Security News
January Virus Top 10
Mon, 12 February 2007
New Year … new threats … old tricks
Tettnang, 12 February 2007 – Avira today reveals its monthly malware ranking, counting down the worst threats discovered in January. It is only the first month of 2007, and we have already been confronted with a dangerous virus attack.
The extensive media coverage of the terrible hurricane Kyrill, which caused a lot of damage in northern Europe, was a real inspiration for the hackers. On January 23rd Avira specialists noticed e-mail messages spreading that pretended to contain sensational news about the Kyrill hurricane. The authors of these messages were clearly relying on social engineering, using news of the European storm to get people to open the infected attachments. The fake emails contained a Trojan, the so-called "storm worm", which springs into action when the attachment is opened.
The trick has become routine for virus writers: to deceive people it is enough to create emails that look deceptively genuine, give them attention-grabbing subjects, and attach a malicious .exe file or an executable .exe file packed in an archive, usually in .zip format. Despite years of warnings, computer users are still deceived by these scams. Besides the "storm worm" attack, Avira virus analysts detected two other threats that also used social engineering: the false 1&1 and GEZ invoices.
The emails detected on January 8th that seemed to come from 1&1 had the subject "Invoice from 26.12.2006" (Rechnung vom 26.12.2006) and viral code hidden in the attached file "Rechnung.pdf.exe". Avira AntiVir proactively detected the malware as HEUR/Crypted and the current VDF classified it as "TR/Dldr.iBill.A". A week later came the same trick with a different subject: emails with false GEZ (Central radio and television toll collecting agency) invoices were seeded. Like the other threat, the false invoice demands payment of a three-digit amount. This time too, AntiVir proactively detected the Trojan as HEUR/Malware and the current VDF classified it as "TR/Dldr.iBill.C". These malicious schemes were almost certainly created by the same malware author, who made use of people's curiosity or greed. And the wave of fake invoices continued to spread. The false 1&1 and GEZ invoices came back by email on January 23rd, with new versions of the Trojan "TR/Dldr.iBill" attached.
Other recent tricks are so-called invoices from Neckermann, returned debits at eBay, orders from Sunrise or credit card debits by Dell via PayPal. Avira advises users to carefully check attachments for the extensions .exe and .zip and not to click on executable program files in connection with online invoices. Files from uncertain sources should never be opened.
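A mail-gateway style check for the attachment pattern described above (a bare .exe, a disguised double extension such as "Rechnung.pdf.exe", or an executable packed in a .zip), generalized to a few other executable extensions. This is an added example, not Avira's code; the extension lists, function names and the sample mail are assumptions constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage

# Illustrative, non-exhaustive lists (assumptions of this example).
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd"}
DECOY_EXTS = {"pdf", "doc", "txt", "jpg", "xls"}  # e.g. "Rechnung.pdf.exe"

def classify_name(name):
    """Return a finding for one file name, or None if it looks harmless."""
    # Windows ignores trailing dots and spaces, so strip them before splitting.
    parts = name.lower().rstrip(". ").rsplit("/", 1)[-1].split(".")
    if len(parts) < 2 or parts[-1] not in EXECUTABLE_EXTS:
        return None
    if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
        return "double-extension executable"
    return "executable"

def scan_message(raw):
    """Return sorted (attachment, finding) pairs for a raw RFC 822 message."""
    findings = []
    for part in message_from_bytes(raw).walk():
        name = part.get_filename()
        if not name:
            continue
        candidates = [(name, name, "")]
        if name.lower().endswith(".zip"):
            try:
                with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True) or b"")) as zf:
                    candidates += [(f"{name}!{m}", m, " inside archive") for m in zf.namelist()]
            except zipfile.BadZipFile:
                findings.append((name, "unreadable archive"))
        for label, filename, suffix in candidates:
            verdict = classify_name(filename)
            if verdict:
                findings.append((label, verdict + suffix))
    return sorted(findings)

def build_sample():
    """Constructed test mail; only the name Rechnung.pdf.exe is from the article."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("constructed sample body")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("story/Full Story.exe", b"placeholder bytes, not a program")
    for fname, data in [("Rechnung.pdf.exe", b"x"), ("news.zip", buf.getvalue()), ("terms.pdf", b"x")]:
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=fname)
    return msg.as_bytes()
```

Archives that cannot be parsed are reported rather than passed silently, since a gateway cannot inspect what it cannot open.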
But it is no surprise that old tricks are still the most dangerous ones. Take, for example, the never-dying Netsky.P, which is not only still spreading but continues to infect so many computers that it is the number one threat, with 23.4 % of all malicious programs discovered in January. Because Windows XP systems get the removal tool delivered by Microsoft during the update process, we assume that the majority are older Windows operating systems without AV protection. Maybe the launch of Vista at the end of January will bring a decrease of Netsky.P over the next months.
And besides Netsky we have the Mytobs, other old-timers which still cause damage to computer systems. After Mytob variants disappeared completely from the November Virus Top 10, we can now observe that they represented the most prevalent malware family in January 2007, with five members in the virus chart. The reason is probably the disappearance of the Stration versions, as we predicted in November.
One year after it was discovered, on the 19th January 2006, the worm KillAV.GR reappeared in our Virus Top 10. As its name clearly states, this viral infection disables security applications and uses its own email engine for spreading. Worm/Mytob.MR was also discovered in January 2006. Malicious anniversary or simple coincidence?
According to our statistical data, spam emails represented 82.51 % of all email submissions detected on our trap system in January 2007. And the worst is yet to come, as Avira experts anticipate that the percentage of spam emails will continue to rise in 2007. Lately spammers have developed new techniques to make spam hard for spam filters to analyze, such as randomly colored shapes as background and text written in waves.
Only 5.10 % of malicious samples detected during January have been classified as viruses and 12.40 % were phishing attacks.
Here is a shot of our January Virus Top 10:
For technical information on any of these worms, please see the detailed descriptions on the Avira website. Also, please keep in mind that all Avira users are perfectly protected against these threats.
Make sure you update your Avira product on a regular basis in order to detect the latest threats.
As for the monthly analysis of phishing scams, we find little change in the phishing ranking in January.
For more information on how to recognize a phishing fraud, take your time to read our dedicated page.
New targets of phishing emails that had never been seen before were discovered in January:
Australian and New Zealand Banking Group and
Catoosa Teachers Federal Credit Union.
Avira strongly recommends that all users be careful with suspicious emails and unexpected attachments, no matter what interesting subjects they might claim to be carrying, and update their security product on a regular basis.
For more information on how to recognize a phishing fraud, take your time to read our dedicated page:
http://www.avira.com/en/threats/what_is_phishing.html
Remember that we are here to assist you against the malware threat. Get rid of your doubts when facing a suspect file: just send it to virus@avira.com and we will analyze it for you. Take a moment to see how to submit malware and then follow our instructions to send the suspicious file:
http://www.avira.com/en/support/submit_suspicious_files.html