Lavasoft Security Bulletin: July 2012

Top20 Blocked Malware 

Position Ad-Aware detection % of all threats  
1 Win32.Trojan.Agent 30.55% +13.07%
2 Trojan.Win32.Generic!BT 23.37% +0.12%
3 Trojan.Win32.Generic.pak!cobra 2.66% +2.42%
4 Malware.JS.Generic 2.10% -0.15%
5 Email-Worm.Win32.Brontok.a 2.02% +0.52%
6 Virus.Win32.Sality.ah 1.76% -1.45%
7 Virus.Win32.Ramnit.a 1.52% +0.67%
8 Heur.HTML.MalIFrame 1.52% -0.89%
9 Virus.Win32.Ramnit.b 1.30% -0.13%
10 Trojan.Win32.Jpgiframe 1.23% +0.51%
11 Trojan.Win32.Generic!SB.0 1.22% new
12 Virus.VBS.Ramnit.a 1.19% -0.97%
13 Virus.Win32.Sality.at 1.19% -1.34%
14 Worm.Win32.Chir.D 1.00% new
15 Email-Worm.Win32.Brontok.ik 0.78% new
16 INF.Autorun 0.69% -0.22%
17 HackTool.Win32.Keygen 0.67% new
18 Win32.Sality.ek 0.64% -0.5%
19 Trojan-Clicker.HTML.Iframe 0.62% -1.3%
20 Win32.Backdoor.Zaccess 0.72% new

The Top 20 malicious programs blocked on PCs

Compared to the previous month, July sees the changes in the positions of generic detections and viruses.

A new modification of Email-Worm.Win32.Brontok.ik entered the Top 20 in June, as well as Win32.Backdoor.Zaccess we talked about in our previous post and new generic detection – Trojan.Win32.Generic!SB.0.

Worm.Win32.Chir.D is an oldbie. The worm has virus-like capabilities to infect Windows executable files. It spreads via email attachments as well as all available logical and network drives. In addition, it exploits incorrect MIME header causing IE to execute e-mail attachment (MS01-020). Attackers search the infected PC for htm and html files and write javascript to run an eml file with the worm’s body to the end of the files found. The eml file is located in the folder htm and html files have been found in.

HackTool.Win32.Keygen. The family of malicious programs presents hacker utilities to generate the activation code for different paid programs. As a rule, attackers embed additional malicious functionality into such programs to ensure the user will unknowingly run a malicious program on the PC if he/she does not want to use legal software.

HackTool.Win32.Keygen

 New Incomings to the Lab

Let’s review and consider information on the number of unique files with the same detection name.

Position Ad-Aware detection % of all threats  
1 Trojan.Win32.Generic!BT 63.09% -21.35%
2 Virus.Win32.Ramnit.a 8.81% new
3 Virus.Win32.Sality.ah 4.88% -2.49%
4 Trojan.Win32.Generic.pak!cobra 3.58% -1.92%
5 Trojan.Win32.Generic!SB.0 3.13% -1.47%
6 Virus.Win32.Sality.at 3.12% -3.65%
7 not-a-virus:AdWare.Win32.iBryte.x 2.95% -0.44%
8 Virus.Win32.Virut.ce 2.12% -0.73%
9 Trojan.Win32.Winwebsec.fd 1.56% new
10 Worm.Win32.Mabezat.b 1.30% -1.27%
11 Malware.JS.Generic 1.25% new
12 Worm.Win32.Socks.bt 1.25% new
13 Trojan.Win32.PWS.gz 1,00% new
14 TrojanDropper.Win32.Saldrop.a 0.42% new
15 Trojan.Win32.Vobfus.paa 0.39% new
16 Backdoor.Win32.Hupigon 0.33% new
17 Trojan-Downloader.Win32.Beebone.bs 0.27% new
18 Trojan-Clicker.HTML.IFrame 0.24% new
19 Trojan.Win32.Fakeav.rm 0.20% -0.21%
20 MyWebSearch.J 0.10% -0.31%

New malicious programs entered the Top 20

The top positions are still occupied by fake antiviruses: Trojan.Win32.Winwebsec.fd and Trojan.Win32.Fakeav.rm. They belong to the family of Trojan programs imitating legitimate antivirus program. Such programs ask the user to pay money to register the software to remove non-existing threats. All fake antiviruses are designed to resemble legitimate antivirus programs. See the examples below:

Example 1: FakeAV

Example 2: FakeAV

Nrgbot (Trojan.Win32.Generic!BT) is a multifunctional irc bot. The number of the bots has started to increase in 2011. When the Dorkbot builder became open to the public, the bot popularity among attackers continued to increase.

Dorkbot builder

According to ESET researchers in Latin America, 81000 computers are infected by Dorkbot (Nrgbot).

Hacking Yahoo

In July, the D33Ds Co hacker team (supposedly originated from Ukraine) published a text file containing 453 491 emails with user passwords for a wide Internet audience to prove their penetration to Yahoo! Voice service. The hack was done by union-based sql injection. In the report, the hackers noticed an interesting fact that the stolen passwords had been stored in a database unencrypted. It sounds strange if talking about the security of Yahoo! online services.

The Middle East Cyberwar

In July 2012 Kaspersky Lab and Seculert announced that they had discovered a new malicious program called "Mahdi" (a spiritual and temporal leader who will rule before the end of the world and restore religion and justice) that is involved in The Middle East cyberwar.

We already have heard about such malware as Stuxnet written in June 2009, Duqu appeared in November 2010 and Flame which was detected in May 2012.

According to New York Times , the Stuxnet project was initiated by US and Israel government within George W. Bush "Olympic Games" project to spin Iran’s nuclear centrifuges at Natanz nuclear plant out of control.

The Duqu virus was designed to steal nuclear program documentation and has the same program platform as Stuxnet. Thus, it might be created by the same team of programmers.

Like Duqu, Flame is a sophisticated backdoor tool designed to steal confidential data being able to eavesdrop using an internal microphone. The peculiarity of Flame is its huge size – around 20 MB and ability to use Bluetooth to collect information about nearby devices. But American officials state that the virus is not a part of "Olympic Games".

According to Kaspersky Lab researchers, the new "Mahdi" makes screenshots from the users who are visiting websites with "USA" and "gov" keywords. The list of keywords also contains the popular social services, such as: facebook, google, yahoo!, gmail, myspace, msn messenger, and even Russian social network vkontakte. It uploads stolen data without any command received from the server to C&C in Montreal, Canada.

Mahdi also uses social engineering techniques to spread and hide dropper’s activity. One of such evasive technique is sending PowerPoint presentations with active content to start downloading malicious files while a user is looking at wild nature pictures and listening to music "Ernesto Cortazar - You are my Destiny". For instance, Moses_pic1.pps (1556992 bytes in size, MD5: 362600f55f0266b38bbdb5af68ede3aa) contains the following pictures:

 Another example "Magic_Machine1123.pps"(2340352 bytes in size, MD5: 87161e29401aea799ae4cbbabcc3be17) presents math puzzle:

Sometimes it shows video to draw user’s attention away from downloading malicious files.

In addition, F-Secure has recently published a letter from an anonymous scientist working at the Atomic Energy Organization of Iran (AEOI). He noticed that Iranian nuclear systems were attacked by yet another worm. The interesting fact is that infected machines were playing AC/DC "Thunderstruck" song at midnight.

It is hard to say whether all these attacks to Iran are connected and sponsored by governments within the "Olympic Games" project, but it is obvious that Iran’s nuclear infrastructure is targeted by very sophisticated malware for the last couple of years. And such attempts seem to have been succeeded so far. We can expect appearing new malware that will continue attacking nuclear plants and academic institution in Iran to slow down their efforts in national nuclear program.

Top20 Potentially Unwanted Programs

Below is Top20 Potentially Unwanted Programs blocked by Ad-Aware on user’s PCs. These are advertising software, browser toolbars, search engines and other programs which change browser start pages and other system settings.

Position Ad-Aware detection % of all threats  
1 MyWebSearch 31.49% -0.5%
2 Win32.Toolbar.Iminent 16.72 +0.2%
3 SweetIM 12.75% +0.22%
4 Win32.PUP.Bandoo 10.50% -0.19%
5 Win32.Toolbar.SearchQU 3.58% +0.51%
6 Win32.Toolbar.Mediabar 2.06% -0.63%
7 GamePlayLabs 1.83% +0.23%
8 Win32.PUP.Predictad 1.80% -0.36%
9 Artua Vladislav 1.78% new
10 Win32.Adware.Agent 1.62% +0.15%
11 Click run software 1.59% -0.55%
12 Win32.Adware.ShopAtHome 1.32% -0.14%
13 Yontoo 1.11% -0.01%
14 Via Advertising 1.05% new
15 GameVance 0,96% +,57%
16 RelevantKnowledge 0.91% -0.05%
17 Win32.Adware.Offerbox 0.72% -0.1%
18 Adware.Eorezo.a 0.35% -0.06%
19 Zango 0,23% +0,01%
20 Hotbar 0,06% -0,01%

Top20 PUPs detected on user’s PC

See below examples of PUPs collected by our laboratory:

Example1: PUPs

Example 2: PUPs

Example 3: PUPs

Operating Systems

Infections by OS

Geographic Location

Infections by country of origin

We will keep investigating the epidemiological situation in the world and informing our readers about new malicious code samples in the next Lavasoft Security Bulletin.

  • Back to articles


  • Share this post:    Twitter Facebook