Latest Virus Alerts: Articles and Statistics

Autorun and JavaScript – this month’s main vectors of infection

BitDefender^®,
an award-winning provider of innovative anti-malware security
solutions, today announced January’s top ten e-threats. Leading the way
this month is Trojan.Clicker.CM with 8.30 percent of the total amount
of infected computers. Trojan.Clicker.CM is mostly found on file
sharing websites such as torrent portals, “warez” communities and other
services hosting pirated content. This Trojan is a small script which
forces advertisements in your browser. While some of the advertisements
are related to free online games, others may expose the computer user
to pornography or other types of inappropriate content.

At 8.17 percent, the second e-threat on January’s Top Ten is
Trojan.AutorunInf.Gen, a generic mechanism to spread malware using
removable devices such as flash drives, memory cards or external
hard-disk drives. “Two of the most famous families of malware,
Win32.Worm.Downadup and Worm.Zimuse, also employ this approach to
infect systems,” said Catalin Cosoi, BitDefender’s senior antispam
researcher. “While these removable devices might offer an easy solution
when it comes to data transportation, they may also easily harm the

A new spam campaign gives the phrase “too good to be true” a whole new spin: spammed messages purporting to come from Google in response to job applications. While most spammed messages take advantage of a specific special occasion, holiday, or even a currently newsworthy item, spammers have hit a new low with their latest scheme.

Taking the form of job application responses from Google, the email
even sports the official Google logo with an accompanied legitimate From:
address. With close-to-perfect grammar and syntax (unlike most known
spammed messages), it is becoming even trickier to distinguish real
email messages from fake ones. And why would users not want to believe
what the message says? Google has always been commended for being a
more-than-ideal workplace. Receiving word regarding a job application
from the company is thus great news indeed. But is viewing a
suspicious-looking email message, especially if you did not even send
an application in the first place, worth infecting your computer?

Symantec has observed a new trend in phishing in which the phishing
Web page contains pornographic content. The phishing site states that
the end user can obtain free pornography after logging in or signing
up. These offers tempt users into entering their credentials in the
hopes of obtaining pornography.

The attackers use several offers of pornography as bait. Some of the
offers are adult chat, social networking with adult personals for
sexual favors, blogs with free pornography, and so on. The screenshot
below is an example of a phishing website using a leading information
services brand. The site states that they provide email alerts for sex
parties:

In January, new phishing attacks such as the above example continued
to be observed abusing legitimate brands. The phishing pages were
created using free Web hosting sites. Upon entering login credentials,
the site redirects to a pornographic website that then leads to a fake
antivirus website containing malicious code. To learn more about the
trends involved with fake antivirus software, please refer to Fake Antivirus Scans are so 2009.

Disguised IQ test combines virus, rootkit and worm -- malicious code for one fatal formula

BitDefender^®,
an award-winning provider of innovative anti-malware security
solutions, today identified a new e-threat that combines the
destructive behavior of a virus with the spreading mechanisms of a
worm. There are two known variants of this virus, which enters the
computer as a harmless IQ test.

Once executed, the worm creates between seven and eleven copies of
itself (depending on the variant) in critical areas of the Windows
system.

Win32.Worm.Zimuse.A is an extremely dangerous piece of malware. Unlike
average worms, Win32.Worm.Zimuse.A could lead to severe data loss as it
overwrites the first 50 KB of the Master Boot Record - a key zone of
the hard disk drive.

In order to execute on each Windows boot-up, the worm sets the following registry entry:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"Dump"="%programfiles%\Dump\Dump.exe

It also creates two driver files, namely:

%system%\drivers\Mstart.sys and %system%\drivers\Mseu.sys

Since 64-bit versions of Windows Vista and Windows 7 require digitally

Yesterday we saw SEO poisoning attacks when searching for keywords
such as "Apple Tablet". Now, after the product announcement has been
made, we are seeing the same attack with the actual name of the product
included in the search term.

Using search terms like "Apple Ipad rumor" or "Apple Ipad size" are
likely to produce results from sites like youcanbesureforsafe.net,
antyspywarescanblog.com, or mastersmegasecurity.net, ultimately
compromising your computer with rogue security software.

At this stage we’ve looked at several features of Hydraq, including
its obfuscation techniques and how it remains on an infected system.
So, what control does the attacker have over a compromised system?

Backdoor Functionality

The ThreatExpert blog on Hydraq provides a comprehensive list of the features of this backdoor. The full article can be found here. The following list summarizes what this backdoor is capable of: