Lavasoft Security Bulletin: May 2012

| Position | Ad-Aware detection | % of all threats | Change in ranking |
|----------|--------------------|------------------|-------------------|
| 1 | Win32.Trojan.Agent | 30.91% | +22.4% |
| 2 | Trojan.Win32.Generic!BT | 20.32% | -12.05% |
| 3 | Trojan.Win32.Generic.pak!cobra | 3.20% | -0.74% |
| 4 | Virus.Win32.Sality.ah | 2.67% | -2.02% |
| 5 | Exploit.AdobeReader.gen | 2.61% | new |
| 6 | Virus.Win32.Ramnit.b | 2.12% | +0.32% |
| 7 | Malware.JS.Generic | 1.90% | +0.8% |
| 8 | Trojan.Win32.Ramnit.c | 1.70% | 3.20% |
| 9 | Virus.Win32.Sality.at | 1.72% | -2.4% |
| 10 | Worm.Win32.Mabezat.b | 1.23% | 3.20% |
| 11 | Virus.Win32.Ramnit.a | 1.31% | +0.1% |
| 12 | Virus.Win32.Virut.ce | 1.25% | +0.57% |
| 13 | Virus.VBS.Ramnit.a | 1.06% | new |
| 14 | Trojan.Win32.Vobfus.paa | 1.04% | new |
| 15 | Trojan-Downloader.Win32.VB.pqr | 0.97% | new |
| 16 | Trojan.Win32.Jpgiframe | 0.94% | -0.76% |
| 17 | Trojan.JS.Generic | 0.89% | -1.32% |
| 18 | Trojan.Win32.AutoIT.gen | 0.75% | -0.48% |
| 19 | Email-Worm.Win32.Brontok.a | 0.70% | -0.06% |
| 20 | Virus.Win32.Ramnit.a!dam | 0.68% | -0.07% |


The Top 20 malicious programs blocked on PCs

Top20 Blocked Malware

May sees some changes in the top positions compared to the previous month. Several new families also appeared in the Top 20 malicious programs.

Worm.Win32.Mabezat.b, a polymorphic worm, first appeared in 2009 but is still often seen in the wild. The worm also behaves as a file-infecting virus: it infects Windows executable files with the .exe and .scr extensions, and it targets the programs referenced by the autorun registry keys.

Thus, the worm infects all programs installed on the PC as well as startup programs.

The Mabezat worm spreads via shared logical drives and via CD-RW drives, using the tools built into Windows. The worm copies itself to network resources; even restricted access to those resources does not prevent it from spreading. It tries to connect to them as administrator or as an anonymous user and constructs passwords by combining characters from the Latin alphabet (both upper and lower case), including spaces.

An interesting peculiarity of the worm is that even though it acts as an email worm, it does not send infected emails to addresses that contain the strings "MICROSOFT", "KASPER" or "PANDA". The purpose of this filter is to remain undetected by antivirus laboratories.

Example of Infected Email

Virus.VBS.Ramnit.a is a common dropper which extracts an executable file from itself and injects its malicious code into the address space of the Google Chrome or Internet Explorer process. The injected code then goes on infecting HTML files. The malware connects to a C&C server located in New Jersey, USA, which also hosts SpyEye botnet infrastructure according to https://spyeyetracker.abuse.ch/

Ramnit C&C Server Location

Trojan.Win32.Vobfus.paa downloads files from the Internet without the user's knowledge or consent. Attackers continue to actively use the worm's features to spread their Trojan program. The Trojan searches the root folder of the infected drive for files and folders, then copies itself to the same root folder under the names it discovers, and the genuine files and folders are given the hidden and system attributes. When the user opens the root folder of the infected drive in Windows Explorer, only the Trojan's copies are visible, and the user is likely to launch the Trojan inadvertently by double-clicking one of them. This is a reasonably effective spreading tactic: the malware comes fourteenth in the Top 20 malicious programs.
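As an added example (not code from the bulletin), the following Python script turns the spreading behaviour just described into a detection rule: it lists the executables in a drive root whose name duplicates a sibling that carries the hidden and system attributes. The names Entry, find_lures and scan_root are chosen here; the attribute bit values are the documented Windows constants, and the sample listing is constructed.

```python
# Added example (not from the Lavasoft bulletin): flag Vobfus-style lures in a
# drive root, i.e. visible executables that reuse the name of a sibling file or
# folder which the worm has concealed with the hidden + system attributes.
import os
from collections import namedtuple

EXEC_EXT = {".exe", ".scr", ".com", ".pif"}
FILE_ATTRIBUTE_HIDDEN, FILE_ATTRIBUTE_SYSTEM = 0x2, 0x4  # Windows attribute bits
Entry = namedtuple("Entry", "name is_dir hidden system")

def _split_last_ext(name):
    """'budget.xlsx.exe' -> ('budget.xlsx', '.exe'); 'Photos' -> ('photos', '')."""
    dot = name.rfind(".")
    return (name.lower(), "") if dot <= 0 else (name[:dot].lower(), name[dot:].lower())

def find_lures(entries):
    """Names of visible executables whose stem equals a hidden+system sibling."""
    concealed = {e.name.lower() for e in entries if e.hidden and e.system}
    lures = []
    for e in entries:
        stem, ext = _split_last_ext(e.name)
        if e.is_dir or ext not in EXEC_EXT or (e.hidden and e.system):
            continue  # folders, non-executables and concealed items are not lures
        if stem in concealed:
            lures.append(e.name)
    return sorted(lures)

def scan_root(path):
    """Run find_lures over a real directory. Attribute bits come from st_file_attributes,
    which Python exposes on Windows only (assumption: elsewhere nothing is concealed)."""
    entries = []
    for d in os.scandir(path):
        attrs = getattr(d.stat(follow_symlinks=False), "st_file_attributes", 0)
        entries.append(Entry(d.name, d.is_dir(follow_symlinks=False),
                             bool(attrs & FILE_ATTRIBUTE_HIDDEN),
                             bool(attrs & FILE_ATTRIBUTE_SYSTEM)))
    return find_lures(entries)

# Constructed listing of an infected drive root (sample data, not real).
SAMPLE_ROOT = [
    Entry("Photos", True, True, True),            # genuine folder, now hidden
    Entry("Photos.exe", False, False, False),     # lure named after the folder
    Entry("budget.xlsx", False, True, True),      # genuine document, now hidden
    Entry("budget.xlsx.exe", False, False, False),
    Entry("pagefile.sys", False, True, True),     # legitimately hidden+system
]

if __name__ == "__main__":
    print(find_lures(SAMPLE_ROOT))  # ['Photos.exe', 'budget.xlsx.exe']
```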

In addition, the Trojan modifies its own body to defeat antivirus signature scanners: by changing its byte sequence from copy to copy, the malware creators avoid signatures that match a fixed byte sequence.

Comparison of Two Copies of the Trojan Programs

Trojan-Downloader.Win32.VB.pqr and Trojan.Win32.AutoIT.gen also make an appearance in the Top 20 malicious programs.

Trojan-Downloader.Win32.VB.pqr is a simple Trojan downloader written in Visual Basic. It is not a serious threat to the system as the URL from which it has been downloaded is blocked.

Trojan.Win32.AutoIT.gen is a generic signature which detects malicious programs compiled from AutoIT scripts. Such programs can be a serious threat to the system as they combine a variety of features, such as an email worm, an IRC bot and so on.

New Incomings to the Lab

Let us now review the statistics on the number of unique files sharing the same detection name.

| Position | Ad-Aware detection | % of all threats | Change in ranking |
|----------|--------------------|------------------|-------------------|
| 1 | Trojan.Win32.Generic!BT | 39.69% | +33.59% |
| 2 | Virus.VBS.Ramnit.a | 6.95% | new |
| 3 | Virus.Win32.Sality.ah | 6.95% | -35.48% |
| 4 | Virus.Win32.Sality.at | 6.56% | -24.7% |
| 5 | Virus.Win32.Virut.ce | 5.43% | -0.04% |
| 6 | Trojan.Win32.PWS.gz | 4.83% | new |
| 7 | Trojan.Win32.Rimod.B | 4.30% | new |
| 8 | Virus.Win32.Xpaj.A | 3.86% | +3.64% |
| 9 | Trojan.Win32.Jpgiframe | 3.24% | new |
| 10 | Trojan-Downloader.JS.Agent.nwg | 3.23% | new |
| 11 | LooksLike.Win32.Malware!vb | 2.78% | new |
| 12 | Trojan-Dropper.Win32.Lebag.oub | 2.59% | new |
| 13 | Pinball Corporation | 2.42% | -2.53% |
| 14 | MyWebSearch.J | 1.41% | new |
| 15 | Trojan.Win32.Vobfus.paa | 1.39% | new |
| 16 | Trojan.Win32.OnLineGames.IZ | 1.06% | new |
| 17 | Trojan.Win32.Zbot.dkek | 0.96% | new |
| 18 | Trojan.Win32.FakeAV.oyb | 0.95% | new |
| 19 | Trojan.Win32.Lunam.a | 0.66% | new |
| 20 | Worm.Win32.Mabezat.b | 0.55% | new |


New malicious programs entered the Top 20

The top positions are still occupied by known samples of the Sality virus, together with a generic signature which detects a large number of malicious programs and therefore holds a high chart position. Let us consider the malware which has not been covered previously.

Trojan.Win32.PWS.gz and Trojan.Win32.OnLineGames.IZ occupy the sixth and sixteenth places respectively. These Trojans steal confidential data from World of Warcraft and Forsaken World user accounts. Malware creators take advantage of the summer increase in the number of online gamers, which is why these malicious programs enter the Top 20. The online gaming market attracts malware creators who make money by stealing in-game artifacts.

World Of Warcraft Character Price List

Trojan.Win32.Rimod.B is a detection for files that change various security settings of the computer.

Trojan-Downloader.JS.Agent.nwg is a Trojan program which exploits the MS06-014 vulnerability. The vulnerability is old but is still used to download and launch other malicious programs without the user's knowledge.

Trojan-Dropper.Win32.Lebag.oub is a Windows dynamic library with virus-like features which allow it to infect PE-EXE and PE-DLL files. It also installs a backdoor on the compromised machine. On command from the C&C server, the Trojan downloads files to the victim's machine and executes them, sends collected data to the intruder's server and blocks antivirus programs from running. The malware creators have paid a lot of attention to the autorun feature of the malicious program, making sure that it runs even in safe mode.

Trojan.Win32.Zbot.dkek is a component of the Trojan program Zbot (Zeus). This family appeared in 2007 and is still a best-selling malware toolkit on the black market. Huge botnets are built from machines infected with Zbot programs, and attackers use them to perform illegal activities. The main purpose of the Trojan is to steal credit card information, but attackers can also easily configure the botnets to send spam or perform DDoS attacks.

According to Symantec statistics, machines infected with a new version of Zbot can themselves function as a command server. This technology can make the battle against botnets more complicated. Previously, a botnet could be taken over by disabling its C&C servers or by intercepting control with a fake C&C server: a list of C&C servers was passed between nodes, and if a connection was lost, the network connected to the next server on the list. Now there are no dedicated C&C servers in the system; instead, bots receive commands and configuration files from other bots.

One more innovation is a partial shift to communication over UDP rather than TCP. Bots used to share configuration files and other required information over TCP; that data is now transmitted over UDP.

Trojan.Win32.FakeAV.oyb is a Trojan program which imitates an antivirus program to trick users into paying for the removal of non-existent threats. FakeAVs are very popular among attackers due to the large amount of money that can be scammed from unsuspecting users. Unlike other malicious programs, which are installed using exploits, phishing or spam, fake antivirus programs take advantage of users' fear that their computer may be infected: they offer a free virus scan which, upon completion, is designed to make the user believe the machine is heavily infected, and for a fee the fake AV will "remove" these threats. Once a fake antivirus program is installed on the target system, the malware creators do not need advanced techniques to evade security systems, because a user who believes the computer is at risk will allow the fake antivirus program to make changes to it. The main challenge for the malware authors is to design a user-friendly interface with components resembling real antivirus controls, and then to run a system scan that raises fake alerts for non-existent threats.

Example of the fake antivirus program Trojan.Win32.FakeAV.oyb

Top20 Potentially Unwanted Programs

There are no significant changes to the Potentially Unwanted Programs statistics compared with those published in the previous Bulletin.

| Position | Ad-Aware detection | % of all threats | Change in ranking |
|----------|--------------------|------------------|-------------------|
| 1 | MyWebSearch | 30.97% | -4.02 |
| 2 | Win32.Toolbar.Iminent | 19.48% | +3.72 |
| 3 | Win32.PUP.Bandoo | 13.91% | +1.44 |
| 4 | SweetIM | 7.14% | -0.86 |
| 5 | Win32.PUP.Predictad | 3.82% | +0.93 |
| 6 | Win32.Toolbar.Mediabar | 3.48% | -2.73 |
| 7 | Win32.Adware.ShopAtHome | 2.92% | +0.39 |
| 8 | Adware.Win32.RelevantKnowledge | 2.00% | -0.46 |
| 9 | Win32.Toolbar.SearchQU | 1.88% | -0.64 |
| 10 | Win32.Adware.Agent | 1.28% | -0.54 |
| 11 | Win32.Adware.Offerbox | 1.16% | -0.2 |
| 12 | GamePlayLabs | 0.88% | -0.17 |
| 13 | Zango | 0.87% | -0.29 |
| 14 | Yontoo | 0.48% | -1.28 |
| 15 | Adware.Eorezo.a | 0.35% | -0.42 |
| 16 | Win32.Adware.Ftat | 0.35% | +0.12 |
| 17 | GameVance (fs) | 0.32% | +0.09 |
| 18 | Win32.Adware.Altnet.GEN | 0.28% | +0.06 |
| 19 | Possible Browser Hijack attempt | 0.21% | +0.07 |
| 20 | Hotbar | 0.15% | -0.02 |


Top20 PUPs detected on user’s PC

We would remind you that advertising software, browser toolbars, search engines and other programs which change browser start pages and other system settings without first securing the user’s affirmative consent belong to this category.

Operating Systems

Infections by OS

Geographic Location

Infections by originating country

We will keep investigating the epidemiological situation in the world and informing our readers about new malicious code samples in the next Lavasoft Security Bulletin.
