January virus activity review from Doctor Web

Doctor Web presents the virus activity review for January 2009. The first month of 2009 went rather smoothly except for the outbreak of Win32.HLLW.Shadow.based. The month saw no mass mailings spreading malicious code in attachments or directing users to bogus web-sites. However, fraudulent SMS, fake anti-viruses, new Trojans turning user machines into botnet zombies, and phishing attacks were registered every now and then.

Win32.HLLW.Shadow.based (Net-Worm.Win32.Kido, W32.Downadup, Worm:Win32/Conficker)

In January Doctor Web issued a warning about the outbreak of the Win32.HLLW.Shadow.based polymorphic worm. This malicious program showed once again that installing critical updates for Windows and other software is a must for every user who wants to keep the system secure. It is also recommended to disable autorun for removable drives, as it is exploited by Win32.HLLW.Shadow.based as well as by many other malicious programs. Strange as it seems, the epidemic may have a positive effect: users learn to use stronger passwords, since the malicious program attempts to crack the administrator password in order to spread over a local network.
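The autorun recommendation above can be audited and applied through the Windows Explorer policy value NoDriveTypeAutoRun; the PowerShell script below is an added example, not code from Doctor Web, and assumes a Windows host with PowerShell and administrative rights when -Enforce is used.

```powershell
# Added example (not from the Doctor Web review): audit, and optionally enforce,
# the NoDriveTypeAutoRun policy that disables autorun for removable drives.
# Assumes Windows with PowerShell; -Enforce needs administrative rights.
param([switch]$Enforce)

# Each bit of NoDriveTypeAutoRun disables autorun for one GetDriveType() class:
# the bit is 1 shifted left by the drive type number (removable = 2, so 0x04).
$DriveBits = @{ Removable = 0x04; Fixed = 0x08; Network = 0x10; CDROM = 0x20; RamDisk = 0x40 }
$Paths = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer')

function Get-AutorunPolicy {
    # Report the machine-wide and per-user policy values and what they cover.
    foreach ($p in $Paths) {
        $v = (Get-ItemProperty -Path $p -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
        [pscustomobject]@{
            Hive      = $p.Split(':')[0]
            Value     = if ($null -eq $v) { 'not set' } else { '0x{0:X2}' -f $v }
            Removable = ($null -ne $v) -and (($v -band $DriveBits.Removable) -ne 0)
            AllDrives = ($null -ne $v) -and (($v -band 0xFF) -eq 0xFF)
        }
    }
}

Get-AutorunPolicy | Format-Table -AutoSize

if ($Enforce) {
    # 0xFF disables autorun for every drive type; HKLM applies to all users.
    $p = $Paths[0]
    if (-not (Test-Path $p)) { New-Item -Path $p -Force | Out-Null }
    Set-ItemProperty -Path $p -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
    Write-Host 'NoDriveTypeAutoRun set to 0xFF in HKLM; takes effect at next logon.'
}
```

Disabling autorun removes only one of the worm's propagation paths; the critical updates and password hygiene the review mentions are still required.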

Virus analysts of Doctor Web have been adding entries for new modifications of Win32.HLLW.Shadow.based to the virus database throughout January. If you suspect that your system is infected with the polymorphic worm, install all critical updates for the version of Windows you use, disconnect the machine from the network and use Dr.Web CureIt! to scan your system. Computers running Dr.Web for Windows with regularly updated virus databases are protected against attempts by Win32.HLLW.Shadow.based to penetrate the system.


Even though the e-card disguise for malware has been well known for quite a while, it remains as efficient as ever. In December 2008 and January 2009 numerous fake New Year and Christmas greeting notifications landed in the mailboxes of millions of users. As January drew to a close, web-sites supposedly providing Valentine greetings began to emerge. Trojan.Spambot is one of many malicious programs that get onto user machines from such sites. Also known as Waledac, the Trojan turns a compromised system into a zombie.


Criminals also attempted to get more money from the accounts of mobile subscribers. They used malware to encrypt data stored on a victim's computer and demanded payment for its decryption. They could also demand money for the removal of a malicious program installed as a browser plugin, or lure a user into downloading and installing a program on the phone that would start sending paid SMS. The malicious program is detected by Dr.Web as Java.SMSSend.19.

Fake anti-viruses

Fake anti-viruses also retained their popularity. Even if such a program didn't perform any malicious tasks in a compromised system, it was still harmful, as fraudsters received money for a useless piece of code. In January one of numerous such web-sites offered online scanning of a system.

All machines that were checked for viruses by this "anti-virus" got infected. Moreover, when scanning was completed, the victim was prompted to download another malicious program, detected by Dr.Web as Trojan.Fakealert.3914.


The number of phishing attacks was lower in January compared with previous months. The main targets of criminals in January were customers of amazon.ca and PayPal.

Malicious programs in e-mail traffic in January
(01.01.2009 00:00 - 01.02.2009 00:00)

Position  Name                      Count   Percentage
1         Win32.Virut               14723   18.70%
2         Win32.HLLM.MyDoom.based   13479   17.12%
3         Trojan.MulDrop.18280       6235    7.92%
4         Trojan.MulDrop.13408       4594    5.84%
5         Trojan.MulDrop.16727       4357    5.53%
6         Win32.HLLM.Alaxala         4022    5.11%
7         Win32.Sector.12            2686    3.41%
8         Win32.HLLM.Beagle          2141    2.72%
9         Win32.HLLM.Netsky.35328    1944    2.47%
10        Win32.HLLM.Netsky          1698    2.16%
11        Trojan.Click.22109         1570    1.99%
12        Win32.HLLM.Mailbot         1498    1.90%
13        Win32.HLLW.Shadow.3        1405    1.78%
14        Win32.HLLM.Perf            1353    1.72%
15        Trojan.MulDrop.19648       1252    1.59%
16        Win32.HLLM.MyDoom.33       1182    1.50%
17        Win32.Virut.5               968    1.23%
18        Win32.IRC.Bot.based         769    0.98%
19        W97M.Thus                   687    0.87%
20        BackDoor.Dosia.72           619    0.79%


(01.01.2009 00:00 - 01.02.2009 00:00)

Position  Name                        Count     Percentage
1         Win32.HLLW.Gavir.ini        2451656   19.14%
2         DDoS.Kardraw                2058062   16.06%
3         Win32.HLLM.Generic.440       714503    5.58%
4         VBS.Generic.548              453207    3.54%
5         Win32.Virut.5                435746    3.40%
6         Win32.Alman                  358676    2.80%
7         Trojan.Recycle               349560    2.73%
8         Trojan.Starter.881           303349    2.37%
9         Win32.Sector.16              210250    1.64%
10        Win32.HLLW.Shadow.based      209118    1.63%
11        Win32.HLLM.Lovgate.2         188398    1.47%
12        Win32.HLLP.Neshta            174684    1.36%
13        Win32.HLLP.Jeefo.36352       169943    1.33%
14        Win32.HLLW.Autoruner.2536    159100    1.24%
15        VBS.PackFor                  138289    1.08%
16        Win32.Sector.12              128054    1.00%
17        Win32.HLLW.Autoruner.5555    127353    0.99%
18        Win32.Sector.5               123027    0.96%
19        Trojan.DownLoader.42350      119657    0.93%
20        Win32.HLLM.Perf               88711    0.69%

Source: http://www.drweb.com