Lavasoft News - September 2007

New Targets in Detection (August 2007)


AdvancedCleaner is a rogue anti-spyware application. It may give exaggerated threat reports on the compromised computer, and then ask the user to purchase a registered version to remove those reported threats.


Adware.Caishow is Chinese-based software that installs itself as a Browser Helper Object (BHO) and shows advertisements.


Adware.Ismas is an advertisement plug-in installed along with other applications, such as Internet Speed Monitor. It will install itself as a Browser Helper Object (BHO). It may cause pop-ups and pop-unders.


Adware.MailSkinner installs itself into the user’s browser, Outlook Express and instant messenger, and also adds a small toolbar. The program runs in the background at all times and injects a dll into all running processes.


MalwareBurn is a clone of MalwareWipe. It is a program that poses as doing one thing but does another, using false-positive detections to trick the user into buying the commercial version.


Win32.Adware.Printview is an adware application that installs in stealth to all user accounts. It runs a process in stealth at all times. Win32.Adware.Printview may update itself and download additional adware components. It may also cause pop-ups, show advertisements and compromise system security.


Win32.Backdoor.Bandok is a backdoor Trojan that downloads and installs additional malware.


Win32.Backdoor.HacDef is malware that can open up backdoors on a compromised computer.


Win32.BadJoke.CloseMouse is a program that will move your mouse and close open windows.


Win32.HostsDeleter is malware that installs in stealth. This malware deletes its installer file after it has added a dll file that hooks to several system processes. The loaded dll file runs in the background and compromises system security. Win32.HostsDeleter may act as a password stealer. Win32.HostsDeleter also deletes the users’ Hosts File which maps hostnames to IP addresses; users may therefore have to rebuild their Hosts File manually.


Win32.PWS.FretHog is a password stealing Trojan. It monitors keystrokes to collect log-in information. This information is then transmitted to a remote homepage.


Win32.SurfNav is an application that simulates a Web surfer, auto-clicking on links in the background within a hidden Internet Explorer window. Win32.SurfNav installs without displaying a EULA or Privacy Policy. Win32.SurfNav runs a process in stealth and opens a port on the users’ computer, compromising system security. Win32.SurfNav also installs a service, set on auto-start, on the users’ computer.


Win32.Trojan.Gpcode is a Trojan that, once installed, will steal private files and claim to have encrypted them. It will then ask the user for a ransom to get the files back. The ransom message is delivered in a text file called readme.txt. Paying the ransom will most likely not result in getting the files back.


Win32.Trojan.MailInject installs in stealth, without user consent. Win32.Trojan.MailInject operates in stealth and opens ports on the victim’s computer allowing an attacker to gain remote access to the infected system. Once installed the Trojan also makes continuous connection attempts to different mail servers. Win32.Trojan.MailInject may also be bundled with rootkit files.


Win32.TrojanProxy.Pixoliz drops a dll in the system folder. The dll hooks itself into the legitimate process, svchost.exe, and tries to open up TCP ports in stealth.


Win32.Worm.Bagle is a mass-mailing worm. Win32.Worm.Bagle spreads through e-mail and P2P software. It may also drop additional files like ICQ.exe or ICQLite.exe on the infected system.

TAI - Threat Analysis Index
The Lavasoft Threat Analysis Index (TAI) system is based on a 10-point scale, with 1 representing the lowest threat and 10 representing the highest. The behavior of the program has more influence when assigning TAI points than the actual technical aspects of the malware. In other words, if the malware secretly attaches without the computer user's full understanding and approval, then it will automatically be given higher TAI points. A minimum TAI value of 3 is required before the malware is put into detection. Read more on the Lavasoft Security Center here.



Lavasoft Privacy Toolbox
The risk associated with using the Internet, like spam, viruses, spyware and phishing, remains high, according to Consumer Reports. In the first half of 2007, spyware infections prompted 850,000 U.S. households to replace their computers, according to a recent survey. One out of every 11 surveyed had a major, often costly problem due to spyware. The economic fallout per incident averaged $100 (U.S.), with damage totaling $1.7 billion.

Source: Consumer Reports, State of the Net 2007
Term of the Month
A pump and dump scam is a spam technique that uses misleading messages to create hype around targeted stock – usually “penny stocks” that sell for less than $1 U.S. per share. Spammers acquire the stock before sending their spam, and then “dump” their shares after share prices have inflated. The result: investors are fooled into losing money, while the spammers make off with a profit. Read more about recent spam trends in our “Spam Surge” article.

Tech Tips
Every time you surf the Net, your browser keeps track of all of your online steps. With Ad-Aware 2007, we’ve given you an easy solution to remove all traces of your Internet browsing from your system, keeping spyware from documenting surf patterns and targeting you with adware and spyware. TrackSweep, one of the new privacy features in Ad-Aware 2007, gives you the option to clean your cache, cookies, history, last typed URLs, and browser tabs from Internet Explorer, Firefox, and Opera, in one clean sweep! To use TrackSweep, from the “Tools & Plug-Ins” tab in Ad-Aware 2007’s user interface, select “TrackSweep” and then choose the items you want cleaned. TrackSweep is a feature in Ad-Aware 2007 Free, Plus and Pro.
Helpful Homepage
The Anti-Phishing Working Group is an organization committed to wiping out online scams by focusing on eliminating fraud and identity theft that results from phishing, pharming, and e-mail spoofing. Visit its website to report phishing attempts, pharming sites, and crimeware, or browse the informative resources section to brush up on the latest threats.
Lavasoft AB
Lilla Bommen 1
411 04 Gothenburg