Lavasoft Security Bulletin: June 2012

Top20 Blocked Malware

Position  Ad-Aware detection              % of all threats  Change from May
1         Trojan.Win32.Generic!BT         23.25%            +2.93%
2         Win32.Trojan.Agent              17.48%            -13.43%
3         Trojan.Win32.Generic.pak!cobra  5.62%             +2.42%
4         Virus.Win32.Sality.ah           3.21%             +0.54%
5         Virus.Win32.Sality.at           2.53%             +0.81%
6         Heur.HTML.MalIFrame             2.41%             new
7         Malware.JS.Generic              2.25%             +0.35%
8         Virus.VBS.Ramnit.a              2.16%             +1.1%
9         Trojan-Clicker.HTML.Iframe      1.92%             new
10        Trojan.Win32.Ramnit.c           1.57%             -0.13%
11        Email-Worm.Win32.Brontok.a      1.50%             +0.73%
12        Virus.Win32.Ramnit.b            1.43%             -0.69%
13        MSIL.Backdoor.Agent             1.29%             new
14        Virus.Win32.Neshta.a            1.27%             new
15        Virus.Win32.Virut.ce            1.17%             -0.08%
16        Trojan.Win32.Vobfus.paa         1.16%             +0.12%
17        Win32.Sality.ek                 1.14%             new
18        INF.Autorun                     0.91%             new
19        Virus.Win32.Ramnit.a            0.85%             -0.46%
20        Trojan.Win32.Jpgiframe          0.72%             new

[Figure: The Top 20 malicious programs blocked on PCs]

June sees minor changes in the top positions compared to the previous month. The Virus.Win32.Neshta.a and Trojan.Win32.Jpgiframe families, which appeared in the Top 20 malicious programs in March, remain in the current Top 20, and several new families entered the Top 20 in June.

Trojan-Clicker.HTML.Iframe is designed to inflate visitor statistics for particular sites. The Trojans themselves are fake HTML pages containing encrypted links to the sites being promoted. When a user unknowingly browses to an infected page, unsolicited connections are made to those URLs, fraudulently generating revenue for the attacker.
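As an added example (not from the bulletin), the following Python script applies the kind of heuristic an HTML scanner uses to flag the invisible frames such clicker pages rely on: iframes with tiny or zero dimensions, or hidden by CSS. The sample page, its URLs and the 2-pixel threshold are constructed for illustration.

```python
# Heuristic detector for iframes hidden from the user, the kind Trojan-Clicker.HTML.Iframe
# and Heur.HTML.MalIFrame target (added example, not Lavasoft code).
import re
from html.parser import HTMLParser

TINY_PX = 2   # an iframe this small, or smaller, is effectively invisible (heuristic threshold)

def _px(value):
    """Parse a width/height attribute such as "1" or "1px" to pixels; None for "100%" or absent."""
    m = re.fullmatch(r"\s*(\d+)\s*(px)?\s*", value or "")
    return int(m.group(1)) if m else None

class HiddenIframeFinder(HTMLParser):
    """Collects every <iframe> that the rendered page would not show to the user."""
    def __init__(self):
        super().__init__()
        self.suspicious = []   # list of (src, [reasons])

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        style = a.get("style", "").replace(" ", "").lower()
        reasons = []
        w, h = _px(a.get("width")), _px(a.get("height"))
        if (w is not None and w <= TINY_PX) or (h is not None and h <= TINY_PX):
            reasons.append("tiny width/height attribute")
        if re.search(r"(width|height):0*[0-2]px", style):
            reasons.append("tiny CSS size")
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by CSS")
        if reasons:
            self.suspicious.append((a.get("src", ""), reasons))

def find_hidden_iframes(html):
    """Return [(src, reasons)] for each iframe on the page that a user would never see."""
    finder = HiddenIframeFinder()
    finder.feed(html)
    finder.close()
    return finder.suspicious

# Constructed sample page: one visible video embed plus two injected invisible frames.
SAMPLE_PAGE = """<html><body><h1>News</h1>
<iframe src="https://video.example/embed/1" width="640" height="360"></iframe>
<iframe src="http://promo.example.invalid/c.php" width="1" height="1"></iframe>
<IFRAME SRC="http://promo2.example.invalid/" style="display: none; width: 0px"></IFRAME>
</body></html>"""

if __name__ == "__main__":
    for src, why in find_hidden_iframes(SAMPLE_PAGE):
        print(f"hidden iframe -> {src}: {', '.join(why)}")
```

A production scanner would additionally resolve frames whose src is assembled by script, which this static pass cannot see.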

MSIL.Backdoor.Agent. A backdoor gives an attacker unauthorized remote access to the infected system. This backdoor is written in .NET, so it runs only on computers that have the .NET Framework installed.

INF.Autorun. INF files are used by Microsoft Windows to run or install applications automatically. An attacker stores an INF file in the root directory of logical, removable and network drives together with the worm's executable files. This activates the worm each time a user opens the infected drive in Windows Explorer.

New Incomings to the Lab

The following table ranks detections by the number of unique files received by the lab under the same detection name.

Position  Ad-Aware detection                 % of all threats  Change from May
1         Trojan.Win32.Generic!BT            42.71%            +3.02%
2         Virus.Win32.Sality.ah              7.37%             +0.42%
3         Virus.Win32.Sality.at              6.77%             +0.21%
4         Trojan.Win32.Generic.pak!cobra     5.5%              new
5         Trojan-Dropper.VBS.Agent.bp        4.63%             new
6         not-a-virus:AdWare.Win32.iBryte.x  3.39%             new
7         Virus.Win32.Virut.ce               2.85%             -2.58%
8         Worm.Win32.Mabezat.b               2.57%             +2.02%
9         Trojan-Downloader.Win32.VB.ardt    2.32%             new
10        Trojan.Win32.Generic!SB.0          1.66%             new
11        Packed.Win32.Krap.iu               2.18%             new
12        Trojan-Clicker.HTML.IFrame.aga     1.71%             new
13        Virus.Win32.Xpaj.A                 1.05%             -2.81%
14        Trojan.Win32.Starter.yy            0.78%             new
15        Trojan.Win32.Jpgiframe             0.76%             -2.48%
16        Trojan.Win32.Fakeav.rm             0.41%             new
17        MyWebSearch.J                      0.41%             -1%
18        Worm.LNK.Autorun.bqj               0.23%             new
19        LooksLike.Win32.Malware!vb         0.16%             -2.62%
20        Pinball Corporation                0.15%             -2.27%

[Figure: New malicious programs that entered the Top 20]

A new generic detection, Trojan.Win32.Generic.pak!cobra, has entered the Top 20. The top positions are still occupied by viruses and generic detections, since the majority of signatures belong to these categories. Let's consider some of them.

Virus.Win32.Xpaj.A infects x86 PE executable and DLL files. In addition, the virus contains backdoor and bootkit-like functionality and uses a special technique to counteract antivirus applications: it registers a process-creation notification callback with the PsSetCreateProcessNotifyRoutine function, and this is how the antivirus gets blocked. Whenever a new process starts, the virus calculates a checksum of the process name and compares it against an internal checksum list. If the checksum matches an entry in the list inside the virus body, the virus writes code to the process's entry point that terminates the process.

To hide the bootkit and its data in the last sectors of the drive, the virus intercepts the NtReadFile and NtWriteFile functions.

[Figure: Diagnosing the system for installed interceptors and MBR infection using the Gmer anti-rootkit]

A peculiarity of the virus is its ability to run on 64-bit Windows with Kernel Patch Protection (KPP), known as “PatchGuard”, enabled. KPP protects the infected MBR from being read and modified.

Trojan.Win32.Carberp (detected as Trojan.Win32.Generic.pak!cobra) is used by attackers to steal confidential data from trading and online banking platforms. The latest versions of the Trojan contain bootkit-like features. The Trojan supports a plugin system; plugins are used to counteract antivirus products and rival botnets, to perform DDoS attacks and to steal confidential data. Below is an example of how the bankbot is sold on blackhat forums:

[Figure: Offer for a multifunctional Carberp bankbot]

According to the latest news from ESET, the botnet's creators have all been arrested.

Backdoor.Win32.Shiz (detected as Trojan.Win32.Generic!BT) has a wide range of features. A peculiarity of this malicious program is that it evades antivirus detection through server-side polymorphism: the polymorphic mutator engine resides on the attacker's server and is updated periodically:

[Figure: Comparison of two modifications of Backdoor.Win32.Shiz]

Worm.LNK.Autorun.bqj exploits a vulnerability in LNK (shortcut) files. Attackers continue to exploit this vulnerability, discovered in June 2010 during the investigation of Stuxnet. Despite the MS10-046 update issued by Microsoft, which closes the vulnerability, the number of LNK files exploiting it keeps growing:

[Figure: Received LNK samples]

Top20 Potentially Unwanted Programs

Below is the Top 20 of Potentially Unwanted Programs blocked by Ad-Aware on users' PCs. These are advertising software, browser toolbars, search engines and other programs that change browser start pages and other system settings.

Position  Ad-Aware detection               % of all threats  Change from May
1         MyWebSearch                      30.99%            +0.09%
2         Win32.Toolbar.Iminent            16.52%            -2.96%
3         SweetIM                          12.53%            +5.39%
4         Win32.PUP.Bandoo                 10.69%            -3.22%
5         Win32.Toolbar.SearchQU           3.07%             +1.19%
6         Win32.Toolbar.Mediabar           2.69%             -0.79%
7         Win32.PUP.Predictad              2.16%             -1.66%
8         GamePlayLabs                     1.60%             +0.72%
9         Win32.Adware.Agent               1.47%             +0.19%
10        Win32.Adware.ShopAtHome          1.46%             -1.46%
11        Yontoo                           1.12%             +0.64%
12        Click run software               1.04%             new
13        RelevantKnowledge                0.96%             -0.08%
14        Win32.Adware.Offerbox            0.82%             -0.34%
15        Adware.Eorezo.a                  0.41%             +0.06%
16        GameVance                        0.39%             +0.07%
17        Zango                            0.22%             -0.65%
18        Possible Browser Hijack attempt  0.19%             -0.02%
19        Win32.Adware.Altnet.GEN          0.17%             -0.11%
20        Hotbar                           0.07%             -0.08%

[Figure: Top 20 PUPs detected on users' PCs]

Operating Systems

[Figure: Infections by OS]

Geographic Location

[Figure: Infections by country of origin]

We will continue to track the worldwide malware situation and inform our readers about new malicious code samples in the next Lavasoft Security Bulletin.
