Lavasoft Security Bulletin: June 2012
Top 20 Blocked Malware
Position | Ad-Aware detection | % of all threats | Change from May |
1 | Trojan.Win32.Generic!BT | 23.25% | +2.93% |
2 | Win32.Trojan.Agent | 17.48% | -13.43% |
3 | Trojan.Win32.Generic.pak!cobra | 5.62% | +2.42% |
4 | Virus.Win32.Sality.ah | 3.21% | +0.54% |
5 | Virus.Win32.Sality.at | 2.53% | +0.81% |
6 | Heur.HTML.MalIFrame | 2.41% | new |
7 | Malware.JS.Generic | 2.25% | +0.35% |
8 | Virus.VBS.Ramnit.a | 2.16% | +1.1% |
9 | Trojan-Clicker.HTML.Iframe | 1.92% | new |
10 | Trojan.Win32.Ramnit.c | 1.57% | -0.13% |
11 | Email-Worm.Win32.Brontok.a | 1.50% | +0.73% |
12 | Virus.Win32.Ramnit.b | 1.43% | -0.69% |
13 | MSIL.Backdoor.Agent | 1.29% | new |
14 | Virus.Win32.Neshta.a | 1.27% | new |
15 | Virus.Win32.Virut.ce | 1.17% | -0.08% |
16 | Trojan.Win32.Vobfus.paa | 1.16% | +0.12% |
17 | Win32.Sality.ek | 1.14% | new |
18 | INF.Autorun | 0.91% | new |
19 | Virus.Win32.Ramnit.a | 0.85% | -0.46% |
20 | Trojan.Win32.Jpgiframe | 0.72% | new |
The Top 20 malicious programs blocked on PCs
June sees only minor changes in the top positions compared to the previous month. Virus.Win32.Neshta.a and Trojan.Win32.Jpgiframe, which first appeared in the Top 20 in March, are back in the Top 20 this month, and several other new families entered it in June.
Trojan-Clicker.HTML.Iframe is designed to inflate site visitor statistics. The Trojan consists of fake HTML pages that contain obfuscated (encrypted) links to the sites being promoted. When a user unknowingly browses to such a page, it silently opens connections to those URLs, fraudulently generating revenue for the attacker.
MSIL.Backdoor.Agent. A backdoor gives an attacker unauthorized remote access to the infected system. This one is written in .NET (MSIL), so it runs only on computers with the .NET Framework installed.
INF.Autorun. Windows uses INF files to run or install applications automatically. The worm drops an autorun.inf in the root directory of logical, removable and network drives alongside its executable files, so the worm is started each time a user opens the infected drive in Windows Explorer.
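The "clicker" pattern above (an iframe the visitor cannot see, pointing off-site, often written into the page by an obfuscated script) is easy to spot in a crawler. The following is an added example written for this bulletin, not Ad-Aware's detection logic; the sample page, the host names (reserved example.com/example.net) and the size thresholds are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Thresholds and the same-site rule are assumptions of this example.
MAX_HIDDEN_DIM = 2     # a frame this many px or smaller is invisible to the visitor

# Constructed page: one legitimate same-site frame, two clicker-style frames and
# one obfuscated document.write that decodes to an <iframe> tag.
SAMPLE_PAGE = """<html><body><h1>Welcome</h1>
<iframe src="http://www.example.com/about" width="600" height="400"></iframe>
<iframe src="http://counter.example.net/hit.php" width="0" height="0"></iframe>
<iframe src="http://ads.example.net/x" style="display: none"></iframe>
<script>document.write(unescape('%3Ciframe%20src%3D%22http%3A//x.example.net%22%3E'));</script>
</body></html>"""

class PageCollector(HTMLParser):
    """Collect <iframe> attributes and inline <script> bodies."""
    def __init__(self):
        super().__init__()
        self.iframes, self.scripts, self._in_script = [], [], False
    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({k: (v or "") for k, v in attrs})
        elif tag == "script":
            self._in_script = True
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)

def _px(value):
    """'0', '1px', '100%' -> leading integer, or None when not numeric."""
    m = re.match(r"\s*(\d+)", value)
    return int(m.group(1)) if m else None

def _off_site(src, page_host):
    """Return the frame's host if it is not the page's host or a subdomain of it."""
    m = re.match(r"https?://([^/:?#]+)", src, re.I)
    if not m:
        return None
    host = m.group(1).lower()
    return None if host == page_host or host.endswith("." + page_host) else host

def scan_page(html, page_host):
    """Flag hidden or off-site iframes and obfuscated document.write() calls."""
    p = PageCollector()
    p.feed(html)
    findings = []
    for a in p.iframes:
        reasons = []
        w, h = _px(a.get("width", "")), _px(a.get("height", ""))
        if (w is not None and w <= MAX_HIDDEN_DIM) or (h is not None and h <= MAX_HIDDEN_DIM):
            reasons.append("zero-size frame")
        style = a.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by CSS")
        host = _off_site(a.get("src", ""), page_host.lower())
        if host:
            reasons.append("off-site target " + host)
        if reasons:
            findings.append((a.get("src", ""), reasons))
    # Scripts that decode a string and write it straight into the document are the
    # usual carrier for the "encrypted" iframe links the bulletin mentions.
    obfuscated = sum(1 for s in p.scripts
                     if re.search(r"document\.write\s*\(\s*(unescape|String\.fromCharCode)\s*\(", s))
    return {"iframes": findings, "obfuscated_writes": obfuscated}

if __name__ == "__main__":
    for src, why in scan_page(SAMPLE_PAGE, "example.com")["iframes"]:
        print(src, "->", ", ".join(why))
```

An off-site frame on its own is only a weak signal (ads and embedded players look the same), so in practice the findings are scored together; the zero-size and CSS-hidden checks are what separate a clicker inject from an ordinary embed.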
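To see what such a dropped autorun.inf does, it helps to parse its [autorun] section and pull out every directive that starts a program. The following is an added example written for this bulletin, not Lavasoft's or the worm's code; the sample INF content and the RECYCLER\update.exe path are constructed for illustration.

```python
import configparser
import os
import tempfile

# Constructed autorun.inf in the shape autorun worms drop into a drive root:
# every "open" action points at a program stored on the drive itself, and the
# "action" text mimics Windows' own AutoPlay prompt.
SAMPLE_AUTORUN_INF = """[autorun]
open=RECYCLER\\update.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
shell\\open\\command=RECYCLER\\update.exe
shellexecute=RECYCLER\\update.exe
action=Open folder to view files
"""
BENIGN_AUTORUN_INF = "[autorun]\nicon=setup.exe,0\nlabel=Holiday photos\n"

LAUNCH_KEYS = {"open", "shellexecute"}
PROGRAM_SUFFIXES = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js")

def autorun_launchers(inf_text):
    """Return [(directive, target)] for every directive that starts a program."""
    # INF files use INI syntax; '%' must not be treated as interpolation.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(inf_text)
    section = next((s for s in cp.sections() if s.lower() == "autorun"), None)
    if section is None:
        return []
    hits = []
    for key, value in cp.items(section):
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            target = value.strip().strip('"').split()[0] if value.strip() else value
            hits.append((key, target))
    return hits

def looks_like_worm(inf_text):
    """Heuristic (an assumption of this example): a launcher that runs a program
    file stored on the drive itself, rather than an installer referenced by an
    absolute or %variable% path, is the autorun-worm shape."""
    return any(target.lower().endswith(PROGRAM_SUFFIXES)
               and not target.startswith(("%", "\\\\"))
               for _, target in autorun_launchers(inf_text))

def scan_roots(roots):
    """Check each drive root (logical, removable or network) for an autorun.inf."""
    report = {}
    for root in roots:
        try:
            names = os.listdir(root)
        except OSError:
            continue
        for name in names:
            if name.lower() == "autorun.inf":
                with open(os.path.join(root, name), encoding="ascii", errors="replace") as f:
                    text = f.read()
                report[root] = {"launchers": autorun_launchers(text),
                                "suspicious": looks_like_worm(text)}
    return report

if __name__ == "__main__":
    # Stand-in for a drive root: a temporary directory holding the sample file.
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "autorun.inf"), "w") as f:
        f.write(SAMPLE_AUTORUN_INF)
    print(scan_roots([root]))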
New Incomings to the Lab
This table counts unique files received by the lab, grouped by detection name.
Position | Ad-Aware detection | % of all threats | Change from May |
1 | Trojan.Win32.Generic!BT | 42.71% | +3.02% |
2 | Virus.Win32.Sality.ah | 7.37% | +0.42% |
3 | Virus.Win32.Sality.at | 6.77% | +0.21% |
4 | Trojan.Win32.Generic.pak!cobra | 5.5% | new |
5 | Trojan-Dropper.VBS.Agent.bp | 4.63% | new |
6 | not-a-virus:AdWare.Win32.iBryte.x | 3.39% | new |
7 | Virus.Win32.Virut.ce | 2.85% | -2.58% |
8 | Worm.Win32.Mabezat.b | 2.57% | +2.02% |
9 | Trojan-Downloader.Win32.VB.ardt | 2.32% | new |
10 | Trojan.Win32.Generic!SB.0 | 1.66% | new |
11 | Packed.Win32.Krap.iu | 2.18% | new |
12 | Trojan-Clicker.HTML.IFrame.aga | 1.71% | new |
13 | Virus.Win32.Xpaj.A | 1.05% | -2.81% |
14 | Trojan.Win32.Starter.yy | 0.78% | new |
15 | Trojan.Win32.Jpgiframe | 0.76% | -2.48% |
16 | Trojan.Win32.Fakeav.rm | 0.41% | new |
17 | MyWebSearch.J | 0.41% | -1% |
18 | Worm.LNK.Autorun.bqj | 0.23% | new |
19 | LooksLike.Win32.Malware!vb | 0.16% | -2.62% |
20 | Pinball Corporation | 0.15% | -2.27% |
New malicious programs entered the Top 20
A new generic detection, Trojan.Win32.Generic.pak!cobra, has entered the Top 20. The top positions are still occupied by viruses and generic detections, since most signatures belong to these categories. Let's look at some of them.
Virus.Win32.Xpaj.A infects x86 PE executables and DLLs. In addition, the virus has backdoor and bootkit-like behaviour, and it uses a dedicated technique to disable antivirus software: it registers a process-creation callback with PsSetCreateProcessNotifyRoutine so that it is notified of every new process. When a process starts, the virus computes a checksum of the process name and compares it with a checksum list carried in its body; on a match it patches code into the process entry point that terminates the process, so the antivirus never gets to run.
To hide the bootkit and its data in the last sectors of the drive, the virus hooks NtReadFile and NtWriteFile.
GMER anti-rootkit scan showing the installed hooks and the MBR infection
A peculiarity of the virus is that it runs on 64-bit Windows even with Kernel Patch Protection (KPP, better known as "PatchGuard") enabled. The same read/write hooks also shield the infected MBR from being read or overwritten.
Trojan.Win32.Carberp (detected generically as Trojan.Win32.Generic.pak!cobra) is used to steal confidential data from trading and online banking platforms. The latest versions of the Trojan contain bootkit-like features. The Trojan supports a plugin system; plugins are used to counteract antivirus products and rival botnets, to perform DDoS attacks, and to steal confidential data. Below is an example of how the bankbot is advertised for sale on blackhat forums:
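The checksum comparison described above is why a string dump of such a sample does not show which antivirus processes it targets: the virus carries hashes, not names. The following is an added example written for this bulletin, not Xpaj's code; the ROR-13 hash is a hypothetical stand-in (the bulletin does not describe the real algorithm), and the hash list is constructed from well-known AV and anti-rootkit image names so the example is self-contained. It shows both sides: the decision the kernel callback makes, and how an analyst resolves a recovered hash list by brute force against a wordlist.

```python
# Hypothetical name-hashing scheme (an assumption of this example, not Xpaj's
# actual algorithm): a 32-bit rotate-and-add over the upper-cased image name.
def ror32(x, n):
    return ((x >> n) | (x << (32 - n))) & 0xFFFFFFFF

def name_hash(image_name):
    """Case-insensitive ROR-13 additive hash of a process image name."""
    h = 0
    for byte in image_name.upper().encode("ascii", "replace"):
        h = (ror32(h, 13) + byte) & 0xFFFFFFFF
    return h

# The list the virus would carry in its body.  Constructed here from real AV and
# anti-rootkit image names; a real sample would only contain the 32-bit values.
KILL_LIST = frozenset(name_hash(n) for n in
                      ("avp.exe", "mbam.exe", "gmer.exe", "avgnt.exe", "msseces.exe"))

def on_process_create(image_name):
    """Decision the process-creation callback makes for a new process: only
    names whose hash is on the list get their entry point patched."""
    if name_hash(image_name) in KILL_LIST:
        return "patch entry point, terminate"
    return "allow"

def resolve_hashes(recovered, wordlist):
    """Analyst side: map hashes recovered from a sample back to names by
    hashing a wordlist of known image names.  Unknown hashes map to None."""
    table = {name_hash(w): w for w in wordlist}
    return {h: table.get(h) for h in recovered}

if __name__ == "__main__":
    print(on_process_create("GMER.exe"), on_process_create("notepad.exe"))
    wordlist = ["notepad.exe", "explorer.exe", "avp.exe", "gmer.exe", "mbam.exe"]
    print(resolve_hashes(sorted(KILL_LIST) + [0xDEADBEEF], wordlist))
```

With a wordlist built from the image names of every AV product in the lab, the unresolved entries are usually the interesting ones: they point at tools the author cared about that are not in the analyst's list.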
Offer for Multifunctional Carberp Bankbot
According to the latest news from ESET, all of the botnet's creators have been arrested.
Backdoor.Win32.Shiz (detected as Trojan.Win32.Generic!BT) has a wide range of features. What sets it apart is how it evades antivirus detection: server-side polymorphism. The polymorphic mutator engine runs on the attacker's server, so every downloaded copy is a different binary, and the engine itself is updated periodically:
Comparison of two modifications of Backdoor.Win32.Shiz
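Server-side polymorphism defeats hash blocklists, because no two downloads share a hash, but the mutator only wraps and reorders the payload; the code that does the work is the same in every copy. The following is an added example written for this bulletin, not Shiz's or Lavasoft's code: a constructed stand-in mutator produces three "variants" of an invented core, and a generic signature built from the n-grams common to two known variants still catches the third while ignoring a benign file.

```python
import hashlib
import random

# Constructed "core" of a family: independent code/data blocks that the mutator
# leaves intact.  The byte strings are invented stand-ins, not Shiz code.
CORE = [
    b"push ebp; mov ebp, esp; call inject_into_explorer; " * 4,
    b"GET /gate.php?id= HTTP/1.1 " * 6,
    b"lea eax, [ebp-0x40]; call decrypt_config; " * 4,
]
BENIGN = b"This program cannot be run in DOS mode. Hello from a harmless installer. " * 8

def mutate(core, seed):
    """Stand-in for the server-side mutator: shuffle the independent blocks and
    wrap each one in seed-dependent junk, so every download has a fresh hash."""
    rng = random.Random(seed)
    blocks = list(core)
    rng.shuffle(blocks)
    junk = lambda: bytes(rng.randrange(256) for _ in range(rng.randrange(64, 256)))
    out = junk()
    for block in blocks:
        out += block + junk()
    return out

def ngrams(data, n=8):
    return {data[i:i + n] for i in range(len(data) - n + 1)}

def generic_signature(variant_a, variant_b, n=8):
    """Byte n-grams present in both known variants: the stable core the mutator
    does not touch.  Random junk never repeats across copies, so it drops out."""
    return ngrams(variant_a, n) & ngrams(variant_b, n)

def coverage(sample, signature, n=8):
    """Fraction of the signature's n-grams that appear in the sample."""
    return len(ngrams(sample, n) & signature) / len(signature)

def analyze(seeds=(1, 2, 3)):
    a, b, c = (mutate(CORE, s) for s in seeds)
    digests = {hashlib.sha256(v).hexdigest() for v in (a, b, c)}
    sig = generic_signature(a, b)           # built from the two copies we have seen
    return {
        "distinct_hashes": len(digests),    # 3: a hash blocklist misses each new copy
        "signature_size": len(sig),
        "variant_c_coverage": coverage(c, sig),   # the copy we have not seen
        "benign_coverage": coverage(BENIGN, sig),
    }

if __name__ == "__main__":
    print(analyze())
```

A real mutator also re-encrypts the payload and varies the decryptor stub, which is why production detection combines this kind of structural matching with emulation or unpacking before the comparison; the principle, matching what the server cannot afford to change, is the same.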
Worm.LNK.Autorun.bqj exploits the Windows shortcut (.LNK) vulnerability, CVE-2010-2568, discovered in June 2010 during the investigation of Stuxnet. Despite the MS10-046 update from Microsoft that closes the vulnerability, the number of LNK files exploiting it keeps growing:
Received LNK samples
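Triaging a pile of received LNK files means parsing the shell link header and inspecting the link target item list, which is where the Control Panel item that loads an attacker's DLL for its icon lives. The following is an added example written for this bulletin, not Lavasoft's or Microsoft's detection logic: a minimal parser for the LinkTargetIDList, a heuristic for the exploit shape, and a constructed exploit-shaped and a benign shortcut to run it against (item type bytes and the UNC path are invented for the example).

```python
import struct
import uuid

LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")            # ShellLink header CLSID
CONTROL_PANEL_CLSID = uuid.UUID("21ec2020-3aea-1069-a2dd-08002b30309d")  # Control Panel folder
MY_COMPUTER_CLSID = uuid.UUID("20d04fe0-3aea-1069-a2d8-08002b30309d")    # My Computer (root)
HAS_LINK_TARGET_IDLIST = 0x00000001
HEADER_SIZE = 0x4C

def link_target_items(data):
    """Parse the ShellLinkHeader and return the LinkTargetIDList as a list of
    ItemID payloads (without their 2-byte size field), or [] if absent."""
    if (len(data) < HEADER_SIZE or struct.unpack_from("<I", data)[0] != HEADER_SIZE
            or data[4:20] != LNK_CLSID.bytes_le):
        raise ValueError("not a Windows shell link")
    flags = struct.unpack_from("<I", data, 20)[0]
    if not flags & HAS_LINK_TARGET_IDLIST:
        return []
    size = struct.unpack_from("<H", data, HEADER_SIZE)[0]
    idlist = data[HEADER_SIZE + 2:HEADER_SIZE + 2 + size]
    items, off = [], 0
    while off + 2 <= len(idlist):
        item_size = struct.unpack_from("<H", idlist, off)[0]
        if item_size == 0:                 # TerminalID ends the list
            break
        items.append(idlist[off + 2:off + item_size])
        off += item_size
    return items

def cve_2010_2568_indicators(data):
    """Heuristic of this example (not a vendor's detection logic): a link target
    that walks into the Control Panel folder and names a .dll has the shape of
    the icon-loading exploit."""
    items = link_target_items(data)
    reasons = []
    if any(CONTROL_PANEL_CLSID.bytes_le in item for item in items):
        reasons.append("Control Panel folder in link target")
    for item in items:
        for start in (0, 1):               # UTF-16 path may sit at either byte alignment
            text = item[start:].decode("utf-16-le", errors="ignore")
            if ".dll" in text.lower():
                reasons.append("DLL path in link target: " + text.strip("\x00"))
                return reasons
    return reasons

def build_lnk(items):
    """Constructed minimal .lnk: header plus LinkTargetIDList, nothing else."""
    header = struct.pack("<I16sI", HEADER_SIZE, LNK_CLSID.bytes_le, HAS_LINK_TARGET_IDLIST)
    header += b"\x00" * (HEADER_SIZE - len(header))   # attributes, times, etc. zeroed
    idlist = b"".join(struct.pack("<H", len(it) + 2) + it for it in items) + b"\x00\x00"
    return header + struct.pack("<H", len(idlist)) + idlist

# Constructed link targets.  Type bytes are illustrative; the UNC path is invented.
EXPLOIT_ITEMS = [
    b"\x1f\x50" + MY_COMPUTER_CLSID.bytes_le,
    b"\x2e\x80" + CONTROL_PANEL_CLSID.bytes_le,
    b"\x00\x00" + "\\\\10.0.0.5\\public\\icon.dll".encode("utf-16-le"),
]
BENIGN_ITEMS = [
    b"\x1f\x50" + MY_COMPUTER_CLSID.bytes_le,
    b"\x2f" + b"C:\\\x00",
    b"\x31\x00" + b"notes.txt\x00",
]

if __name__ == "__main__":
    for label, items in (("exploit-shaped", EXPLOIT_ITEMS), ("benign", BENIGN_ITEMS)):
        print(label, cve_2010_2568_indicators(build_lnk(items)))
```

The heuristic is deliberately loose: it flags the structure the exploit needs rather than any particular sample, which is what you want when the same vulnerability keeps reappearing in new worm families. Real shortcuts carry more sections after the item list (LinkInfo, string data), which this minimal parser skips because the indicator lives entirely in the target list.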
Top 20 Potentially Unwanted Programs
Below is the Top 20 of potentially unwanted programs blocked by Ad-Aware on users' PCs. These are advertising software, browser toolbars, search engines and other programs that change the browser start page and other system settings.
Position | Ad-Aware detection | % of all threats | Change from May |
1 | MyWebSearch | 30.99% | +0.09% |
2 | Win32.Toolbar.Iminent | 16.52% | -2.96% |
3 | SweetIM | 12.53% | +5.39% |
4 | Win32.PUP.Bandoo | 10.69% | -3.22% |
5 | Win32.Toolbar.SearchQU | 3.07% | +1.19% |
6 | Win32.Toolbar.Mediabar | 2.69% | -0.79% |
7 | Win32.PUP.Predictad | 2.16% | -1.66% |
8 | GamePlayLabs | 1.60% | +0.72% |
9 | Win32.Adware.Agent | 1.47% | +0.19% |
10 | Win32.Adware.ShopAtHome | 1.46% | -1.46% |
11 | Yontoo | 1.12% | +0.64% |
12 | Click run software | 1.04% | new |
13 | RelevantKnowledge | 0.96% | -0.08% |
14 | Win32.Adware.Offerbox | 0.82% | -0.34% |
15 | Adware.Eorezo.a | 0.41% | +0.06% |
16 | GameVance | 0.39% | +0.07% |
17 | Zango | 0.22% | -0.65% |
18 | Possible Browser Hijack attempt | 0.19% | -0.02% |
19 | Win32.Adware.Altnet.GEN | 0.17% | -0.11% |
20 | Hotbar | 0.07% | -0.08% |
Top 20 PUPs detected on users' PCs
Operating Systems
Infections by OS
Geographic Location
Infections by country of origin
We will keep investigating the epidemiological situation in the world and informing our readers about new malicious code samples in the next Lavasoft Security Bulletin.