Lavasoft Security Bulletin: July 2012
Top20 Blocked Malware
Position | Ad-Aware detection | % of all threats | Change vs. previous month |
1 | Win32.Trojan.Agent | 30.55% | +13.07% |
2 | Trojan.Win32.Generic!BT | 23.37% | +0.12% |
3 | Trojan.Win32.Generic.pak!cobra | 2.66% | +2.42% |
4 | Malware.JS.Generic | 2.10% | -0.15% |
5 | Email-Worm.Win32.Brontok.a | 2.02% | +0.52% |
6 | Virus.Win32.Sality.ah | 1.76% | -1.45% |
7 | Virus.Win32.Ramnit.a | 1.52% | +0.67% |
8 | Heur.HTML.MalIFrame | 1.52% | -0.89% |
9 | Virus.Win32.Ramnit.b | 1.30% | -0.13% |
10 | Trojan.Win32.Jpgiframe | 1.23% | +0.51% |
11 | Trojan.Win32.Generic!SB.0 | 1.22% | new |
12 | Virus.VBS.Ramnit.a | 1.19% | -0.97% |
13 | Virus.Win32.Sality.at | 1.19% | -1.34% |
14 | Worm.Win32.Chir.D | 1.00% | new |
15 | Email-Worm.Win32.Brontok.ik | 0.78% | new |
16 | INF.Autorun | 0.69% | -0.22% |
17 | HackTool.Win32.Keygen | 0.67% | new |
18 | Win32.Sality.ek | 0.64% | -0.5% |
19 | Trojan-Clicker.HTML.Iframe | 0.62% | -1.3% |
20 | Win32.Backdoor.Zaccess | 0.72% | new |
The Top 20 malicious programs blocked on PCs
Compared to the previous month, July sees changes in the positions of generic detections and viruses.
A new modification, Email-Worm.Win32.Brontok.ik, entered the Top 20 in June, as did Win32.Backdoor.Zaccess, which we discussed in our previous post, and a new generic detection, Trojan.Win32.Generic!SB.0.
Worm.Win32.Chir.D is an old-timer. The worm has virus-like capabilities to infect Windows executable files. It spreads via e-mail attachments as well as all available logical and network drives. In addition, it exploits the incorrect MIME header handling that causes Internet Explorer to execute an e-mail attachment (MS01-020). The worm searches the infected PC for .htm and .html files and appends JavaScript that runs an .eml file containing the worm's body to the end of each file found. The .eml file is placed in the same folder as the .htm and .html files.
HackTool.Win32.Keygen. This family consists of utilities that generate activation codes for various paid programs. As a rule, attackers embed additional malicious functionality into such tools, so a user who wants to avoid paying for legitimate software unknowingly runs malware on the PC.
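As an added defender-side example (not code from the bulletin or from Lavasoft), a small scanner for the Chir.D pattern described above: .htm/.html files with script or iframe markup appended after the closing </html> tag that references an .eml file in the same folder. The injected markup and the file names are constructed assumptions, since the bulletin does not reproduce the worm's exact snippet.

```python
import re
import tempfile
from pathlib import Path

# Constructed samples (not real Chir.D output). The bulletin says the worm appends
# JavaScript that runs an .eml file, placed in the same folder, to .htm/.html
# files; the exact snippet is not given, so the markup below is an assumption.
CLEAN_PAGE = "<html><body><p>Hello</p></body></html>\n"
INFECTED_PAGE = CLEAN_PAGE + '<script>window.open("readme.eml", null, "resizable=no")</script>\n'

TAIL_AFTER_HTML = re.compile(r"</html>(.*)$", re.IGNORECASE | re.DOTALL)
ACTIVE_TAG = re.compile(r"<(script|iframe)\b", re.IGNORECASE)
EML_NAME = re.compile(r"([\w.\-]+\.eml)\b", re.IGNORECASE)

def appended_eml_references(html):
    """Names of .eml files referenced from script/iframe markup that follows the
    closing </html> tag; an empty list means nothing suspicious was appended."""
    m = TAIL_AFTER_HTML.search(html)
    tail = m.group(1) if m else ""
    if not ACTIVE_TAG.search(tail):
        return []
    return EML_NAME.findall(tail)

def scan_tree(root):
    """Flag .htm/.html files under root with an appended .eml reference and
    note whether the referenced .eml really sits beside the page."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.suffix.lower() not in (".htm", ".html"):
            continue
        names = appended_eml_references(path.read_text(errors="replace"))
        if names:
            present = [n for n in names if (path.parent / n).exists()]
            findings.append({"file": path.name, "eml": names, "eml_present": present})
    return findings

def demo():
    """Write the constructed samples into a temporary folder and scan it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "clean.html").write_text(CLEAN_PAGE)
        (root / "index.htm").write_text(INFECTED_PAGE)
        (root / "readme.eml").write_text("constructed placeholder, not a worm body\n")
        return scan_tree(root)

if __name__ == "__main__":
    for f in demo():
        print(f"{f['file']}: references {f['eml']}, present on disk: {f['eml_present']}")
```

A hit where the .eml is also present on disk is the stronger signal; a reference alone can still be a leftover from a cleaned infection.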
HackTool.Win32.Keygen
New Incomings to the Lab
Let's review the number of unique files seen with the same detection name.
Position | Ad-Aware detection | % of all threats | Change vs. previous month |
1 | Trojan.Win32.Generic!BT | 63.09% | -21.35% |
2 | Virus.Win32.Ramnit.a | 8.81% | new |
3 | Virus.Win32.Sality.ah | 4.88% | -2.49% |
4 | Trojan.Win32.Generic.pak!cobra | 3.58% | -1.92% |
5 | Trojan.Win32.Generic!SB.0 | 3.13% | -1.47% |
6 | Virus.Win32.Sality.at | 3.12% | -3.65% |
7 | not-a-virus:AdWare.Win32.iBryte.x | 2.95% | -0.44% |
8 | Virus.Win32.Virut.ce | 2.12% | -0.73% |
9 | Trojan.Win32.Winwebsec.fd | 1.56% | new |
10 | Worm.Win32.Mabezat.b | 1.30% | -1.27% |
11 | Malware.JS.Generic | 1.25% | new |
12 | Worm.Win32.Socks.bt | 1.25% | new |
13 | Trojan.Win32.PWS.gz | 1.00% | new |
14 | TrojanDropper.Win32.Saldrop.a | 0.42% | new |
15 | Trojan.Win32.Vobfus.paa | 0.39% | new |
16 | Backdoor.Win32.Hupigon | 0.33% | new |
17 | Trojan-Downloader.Win32.Beebone.bs | 0.27% | new |
18 | Trojan-Clicker.HTML.IFrame | 0.24% | new |
19 | Trojan.Win32.Fakeav.rm | 0.20% | -0.21% |
20 | MyWebSearch.J | 0.10% | -0.31% |
New malicious programs entered the Top 20
The top positions are still occupied by fake antiviruses: Trojan.Win32.Winwebsec.fd and Trojan.Win32.Fakeav.rm. They belong to the family of Trojan programs that imitate legitimate antivirus programs. Such programs ask the user to pay for registering the software in order to remove non-existent threats. All fake antiviruses are designed to resemble legitimate antivirus programs. See the examples below:
Example 1: FakeAV
Example 2: FakeAV
Nrgbot (Trojan.Win32.Generic!BT) is a multifunctional IRC bot. The number of these bots started to increase in 2011, and once the Dorkbot builder became publicly available, the bot's popularity among attackers kept growing.
Dorkbot builder
According to ESET researchers in Latin America, 81,000 computers are infected with Dorkbot (Nrgbot).
Hacking Yahoo
In July, the D33Ds Co hacker team (supposedly based in Ukraine) published a text file containing 453,491 e-mail addresses with user passwords for a wide Internet audience, to prove they had penetrated the Yahoo! Voice service. The hack was done by union-based SQL injection. In their report, the hackers noted the interesting fact that the stolen passwords had been stored in the database unencrypted, which is strange when talking about the security of Yahoo! online services.
The Middle East Cyberwar
In July 2012 Kaspersky Lab and Seculert announced that they had discovered a new malicious program called "Mahdi" (a spiritual and temporal leader who will rule before the end of the world and restore religion and justice) that is involved in the Middle East cyberwar.
We have already heard about malware such as Stuxnet, written in June 2009, Duqu, which appeared in November 2010, and Flame, which was detected in May 2012.
According to the New York Times, the Stuxnet project was initiated by the US and Israeli governments within George W. Bush's "Olympic Games" program to spin Iran's nuclear centrifuges at the Natanz plant out of control.
The Duqu virus was designed to steal nuclear program documentation and shares the same program platform as Stuxnet, so it might have been created by the same team of programmers.
Like Duqu, Flame is a sophisticated backdoor designed to steal confidential data; it can also eavesdrop through the internal microphone. What sets Flame apart is its huge size (around 20 MB) and its ability to use Bluetooth to collect information about nearby devices. American officials, however, state that the virus is not part of "Olympic Games".
According to Kaspersky Lab researchers, the new "Mahdi" takes screenshots when users visit websites containing the keywords "USA" and "gov". The keyword list also contains popular social services such as facebook, google, yahoo!, gmail, myspace, msn messenger, and even the Russian social network vkontakte. It uploads the stolen data to a C&C server in Montreal, Canada, without waiting for any command from the server.
Mahdi also uses social engineering to spread and to hide the dropper's activity. One such evasion technique is sending PowerPoint presentations with active content that starts downloading malicious files while the user is looking at nature pictures and listening to "Ernesto Cortazar - You are my Destiny". For instance, Moses_pic1.pps (1556992 bytes in size, MD5: 362600f55f0266b38bbdb5af68ede3aa) contains the following pictures:
Another example, "Magic_Machine1123.pps" (2340352 bytes in size, MD5: 87161e29401aea799ae4cbbabcc3be17), presents a math puzzle:
Sometimes it shows a video to draw the user's attention away from the download of malicious files.
In addition, F-Secure recently published a letter from an anonymous scientist working at the Atomic Energy Organization of Iran (AEOI). He reported that Iranian nuclear systems had been attacked by yet another worm; the interesting fact is that infected machines were playing the AC/DC song "Thunderstruck" at midnight.
It is hard to say whether all these attacks on Iran are connected and sponsored by governments within the "Olympic Games" project, but it is obvious that Iran's nuclear infrastructure has been targeted by very sophisticated malware for the last couple of years, and such attempts seem to have succeeded so far. We can expect new malware to appear that will continue attacking nuclear plants and academic institutions in Iran to slow down the national nuclear program.
Top20 Potentially Unwanted Programs
Below is the Top 20 Potentially Unwanted Programs blocked by Ad-Aware on users' PCs. These are advertising software, browser toolbars, search engines and other programs that change browser start pages and other system settings.
Position | Ad-Aware detection | % of all threats | Change vs. previous month |
1 | MyWebSearch | 31.49% | -0.5% |
2 | Win32.Toolbar.Iminent | 16.72% | +0.2% |
3 | SweetIM | 12.75% | +0.22% |
4 | Win32.PUP.Bandoo | 10.50% | -0.19% |
5 | Win32.Toolbar.SearchQU | 3.58% | +0.51% |
6 | Win32.Toolbar.Mediabar | 2.06% | -0.63% |
7 | GamePlayLabs | 1.83% | +0.23% |
8 | Win32.PUP.Predictad | 1.80% | -0.36% |
9 | Artua Vladislav | 1.78% | new |
10 | Win32.Adware.Agent | 1.62% | +0.15% |
11 | Click run software | 1.59% | -0.55% |
12 | Win32.Adware.ShopAtHome | 1.32% | -0.14% |
13 | Yontoo | 1.11% | -0.01% |
14 | Via Advertising | 1.05% | new |
15 | GameVance | 0.96% | +0.57% |
16 | RelevantKnowledge | 0.91% | -0.05% |
17 | Win32.Adware.Offerbox | 0.72% | -0.1% |
18 | Adware.Eorezo.a | 0.35% | -0.06% |
19 | Zango | 0.23% | +0.01% |
20 | Hotbar | 0.06% | -0.01% |
Top20 PUPs detected on user’s PC
Below are examples of PUPs collected by our laboratory:
Example1: PUPs
Example 2: PUPs
Example 3: PUPs
Operating Systems
Infections by OS
Geographic Location
Infections by country of origin
We will keep investigating the global epidemiological situation and inform our readers about new malicious code samples in the next Lavasoft Security Bulletin.