Top20 Blocked Malware

The Top 20 malicious programs blocked on PCs

April sees a position change for the most prevalent generic detections: Trojan.Win32.Generic!BT and Win32.Trojan.Agent. Compared to March, new modifications of Sality Virus.Win32.Sality.r and Virus.Win32.Sality.am entered the Top 20 at positions 4 and 10 respectively. A new generic detection for Trojans written in the AutoIt script language – Trojan.Win32.AutoIt.gen.1 – entered the Top 20. A new Worm.Win32.Pykspa, a worm that can provide an attacker remote access to a compromised system, also appears in the Top 20. The worm spreads via Skype, Twitter network shares and removable drives, prevents users from visiting internet resources belonging to antivirus companies, and ends processes belonging to various utilities for diagnosing infected system,including antivirus products.

New Incomings to the Lab

Let’s review and consider information on the number of unique files with the same detection name.

New malicious programs entered the Top 20

April sees two new families, TrojanPWS.Win32.OnLineGames.ahj and Trojan.Win32.Urelas.a, at position 17 and 20 respectively.

TrojanPWS.Win32.OnLineGames.ahj is a dynamic-link library (DLL). It is an Internet Explorer Browser Helper Object (BHO) that is run when Internet Explorer launches. It collects data users enter on online game web sites sending the stolen data to attackers’ servers.

Trojan.Win32.Urelas.a provides an attacker with remote access to the infected computer. Taking commands from the CC server, the Trojan downloads its updates and other malicious programs, steals user’s confidential data, and collects information about the system.

This month our automatic analysis system detected an increase of ransom Trojans among Trojan.Win32.Generic!BT generic detections. Let’s consider some of them as well as options for manually removing these threats from the infected computer.

Example 1. This is what the malicious program preventing the computer from performing properly looks like:

Ransomware (MD5: 627e226a5924634651c264f033b1ba33) is detected by Ad-Aware as Trojan.Win32.Generic!BT

The Trojan is easily removed in Windows Safe Mode. The Trojan body needs to be removed from the current user's Windows directory:

%Documents and Settings%\%CurrentUser%\%AppData%\top1.exe

As well as autorun registry key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"top" = "%Documents and Settings%\%CurrentUser%\%AppData%\top1.exe"

The attackers’ server, from which an html-page blocking the computer performance is loaded, is located in Germany:

Example 2. This is what the malicious program preventing the computer from performing properly looks like:

Ransomware (MD5: 2a1864a89a64b3617fc5f233ed3f604c) is detected by Ad-Aware as Trojan.Win32.Generic!BT

It is more complicated to remove this Trojan. This is because the Trojan makes reference to itself in a more obscure registry value:

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell" = "%Documents and Settings%\%CurrentUser%\%AppData%\Battleshield.exe"

To prevent the Trojan from launching automatically in safe mode, Windows can be started in safe mode with command line support using the following commands to remove the autorun capability:

reg delete "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell

del "%Documents and Settings%\%CurrentUser%\%AppData%\Battleshield.exe"

The attackers’ server from which an html-page blocking the computer performance is loaded is located in Germany:

Example 3. This is how the malicious program preventing the computer from performing properly looks like:

Ransomware (MD5: b4cb159208511637ca06e78dbfb0af97) is detected by Ad-Aware as Trojan.Win32.Generic!BT

It is much complicated to remove this Trojan as attackers have made efforts to prevent deleting the malicious program in safe mode. After infection, the Trojan removes all keys from the registry branch:

[HKLM\System\CurrentControlSet\Control\SafeBoot]

This leads to BSOD when attempting to start Windows in safe mode:

The Trojan copies itself to the current user's Windows temporary folder:

%Temp%\WindowsUpdate.exe

If more than one user have access to the infected computer, it is possible to use the "Win+L" hot key to sign in Windows from different accounts. Afterwards, it is possible to remove the worm body and autorun registry key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"WindowsUpdate.exe" = "%Temp%\WindowsUpdate.exe"

And restore the registry branch:

[HKLM\System\CurrentControlSet\Control\SafeBoot]

Otherwise, it is required to use CD or USB flash drive to restore the system or cure infected HDD on another system by scanning it with an antivirus program, or manually removing the Trojan body.

The attackers’ server from which an html-page blocking the computer performance is loaded is located in UK:

Ad-Aware antivirus is capable of detecting ransom Trojans infections, as described above. If  your computer is infected by ransom Trojan of this type, do not panic and pay attackers a fee to unlock your computer. It is always possible to cure your system: "Fortune favours the brave".

Skyper

In April, the activity of "Skyper" IRCBot was observed. "Skyper" used social engineering techniques to spread itself using instant messaging services:

Malware memory damp fragment

If any instant messaging software was installed on the infected computer, the malware sent messages containing a link to its body to all contacts from the list. The malware works out the locale of the infected OS and sends random phrases in the corresponding language.

Text message sample for the Italian locale

Afterwards, a link created using Goo.gl service was added to the text.

http://www.goo.gl/***?image=IMG0540240-JPG

A peculiarity of the worm is installing a module designed to launch a bitcoin generator on the infected computer. The process used for bitcoin mining calculations generates significant load on the affected machine.

A process of malware module responsible for bitcoin generation

Attackers continue using various social engineering techniques to spread malware. This effective technique allows for the creation huge botnets. The chances are very high that someone receiving from a friend a message that contains the "You look so beautiful on this picture" text, along with a link, will click that link for sure.

Bitcoin mining remains a profitable business for attackers. Bitcoin currency rates help demonstrate this; the price of one BTC recently reached 260$. Sensing easy money, criminals surreptitiously install Bitcoin mining software on zombie machines in botnets.

Bitcoin Charts, resource: Mtgox

 You can read a more detailed description of spreading techniques and payload of this malware in our Malware Encyclopedia.

Top20 Potentially Unwanted Programs

Below are the Top20 Potentially Unwanted Programs blocked by Ad-Aware on user’s PCs. These are advertising software, browser toolbars, search engines and other programs which change browser start pages and other system settings.

Top20 PUPs detected on user’s PC

Operating Systems

Infections by OS

Geographic Location

Infections by country of origin

We will keep investigating the epidemiological situation in the world and informing our readers about new malicious code samples in the next Lavasoft Security Bulletin.