm spreads via the Internet as an attachment to messages, allegedly bringing news of the terrible hurricane in Western Europe, the death of President Putin, and the resurrection of Saddam Hussein. This piece of malware was initially thought to be a new variant of Warezov. However, detailed analysis showed that the program was a totally new family which appeared to be of Asian origin. It may be that there will now be a third player joining the Bagle-Warezov contest. Incidentally, from February onwards we will categorize programs from this family as Email-Worm.Win32.Zhelatin, and we will be tracking its activity.

One of the numerous Mytob variants, Mytob.bt, comes in at thirteenth place. It has been circulating on the Internet for a while now, but has only just managed to make it into our rankings. Somewhat more interesting is fifteenth place, occupied by a Trojan program: Trojan-Proxy.Win32.Lager.dp. As this program is not a worm, and therefore unable to propagate on its own, the fact that it has managed to reach fifteenth place shows that it was spammed on a wide scale. And once again, Lager.dp confirms that virus writers want to use victim machines as spamming platforms - the Trojan functions as an email proxy server.

Given all the evidence above we can say for certain that spam will be on the increase in February 2007.

Other malicious programs made up a small - 3.99% - percentage of all malicious programs intercepted in mail traffic.

Source: http://www.viruslist.com


© AntivirusWorld.com