Dr.Web anti-virus
Doctor Web news - News of Doctor Web
 
December 30, 2008 Doctor Web, Ltd., a Russian developer of IT-security solutions, announces a release of a fixed weekly virus database update – drw50005.vdb ( drw44472.vdb drw433ba.vdb ). The update has been re-released in order to fix errors while curing Win32.HLLP.Whboy.98. The fixed update is available for download on all update servers of Doctor Web, Ltd. and will be automatically downloaded to all machines protected by Dr.Web solutions.
  Mon, 29 Dec 2008 01:00:00 +0100
December 24, 2008 Doctor Web — the Russian developer of IT security tools branded Dr.Web — reports on another successful deployment of its innovative Internet service by DUCAT, the largest alternative telecom operator in Kazakhstan. All customers of the company can subscribe to the Dr.Web anti-virus service and get reliable anti-virus and anti-spam protection for their desktop computers and laptops. The service will be provided free of charge for two months.

In the 21st century, information has become one of the most important assets. Naturally, a very good tool is required to keep it safe. The security issue is relevant for large companies as well as for home users who use the Internet in their daily routines. Dr.Web AV-Desk allows a provider to help subscribers who can’t implement efficient protection against viruses on their own. The Internet service gives access providers an opportunity to deliver anti-virus and anti-spam protection to an unlimited number of their home and business customers and to perform centralized management of the delivery process.

DUCAT announced successful completion of the internal testing of Dr.Web AV-Desk at the end of November.

“It is clear that Dr.Web AV-Desk will reduce viral traffic and lower repair costs related to damages caused by viruses. We also hope that an anti-virus as a service will significantly increase the loyalty of our existing subscribers and attract new ones”, Elena Shestak, the business manager of DUCAT said.

“We got interested in Dr.Web AV-Desk as an excellent tool to secure our networks and computers of our subscribers who only need to sign up for the service and get reliable anti-virus protection. Our company always tried to maintain the highest quality of provided services and maximum security of its network. Our cooperation with Doctor Web is another step in this direction”, Aleksander Shvetsov, the technical director of DUCAT noted.

“The number of Internet users worldwide is growing. So does the number of viral threats. A top-quality security solution is required to minimize security risks. Such a solution should also be available to corporate customers as well as ordinary people. Dr.Web AV-Desk allows provider companies to deliver the anti-virus as a service making it much easier to obtain and to use”, Boris Sharov, the director-general of Doctor Web commented upon the introduction of the anti-virus service by DUCAT.

About Dr.Web AV-Desk

The Internet service was developed by Doctor Web in 2007. It allows service providers to deliver the anti-virus protection service powered by Dr.Web for Windows to an unlimited number of subscribers. A service provider also receives a tool for centralized management of the delivery process. Deployment of Dr.Web AV-Desk gives subscribers an opportunity to use the anti-virus from Doctor Web as a service: select a desired subscription term (1-36 months) and plan their expenses on anti-virus protection. The innovative model that turns information security software into a service ensures instant delivery of an anti-virus, making it extremely easy to renew for any user regardless of geographical location.
December 18, 2008 Doctor Web — the Russian developer of IT security tools — releases Dr.Web Security Space.

Dr.Web Security Space (Windows Vista/2000/XP) features all components required to provide comprehensive protection of a computer against Internet threats: viruses, rootkits, mail worms, hack-tools, spam, phishing messages, infected web-pages and cyber crimes targeting children.

New features of Dr.Web Security Space

* SpIDer Gate™ HTTP monitor
SpIDer Gate™ protects against malware attempting to get into a system via HTTP. It intercepts all HTTP connections, filters all data received from the Internet (files, applets, scripts) and blocks access to infected web-pages and dangerous web-resources. It is compatible with all known web-browsers. The filtering doesn’t increase traffic or slow down the system or web-surfing.

* Dr.Web parental control
It will protect your children against unwanted web-resources and shield them from contacts with cyber-criminals. It can also disable usage of removable data storage devices and block access to network devices, files and folders so your personal information won’t be deleted accidentally or compromised by a third party.

Low-cost upgrade to Dr.Web Security Space

Starting December 18, 2008, users of Dr.Web for Windows. Anti-virus&Anti-spam will be able to upgrade to Dr.Web Security Space free of charge. Download the distribution file and copy your current key file used to run Dr.Web for Windows into the installation directory.

Users of Dr.Web anti-virus for Windows can upgrade to Dr.Web Security Space at the price of renewal. If you choose to upgrade to Dr.Web Security Space, a new license period will be added to the current one, so you will be able to use new features of Dr.Web Security Space right after you register the renewal license. The full text of the upgrade offer.
  Thu, 18 Dec 2008 01:00:00 +0100
December 18, 2008 Doctor Web — the Russian developer of IT security software branded Dr.Web — releases Dr.Web for Windows 5.0.

“Change of a version number always marks another milestone in development of Dr.Web software. Growing complexity of contemporary threats relevant for virtually any user drove us to focus on cutting-edge protection features that would deflect attacks of known viruses and secure users from unknown malware. Some features of the new Dr.Web have no look-likes in any other anti-virus available nowadays”, the author of Dr.Web anti-virus and technical director of Doctor Web Igor Danilov commented upon the release.

New features and improvements

Cures what others fail to detect

Successful curing of active infections, exceptional resistance to viruses, unique technologies for scanning processes in RAM and unsurpassed capabilities for neutralizing active infections, which allow Dr.Web to be installed on an infected machine, remain key technological advantages of Dr.Web software. It also disarms complex viruses like MaosBoot, Rustock.C, Sector. Technologies that enable Dr.Web to counter active viruses rather than simply detect collected malware samples have been further developed and honed for the new version.

Immunity

Dr.Web for Windows 5.0 is very good at protecting itself and resisting attacks of malware. Dr.Web SelfPROtect controls access to and modification of files, processes, windows and keys of the Windows Registry related to the application. The self-protection module is installed as a driver that can neither be stopped nor unloaded before a system is rebooted.

Advanced detection

The number of entries in a virus database is not the only criterion that determines the efficiency of a present-day anti-virus. It should also be able to recognize unknown threats and be ready to detect viruses that are yet to come. The new feature of Dr.Web 5.0 called FLY-CODE is a universal decompression technology that allows detecting viruses disguised by means of packers unknown to Dr.Web. The anti-virus uses special entries in its database and the heuristic analyzer to suggest whether a packed file contains malicious code.

Origins Tracing™ is a unique non-signature detection technology that has also been brought to a new level in Dr.Web 5.0. It has already proven its efficiency during epidemics that caused data losses to a large number of customers of other vendors. Origins Tracing™ enhances the traditional signature-based scan and the heuristic analyzer and improves detection of unknown malware.

Anti-rootkit

Dr.Web for Windows is one of the few anti-viruses that can detect and neutralize viruses that feature rootkit technologies. Users of other anti-virus products put Dr.Web CureIt!® to good use to cure their machines of rootkits. The new version of Dr.Web features a brand-new version of Dr.Web Shield™ to counter even the next generation of rootkits.

Deep insight

The ability of an anti-virus engine to decompress archives and the depth of scan it can perform affect the quality of detection. Dr.Web can check archived files at any nesting level. Even if a malicious program has been compressed several times using various archiver programs, Dr.Web will detect and disarm it.

Higher performance

Dr.Web for Windows 5.0 has become even faster. Optimization and introduction of new technologies gave a significant boost of speed to the scanning process. Now the scanner checks RAM, boot sectors and files on hard drives thirty percent faster.

New components

SpIDer Gate™

One of the key innovations implemented in Dr.Web 5.0 is a full-fledged HTTP monitor called SpIDer Gate™. It scans incoming and outgoing HTTP traffic and works with all known web-browsers. It doesn’t affect system performance or slow down web-surfing.

Dr.Web parental control

Dr.Web parental control is another new feature implemented in version 5.0. It will protect your children against unwanted web-resources and shield them from contacts with cyber-criminals. It can also disable usage of removable data storage devices and block access to network devices, files and folders so your personal information won’t be deleted accidentally or compromised by a third party. Dr.Web parental control is very efficient and doesn’t interfere with routine activities of a user.

The new components are available only in Dr.Web Security Space.

“The new version comes to the market as two products. The first one is a classical Dr.Web anti-virus for Windows while the second one is Dr.Web Security Space that provides a user with the package of software aiming to secure a system against modern Internet threats. We hope that work of our developers will come in handy for every user concerned with security of their information which we have been protecting since 1992”, Boris Sharov, the director-general of Doctor Web commented.
  Mon, 15 Dec 2008 01:00:00 +0100
December 15, 2008 As the year comes to an end, Doctor Web sums up all events related to malware and outlines trends in its development for 2009.

The share of malicious code in the total number of files scanned on user machines doubled this year, while the amount of spam messages spreading malware dropped significantly due to the widely discussed closure of McColo. At the same time phishing attacks became more frequent. E-mail, removable data storage devices and web-sites have been used to spread malicious code over the Internet.

The number of files with malicious code found by anti-viruses on user machines increased steadily at the beginning of 2008 and by April it had more than quadrupled. The figure didn’t change till July, when the number halved, reaching 0.01% of the total number of scanned files in August. It has remained virtually unchanged till the end of the year, which means that one scanned file out of ten thousand is infected. The diagram below illustrates dependency between the share of infected files and the total number of scanned files.

The subsequent diagram shows how the number of messages containing malicious code changed through the year, with their average share amounting to 0.2-0.25% of the total number of e-mails (meaning that one message in five hundred had malicious code attached or embedded as a script). Following the closure of the company hosting spammers it has reduced to 0.02% (one message in five thousand contains malicious code).

Most notorious species

BackDoor.MaosBoot, Win32.Ntldrbot (Rustock.C) and numerous modifications of Trojan.Encoder have become the most remarkable malicious programs of this year.

BackDoor.MaosBoot places its code in the boot sector and hides its presence in the system using rootkit technologies. Several modifications of this virus have been found since March.

Win32.Ntldrbot turned out to be a master of concealment, with numerous techniques to hide its presence that allowed it to elude virus analysts for several months. The rootkit was so good at hiding that many anti-virus vendors considered it to be no more than a myth. Win32.Ntldrbot features a powerful polymorphic protector implemented as a kernel-level driver and special self-protection and anti-debugging mechanisms. The rootkit also has features of a file virus: it filters all calls to an infected file, injects its code into system processes and starts sending out spam.

Developers of Doctor Web updated the anti-virus software in a timely manner to ensure its efficient operation against BackDoor.MaosBoot and Win32.Ntldrbot. Eventually Dr.Web turned out to be the first anti-virus capable of counteracting the malicious programs without resorting to utilities from a third-party developer.

Trojan.Encoder has also become famous in 2008. The Trojan encrypts documents in a compromised system and offers the victim a decryption utility for purchase. Doctor Web registered several modifications of this malicious program that differed in the length of encryption keys and in their visual manifestation in the system. Dr.Web analysts developed a free decryption utility that can be obtained from the web-site of Doctor Web.

Malicious e-mails

Messages spreading Trojan.DownLoad.4419 and Trojan.PWS.GoldSpy were the most typical cases of distribution of malicious code via e-mail in 2008.

Trojan.DownLoad.4419 got into a system as a “codec” required to view a supposed pornographic video. Authors of the malicious program often modified its executable and changed the packers used to compress the file every now and then. It made detection of the Trojan more difficult for anti-viruses. As usual, prompt updating of the Dr.Web virus database by analysts allowed Dr.Web software to detect numerous variations of Trojan.DownLoad.4419.

A wide variety of techniques was applied to spread Trojan.PWS.GoldSpy, which came as an e-card or as an attachment to a threatening message. In particular, such messages warned a user that he would be disconnected from the Internet due to his violation of a copyright. In recent months Trojan.PWS.GoldSpy increased the number of e-mailed Trojans that featured password stealing. The diagram below represents how the share of Trojan.PWS in the total amount of malicious e-mail changed in 2008.

Social networks

Increased popularity of social networks among users in Russia also attracted the attention of virus makers, who used fake accounts on social networking web-sites to trick users into downloading malicious code.

Now owners of social networking web-resources employ various techniques to secure their customers. Sometimes links sent with messages are displayed as plain text so a user has to copy a link to the address bar of a browser. Another option is displaying a warning to a user who clicks on a link leading to an external web-page. So far such measures have not solved the problem. Doctor Web suggests that all registered visitors of social networking web-sites use high-quality anti-virus software or the free link-checker plugin from Doctor Web to scan linked content for viruses.

ICQ as another tool spreading malware

The ICQ instant messaging service was also used to distribute malicious code this year. Malefactors created new accounts or used trusted UINs of ordinary users whose machines were compromised by malware capable of using the ICQ contact list to send messages.

Removable disks

As removable disks became the most common means to move information from one computer to another, they were also put to use by virus makers as carriers of malicious code that entered the Dr.Web database as Win32.HLLW.Autoruner. Authors of the malware exploited the autorun mechanism of Windows for execution of its code. Removable data storage devices circulated widely among employees of large companies and so did the infection. Companies and governmental establishments were forced to restrict or even ban usage of removable disks.

The next diagram shows how Win32.HLLW.Autoruner Trojans were rated among the most common viruses through 2008. It suggests that virus makers tend to shift their preferences towards removable disks as a means to spread malware. They employ various techniques making it harder to detect, analyze or remove a piece of malicious code from a flash drive.

Win32.Sector

This file virus gets an entire subsection of the review to itself as one of the biggest troublemakers of 2008. It infected executables, injected its code into system processes, disabled UAC in Windows Vista and downloaded other malicious programs from the Internet. See how Win32.Sector was detected by the Dr.Web scanner in 2008 on the graph below.

The last months of the year have been marked by an increased number of phishing attacks. A user received a message that looked like an e-mail from a legitimate financial institution and was prompted to follow a link to a bogus web-site that also looked like the genuine web-site of the corresponding company. Once a user got to such a site, he was lured into submitting personal information including his credit card number and PIN code or the login and password used to access a paid service via the Internet. Such messages were received by customers of such respected banks and service providers as JPMorgan Chase Bank, RBC Royal Bank, Google AdWords, PayPal and eBay.

In 2009, instant messengers, removable disks and other alternative channels for distribution of malware will become even more popular among virus makers. Authors of viruses will be perfecting their techniques, which will provide them with even more complex polymorphic packers and other means to make analysis even more difficult. Numerous vulnerabilities found in operating systems and other software will be exploited by malefactors just as well. Doctor Web also expects that the number of e-mails containing malicious code will be rising at the beginning of 2009.

Detection and curing features of anti-viruses are also being improved. That’s why some cyber criminals have to change their activities. For example, distributors of Trojan.DownLoad.4419 start sending e-mails providing links to advertising web-resources instead of malware.
  Thu, 11 Dec 2008 01:00:00 +0100
December 12, 2008 Doctor Web reports on the discovery of a new Trojan — Trojan.Locker.8 — that emerged on the Internet on December 9, 2008. This malicious program blocks access to files and folders on a hard drive and prompts the victim to contact the authors of the malware for instructions to regain access to their information.

The two megabyte Trojan file packed by ASPack is rather large for malware.

When the Trojan is launched, a key generator window appears on the screen. While the window has nothing to do with the actual activities of the malicious program, it shows that Trojan.Locker.8 can be disguised as a key generator designed by crackers to activate software products by Adobe Systems.

Figure: Key generator for Adobe Systems products

Once launched, Trojan.Locker.8 renames files and folders on all disk partitions except the system partitions. New file names violate Windows file naming standards, so files become inaccessible even though their content is unchanged. After that the program creates its copy (answer.exe) on the desktop and on all partitions containing inaccessible files. Running the file shows a warning message that informs a user that his data has been locked and prompts him to contact the authors of the Trojan to unlock it, using contact information provided in the message.

Files on the system drive also become inaccessible, including files placed in My Documents and on the desktop, even though the virus makers claim that no changes are made to the system drive.

Doctor Web offers a free utility to unlock access to files in a system compromised by the Trojan. It can be downloaded from the official web-site of the company. Doctor Web strongly advises against contacting the virus makers.
  Tue, 09 Dec 2008 01:00:00 +0100
December 9, 2008 Subscribers of the TRINITY network receive free anti-virus protection following another successful deployment of Dr.Web AV-Desk in the Krasnoyarsk region.

PUBLICITY, the company that owns and administers the TRINITY network, decided to adopt Dr.Web AV-Desk in autumn 2008. The anti-virus as a service aroused the interest of subscribers during the testing period. Even then Dr.Web AV-Desk reduced the number of support calls that were often caused by activities of malware.

“Maximum comfort of subscribers is the corner stone of our network administration policy that drove us to search for a simple way to secure our customers from possible virus attacks. Some users lack experience or skill to configure software installed on their machines properly, let alone protection against malware spreading on removable devices, via e-mail and HTTP traffic. The only solution capable of protecting a large network available on the market at that moment was Dr.Web AV-Desk. It fulfilled our requirements as an easy-to-use and reliable anti-virus tool providing centralized real-time virus monitoring and friendly user interface”, Andrei Aleksandrov, the head of PUBLICITY said.

About Dr.Web AV-Desk

The Internet service was developed by Doctor Web in 2007. It allows service providers to deliver the anti-virus protection service powered by Dr.Web for Windows to an unlimited number of subscribers. A service provider also receives a tool for centralized management of the delivery process. Deployment of Dr.Web AV-Desk gives subscribers an opportunity to use the anti-virus from Doctor Web as a service: select a desired subscription term (1-36 months) and plan their expenses on anti-virus protection. The innovative model that turns information security software into a service ensures instant delivery of an anti-virus, making it extremely easy to renew for any user regardless of geographical location.

More than fifty provider companies have already deployed Dr.Web AV-Desk in Russia, Ukraine, Kazakhstan, Kyrgyzstan and Estonia. Following results shown by the service in 2007 it was named the best product-service by PC Magazine Russia. In September 2008 Dr.Web AV-Desk.
December 8, 2008 Now Dr.Web AV-Desk delivers the anti-virus service to customers of the e-BS company (translated from Russian as electronic business systems), which provides accounting software for the document workflow system of the Pension Fund of the Russian Federation.

Originally Dr.Web AV-Desk targeted IT service providers. The number of successful deployments on the territory of Russia and the CIS has already exceeded 50. Meanwhile the anti-virus as a service, providing comprehensive protection against viruses, Trojans and other malware, turned out to be relevant for companies involved in other types of business. Dr.Web AV-Desk has been adopted by Yandex.Money and a social network of the Russian city of Novosibirsk.

The e-BS company provides accounting software for the document workflow system of the Pension Fund of the Russian Federation in Siberia. Dr.Web AV-Desk was deployed by the company in autumn 2008. Since December customers of e-BS can sign up for the Dr.Web anti-virus service and get protection against the latest modifications of malware.

“The security of information is an urgent issue for any company because it affects its competitive capabilities and its image. The deployment of Dr.Web AV-Desk brings our customers reliable protection against various threats and contributes to creation of safe working environment”, Sergei Mullov, the head of e-BS said.

About e-BS

E-BS is a multi-industry company focusing on information security and development of information and telecom systems based on state-of-the-art network technologies. The number of business customers of e-BS exceeds six thousand.
  Thu, 04 Dec 2008 01:00:00 +0100
December 4, 2008 Doctor Web has renewed its license for development of information security tools from the Federal Service on Technical and Export Control.

The new license has been given to Doctor Web as the previous license expired. Doctor Web is entitled to develop information security tools including technical means of information security, tools for processing of protected information, tools controlling efficiency of information security and software for information security and its control. The new license will be valid till 2013.

In 2008 Doctor Web also renewed a license from the Russian Ministry of Defence for activities involving development of information security tools and a license from the Federal Security Service for activities involving access to state secret information.
  Tue, 02 Dec 2008 01:00:00 +0100
December 2, 2008 Doctor Web — the Russian developer of IT security solutions branded Dr.Web — reports on the introduction of the Dr.Web anti-virus service by the CSN Internet service provider, which has become the third company protecting its subscribers by means of Dr.Web software in the Belgorod region.

One of the largest provider companies in the region started delivering the anti-virus service to its subscribers at the end of November following a successful deployment of Dr.Web AV-Desk. The innovative Internet service has already been put to good use by more than fifty access providers in Russia and the CIS offering their customers efficient protection against malware and spam along with broadband Internet.

Prior to the deployment numerous home and small business customers were constantly faced with the threat of infection that would spread all over the network from a single compromised host.

“Dr.Web AV-Desk fully complies with our requirements to anti-virus software. It is very easy to install and the price is quite reasonable. Add low use of traffic and subscription management tool and you get as many benefits as no other anti-virus software can provide”, Vladimir Ilyin, the manager of information systems department at CSN commented on cooperation of the ISP with Doctor Web.

The test deployment of Dr.Web AV-Desk lowered the number of network failures caused by malware and reduced spam traffic. The number of calls for support also went down.

“Hopefully the deployment will raise the security of our subscribers to the level that would make their work in the Internet safe and comfortable and consequently strengthen our position on the local provider market”, Aleksy Prokopenko, the head of CSN said.

About CSN

CSN is an ISP operating in the Belgorod region with its wireless and optical fiber networks found in virtually every town. The company also plans, builds and administers computer systems and networks, distributes computer hardware and maintains office automatic telephone systems.

About Dr.Web AV-Desk

The Internet service was developed by Doctor Web in 2007. It allows service providers to deliver the anti-virus protection service powered by Dr.Web for Windows to an unlimited number of subscribers. A service provider also receives a tool for centralized management of the delivery process. Deployment of Dr.Web AV-Desk gives subscribers an opportunity to use the anti-virus from Doctor Web as a service: select a desired subscription term (1-36 months) and plan their expenses on anti-virus protection. The innovative model that turns information security software into a service ensures instant delivery of an anti-virus, making it extremely easy to renew for any user regardless of geographical location.

More than fifty provider companies have already deployed Dr.Web AV-Desk in Russia, Ukraine, Kazakhstan, Kyrgyzstan and Estonia. Following results shown by the service in 2007 it was named the best product-service by PC Magazine Russia. In September 2008 Dr.Web AV-Desk.
December 1, 2008 The closure of McColo Corporation responsible for 75 per cent of world wide spam traffic divided the reported month into two equal parts. Even though e-mail remains the most common means to spread malware virus makers also find other ways to bring malicious code to user machines AutoIt-worms A freeware automation language for Windows called AutoIt is very easy to learn and provides wide opportunities for virus makers. The last month showed their growing interest in this scripting language. Even though an AutoIt program is written as a script, such a script can be compiled into a packed executable with its shrouded code being very hard to analyze. November saw an AutoIt worm spreading via removable data storage devices instead of e-mail. Viruses spreading on removable devices are especially dangerous for companies and governmental institutions forced to introduce special measures to contain the infection. Companies adopt software that allows them to restrict usage of removable devices and sometimes impose a temporary ban on use of removable drives. Dr.Web anti-virus 5.0 currently undergoing open beta-testing allows to unpack files of an AutoIt worm and to analyze its scripts. Viruses written in this script language enter the Dr.Web database as Win32.HLLW.Autoruner. Mail viruses Prior to the closure of McColo spam mailings distributing malware came in high numbers. Below we will take a closer look at diverse methods used to lure a user to launch a malicious file. Trojan.PWS.GoldSpy.2454 was disguised as an e-card. Even though fake cards have long been known to Internet community they still remain efficient. The name of a malicious file is card.exe. Messages with a link to a malicious file were used to spread another modification of the malware – Trojan.PWS.GoldSpy.2466. [IMAGE] Trojan.DownLoad.3735 was spread as a file with a double extension – the attached active_key.zip contained the active_keys.zip.exe file. 
The message informed a user that his account was suspended upon a corresponding request supposedly sent by the victim. A user was also offered to activate the account. However, the message didn’t provide any reference to a service related to the blocked account. No wonder that details of the activation were said to be found in the attached document which turned out to be an executable file containing malicious code. Other messages spreading the same Trojan informed a user upon changes in certain clauses of an agreement. [IMAGE] Messages with attached Trojan.PWS.GoldSpy.2456 threatened a user with a forced disconnection from the Internet caused by a violation of the copyright. Activates of a victim related to the alleged violation for the last six months were said to be listed in an attached file (user-EA49945X-activities.exe) which was nothing more than another malicious program. The U.S presidential election was also used as a message topic in e-mails spreading the Trojan. [IMAGE] Another mailing notified a user upon a failed delivery of a package caused by an incorrect recipient address. An attached invoice was detected by Dr.Web as Trojan.PWS.Panda.31 [IMAGE] .Our analysts also registered several mailings advertising easy money on eBay. An html-file attached to a message was detected by Dr.Web as Trojan.Click.21795. The file contained an encrypted script that directed a user to a web-site advertising training courses. Another similar mailing advertised a new way of advertising using RSS and free promotion of web-sites using services by Google and Yahoo The closure of McColo Corporation reduced spam traffic significantly but was only a short outage. Now mailings related to malware have been short-term though the spam traffic sometimes has been rather high. Such mailings included Trojan.PWS.Panda.31 spam e-mails and messages containing an encrypted script detected by Dr.Web as Trojan.Click.21795. 
Authors of Trojan.DownLoad.4419 applied a new technique, offering a link to download a beta version of Internet Explorer 8 from a bogus web-site.

A mailing in German described in the previous review from Doctor Web also reemerged. It prompted a user to view important financial information provided in an attached file. Earlier, the shortcut and the piece of malicious code had been placed in one folder contained in the attachment, while in November they were separated, with the shortcut placed outside the folder. Dr.Web detects this Trojan program as Trojan.DownLoad.16843.

Phishing

November 2008 also saw a wave of phishing targeting users of online payment systems, Internet banking and other paid services in several countries. In particular, customers of JPMorgan Chase Bank and RBC Royal Bank and users of AdWords and PayPal became victims of the phishing attack.

Specialists of the virus monitoring service of Doctor Web added 25 461 entries to the virus database in November, an average of 850 new entries per day. Mind that one entry in the Dr.Web database allows the software to detect numerous modifications of one virus. The figures show that regular updating of anti-virus software as often as once per hour is becoming a necessity. Dr.Web automatic updating provides such an updating frequency quite easily. In addition, a good anti-spam module becomes indispensable for normal work, protecting against irrelevant and harmful e-mail messages.
Malware detected in e-mail traffic in November
01.11.2008 00:00 - 01.12.2008 00:00
1 Win32.HLLM.MyDoom.based 13741 (15.33%)
2 Win32.Virut 13036 (14.55%)
3 Win32.HLLM.Alaxala 5705 (6.37%)
4 Trojan.MulDrop.13408 4534 (5.06%)
5 Win32.HLLM.Beagle 4426 (4.94%)
6 Trojan.MulDrop.16727 4206 (4.69%)
7 Trojan.PWS.GoldSpy.2456 4145 (4.63%)
8 Win32.HLLW.Autoruner.2640 3032 (3.38%)
9 Trojan.MulDrop.18280 2580 (2.88%)
10 Trojan.PWS.Panda.31 2228 (2.49%)
11 Trojan.DownLoad.16843 2192 (2.45%)
12 Win32.HLLM.Netsky.35328 1888 (2.11%)
13 Win32.Virut.5 1497 (1.67%)
14 Win32.HLLM.MyDoom.33 1442 (1.61%)
15 Win32.HLLM.Netsky 1361 (1.52%)
16 Trojan.PWS.GoldSpy.2454 1328 (1.48%)
17 Trojan.MulDrop.19648 1310 (1.46%)
18 Win32.HLLW.MyDoom.43010 1306 (1.46%)
19 Win32.HLLM.Mailbot 1305 (1.46%)
20 Trojan.DownLoad.3735 1212 (1.35%)

Malware detected on user machines in November
01.11.2008 00:00 - 01.12.2008 00:00
1 Win32.HLLW.Gavir.ini 2039696 (21.98%)
2 Win32.HLLM.Lovgate.2 414507 (4.47%)
3 VBS.Autoruner.7 310657 (3.35%)
4 Win32.HLLM.Generic.440 288404 (3.11%)
5 VBS.Autoruner.8 277825 (2.99%)
6 Win32.Alman 275230 (2.97%)
7 DDoS.Kardraw 252853 (2.72%)
8 Win32.HLLP.Whboy 198018 (2.13%)
9 Trojan.Recycle 192769 (2.08%)
10 Win32.HLLP.Neshta 177445 (1.91%)
11 Win32.HLLP.Jeefo.36352 168291 (1.81%)
12 Win32.Virut.5 154206 (1.66%)
13 Win32.HLLW.Autoruner.274 147315 (1.59%)
14 Trojan.DownLoader.42350 132782 (1.43%)
15 Win32.HLLW.Autoruner.3631 120982 (1.30%)
16 VBS.Generic.548 110152 (1.19%)
17 Win32.HLLO.Black.2 97456 (1.05%)
18 Win32.HLLW.Autoruner.2805 89892 (0.97%)
19 Win32.HLLW.Cent 88296 (0.95%)
20 Trojan.MulDrop.18538 86521 (0.93%)
November 27, 2008 Doctor Web reports a significant increase in new viruses spreading on removable data storage devices. Malicious programs created using the AutoIt scripting language, with their obfuscated code, are very hard to analyze.

Automatic launch of malicious code placed on a removable device has become one of the main causes of infection in recent months. The malicious code is classified by Dr.Web as Win32.HLLW.Autoruner. The number of new viruses grows along with the popularity of AutoIt (a freeware automation language for Windows). The language is very easy to learn and provides wide opportunities for virus makers. The script code of such a virus can also include other malicious binary files, all of them compressed using various packers. When other malware is included in an AutoIt script, it becomes very hard for anti-virus software to detect.

Viruses infecting systems from removable devices have become an urgent issue, with many companies and governmental institutions restricting usage of removable data storage devices by employees. Thus the US army suspended the use of USB disks and flash drives, aiming to contain the spread of a worm in its networks. Many companies also adopt special software that restricts usage of removable devices.

“Various executable packers and obfuscated code are typical techniques employed by virus makers. Now they use features of the AutoIt scripting language to which we provide a prompt response. For example the beta-version of the Dr.Web anti-virus 5.0 currently in public testing features recompilation of AutoIt malware that allows analyzing malicious scripts and unpacking executables included in AutoIt worms”, Vladimir Martyanov, the virus analyst of Doctor Web remarked.

Doctor Web recommends that all Windows users disable autorun for removable data storage devices (USB flash drives, CD/DVD, removable hard drives) to reduce the risk of infection.
Besides, files placed on a device should be checked using an anti-virus with the latest virus definitions before you launch or open any of the files.
  Tue, 25 Nov 2008 01:00:00 +0100
November 25, 2008 Doctor Web warns Internet users of a mail-virus epidemic that started on November 25. Though the recent closure of web host McColo Corporation reduced spam levels by as much as 70 percent, malefactors are persistent in their search for new ways to spread malware with spam. One such mailing now amounts to 50 percent of infected mail traffic.

Starting November 25, users began receiving messages in German with the attached abrechnung.zip file (translated into English as “statement of account”). The message text can differ, but the aim is to lure a user into opening the attached file. The attached archive contains abrechnung.lnk and the scann folder with the scann.a file. This executable file is detected by Dr.Web anti-viruses as Trojan.DownLoad.16843.

The file structure of the archive suggests that a user is meant to launch the abrechnung.lnk file (by default its extension is hidden in Windows Explorer) instead of opening the folder. Eventually the scann.a file will be launched. This executable injects malicious code into the svchost.exe and explorer.exe processes and downloads other components of the malware from servers located in China. This Trojan can also spread as the system.exe file on removable disks.

According to the virus laboratory of Doctor Web, spam messages spreading Trojan.DownLoad.16843 amount to 50 percent of infected mail traffic.

Messages with links to pages containing Trojan.DownLoad.4419 are also back. The latest mailing related to the Trojan started Monday evening. This time a user was offered a download of a beta version of Microsoft Internet Explorer 8 instead of an adult video.

Doctor Web recommends solutions from its Dr.Web Security Suite to ensure anti-virus and anti-spam protection. As usual, users should also be careful when deciding whether to follow instructions provided by a suspicious message about free services or fiscal claims.
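The two attachment layouts described in these reports (the abrechnung.zip archive with a shortcut beside a folder holding scann.a, and the active_keys.zip.exe double extension from the November review) can be flagged at a mail gateway from member names and first bytes alone. The following is an added example, not Doctor Web's code; the extension lists, reason labels and sample archives are constructed for illustration.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Assumed policy lists for this example; tune them for a real gateway.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif"}
SHORTCUT_EXTS = {".lnk"}          # Explorer hides this extension by default
DECOY_EXTS = {".zip", ".doc", ".pdf", ".txt", ".jpg"}


def triage_zip(data: bytes) -> dict:
    """Return {member name: [reasons]} for suspicious members of a ZIP attachment."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            suffixes = [s.lower() for s in PurePosixPath(info.filename).suffixes]
            last = suffixes[-1] if suffixes else ""
            reasons = []
            if last in EXECUTABLE_EXTS:
                reasons.append("executable")
                # e.g. active_keys.zip.exe: a harmless-looking extension before .exe
                if len(suffixes) >= 2 and suffixes[-2] in DECOY_EXTS:
                    reasons.append("double-extension")
            if last in SHORTCUT_EXTS:
                reasons.append("shortcut")
            # Read only the first two bytes: a DOS/PE "MZ" header under a
            # non-executable name (e.g. scann.a) is a content/name mismatch.
            with zf.open(info) as fh:
                if fh.read(2) == b"MZ" and last not in EXECUTABLE_EXTS:
                    reasons.append("pe-header-under-other-extension")
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_zip(members: dict) -> bytes:
    """Build an in-memory ZIP from {name: bytes}; used only for the samples below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: file names come from the reports, contents are inert placeholders.
FAKE_PE = b"MZ" + b"\x00" * 62
GERMAN_MAILING = build_zip({
    "abrechnung.lnk": b"constructed shortcut placeholder",
    "scann/scann.a": FAKE_PE,
})
DOUBLE_EXTENSION = build_zip({"active_keys.zip.exe": FAKE_PE})
BENIGN = build_zip({"report.txt": b"quarterly figures"})

if __name__ == "__main__":
    for label, sample in [("german mailing", GERMAN_MAILING),
                          ("double extension", DOUBLE_EXTENSION),
                          ("benign", BENIGN)]:
        print(label, triage_zip(sample))
```

Any non-empty result is a reason to quarantine the attachment for scanning rather than deliver it.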
November 24, 2008 On November 22, 2007 Doctor Web launched the innovative Dr.Web AV-Desk service as a part of its development strategy, following the latest trends of the anti-virus software market. The first deployment took place at one of the largest ISPs in Moscow. Currently Dr.Web anti-virus as an online service is used by hundreds of thousands of registered subscribers of over fifty providers in Russia, Ukraine, Kazakhstan, Kyrgyzstan, Estonia, Bulgaria and China.

In one year Dr.Web anti-virus has reached the farthest regions of Russia, where one would have a hard time searching for a boxed software product. Dr.Web AV-Desk brought reliable anti-virus protection to every computer connected to the Internet. Distribution channels of provider companies made the anti-virus available to people from various social groups and allowed the companies to profit from the security of their networks. And it turns out that Dr.Web AV-Desk has come to the right place at the right time.

The numerous benefits brought by the Internet service have been fully appreciated by service providers. Activities of malware have a negative impact on the quality of access services and on the reputation of a provider. Here Dr.Web AV-Desk steps in as a very efficient tool reinforcing the loyalty of customers who want not just to have services but to have them safely.

One of the keys to the success of the anti-virus service is its easy subscription procedure. Following the Security as a Service principle, it comes as another online service. A user obtains an installer download link with one mouse-click in his personal area at the website of a provider company.

A complete list of companies offering the anti-virus service can be found at the web-page of “The Web!” project that was announced by Doctor Web in August 2008. The easy-to-use search system allows a user to find companies delivering the Dr.Web anti-virus in his region.
The stats section can provide useful information to mass media writing about IT and telecommunication. The statistical data, updated every twenty-four hours, is collected automatically from several Dr.Web AV-Desk servers.

It’s not only ISPs that are interested in the Dr.Web anti-virus service. It also protects users of a social network and is being tested in several online banking systems. Dr.Web AV-Desk has already been deployed successfully at Yandex.Money, offering protection against stealers of passwords and other personal information to more than one million of its customers.

Time goes by and the potential of the software appears to be unlimited. The next year will see another Internet service from Doctor Web – Dr.Web Mail Desk.

About Dr.Web AV-Desk

The internet service was developed by Doctor Web in 2007. It allows service providers to deliver the anti-virus protection service powered by Dr.Web for Windows to an unlimited number of subscribers. A service provider also receives a tool for centralized management of the delivery process. Deployment of Dr.Web AV-Desk gives subscribers an opportunity to use the anti-virus from Doctor Web as a service: select a desired subscription term (1-36 months) and plan their expenses on anti-virus protection. The innovative model that turns information security software into a service ensures instant delivery of an anti-virus, making it extremely easy to renew for any user regardless of his geographical location. More than fifty provider companies have already deployed Dr.Web AV-Desk in Russia, Ukraine, Kazakhstan, Kyrgyzstan, Bulgaria, China and Estonia. Following results shown by the service in 2007 it was named the best product-service by PC Magazine Russia. In September 2008 Dr.Web AV-Desk was awarded the large golden medal of the Siberian Fair as an original technical and telecom solution.
November 24, 2008 Doctor Web reports on the deployment of Dr.Web AV-Desk by another service provider in the Moscow region giving all subscribers of STUPINO.SU an opportunity to subscribe to the Dr.Web anti-virus protection service.

Striving to secure its subscribers and attract new customers the ISP has adopted Dr.Web AV-Desk. Now Internet users in the town of Stupino get reliable anti-virus and anti-spam protection complying with the highest security standards. Dr.Web anti-virus software operates virtually unnoticed by a user and downloads all necessary updates automatically.

“We introduced the Dr.Web anti-virus protection service to give our subscribers an easy-to-use and efficient tool for protection of their computers against various types of malware. We hope that our fruitful cooperation with Doctor Web will continue in the future”, Dmitry Ledov, a leading IT specialist of SKS Telecom commented upon a commercial launch of the service.

About Dr.Web AV-Desk

The internet service was developed by Doctor Web in 2007. It allows service providers to deliver the anti-virus protection service powered by Dr.Web for Windows to an unlimited number of subscribers. A service provider also receives a tool for centralized management of the delivery process. Deployment of Dr.Web AV-Desk gives subscribers an opportunity to use the anti-virus from Doctor Web as a service: select a desired subscription term (1-36 months) and plan their expenses on anti-virus protection. The innovative model that turns information security software into a service ensures instant delivery of an anti-virus making it extremely easy to renew for any user regardless of his geographical location. More than fifty provider companies have already deployed Dr.Web AV-Desk in Russia, Ukraine, Kazakhstan, Kyrgyzstan and Estonia. Following results shown by the service in 2007 it was named the best product-service by PC Magazine Russia. In September 2008 Dr.Web AV-Desk.
About SKS Telecom (Stupino.Su network) The company builds a single multi-service network based on ETTH. Optic fiber and most up-to-date equipment will allow the company to deliver a wide package of top-quality telecom services in Stupino.
  Thu, 20 Nov 2008 01:00:00 +0100
November 20, 2008 Doctor Web — the Russian developer of IT security solutions branded Dr.Web — has updated Dr.Web LiveCD, used to restore a system rendered unbootable after a virus attack.

Now Dr.Web LiveCD can also be loaded from a flash drive using the CreateLiveUSB script. A user can specify the partition of a flash drive on which he wants to place Dr.Web LiveCD. If no partition is specified, CreateLiveUSB will enter a stand-by mode. After that a user needs to insert a flash drive into a USB port. The script won’t change or remove any data stored on the device. However, it is recommended to back up the files on another drive before you use it to load Dr.Web LiveCD.

Besides, the updated version features support for Intel graphics chips (i810 drivers) and fixes issues with Matrox video cards and an X.Org video driver for Intel. Some changes have also been made to rule out any boot errors.

Dr.Web LiveCD is available for free. The updated version can be obtained at http://www.freedrweb.com.
  Wed, 19 Nov 2008 01:00:00 +0100
November 19, 2008 Doctor Web – the Russian developer of IT security solutions branded Dr.Web – announces a successful deployment of Dr.Web AV-Desk in the network of the Globalnie Telesystemi company that provides the Internet to citizens of the Yaroslavl region. The company has joined “Nauka-svyaz” and “Zavolga.Net” that already deliver anti-virus and anti-spam protection as a service in the region.

Successful internal testing of the Dr.Web AV-Desk Internet service is followed by its commercial launch. Starting in November 2008 Globalnie Telesystemi offers its customers the option to sign up for the Dr.Web anti-virus service, receive reliable protection against viruses and other malware, and use the service free of charge till December 31.

“While surfing the web our customers being unaware of a danger often fell victim to viruses. As we detected a dramatic increase of traffic for an infected host, our specialists had to disconnect it to cure an infected system. Of course it took time and extra resources. That’s why we started searching for a solution that would protect computers of our subscribers and wouldn’t be too costly. Now the Internet service from Doctor Web allows any of our customers to use the Dr.Web anti-virus service. And it is much more convenient than buying a boxed anti-virus”, Mikhail Zilberman, the head of Globalnie Telesystemi said.

About Dr.Web AV-Desk

The Internet service was developed by Doctor Web in 2007. It allows service providers to deliver the anti-virus protection service powered by Dr.Web for Windows to an unlimited number of subscribers. A service provider also receives a tool for centralized management of the delivery process. Deployment of Dr.Web AV-Desk gives subscribers an opportunity to use the anti-virus from Doctor Web as a service: select a desired subscription term (1-36 months) and plan their expenses on anti-virus protection.
The innovative model that turns information security software into a service ensures instant delivery of an anti-virus, making it extremely easy to renew for any user regardless of his geographical location. More than forty provider companies have already deployed Dr.Web AV-Desk in Russia, Ukraine, Kazakhstan, Kyrgyzstan and Estonia. Following results shown by the service in 2007 it was named the best product-service by PC Magazine Russia. In September 2008 Dr.Web AV-Desk was awarded the large golden medal of the Siberian Fair as an original technical and telecom solution.
November 18, 2008 Doctor Web — the Russian developer of IT security solutions branded Dr.Web — unveils the beta-version of Dr.Web for Windows 5.0. Now the anti-virus engine works up to 30% faster compared with Dr.Web 4.44, recognizes an even greater number of packers and archivers, and has further improved malware detection. The new version is also enhanced with a parental control module and an HTTP traffic scanner, SpIDer Gate. All features of the software are now configured using the SpIDer Agent control centre.

The new anti-virus engine, created using cutting-edge Dr.Web technologies for detection of malware, gives the anti-virus up to a thirty percent gain in speed while retaining traditionally low system requirements and utmost efficiency. Dr.Web for Windows 5.0 beta is equally good at resisting virus attacks and in most cases can be installed in an infected system and cure it.

The new Dr.Web protects itself against malware aiming to disable an anti-virus. The self-protection driver restricts access to a network, files and folders and to certain registry branches, ensuring that no component of Dr.Web for Windows 5.0 is disabled by a malicious program.

Following its predecessors, Dr.Web for Windows 5.0 beta can scan archives of any nesting level and recognizes an even greater number of packers.

Dr.Web for Windows 5.0 features several types of filtering for Internet traffic. SpIDer Gate scans incoming and outgoing HTTP traffic in real time, intercepting all connections and performing data filtering so a user receives scanned web content cleaned of malicious code. Besides, users are offered the Parental control module to restrict access to specified web-sites by adding them to a list or using an updated database of unwanted web-resources. It may also restrict usage of CD/DVD-ROM drives, flash drives and other devices.

SpIDer Agent, with its launch icon integrated with the interface of Windows, allows configuring all anti-virus components using a single control panel.
Everybody is welcome to join the public beta-testing of the new Dr.Web anti-virus. Register to access the beta-testing section of our web-site. The beta-version is discussed on Dr.Web forum. Upon completion of the beta-testing the most active participants will receive a one year license for Dr.Web for Windows 5.0 free of charge and other gifts related to Dr.Web.
November 13, 2008 Doctor Web issues a warning as a new wave of phishing is coming up. The last few days have seen spam mailings exploiting the names of large international banks and Internet services including JPMorgan Chase Bank, RBC Royal Bank and Google AdWords. Users received fraudulent e-mails luring them into submitting their personal information, passwords or bank account data on fake web-sites. Present-day phishers employ more and more devious techniques, so prompt alerting becomes a high-priority task.

In the face of the global financial crisis, online swindlers rush to snare clients of large international banks. Last week saw a lot of messages copying the corporate design of the banks and tricking users into entering their personal information on specifically designed fraudulent web-sites.

Customers of JPMorgan Chase Bank were among the targets of the phishing attacks. They were recommended to verify their online account access information using a specified link. A false web-site within the BIZ Internet domain had nothing to do with JPMorgan Chase Bank, and data provided by a victim on the web-resource was obtained by a phisher.

Another mailing for customers of JPMorgan Chase Bank offered to add USD 50 to the account of a recipient for answering five questions. A web-form on a fraudulent web-site provided five simple questions and extra fields for a PIN code and a credit card number of a victim.

Clients of RBC Royal Bank received similar messages informing them that a user account would be disabled after three failed attempts to sign in. Clicking on a provided link brought a user to a page in the EDU domain that looked like the legitimate main page of the bank web-site. A victim had to enter a credit card number and a password.

The number of e-mails aiming to obtain access data of customers of Google AdWords also increased. A phishing e-mail notified a user that display of his advertisement had been suspended while his account was still valid.
The user was invited to use his login and password to update his “billing data”.

Doctor Web urges users to be more attentive while viewing messages from banks and other financial institutions. Read a message carefully and consult the specified company for more information before you decide to reply. Also, pay attention to the top-level domain name present in a link you are offered to follow.