Top20 Blocked Malware

The Top 20 malicious programs blocked on PCs

June sees the most prevalent generic detection for Trojans – Malware.JS.Generic - written in Java Script. The majority of threats come from the Internet. Ad-Aware successfully detects those threats and keeps users’ PCs safe.

Three new families entered the Top 20. Trojan-Clicker.HTML.Iframe, in thirteenth position, is designed to increase site visitor statistics, discussed previously in a Lavasoft whitepaper published in June 2012

Virus.Win32.Virut.ce, in sixteenth position, was discussed previously in a Lavasoft whitepaper published in April 2012, and a new generic detection for the multifunctional Trojans Zbot Packed.Win32.PWSZbot.gen.cy is in seventeenth position. Information about some modifications can be found here and here.

New Incomings to the Lab

Let’s review and consider information on the number of unique files with the same detection name.

New malicious programs entered the Top 20

June sees Trojan.Win32.PSW.gz entering the Top 20 and occupying the eighth position. The Trojan is designed to steal confidential data from World of Warcraft user accounts. It was mentioned for the first time in a whitepaper published in May 2012. Trojans were particularly active in stealing online game accounts during that time and this tend is likely to continue this summer.

FraudTool.Win32.FakeRean is in the nineteenth position, discussed previously in a Lavasoft whitepaper published in April 2012.

Worm.Win32.Gamarue.aa occupies the sixteenth position. The worm’s modifications can spread as email attachments and via removable drives; they can send information about the compromised system to the command server, download from the Internet and then launch other malicious programs. Depending on the attacker’s commands, the worm can steal confidential data.

The flood of ransomware blocking the computer performance shows no signs of dissipating. Our automated malware analysis system detected an interesting sample, Trojan.Win32.Generic!BT, among the generic detections. It was detected by the minority of antivirus vendors.

Detecting a malicious program MD5: b55cd45af00206933005d9eb1d5cfc4c on the online service virustotal.com

The sample was compiled in May 14, 2013. According to the detection ratio, it is detected only by 17 antivirus programs. Up to now the sample is topical.

File details MD5: b55cd45af00206933005d9eb1d5cfc4c virustotal.com

The original name the Trojan spreads is "visfx.exe":

Original Trojan name MD5: b55cd45af00206933005d9eb1d5cfc4c

The Trojan is written in .Net. The main program window that blocks the computer is presented below:

Ransomware (MD5: b55cd45af00206933005d9eb1d5cfc4c) is detected by Ad-Aware as Trojan.Win32.Generic!BT

The blocking window does not close when the following URL opens in your browser even after clicking the "Link1" or "Link2" button:

http://unlck.com/1md

You are then directed to proceed with the steps below to unlock your computer:

 http://unlck.com/1md Internet resource content

You may be asked to participate in online gambling, be presented with competitions to win an iPhone 5 by sending a paid text message to a short number, submit online application form indicating your confidential data, download a free application which is a malicious program, and other fraud schemes. Obviously, affected users should not participate.

A particularity of the Trojan is that all components of the blocking window are downloaded from the legal file sharing service Dropbox:

hxxps://dl.dropbox.com/s/zb9jt8hr5vfr525/1024X576.png
hxxps://dl.dropbox.com/s/id3z6oobm2a7gou/1366X768.png
hxxps://dl.dropbox.com/s/wh4pc80c5jl9iw4/1600X900.png
hxxps://dl.dropbox.com/s/xu929toh5cyid30/screen.png
hxxps://dl.dropbox.com/s/0ej33arbrxrndq1/lock-screen.png
hxxps://dl.dropbox.com/s/c8luiic5kqckr5x/link1.png
hxxps://dl.dropbox.com/s/1bfzv4c0njg58j1/link2.png
hxxps://dl.dropbox.com/s/plpofi8486lkung/verify.png

Being successfully downloaded, they are saved to the current user's Windows folder %Application Data%.

Attackers do not use any packers and crypters and download their components from Dropbox disguising the malware as legal one. The anomalies in the executable files and network activity make it difficult to detect for antivirus vendors.

To prevent the deletion, the Trojan ends the following processes: taskmgr.exe, regedit.exe, cmd.exe, msconfig, amongst others:

List of processes the Trojan ends MD5: b55cd45af00206933005d9eb1d5cfc4c

The Trojan can be easily removed in Windows Safe Mode. Deletion of the following key with the help of registry editor is required:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Audio Drivers" = "<original file name>.exe"

To remove the Trojan completely, it is required to remember the path to the Trojan original file taken from the "Audio Drivers" parameter before removing the autorun key.

In an effort to make removal more difficult, attackers built in a removal sequence that requires an activation code. It can be found in a resource of the Trojan executable file:

Audio_Drivers.Resources

When the "unlockmypcplease01" code is entered, the Trojan is removed from your PC showing the following message:

 Successful unlock message

Each successful unlock process is reported to the attacker’s server:

http://forcesurvey.3jelly.com

The server is located in the United States:

Attacker’s server location

Below are statistics we managed to retrieve from the attacker’s server:

Threat statistics from the server http://forcesurvey.3jelly.com

A majority of people tried to pass three steps to unlock their computers. Be careful to avoid these mistakes.

In June, our automated malware analysis system also revealed new fake antiviruses which did not enter the Top 20. Be careful! All "threats" detected by these programs are fake – they are designed to trick you into believing your machine is infected.

Fake AV (MD5: 83146ad25c67506c1e0ce3abd3bf0564) is detected by Ad-Aware as FraudTool.Win32.FakeRean.i

Fake AV (MD5: ca1ecf7e2a26fd8e9ca1b9326c9d1b57) is detected by Ad-Aware as LooksLike.Win32.Malware!D

 Fake AV (MD5: 15bc8488c79059cda1ef9197dbea50b0) is detected by Ad-Aware as Trojan.Win32.Kryptik.argh

All threats described above are successfully detected by Ad-Aware. Ransomware and fake antivirus target unsuspecting computer users making them pay a fee to unlock their computers.

Chinese NetTraveler

On June 4 Kaspersky Lab published a report devoted to the NetTraveler cyber-espionage campaign that covers more than 350 victims in 40 countries. The compromised organizations include Tibetan/Uyghur activists, oil industry companies, scientific research centers and institutes, universities, private companies, governments and governmental institutions, embassies and military contractors. The most affected countries are Mongolia, Russia, India and Kazakhstan. Based on the analysis of C&C scripts and the NetTraveler’s communication protocol, researchers concluded that the spy-tool originated in China. Also common targets with the "Red October" campaign were found in Russia, Iran, Belgium, Kazakhstan, Belarus and Tadjikistan.

The attacks started with sending spear-phishing e-mails to victims with MS Office documents in attachment which exploit CVE-2012-0158 and CVE-2010-3333 vulnerabilities. A moment later the spy-tool is installed being able to collect private information, compress it and send to the attacker. By default, it looks for DOC, XLS, PPT, RTF and PDF documents on a victim’s computer but the list can be extended in a configuration file.

To protect your computer, it is recommended to install an antivirus with the latest definitions as well as to download and apply security updates for already installed software.

The malicious components are detected by Ad-Aware as Trojan.Win32.Generic!BT

Top20 Potentially Unwanted Programs

Below are the Top20 Potentially Unwanted Programs blocked by Ad-Aware on user’s PCs. These are advertising software, browser toolbars, search engines and other programs which change browser start pages and other system settings.

Top20 PUPs detected on user’s PC

Operating Systems

Infections by OS

Geographic Location

Infections by country of origin

We will keep investigating the epidemiological situation in the world and informing our readers about new malicious code samples in the next Lavasoft Security Bulletin.