Lavasoft Security Bulletin: November 2012

Top20 Blocked Malware

Position Ad-Aware detection % of all threats Change in ranking
1 Trojan.Win32.Generic!BT 29.51% +8.96%
2 Win32.Trojan.Agent 21.32% -20.53%
3 Virus.Win32.Sality.at 3.36% +2.02%
4 Malware.JS.Generic 2.88% +0.69%
5 Trojan.Win32.Generic.pak!cobra 2.64% +0.41%
6 Email-Worm.Win32.Brontok.a 2.37% +1.17%
7 Virus.VBS.Ramnit.a 1.98% +1.51%
8 Trojan.Win32.Ramnit.c 1.92% +0.33%
9 Virus.Win32.Ramnit.b 1.39% +0.84%
10 Virus.Win32.Sality.ah 1.28% -0.36%
11 Virus.Win32.Xpaj.ab 1.27% new
12 Trojan.Win32.Jpgiframe 1.14% +0.59%
13 Virus.Win32.Virut.ce 1.12% +0.62%
14 Heur.HTML.MalIFrame 1.09% +0.14%
15 Worm.Win32.Chir.b 1.07% new
16 Trojan.Win32.Generic!SB.0 1.01% +0.38%
17 Trojan-Downloader.Win32.VB.pqr 0.87% new
18 Trojan-Spy.Win32.Agent 0.84% new
19 Virus.Win32.Neshta.a 0.76% new
20 HackTool.Win32.Keygen 0.74% -0.06%

The Top 20 malicious programs blocked on PCs

November sees generic detections and viruses sharing the top positions. The list also includes a new modification of the Xpaj virus, mentioned earlier in the Lavasoft Security Bulletin, as well as Worm.Win32.Chir.b, Trojan-Downloader.Win32.VB.pqr and Virus.Win32.Neshta.a, malicious programs with destructive functionality described in previous bulletins.

A new generic detection, Trojan-Spy.Win32.Agent, has entered the Top 20. Such malicious programs are designed to steal confidential information from compromised machines and include various user activity tracking systems, keyboard spies (keyloggers), network traffic analyzers, and programs for capturing desktop screenshots and stealing clipboard data. An interesting peculiarity of this class of malware is that some of this monitoring software is distributed legally over the Internet. Below are examples of Google Trends for the search requests "keylogger download" and "ardamax keylogger download":

Google trends "keylogger download"

Google trends "ardamax keylogger download"

According to trends, monitoring software with potentially malicious functionality is of great interest amongst internet users.

New Incomings to the Lab

Let’s review and consider information on the number of unique files with the same detection name.

Position Ad-Aware detection % of all threats Change in ranking
1 Trojan.Win32.Generic!BT 69.37% +2.52%
2 Virus.Win32.Xpaj.ab 6.46% +5.08%
3 Trojan.Win32.Generic.pak!cobra 5.65% -1.07%
4 Malware.JS.Generic 4.05% -2.66%
5 Virus.Win32.Virut.ce 3.60% -1.43%
6 Trojan.Win32.Winwebsec.fd 1.70% -0.73%
7 Trojan.Win32.Vobfus.paa 1.49% +1.03%
8 Worm.Win32.Mabezat.b 1.51% new
9 Trojan-Downloader.Win32.Harnig 0.78% -0.51%
10 Trojan.Win32.Medfos.r 0.76% -0.39%
11 Trojan.Win32.VB.qms 0.68% +0.11%
12 Virus.Win32.PatchLoad.d 0.63% -0.3%
13 Trojan.Win32.Ransom.jc 0.56% new
14 Trojan.JS.IFrame.i 0.53% new
15 Trojan.Win32.Ransomer.afh 0.48% -0.29%
16 Trojan.Win32.PWS.gz 0.47% new
17 Trojan-Downloader.Win32.Vundo.jd 0.46% new
18 Trojan-Clicker.HTML.RemoteScript 0.44% -0.16%
19 Trojan.Win32.VBInject.pcc 0.37% new
20 Worm.Win32.Esfury.ta 0.33% -0.23%

New malicious programs entered the Top 20

Besides Worm.Win32.Mabezat.b, a multifunctional worm, and Trojan.Win32.PWS.gz, a Trojan that targets account information for the game “Dungeon Fighter” and the Tencent QQ instant messaging service, several other new malicious families appear.

Trojan.Win32.Ransom.jc belongs to a malicious family that disrupts normal computer performance or blocks access to users’ confidential data. Attackers hold machines to ransom until users pay a fee to unlock their computers, although making the payment to an attacker guarantees nothing. Below is an example of the pop-up window which locks the computer, the multi locker "Nertra":

Nertra multi locker pop-up windows updated in November https://www.botnets.fr/index.php/Nertra

Trojan.JS.IFrame.i denotes malicious JavaScript contained in an "iframe" tag on a compromised (booby-trapped) website. As a rule, attackers plant the Trojan code on legitimate internet sites; it redirects the user’s browser to servers hosting exploits that allow arbitrary code to be executed on the target system.
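As an added example (not code from the Lavasoft bulletin), the Python scanner below flags the traits that injected iframes of this kind usually share: zero size, an inline style that hides the element, or off-screen positioning. It uses only the standard library. The sample page, its hostnames and the address in it are constructed for the example.

```python
"""Flag hidden <iframe> tags in an HTML page (added example, constructed data)."""
import re
from html.parser import HTMLParser

# Inline-style fragments that make an iframe invisible to the visitor.
HIDDEN_STYLE_RE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d+",
    re.IGNORECASE,
)
# Inline-style width/height of at most one pixel.
TINY_STYLE_RE = re.compile(r"(?:width|height)\s*:\s*[01](?:px)?\b", re.IGNORECASE)


def _is_tiny(value):
    """True when a width/height attribute is 0 or 1 (pixels or percent)."""
    if value is None:
        return False
    match = re.match(r"\s*(\d+)", str(value))
    return bool(match) and int(match.group(1)) <= 1


class IframeScanner(HTMLParser):
    """Collect iframes that are sized or styled so the visitor cannot see them."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        attr = {name.lower(): (value or "") for name, value in attrs}
        reasons = set()
        if _is_tiny(attr.get("width")) or _is_tiny(attr.get("height")):
            reasons.add("zero-size")
        style = attr.get("style", "")
        if TINY_STYLE_RE.search(style):
            reasons.add("zero-size")
        if HIDDEN_STYLE_RE.search(style):
            reasons.add("hidden-style")
        if reasons:
            self.findings.append({
                "line": self.getpos()[0],       # line on which the tag starts
                "src": attr.get("src", ""),
                "reasons": sorted(reasons),
            })


def find_hidden_iframes(html):
    """Return a list of suspicious iframes found in *html* (empty if none)."""
    scanner = IframeScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page: one legitimate embed and two hidden injected frames.
SAMPLE_PAGE = """<html><body>
<h1>Welcome to our site</h1>
<iframe src="https://video.example/embed/123" width="640" height="360"></iframe>
<iframe src="http://198.51.100.23/in.php" width="0" height="0" frameborder="0"></iframe>
<div><iframe src="http://gate.example/load.php" style="position:absolute;left:-5000px;top:0"></iframe></div>
</body></html>"""

if __name__ == "__main__":
    for hit in find_hidden_iframes(SAMPLE_PAGE):
        print(f"line {hit['line']}: {hit['src']} ({', '.join(hit['reasons'])})")
```

Run it over the HTML your web server actually delivers (or over a crawl of your own site) rather than the files on disk, since injected code is sometimes added at serving time; a legitimate zero-size frame does exist occasionally, so treat hits as items to review, not as verdicts.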

Trojan-Downloader.Win32.Vundo.jd is a multifunctional Trojan downloader which disguises itself as "Symantec Shared Component Scanner Stub" using the file name: "Navmt.exe".

File info for Trojan-Downloader.Win32.Vundo.jd

The Trojan not only downloads other malicious programs to the compromised PC but also blocks Internet access, inflates website traffic and injects HTML into web pages the user visits.

Trojan.Win32.VBInject.pcc is written in Visual Basic. A specific feature of this malicious family is injecting malicious code into the address space of processes specified by the attacker; these may be system processes as well as processes run by the current Windows user. Attackers use the technique to evade proactive protection.

Persian Trojan

Last week Symantec published a report where they describe a new piece of malware, called “Narilam”, which appears to be localized to Iran. Several days later Kaspersky Lab revealed more information about the threat.

There is no evidence of any connection with the infamous Stuxnet/Duqu/Flame/Gauss government Trojans; unlike them, Narilam is compiled with Borland C++. Narilam mounts a targeted attack against specific corporate databases with the Persian names alim, maliran and shahd, which coincide with the corresponding products by TarrahSystem:

Maliran – Integrated Financial and Industrial Applications,
Amin – Banking and Loans Software,
Shahd (“Nectar”) – Integrated Financial / Commercial Software.

According to the SQL queries extracted from the threat code, the Trojan can delete and modify data in the database. The company warns visitors to its website about the threat.

The message informs users that they need to back up the financial information stored in the database because of the Narilam threat.

To launch itself every time the system starts up, the Trojan copies itself to the Startup folder:

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DATA.EXE
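The Startup folder is a classic persistence location, and checking it is a cheap defensive control. The Python helper below is added here as an example (it is neither the bulletin's nor TarrahSystem's code): it normalises Windows paths and reports executable-type files found in the all-users or per-user Startup folder, on both the XP-era and the Vista-and-later folder layouts. The list of sample paths is constructed; the DATA.EXE entry mirrors the location quoted above.

```python
"""Report executable files sitting in Windows Startup folders (added example)."""
import ntpath

# Every Windows Startup folder ends with this suffix (compared lower-case):
#   XP:     \Documents and Settings\<user or All Users>\Start Menu\Programs\Startup
#   Vista+: \AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup  (per user)
#           \ProgramData\Microsoft\Windows\Start Menu\Programs\Startup     (all users)
STARTUP_SUFFIX = "\\start menu\\programs\\startup"

# Extensions that Explorer launches at logon, directly or through a shortcut.
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".lnk"}


def _normalise(path):
    """Lower-case and use backslashes so comparisons do not depend on spelling."""
    return path.replace("/", "\\").lower()


def in_startup_folder(path):
    """True when the file's parent directory is a Windows Startup folder."""
    return ntpath.dirname(_normalise(path)).endswith(STARTUP_SUFFIX)


def startup_scope(path):
    """'all-users' for the machine-wide folder, otherwise 'per-user'."""
    norm = _normalise(path)
    if "\\all users\\" in norm or "\\programdata\\" in norm:
        return "all-users"
    return "per-user"


def find_startup_executables(paths):
    """Return the entries of *paths* that Windows would launch at logon."""
    findings = []
    for path in paths:
        if not in_startup_folder(path):
            continue
        ext = ntpath.splitext(path)[1].lower()
        if ext in EXEC_EXTS:
            findings.append({"path": path, "scope": startup_scope(path), "ext": ext})
    return findings


# Constructed file listing; only the first and third entries should be reported.
SAMPLE_PATHS = [
    r"C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DATA.EXE",
    r"C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini",
    r"C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Updater.lnk",
    r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\readme.txt",
    r"C:\Users\bob\Downloads\DATA.EXE",
]

if __name__ == "__main__":
    for hit in find_startup_executables(SAMPLE_PATHS):
        print(f"[{hit['scope']}] {hit['path']}")
```

On a live Windows host, feed the function the paths from an os.walk over %ProgramData%, %ALLUSERSPROFILE% and every profile's %APPDATA% instead of the sample list, and compare the result against a known-good baseline so that legitimate shortcuts placed by installers do not drown out a new entry.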


It can also propagate via the standard CD/DVD burning folder, a propagation technique that is rarely used nowadays.

Blackhole Exploit Kit Renewal

The beginning of November sees updates to the popular Blackhole Exploit Kit. A Java exploit (CVE-2012-5076) is added to the latest version, 2.0.1. The exploit relies on a vulnerability in the Java Runtime Environment. Although the vulnerability was found at the end of September, infections caused by the exploit are still widespread in November. Microsoft presented a detailed analysis of the vulnerability on its blog. Malicious applets exploiting the vulnerability are not detected by the majority of antivirus software.

The exploit can evade the security model in Java VM and execute some privileged instructions.

Top20 Potentially Unwanted Programs

Below are the Top20 Potentially Unwanted Programs blocked by Ad-Aware on users’ PCs: advertising software, browser toolbars, search engines and other programs that change browser start pages and other system settings.

Position Ad-Aware detection % of all threats Change in ranking
1 MyWebSearch 32.75% +2.36%
2 SweetIM 13.76% +2.36%
3 Win32.Toolbar.Iminent 12.81% -2.94%
4 Win32.PUP.Bandoo 8.44% -1.91%
5 BPProtector 3.51% new
6 Babylon 3.17% new
7 Win32.Toolbar.SearchQU 2.26% -0.79%
8 Win32.Toolbar.Mediabar 1.58% -0.64%
9 GamePlayLabs 1.57% +0.42%
10 Click run software 1.52% +0.49%
11 Win32.Adware.Offerbox 1.42% +0.44%
12 Win32.Adware.ShopAtHome 1.34% -0.71%
13 Win32.PUP.Predictad 1.25% -0.92%
14 Yontoo 1.07% -0.04%
15 Artua Vladislav 1.01% +0.05%
16 Via Advertising 1.01% +0.16%
17 Wajam 0.93% new
18 RelevantKnowledge 0.85% -0.82%
19 InstallBrain 0.70% -0.03%
20 Adware.Eorezo.a 0.67% -0.16%

Top20 PUPs detected on users’ PCs

Below are examples of PUPs collected by our laboratory:

Example 1. PUPs GamePlayLabs

Example 2. PUPs Artua Vladislav

Example 3. Click run software

Infections by OS

Geographic Location

Infections by country of origin

We will keep investigating the epidemiological situation in the world and informing our readers about new malicious code samples in the next Lavasoft Security Bulletin.
