Malware in January: Scammers, Freeloaders and Multifunctional Worms

03 Feb 2011

The emergence of Email-Worm.Win32.Hlux was arguably the main event in January. This new mail worm spreads via emails containing malicious links that prompt users to install a fake Flash Player, purportedly to view an e-card. The link leads to a dialog window that asks if the user agrees to download a file. Regardless of the response, the worm attempts to penetrate the system. In addition to propagating via email, Hlux also has bot functionality and adds infected computers to a botnet before connecting to its command center and executing its commands, which are primarily directed at sending pharmaceutical spam.

Cybercriminals often exploit the popularity of an online service or product. In January, a web page was detected that offered users the chance to install an updated version of Microsoft Internet Explorer and to activate it by sending an SMS to a premium-rate number. These fraudulent web pages are detected as Hoax.HTML.Fraud.e, and appear in 17th place in the Top 20 most malicious programs on the Internet. The popularity of Kaspersky Lab products has not escaped the notice of cybercriminals either. January's Top 20 most popular programs detected on users' computers included two potentially unwanted programs (PUPs) belonging to the Kiser family – in 9th and 11th places – that allow some Kaspersky Lab products to be used without being activated.

In the first half of the month, the experts at Kaspersky Lab also detected a Trojan dropper masquerading as a key generator for the company's products. The old adage "There's no such thing as a free lunch" is particularly fitting here as the dropper goes on to install and launch two malicious programs. One of them steals program registration data and passwords for online games. The second is a backdoor that also has keylogger functionality.

The company's experts also witnessed the mass distribution of malicious short links on Twitter. After a number of redirects, the attention-grabbing links led users to a page promoting a rogue AV program.

Adware is still spreading fast. AdWare.Win32.WhiteSmoke.a, in 12th place in the online malware rating, adds the shortcut "Improve your PC" to a computer's desktop without seeking the user's permission first. If the shortcut is clicked, a program is downloaded that demands payment to rectify errors it supposedly detects on the system.

"Cyber fraud requires the participation of users. To prevent users falling victim to the various scams out there, it's very important that they know about them," the author of the report warns.

More detailed information about the IT threats detected by Kaspersky Lab on the Internet and on users' computers in January 2011 is available at http://www.securelist.com