Lavasoft Security Bulletin: May 2013

Top20 Blocked Malware

Position  Ad-Aware detection               % of all threats  Change in ranking
1         Win32.Trojan.Agent               31.30%            +0.76%
2         Trojan.Win32.Generic!BT          24.04%            -3.08%
3         Virus.Win32.Sality.at            3.40%             +1.31%
4         Virus.Win32.Sality.r             2.91%             +0.47%
5         Trojan.Win32.Generic.pak!cobra   2.62%             -0.33%
6         Trojan.JS.Generic                2.50%             new
7         Worm.Win32.Vobfus.dla            2.09%             new
8         Virus.VBS.Ramnit.a               1.94%             +1.11%
9         Malware.JS.Generic               1.75%             +0.29%
10        HackTool.Win32.Keygen            1.72%             -0.22%
11        Virus.Win32.Ramnit.b             1.48%             +0.41%
12        Email-Worm.Win32.Brontok.a       1.45%             +0.03%
13        Virus.Win32.Sality.ah            1.02%             -0.7%
14        Virus.Win32.Neshta.a             1.01%             new
15        INF.Autorun                      0.99%             +0.09%
16        Trojan.Win32.Ramnit.c            0.86%             0.00%
17        Trojan.Win32.Sirefef.bb          0.69%             -0.01%
18        Win32.Backdoor.Inject            0.62%             new
19        Trojan.Win32.Jpgiframe           0.56%             +0.13%
20        Heur.HTML.MalIFrame              0.42%             +0.15%

The Top 20 malicious programs blocked on PCs

May sees two new detections: Trojan.JS.Generic, written in JavaScript, and Worm.Win32.Vobfus.dla, written in Visual Basic. Worm.Win32.Vobfus.dla allows attackers to install additional malware on the infected computer. It spreads via network and removable drives, saving an autorun.inf to the root folder of each infected drive. That autorun.inf launches the worm's executable each time Explorer is used to open the infected drive.

Virus.Win32.Neshta.a has been discussed previously in a Lavasoft whitepaper published in March 2012 and information about Win32.Backdoor.Inject can be found in a whitepaper published in January 2013.

New Incomings to the Lab

The following table ranks detections by the number of unique files that received the same detection name.

Position  Ad-Aware detection               % of all threats  Change in ranking
1         Trojan.Win32.Generic!BT          36.03%            -0.37%
2         Trojan.Win32.Generic.pak!cobra   3.06%             -0.51%
3         Virus.Win32.Expiro.bc            2.55%             +0.85%
4         Trojan.Win32.Dwnldr.y            2.29%             +1.00%
5         Trojan.Win32.Medfos.m            1.66%             +0.31%
6         Virus.Win32.Virut.ce             1.54%             -0.05%
7         Trojan.Win32.Generic!SB.0        1.53%             +1.24%
8         Worm.Win32.Mabezat.b             0.59%             +0.02%
9         TrojanPWS.Win32.OnLineGames.ahj  0.59%             +0.35%
10        Malware.JS.Generic               0.59%             +0.11%
11        Exploit.HTML.Iframe.dm           0.53%             new
12        Trojan.Win32.Qhosts.bf           0.51%             new
13        Trojan.JS.Obfuscator.aa          0.47%             -0.09%
14        Trojan.Win32.Winwebsec.fd        0.40%             -0.14%
15        Trojan-PWS.Win32.Zbot.aql        0.40%             +0.2%
16        Trojan.JS.IFrame.i               0.38%             +0.01%
17        Trojan.Win32.Vobfus.paa          0.29%             -0.2%
18        Virus.Win32.PatchLoad.d          0.24%             -0.17%
19        Win32.Malware!Drop               0.18%             -0.23%
20        Trojan.Win32.Tepfer.a            0.12%             -0.12%

New malicious programs entered the Top 20

May sees two new families in the Top 20.

Exploit.HTML.Iframe.dm is embedded as an iframe in HTML pages. Once a user opens an infected web page, the URL chosen by the attacker is loaded in a frame 2 px high and 2 px wide, which is too small for the user to notice.

Fragment of Exploit.HTML.Iframe.dm MD5: d69388832917ee228b14cf1e1c3fd21e

Using this technique, attackers can redirect a user to malicious websites containing exploits to execute arbitrary code on the target system.
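As an added example (not part of the bulletin), the scanner below uses Python's html.parser to flag iframes that are sized or styled so the visitor cannot see them, which is the pattern Exploit.HTML.Iframe.dm relies on; the sample page and its URLs are constructed.

```python
import re
from html.parser import HTMLParser

# Frames at most this many pixels on each side count as hidden (the bulletin's sample is 2 x 2 px).
TINY_PX = 4

def _px(value):
    """Parse a width/height attribute such as '2' or '2px'; None for '100%' or missing."""
    m = re.match(r"\s*(\d+)\s*(?:px)?\s*$", value or "")
    return int(m.group(1)) if m else None

class IframeScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)
        style = (a.get("style") or "").lower().replace(" ", "")
        w, h = _px(a.get("width")), _px(a.get("height"))
        # inline CSS sizes override the attributes; the lookbehind skips max-/min-width
        sw = re.search(r"(?<![a-z-])width:(\d+)px", style)
        sh = re.search(r"(?<![a-z-])height:(\d+)px", style)
        if sw and sh:
            w, h = int(sw.group(1)), int(sh.group(1))
        reasons = []
        if w is not None and h is not None and w <= TINY_PX and h <= TINY_PX:
            reasons.append(f"tiny frame {w}x{h}px")
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by CSS")
        if reasons:
            self.findings.append({"src": a.get("src") or "", "reasons": reasons})

def find_hidden_iframes(html):
    """Return the suspicious iframes found in an HTML document, in document order."""
    scanner = IframeScanner()
    scanner.feed(html)
    return scanner.findings

# Constructed sample page: one ordinary embed and two frames in the style the bulletin describes.
SAMPLE_HTML = """<html><body><p>Welcome</p>
<iframe src="https://example.com/player" width="640" height="360"></iframe>
<iframe src="http://example.invalid/landing" width="2" height="2" frameborder="0"></iframe>
<iframe src="http://example.invalid/other" style="display: none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for f in find_hidden_iframes(SAMPLE_HTML):
        print(f["src"], "->", ", ".join(f["reasons"]))
```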

Trojan.Win32.Qhosts.bf, written in Delphi, is designed to modify the "%System%\drivers\etc\hosts" file, which maps domain names to IP addresses and is consulted before DNS is queried. Trojan.Win32.Qhosts.bf writes the following strings to the "hosts" file:

94.249.189.25  my.mail.ru
94.249.189.25  m.my.mail.ru
94.249.189.25  vk.com
94.249.189.25  m.vk.com
94.249.189.25  odnoklassniki.ru
94.249.189.25  m.odnoklassniki.ru
94.249.189.25  ok.ru
94.249.189.25  m.ok.ru

Requests for any of the domain names listed above are therefore sent to 94.249.189.25 instead of the real servers.

The Trojan extracts a batch file, "rasstavanie.bat", two Visual Basic script files, "eto.vbs" and "naverno.vbs", and two files with service information, "ruoshka.txt" and "mainlol.txt", and saves them to a folder under Program Files:

%Program Files%\akvi\kavi\

The batch file (a command interpreter script) is what modifies the "%System%\drivers\etc\hosts" file:

Rasstavanie.bat batch file fragment

The malicious VBS script "naverno.vbs" sets the hidden attribute on the "%System%\drivers\etc\hosts" file. The "eto.vbs" script sends an HTTP GET request to the following URL:

http://94.249.188.143:9007/stat/tuk/210

When manually removing this Trojan, the following folder must be deleted:

%Program Files%\akvi

Then make the "%System%\drivers\etc\hosts" file accessible again by enabling the display of hidden files and folders, and restore its original content.

Attackers often use this technique to block access to Internet resources or to redirect users to phishing pages that steal information. If you suspect this has happened, check the "hosts" file for unusual or suspicious entries.
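As an added example (not the bulletin's own tooling), the audit below parses a hosts file, flags the pattern Trojan.Win32.Qhosts.bf leaves behind (well-known domains pinned to a public address, and many names funnelled to one address), and can produce a cleaned copy; the sample hosts content is constructed from the entries listed above plus a fictitious internal host.

```python
import ipaddress

# Domains the bulletin says Trojan.Win32.Qhosts.bf redirects; extend with any you care about.
WATCHED_DOMAINS = {"my.mail.ru", "m.my.mail.ru", "vk.com", "m.vk.com",
                   "odnoklassniki.ru", "m.odnoklassniki.ru", "ok.ru", "m.ok.ru"}

def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping; comments and blank lines are skipped."""
    for n, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        for host in fields[1:]:
            yield n, fields[0], host.lower()

def audit_hosts(text, watched=WATCHED_DOMAINS):
    """Return (line_no, ip, host, reason) tuples for entries that should not be in 'hosts'."""
    findings, by_ip = [], {}
    for n, ip, host in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((n, ip, host, "malformed address"))
            continue
        if addr.is_loopback or addr.is_unspecified:
            continue  # localhost entries and 0.0.0.0 sinkhole lists are normal
        by_ip.setdefault(ip, []).append(host)
        if host in watched:
            findings.append((n, ip, host, "watched domain pinned to a non-loopback address"))
        elif addr.is_global:
            findings.append((n, ip, host, "public address overrides DNS for this name"))
    for ip, hosts in by_ip.items():  # many names to one address is the Qhosts pattern
        if len(hosts) >= 4:
            findings.append((0, ip, ",".join(hosts), f"{len(hosts)} hostnames mapped to one address"))
    return findings

def clean_hosts(text):
    """Return the hosts text with every flagged line dropped; review the findings first."""
    bad = {f[0] for f in audit_hosts(text)}
    return "\n".join(l for i, l in enumerate(text.splitlines(), 1) if i not in bad) + "\n"

# Constructed sample: a default-style file plus the entries the bulletin lists for Qhosts.bf.
SAMPLE_HOSTS = """# localhost name resolution is handled within DNS itself.
127.0.0.1       localhost
10.0.0.5        intranet.corp.example      # constructed internal host, legitimate
94.249.189.25   vk.com
94.249.189.25   m.vk.com
94.249.189.25   ok.ru
94.249.189.25   m.ok.ru
"""

if __name__ == "__main__":
    for n, ip, host, why in audit_hosts(SAMPLE_HOSTS):
        print(f"line {n or '-'}: {ip} {host}: {why}")
```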

Ransom Trojans continue to be highly prevalent threats that are frequently analysed by our automated malware analysis systems. Information on how to manually delete these threats can be found here.

Ransomware: Example 1

Ransomware (MD5: a8c05e37d057fad41dd07be3b46a8c3b) is detected by Ad-Aware as Trojan.Win32.Generic!BT.

It is a dynamic-link library (DLL). After activation, it copies itself under a randomly generated name to the "All Users" Application Data folder:

%Documents and Settings%\All Users\%AppData%\1doqet.dat

The Trojan creates a shortcut to itself named "msconfig.lnk" in the current user's Windows Startup folder, which launches the Trojan when the user logs in to Windows:

%Documents and Settings%\%Current User%\Start Menu\Programs\Startup\msconfig.lnk

It also adds a registry autorun key to be doubly sure that the malware survives a reboot:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE" = "%Documents and Settings%\All Users\%AppData%\rundll32.exe %Documents and Settings%\All Users\%AppData%\1doqet.dat,FG00"

So that the DLL can be launched, the Trojan copies the system file "rundll32.exe" to the folder:

%Documents and Settings%\All Users\%AppData%\rundll32.exe

The Trojan can be removed from Windows Safe Mode with the Command Prompt option:

del %Documents and Settings%\All Users\%AppData%\1doqet.dat
del %Documents and Settings%\%Current User%\Start Menu\Programs\Startup\msconfig.lnk
reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v CTFMON.EXE

The attackers’ server, from which the HTML page that effectively prevents the computer from being used is loaded, is located in the United States.

Ransomware: Example 2

Ransomware (MD5: eb02341a6de903a1d869b324bc1c3ff3) is detected by Ad-Aware as Trojan.Win32.Generic!BT.

As in the previous example, the Trojan can be removed from Windows Safe Mode with Command Prompt. To remove the Trojan executable file, use:

del %Documents and Settings%\%Current User%\%AppData%\skype.dat

… and delete the affected registry autorun value:

reg delete "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v shell

The HTML page that blocks use of the computer is hosted in the Netherlands.
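Both ransomware examples persist through autorun registry values (the Run key in Example 1, the Winlogon Shell value in Example 2). As an added example (not from the bulletin), the audit below checks exported autorun values for those patterns: rundll32.exe run from a copy outside the system directory, a non-DLL module loaded from a profile folder, and a replaced Winlogon Shell. The sample entries are constructed from the paths above with the placeholders expanded; the Shell value pointing at skype.dat is an assumption, since the page only shows its deletion.

```python
import re

# Registry locations the two bulletin examples abuse for persistence (from the page).
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
WINLOGON_KEY = r"HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
SYSTEM_DIR = r"c:\windows\system32"  # assumes Windows installed on C:
# Directory fragments in which a legitimate rundll32 target rarely lives.
PROFILE_MARKERS = ("\\application data\\", "\\appdata\\", "\\all users\\", "\\temp\\")

def check_entry(key, name, data):
    """Return the reasons an autorun value looks like the ransomware persistence described above."""
    reasons, d = [], data.strip().lower()
    if key.lower().endswith("\\winlogon") and name.lower() == "shell":
        if d.strip('"') != "explorer.exe":
            reasons.append("Winlogon Shell replaced with " + data.strip())
        return reasons
    # "<dir>rundll32.exe <module>,<entry point>", with optional quotes around either path
    m = re.search(r'^"?(.*?)rundll32\.exe"?\s+"?(.+?)"?(?:,|$)', d)
    if m:
        exe_dir, module = m.group(1), m.group(2)
        if exe_dir and not exe_dir.startswith(SYSTEM_DIR):
            reasons.append("rundll32.exe copy launched from " + exe_dir)
        if not module.endswith(".dll"):
            reasons.append("rundll32 loads a non-DLL module: " + module.rsplit("\\", 1)[-1])
        if any(p in module for p in PROFILE_MARKERS):
            reasons.append("module lives in a user-writable profile directory")
    return reasons

def audit_autorun(entries):
    """entries: iterable of (key, value_name, data); returns the flagged ones with reasons."""
    flagged = []
    for key, name, data in entries:
        reasons = check_entry(key, name, data)
        if reasons:
            flagged.append((key, name, reasons))
    return flagged

# Constructed sample mirroring the two examples; the benign entry uses a hypothetical DLL name.
ALL_USERS = r"C:\Documents and Settings\All Users\Application Data"
SAMPLE_ENTRIES = [
    (RUN_KEY, "CTFMON.EXE", ALL_USERS + r"\rundll32.exe " + ALL_USERS + r"\1doqet.dat,FG00"),
    (WINLOGON_KEY, "Shell", r"C:\Documents and Settings\user\Application Data\skype.dat"),
    (RUN_KEY, "Benign", r'"C:\Windows\System32\rundll32.exe" C:\Windows\System32\example.dll,Start'),
]

if __name__ == "__main__":
    for key, name, reasons in audit_autorun(SAMPLE_ENTRIES):
        print(name, "->", "; ".join(reasons))
```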

In May, our automated malware analysis system also revealed new fake antiviruses which did not make it into the Top 20. Be cautious of this common scam - the threats detected by these programs do not exist on your PC! You can see what a common fake AV infection procedure looks like on Lavasoft’s Facebook page.

Fake AV (MD5: 984539c28d5c916be994c5eda5829be1) is detected by Ad-Aware as FraudTool.Win32.FakeRean

Fake AV (MD5: 7d7274a1cae4fc938ae4921ea74e7254) is detected by Ad-Aware as FraudTool.Win32.FakeRean.e

Fake AV (MD5: e5a17537734661574a839584398b85c8) is detected by Ad-Aware as Trojan.Win32.FakeAV.gbd

Fake AV (MD5: f6d881ab2eac9a7a399586b655cc895e) is detected by Ad-Aware as Trojan.Win32.Generic!BT

All threats described above are successfully detected by Ad-Aware Antivirus. Never pay a fee to attackers!

Update Windows to Avoid Vulnerability Exploits

At the beginning of May, a new exploit was detected on the Department of Labor’s (DoL) official web site. The exploit took advantage of a vulnerability in Internet Explorer 8: a “use-after-free” condition occurred when a CGenericElement object was freed while a reference to it was kept in the Document and used again during rendering. Successful exploitation allows an attacker to execute arbitrary code on the affected system.

According to Net Applications statistics, 23% of Internet Explorer 8 users were the group most at risk, while all Windows XP SP3 users may have been exposed to potential risks. We suppose that an attacker could perform the following actions on the affected system:

  • Use the system as a temporary stage to attack further targets.
  • Obtain a higher level of access, i.e. Administrator privileges.
  • Disable UAC.
  • Get detailed information about the OS.
  • Get full access to the file system.
  • Add user accounts.
  • Download and launch any file.
  • Steal confidential information from:
      - browsers;
      - IM clients;
      - Skype, Bitcoin;
      - file managers;
      - FTP, SFTP, SSH, SCP clients;
      - email clients;
      - standard Windows storages;
      - wireless connection system.
  • Listen to the microphone, capture web-camera screenshots, track keystrokes.
  • Get full control of the system using Remote Desktop.
  • Restore deleted files.
  • Explore the network environment of the compromised system.
  • Inject malicious code into the address space of any process.

For detailed information about the threat, visit.

Top20 Potentially Unwanted Programs

Below are the Top 20 Potentially Unwanted Programs blocked by Ad-Aware on users’ PCs: advertising software, browser toolbars, search engines and other programs that change browser start pages and other system settings.

Position  Ad-Aware detection       % of all threats  Change in ranking
1         Adware.Linkury           22.92%            +4.74%
2         MyWebSearch              19.28%            -3.33%
3         Win32.Toolbar.Iminent    18.33%            +8.7%
4         Win32.PUP.Bandoo         6.32%             +0.76%
5         SweetIM                  4.41%             -1.14%
6         Bprotector               3.20%             -1.26%
7         Yontoo                   2.46%             +0.19%
8         Babylon                  1.60%             +0.11%
9         DomaIQ                   1.55%             +0.4%
10        Wajam                    1.50%             -0.86%
11        DownloadMR               1.35%             0.00%
12        InstallBrain             1.20%             -0.2%
13        Artua Vladislav          1.12%             -0.28%
14        GamePlayLabs             1.08%             -0.09%
15        Win32.Adware.ShopAtHome  0.96%             -0.14%
16        Bundlore                 0.69%             new
17        CoolMirage Ltd           0.69%             -0.66%
18        Win32.Toolbar.Mediabar   0.68%             new
19        BetterInstaller          0.59%             -0.51%
20        Optimum Installer        0.58%             new

Top20 PUPs detected on user’s PC

Operating Systems

Infections by OS

Geographic Location

Infections by country of origin

We will keep investigating the epidemiological situation in the world and informing our readers about new malicious code samples in the next Lavasoft Security Bulletin.
