May 1, 2010
Fake torrent-trackers and file sharing sites
Doctor Web’s virus analysts uncovered an entire network of fake torrent-trackers and file sharing resources located in different parts of the globe and yet targeting Russian-speaking users. Criminals exploited wide popularity of such resources and carelessness of many people who search for necessary information using search engines and posted links to music, books, moves and other contents on such web-sites.
Fake torrent-trackers and file sharing resources appeared at the top of search results lists returned to users by search engines. Apparently criminals performed search engine optimization and perform other preliminary activities to improve efficiency of their schemes.
A user obtaining a download link on such a web-site downloaded a 16 megabyte executable file instead of a supposed archive with desired content. Dr.Web detects such files as Tool.SMSSend.2.
Launching the file brings up a window prompting the user to send several paid short messages that will allow him to gain access to a downloaded archive. In truth such malicious files do not contain any useful data. Similar schemes are known to target users from other countries where instead of an SMS would-be victims are offered to use their credit cards to pay for their downloads before they actually download anything.
Currently Doctor Web’s statistics server registers around 6 000 instances of detection of Tool.SMSSend.2 per 24 hours.
Copyright protection virus
Apart from techniques listed above criminals also attempted to intimidate torrent users.Trojan.Fakealert.14886 (as classified by Doctor Web) spread in quite large numbers over the Internet in April. In an infected system the Trojan displayed a message warning a victim that illegally obtained content protected by copyright was detected on the computer which would result in prosecution.
Trojan.Fakealert.14886 spreads as a software installer. If a user doesn’t remove the program using standard Windows tools for adding and removing software and simply reboots the system, the Trojan will block access to the system similarly to Trojan.Winlock malware. The highest number of detections of this program was registered in Europe.
A new modification of Trojan.Winlock that warned a user of his violation of copyright law also emerged in April. It offered users to send a paid SMS-message in order to continue downloading files via torrent through a backup communication channel.
Fake anti-viruses
Fake anti-viruses enhanced with new or updated look and feel continued there broad-scale offensive in English-speaking countries. Their spreading techniques didn’t change while the number of their detections registered by Doctor Web’s statistics server declined and reached 750 000 against an approximate 1 000 000 in March.
Trojan.Fakealert gallery
Windows blockers
The rate of spreading of Trojan.Winlock in Russia also went down in April and reached 720 instances of detection per 24 hours compared with 1 300 registered in March. However, the number of new modifications of Trojan.Winlock increased. Doctor Web’s technical support received requests related to such Trojans on a daily basis.
Trojan.Winlock gallery
Dialler for smart phones
Virus analysts registered spreading of the WinCE.Dialer.1 malicious program, that targeted pocket PCs running Windows Mobile. Once installed, it started making calls at paid phone numbers registered in different countries.
The program springs into action in 48 hours following a successful infection of the system. WinCE.Dialer.1 spreads as a supposed game for pocket PCs.
The share of malicious programs in e-mail traffic scanned by Dr.Web software in April 2010 increased by 28 %. The share of malicious files among all files scanned on user machines increased by 2.12. The figures show that in April criminals mainly focused on spreading malware over infected web-sites, using PDF, Flash and browser exploits and other techniques rather than e-mail.
Malware detected in mail traffic in April
| 01.03.2010 00:00 – 01.04.2010 00:00 | ||
| 1 | Trojan.DownLoad.41551 | 11193316 (13.64%) |
| 2 | Trojan.DownLoad.37236 | 9927963 (12.10%) |
| 3 | Trojan.DownLoad.47256 | 7320678 (8.92%) |
| 4 | Trojan.Botnetlog.zip | 5865274 (7.15%) |
| 5 | Trojan.MulDrop.40896 | 5147022 (6.27%) |
| 6 | Trojan.Fakealert.5115 | 5100040 (6.22%) |
| 7 | Trojan.Packed.683 | 4148051 (5.06%) |
| 8 | Trojan.Fakealert.5238 | 3808296 (4.64%) |
| 9 | Trojan.DownLoad.50246 | 2921645 (3.56%) |
| 10 | Trojan.Fakealert.5825 | 2484216 (3.03%) |
| 11 | Trojan.Fakealert.5437 | 1834890 (2.24%) |
| 12 | Trojan.Fakealert.5356 | 1659867 (2.02%) |
| 13 | Trojan.Fakealert.5784 | 1445121 (1.76%) |
| 14 | Trojan.Fakealert.5229 | 1338146 (1.63%) |
| 15 | Trojan.PWS.Panda.122 | 1332036 (1.62%) |
| 16 | Trojan.Fakealert.11956 | 1267041 (1.54%) |
| 17 | Trojan.Fakealert.5457 | 1162458 (1.42%) |
| 18 | Trojan.Siggen.18256 | 1106066 (1.35%) |
| 19 | Trojan.Packed.19694 | 1099122 (1.34%) |
| 20 | Trojan.MulDrop.46275 | 1058813 (1.29%) |
| Total scanned: | 17,689,058,602 |
| Infected: | 82,042,532 (0.464%) |
Malicious files detected on user machines in April
| 01.04.2010 00:00 - 01.05.2010 00:00 | ||
| 1 | Win32.HLLW.Shadow | 834227 (2.84%) |
| 2 | Trojan.AuxSpy.187 | 829685 (2.82%) |
| 3 | VBS.Sifil | 525939 (1.79%) |
| 4 | Trojan.Starter.516 | 438173 (1.49%) |
| 5 | ACAD.Pasdoc | 419684 (1.43%) |
| 6 | Win32.HLLW.Gavir.ini | 364819 (1.24%) |
| 7 | Win32.HLLW.Shadow.based | 339566 (1.16%) |
| 8 | Trojan.DownLoad.32973 | 330055 (1.12%) |
| 9 | Trojan.AuxSpy.111 | 283554 (0.97%) |
| 10 | Trojan.AntiAV.6 | 231204 (0.79%) |
| 11 | Win32.HLLW.Autoruner.9410 | 170593 (0.58%) |
| 12 | Win32.Dref | 162827 (0.55%) |
| 13 | IRC.Apulia.1215 | 155887 (0.53%) |
| 14 | BackDoor.Tdss.2459 | 153602 (0.52%) |
| 15 | Trojan.PWS.GoldSpy.3382 | 148201 (0.50%) |
| 16 | Win32.HLLW.Autoruner.5555 | 143042 (0.49%) |
| 17 | HTTP.Content.Malformed | 132141 (0.45%) |
| 18 | Win32.Alman.1 | 119085 (0.41%) |
| 19 | Win32.HLLW.Share | 102652 (0.35%) |
| 20 | Trojan.PWS.Siggen.2674 | 85937 (0.29%) |
| Total scanned: | 77,991,983,505 |
| Infected: | 22,880,659 (0.0293%) |
