Dr.Web anti-virus
Doctor Web news - News of Doctor Web
 
  Tue, 02 Dec 2008 01:00:00 +0100
December 2, 2008

Doctor Web — the Russian developer of IT security solutions branded Dr.Web — reports the introduction of the Dr.Web anti-virus service by the CSN Internet service provider, which has become the third company in the Belgorod region to protect its subscribers by means of Dr.Web software.

One of the largest provider companies in the region started delivering the anti-virus service to its subscribers at the end of November, following a successful deployment of Dr.Web AV-Desk. The innovative Internet service has already been put to good use by more than fifty access providers in Russia and the CIS, offering their customers efficient protection against malware and spam along with broadband Internet.

Prior to the deployment, numerous home and small business customers constantly faced the threat of an infection that would spread all over the network from a single compromised host.

“Dr.Web AV-Desk fully complies with our requirements to anti-virus software. It is very easy to install and the price is quite reasonable. Add low use of traffic and subscription management tool and you get as many benefits as no other anti-virus software can provide”, Vladimir Ilyin, the manager of the information systems department at CSN, commented on the cooperation of the ISP with Doctor Web.

The test deployment of Dr.Web AV-Desk lowered the number of network failures caused by malware and reduced spam traffic. The number of calls for support also went down.

“Hopefully the deployment will raise the security of our subscribers to the level that would make their work in the Internet safe and comfortable and consequently strengthen our position on the local provider market”, Aleksy Prokopenko, the head of CSN, said.

About CSN

CSN is an ISP operating in the Belgorod region, with its wireless and optical fiber networks found in virtually every town. The company also plans, builds and administers computer systems and networks, distributes computer hardware and maintains office automatic telephone systems.

About Dr.Web AV-Desk

The Internet service was developed by Doctor Web in 2007. It allows service providers to deliver the anti-virus protection service powered by Dr.Web for Windows to an unlimited number of subscribers. A service provider also receives a tool for centralized management of the delivery process. Deployment of Dr.Web AV-Desk gives subscribers an opportunity to use the anti-virus from Doctor Web as a service: select a desired subscription term (1-36 months) and plan their expenses on anti-virus protection. The innovative model that turns information security software into a service ensures instant delivery of an anti-virus, making it extremely easy to renew for any user regardless of his geographical location. More than fifty provider companies have already deployed Dr.Web AV-Desk in Russia, Ukraine, Kazakhstan, Kyrgyzstan and Estonia. Following results shown by the service in 2007 it was named the best product-service by PC Magazine Russia. In September 2008 Dr.Web AV-Desk.
December 1, 2008

The closure of McColo Corporation, responsible for 75 per cent of worldwide spam traffic, divided the reported month into two equal parts. Even though e-mail remains the most common means of spreading malware, virus makers also find other ways to bring malicious code to user machines.

AutoIt worms

AutoIt, a freeware automation language for Windows, is very easy to learn and provides wide opportunities for virus makers. The last month showed their growing interest in this scripting language. Even though an AutoIt program is written as a script, such a script can be compiled into a packed executable whose obscured code is very hard to analyze. November saw an AutoIt worm spreading via removable data storage devices instead of e-mail.

Viruses spreading on removable devices are especially dangerous for companies and governmental institutions, which are forced to introduce special measures to contain the infection. Companies adopt software that allows them to restrict usage of removable devices and sometimes impose a temporary ban on the use of removable drives.

Dr.Web anti-virus 5.0, currently undergoing open beta-testing, can unpack the files of an AutoIt worm and analyze its scripts. Viruses written in this scripting language enter the Dr.Web database as Win32.HLLW.Autoruner.

Mail viruses

Prior to the closure of McColo, spam mailings distributing malware came in high numbers. Below we take a closer look at the diverse methods used to lure a user into launching a malicious file.

Trojan.PWS.GoldSpy.2454 was disguised as an e-card. Even though fake cards have long been known to the Internet community, they still remain efficient. The name of the malicious file is card.exe. Messages with a link to a malicious file were used to spread another modification of the malware, Trojan.PWS.GoldSpy.2466.

Trojan.DownLoad.3735 was spread as a file with a double extension: the attached active_key.zip contained the active_keys.zip.exe file. The message informed a user that his account had been suspended upon a corresponding request supposedly sent by the victim. The user was also offered to activate the account. However, the message didn’t provide any reference to a service related to the blocked account. No wonder that details of the activation were said to be found in the attached document, which turned out to be an executable file containing malicious code. Other messages spreading the same Trojan informed a user of changes in certain clauses of an agreement.

Messages with Trojan.PWS.GoldSpy.2456 attached threatened a user with a forced disconnection from the Internet caused by a violation of copyright. Activities of the victim related to the alleged violation over the last six months were said to be listed in an attached file (user-EA49945X-activities.exe), which was nothing more than another malicious program. The U.S. presidential election was also used as a message topic in e-mails spreading the Trojan.

Another mailing notified a user of a failed delivery of a package caused by an incorrect recipient address. The attached invoice was detected by Dr.Web as Trojan.PWS.Panda.31.

Our analysts also registered several mailings advertising easy money on eBay. An HTML file attached to a message was detected by Dr.Web as Trojan.Click.21795. The file contained an encrypted script that directed a user to a web-site advertising training courses. Another similar mailing advertised a new way of advertising using RSS and free promotion of web-sites using services by Google and Yahoo.

The closure of McColo Corporation reduced spam traffic significantly but was only a short outage. Now mailings related to malware have been short-term, though the spam traffic has sometimes been rather high. Such mailings included Trojan.PWS.Panda.31 spam e-mails and messages containing an encrypted script detected by Dr.Web as Trojan.Click.21795.

Authors of Trojan.DownLoad.4419 applied a new technique, offering a link to download a beta version of Internet Explorer 8 from a bogus web-site.

A mailing in German described in the previous review from Doctor Web also reemerged. It prompted a user to view important financial information provided in an attached file. Earlier a shortcut and a piece of malicious code had been placed in one folder contained in the attachment, while in November they were separated, with the link placed outside the folder. Dr.Web detects this Trojan program as Trojan.DownLoad.16843.

Phishing

November 2008 also saw a wave of phishing targeting users of online payment systems, Internet banking and other paid services in several countries. In particular, customers of JPMorgan Chase Bank and RBC Royal Bank and users of AdWords and PayPal became victims of the phishing attack.

Specialists of the virus monitoring service of Doctor Web added 25 461 entries to the virus database in November, an average of 850 new entries per day. Mind that one entry in the Dr.Web database allows the software to detect numerous modifications of one virus. The figures show that regular updating of anti-virus software as often as once per hour becomes a necessity. Dr.Web automatic updating provides such an updating frequency quite easily. In addition, a good anti-spam module becomes indispensable for normal work, protecting against irrelevant and harmful e-mail messages.
Malware detected in e-mail traffic in November
01.11.2008 00:00 - 01.12.2008 00:00

 1  Win32.HLLM.MyDoom.based     13741 (15.33%)
 2  Win32.Virut                 13036 (14.55%)
 3  Win32.HLLM.Alaxala          5705 (6.37%)
 4  Trojan.MulDrop.13408        4534 (5.06%)
 5  Win32.HLLM.Beagle           4426 (4.94%)
 6  Trojan.MulDrop.16727        4206 (4.69%)
 7  Trojan.PWS.GoldSpy.2456     4145 (4.63%)
 8  Win32.HLLW.Autoruner.2640   3032 (3.38%)
 9  Trojan.MulDrop.18280        2580 (2.88%)
10  Trojan.PWS.Panda.31         2228 (2.49%)
11  Trojan.DownLoad.16843       2192 (2.45%)
12  Win32.HLLM.Netsky.35328     1888 (2.11%)
13  Win32.Virut.5               1497 (1.67%)
14  Win32.HLLM.MyDoom.33        1442 (1.61%)
15  Win32.HLLM.Netsky           1361 (1.52%)
16  Trojan.PWS.GoldSpy.2454     1328 (1.48%)
17  Trojan.MulDrop.19648        1310 (1.46%)
18  Win32.HLLW.MyDoom.43010     1306 (1.46%)
19  Win32.HLLM.Mailbot          1305 (1.46%)
20  Trojan.DownLoad.3735        1212 (1.35%)

Malware detected on user machines in November
01.11.2008 00:00 - 01.12.2008 00:00

 1  Win32.HLLW.Gavir.ini        2039696 (21.98%)
 2  Win32.HLLM.Lovgate.2        414507 (4.47%)
 3  VBS.Autoruner.7             310657 (3.35%)
 4  Win32.HLLM.Generic.440      288404 (3.11%)
 5  VBS.Autoruner.8             277825 (2.99%)
 6  Win32.Alman                 275230 (2.97%)
 7  DDoS.Kardraw                252853 (2.72%)
 8  Win32.HLLP.Whboy            198018 (2.13%)
 9  Trojan.Recycle              192769 (2.08%)
10  Win32.HLLP.Neshta           177445 (1.91%)
11  Win32.HLLP.Jeefo.36352      168291 (1.81%)
12  Win32.Virut.5               154206 (1.66%)
13  Win32.HLLW.Autoruner.274    147315 (1.59%)
14  Trojan.DownLoader.42350     132782 (1.43%)
15  Win32.HLLW.Autoruner.3631   120982 (1.30%)
16  VBS.Generic.548             110152 (1.19%)
17  Win32.HLLO.Black.2          97456 (1.05%)
18  Win32.HLLW.Autoruner.2805   89892 (0.97%)
19  Win32.HLLW.Cent             88296 (0.95%)
20  Trojan.MulDrop.18538        86521 (0.93%)
November 27, 2008

Doctor Web reports a significant increase in new viruses spreading on removable data storage devices. Malicious programs created using the AutoIt scripting language, with their obscured code, are very hard to analyze.

Automatic launch of malicious code placed on a removable device has become one of the main causes of infection in recent months. The malicious code is classified by Dr.Web as Win32.HLLW.Autoruner.

The number of new viruses grows along with the popularity of AutoIt (a freeware automation language for Windows). The language is very easy to learn and provides wide opportunities for virus makers. The script code of such a virus can also include other malicious binary files, all of them compressed using various packers. Malware included in an AutoIt script is very hard for anti-virus software to detect.

Viruses infecting systems from removable devices have become an urgent issue, with many companies and governmental institutions restricting usage of removable data storage devices by employees. Thus the US army suspended the use of USB disks and flash drives, aiming to contain the spread of a worm in its networks. Many companies also adopt special software that restricts usage of removable devices.

“Various executable packers and obfuscated code are typical techniques employed by virus makers. Now they use features of the AutoIt scripting language to which we provide a prompt response. For example the beta-version of the Dr.Web anti-virus 5.0 currently in public testing features recompilation of AutoIt malware that allows analyzing malicious scripts and unpacking executables included in AutoIt worms”, Vladimir Martyanov, the virus analyst of Doctor Web, remarked.

Doctor Web recommends that all Windows users disable autorun for removable data storage devices (USB flash drives, CD/DVD, removable hard drives) to reduce the risk of infection. In addition, files placed on a device should be checked using an anti-virus with the latest virus definitions before you launch or open any of them.
  Tue, 25 Nov 2008 01:00:00 +0100
November 25, 2008

Doctor Web warns Internet users of a mail-virus epidemic that started on November 25. Though the recent closure of the web host McColo Corporation reduced spam levels by as much as 70 percent, malefactors are persistent in their search for new ways to spread malware with spam. By now one such mailing amounts to 50 percent of infected mail traffic.

Starting November 25, users began receiving messages in German with the attached abrechnung.zip file (translated into English as “statement of account”). The message text can differ, but the aim is to lure a user into opening the attached file.

The attached archive contains abrechnung.lnk and the scann folder with the scann.a file. This executable file is detected by Dr.Web anti-viruses as Trojan.DownLoad.16843. The file structure of the archive shows that a user is probably meant to launch the abrechnung.lnk file (by default its extension is hidden in Windows Explorer) instead of opening the folder. Eventually the scann.a file will be launched. This executable injects malicious code into the svchost.exe and explorer.exe processes and downloads other components of the malware from servers located in China. This Trojan can also spread as the system.exe file on removable disks.

According to the virus laboratory of Doctor Web, spam messages spreading Trojan.DownLoad.16843 amount to 50 percent of infected mail traffic.

Messages with links to pages containing Trojan.DownLoad.4419 are also back. The latest mailing related to the Trojan started Monday evening. This time a user was offered to download a beta version of Microsoft Internet Explorer 8 instead of an adult video.

Doctor Web recommends solutions from its Dr.Web Security Suite to ensure anti-virus and anti-spam protection. As usual, users should also be careful when deciding whether to follow instructions provided by a suspicious message about free services or fiscal claims.
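The attachment layouts described in these reports (an executable with a double extension inside a ZIP, and a .lnk shortcut shipped beside an executable that carries a non-executable extension) can be flagged at a mail gateway before delivery. The following is an added example, not Dr.Web code: the extension lists, finding labels and function names are assumptions, and the sample archives are constructed in memory with placeholder bytes.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Assumed policy lists for this example; tune them for a real gateway.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
DECOY_EXTS = {".zip", ".doc", ".pdf", ".txt", ".jpg", ".jpeg", ".html"}


def inspect_member(name, head):
    """Return finding labels for one archive member (name + first bytes)."""
    findings = []
    suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
    last = suffixes[-1] if suffixes else ""
    if last in EXECUTABLE_EXTS:
        findings.append("executable-extension")
        # e.g. active_keys.zip.exe: a harmless-looking extension before .exe
        if len(suffixes) >= 2 and suffixes[-2] in DECOY_EXTS:
            findings.append("double-extension")
    if last == ".lnk":
        # Explorer hides .lnk by default, so the shortcut looks like a document
        findings.append("shortcut-in-archive")
    if head[:2] == b"MZ" and last not in EXECUTABLE_EXTS:
        # DOS/PE header behind an extension that does not look executable
        findings.append("pe-header-with-disguised-extension")
    return findings


def inspect_archive(data):
    """Map member name -> findings for a ZIP attachment given as bytes."""
    report = {}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return {"<archive>": ["unreadable-archive"]}
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.flag_bits & 0x1:
                # Encrypted member: content cannot be scanned, report that fact
                findings = inspect_member(info.filename, b"") + ["encrypted-member"]
            else:
                with zf.open(info) as fh:
                    head = fh.read(2)
                findings = inspect_member(info.filename, head)
            if findings:
                report[info.filename] = findings
    return report


def build_zip(members):
    """Build a ZIP in memory from {member name: bytes} (test helper)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: file names follow the reports, contents are placeholders.
FAKE_PE = b"MZ" + b"\x00" * 62
SAMPLE_DOUBLE_EXT = build_zip({"active_keys.zip.exe": FAKE_PE})
SAMPLE_LNK_LAYOUT = build_zip({
    "abrechnung.lnk": b"constructed shortcut placeholder",
    "scann/scann.a": FAKE_PE,
})
SAMPLE_BENIGN = build_zip({"invoice.pdf": b"%PDF-1.4 constructed"})

if __name__ == "__main__":
    for label, blob in [("double extension", SAMPLE_DOUBLE_EXT),
                        ("lnk layout", SAMPLE_LNK_LAYOUT),
                        ("benign", SAMPLE_BENIGN)]:
        print(label, inspect_archive(blob))
```

Checking the first bytes of each member, rather than only its name, is what catches the scann.a case, where the extension gives no hint that the file is an executable.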
November 24, 2008

On November 22, 2007 Doctor Web launched the innovative Dr.Web AV-Desk service as a part of its development strategy, following the latest trends of the anti-virus software market. The first deployment took place at one of the largest ISPs in Moscow. Currently Dr.Web anti-virus as an online service is used by hundreds of thousands of registered subscribers of over fifty providers in Russia, Ukraine, Kazakhstan, Kyrgyzstan, Estonia, Bulgaria and China.

In one year Dr.Web anti-virus has reached the farthest regions of Russia, where one would have a hard time finding a boxed software product. Dr.Web AV-Desk brought reliable anti-virus protection to every computer connected to the Internet. The distribution channels of provider companies made the anti-virus available to people from various social groups and allowed the companies to profit from the security of their networks.

It turns out that Dr.Web AV-Desk has come to the right place at the right time. The numerous benefits brought by the Internet service have been fully appreciated by service providers. Malware activity has a negative impact on the quality of access services and on the reputation of a provider. Here Dr.Web AV-Desk steps in as a very efficient tool for strengthening the loyalty of customers who want not just to have services but to have them safely.

One of the keys to the success of the anti-virus service is its easy subscription procedure. Following the Security as a Service principle, it comes as another online service. A user obtains an installer download link with one mouse-click in his personal area at the website of a provider company.

A complete list of companies offering the anti-virus service can be found at the web-page of “The Web!” project that was announced by Doctor Web in August 2008. The easy-to-use search system allows a user to find companies delivering the Dr.Web anti-virus in his region. The stats section can provide useful information to mass media writing about IT and telecommunication. The statistical data, updated every twenty-four hours, is collected automatically from several Dr.Web AV-Desk servers.

It’s not only ISPs that are interested in the Dr.Web anti-virus service. It also protects users of a social network and is being tested in several online banking systems. Dr.Web AV-Desk has already been deployed successfully at Yandex.Money, offering protection against stealers of passwords and other personal information to more than one million of its customers.

Time goes by and the potential of the software appears to be unlimited. The next year will see another Internet service from Doctor Web: Dr.Web Mail Desk.

About Dr.Web AV-Desk

The Internet service was developed by Doctor Web in 2007. It allows service providers to deliver the anti-virus protection service powered by Dr.Web for Windows to an unlimited number of subscribers. A service provider also receives a tool for centralized management of the delivery process. Deployment of Dr.Web AV-Desk gives subscribers an opportunity to use the anti-virus from Doctor Web as a service: select a desired subscription term (1-36 months) and plan their expenses on anti-virus protection. The innovative model that turns information security software into a service ensures instant delivery of an anti-virus, making it extremely easy to renew for any user regardless of his geographical location. More than fifty provider companies have already deployed Dr.Web AV-Desk in Russia, Ukraine, Kazakhstan, Kyrgyzstan, Bulgaria, China and Estonia. Following results shown by the service in 2007 it was named the best product-service by PC Magazine Russia. In September 2008 Dr.Web AV-Desk was awarded the large golden medal of the Siberian Fair as an original technical and telecom solution.
November 24, 2008

Doctor Web reports on the deployment of Dr.Web AV-Desk by another service provider in the Moscow region, giving all subscribers of STUPINO.SU an opportunity to subscribe to the Dr.Web anti-virus protection service.

Striving to secure its subscribers and attract new customers, the ISP has adopted Dr.Web AV-Desk. Now Internet users in the town of Stupino get reliable anti-virus and anti-spam protection complying with the highest security standards. Dr.Web anti-virus software operates virtually unnoticed by a user and downloads all necessary updates automatically.

“We introduced the Dr.Web anti-virus protection service to give our subscribers an easy-to-use and efficient tool for protection of their computers against various types of malware. We hope that our fruitful cooperation with Doctor Web will continue in the future”, Dmitry Ledov, a leading IT specialist of SKS Telecom, commented upon the commercial launch of the service.

About Dr.Web AV-Desk

The Internet service was developed by Doctor Web in 2007. It allows service providers to deliver the anti-virus protection service powered by Dr.Web for Windows to an unlimited number of subscribers. A service provider also receives a tool for centralized management of the delivery process. Deployment of Dr.Web AV-Desk gives subscribers an opportunity to use the anti-virus from Doctor Web as a service: select a desired subscription term (1-36 months) and plan their expenses on anti-virus protection. The innovative model that turns information security software into a service ensures instant delivery of an anti-virus, making it extremely easy to renew for any user regardless of his geographical location. More than fifty provider companies have already deployed Dr.Web AV-Desk in Russia, Ukraine, Kazakhstan, Kyrgyzstan and Estonia. Following results shown by the service in 2007 it was named the best product-service by PC Magazine Russia. In September 2008 Dr.Web AV-Desk.

About SKS Telecom (Stupino.Su network)

The company builds a single multi-service network based on ETTH. Optic fiber and most up-to-date equipment will allow the company to deliver a wide package of top-quality telecom services in Stupino.
  Thu, 20 Nov 2008 01:00:00 +0100
November 20, 2008

Doctor Web — the Russian developer of IT security solutions branded Dr.Web — has updated Dr.Web LiveCD, which is used to restore a system rendered unbootable after a virus attack. Now Dr.Web LiveCD can also be loaded from a flash drive using the CreateLiveUSB script.

A user can specify the partition of a flash drive on which he wants to place Dr.Web LiveCD. If no partition is specified, CreateLiveUSB will enter a stand-by mode. After that a user needs to insert a flash drive into a USB port. The script won’t change or remove any data stored on the device. However, it is recommended to back up the files to another drive before you use it to load Dr.Web LiveCD.

In addition, the updated version supports Intel graphics chips (i810 drivers) and fixes issues with Matrox video cards and the X.Org video driver for Intel. Some changes have also been made to rule out boot errors.

Dr.Web LiveCD is available for free. The updated version can be obtained at http://www.freedrweb.com.
  Wed, 19 Nov 2008 01:00:00 +0100
November 19, 2008

Doctor Web – the Russian developer of IT security solutions branded Dr.Web – announces a successful deployment of Dr.Web AV-Desk in the network of the Globalnie Telesystemi company, which provides Internet access to citizens of the Yaroslavl region. The company has joined “Nauka-svyaz” and “Zavolga.Net”, which already deliver anti-virus and anti-spam protection as a service in the region.

Successful internal testing of the Dr.Web AV-Desk Internet service is followed by its commercial launch. Starting in November 2008, Globalnie Telesystemi offers its customers the option to sign up for the Dr.Web anti-virus service, receive reliable protection against viruses and other malware, and use the service free of charge till December 31.

“While surfing the web our customers being unaware of a danger often fell victims to viruses. As we detected a dramatic increase of traffic for an infected host, our specialists had to disconnect it to cure an infected system. Of course it took time and extra resources. That’s why we started searching for a solution that would protect computers of our subscribers and wouldn’t be too costly. Now the Internet service from Doctor Web allows any of our customers to use the Dr.Web anti-virus service. And it is much more convenient than buying a boxed anti-virus”, Mikhail Zilberman, the head of Globalnie Telesystemi, said.

About Dr.Web AV-Desk

The Internet service was developed by Doctor Web in 2007. It allows service providers to deliver the anti-virus protection service powered by Dr.Web for Windows to an unlimited number of subscribers. A service provider also receives a tool for centralized management of the delivery process. Deployment of Dr.Web AV-Desk gives subscribers an opportunity to use the anti-virus from Doctor Web as a service: select a desired subscription term (1-36 months) and plan their expenses on anti-virus protection. The innovative model that turns information security software into a service ensures instant delivery of an anti-virus, making it extremely easy to renew for any user regardless of his geographical location. More than forty provider companies have already deployed Dr.Web AV-Desk in Russia, Ukraine, Kazakhstan, Kyrgyzstan and Estonia. Following results shown by the service in 2007 it was named the best product-service by PC Magazine Russia. In September 2008 Dr.Web AV-Desk was awarded the large golden medal of the Siberian Fair as an original technical and telecom solution.
November 18, 2008

Doctor Web — the Russian developer of IT security solutions branded Dr.Web — unveils the beta-version of Dr.Web for Windows 5.0. The anti-virus engine now works up to 30% faster compared with Dr.Web 4.44, recognizes an even greater number of packers and archivers, and offers further improved malware detection. The new version is also enhanced with a parental control module and an HTTP traffic scanner, SpIDer Gate. All features of the software are now configured using the SpIDer Agent control centre.

The new anti-virus engine, created using cutting-edge Dr.Web technologies for detection of malware, gives the anti-virus up to a thirty percent gain in speed while retaining traditionally low system requirements and utmost efficiency.

Dr.Web for Windows 5.0 beta is equally good at resisting virus attacks and in most cases can be installed in an infected system and cure it. The new Dr.Web protects itself against malware aiming to disable an anti-virus. The self-protection driver restricts access to the network, files and folders and to certain registry branches, ensuring that no component of Dr.Web for Windows 5.0 is disabled by a malicious program.

Like its predecessors, Dr.Web for Windows 5.0 beta can scan archives of any nesting level, and it recognizes an even greater number of packers.

Dr.Web for Windows 5.0 features several types of filtering for Internet traffic. SpIDer Gate scans incoming and outgoing HTTP traffic in real time, intercepting all connections and filtering data so that a user receives scanned web content cleaned of malicious code. In addition, users are offered the Parental control module to restrict access to specified web-sites by adding them to a list or by using an updated database of unwanted web resources. It may also restrict usage of a CD/DVD-ROM, flash drives and other devices.

SpIDer Agent, with its launch icon integrated with the Windows interface, allows configuring all anti-virus components using a single control panel.

Everybody is welcome to join the public beta-testing of the new Dr.Web anti-virus. Register to access the beta-testing section of our web-site. The beta-version is discussed on the Dr.Web forum. Upon completion of the beta-testing the most active participants will receive a one-year license for Dr.Web for Windows 5.0 free of charge and other gifts related to Dr.Web.
November 13, 2008

Doctor Web issues a warning as a new wave of phishing is coming up. Recent days have seen spam mailings exploiting the names of large international banks and Internet services including JPMorgan Chase Bank, RBC Royal Bank and Google AdWords. Users received fraudulent e-mails luring them into submitting their personal information, passwords or bank account data on fake web-sites. Present-day phishers employ more and more devious techniques, so prompt alerting becomes a high priority task.

In the face of the global financial crisis, online swindlers rush to snare clients of large international banks. Last week saw a lot of messages copying the corporate design of the banks and tricking users into entering their personal information on specifically designed fraudulent web-sites.

Customers of JPMorgan Chase Bank were among the targets of the phishing attacks. They were recommended to verify their online account access information using a specified link. A false web-site within the BIZ Internet domain had nothing to do with JPMorgan Chase Bank, and data provided by a victim on the web resource was obtained by a phisher.

Another mailing for customers of JPMorgan Chase Bank offered to add USD 50 to the account of a recipient for answering five questions. A web form on a fraudulent web-site provided five simple questions and extra fields for the PIN code and credit card number of a victim.

Clients of RBC Royal Bank received similar messages informing them that a user account would be disabled after three failed attempts to sign in. Clicking on a provided link brought a user to a page in the EDU domain that looked like the legitimate main page of the bank web-site. A victim had to enter a credit card number and a password.

The number of e-mails aiming to obtain the access data of Google AdWords customers also increased. A phishing e-mail notified a user that display of his advertisement had been suspended while his account was still valid. The user was offered to use his login and password to update his “billing data”.

Doctor Web urges users to be more attentive while viewing messages from banks and other financial institutions. Read a message carefully and consult the specified company for more information before you decide to reply. Also, pay attention to the top-level domain name present in a link you are offered to follow.
November 7, 2008

Doctor Web – a Russian developer of IT security tools branded Dr.Web – announces the introduction of the Dr.Web anti-virus service by ADVANTAGE TELECOM, which provides Internet access in cities and towns to the north of Moscow. Starting in November, customers of the ISP will be using the service free of charge for two months.

ADVANTAGE TELECOM is a leader on the telecom market in several towns north of Moscow. Meanwhile, aiming to increase the loyalty of existing customers and attract new ones, the company expands the list of services offered to customers along with access to the Internet. Here anti-virus security is one of the key issues. A user unaware of the threat can also endanger others, especially if a network and its hosts are not protected by an anti-virus. The result is disrupted connection to the Internet and growing annoyance of customers who can’t get any help from the support service of an ISP.

Dr.Web AV-Desk helps ADVANTAGE TELECOM avoid such problems. The deployment of the Internet service brings comprehensive anti-virus protection to all its subscribers, who will be using the service free of charge for two months.

“Safe Internet surfing for subscribers is our main objective. Striving for better security we adopt best technologies provided by the industry. That’s why we adopted Dr.Web AV-Desk that shows perfect results protecting a large number of users against various types of malicious programs”, Alexei Shmonov, the IT director of ADVANTAGE TELECOM, commented upon the preliminary results of the deployment.

About Dr.Web AV-Desk

The Internet service was developed by Doctor Web in 2007. It allows service providers to deliver the anti-virus protection service powered by Dr.Web for Windows to an unlimited number of subscribers. A service provider also receives a tool for centralized management of the delivery process. Deployment of Dr.Web AV-Desk gives subscribers an opportunity to use the anti-virus from Doctor Web as a service: select a desired subscription term (1-36 months) and plan their expenses on anti-virus protection. The innovative model that turns information security software into a service ensures instant delivery of an anti-virus, making it extremely easy to renew for any user regardless of his geographical location. More than forty provider companies have already deployed Dr.Web AV-Desk in Russia, Ukraine, Kazakhstan, Kyrgyzstan and Estonia. Following results shown by the service in 2007 it was named the best product-service by PC Magazine Russia. In September 2008 Dr.Web AV-Desk was awarded the large golden medal of the Siberian Fair as an original technical and telecom solution.
  Sat, 01 Nov 2008 01:00:00 +0100
November 1,2008 Doctor Web reviews activity of malware in October 2008 that turned out to be quite eventful. Numerous modifications of fake anti-viruses, tricks employed by spammers to hide malware in messages, new modifications of polymorphic and file viruses and various social engineering techniques. Below we’ll take a look at most widely used tricks and techniques and see how to counter them. Critical updates of Windows A release of an extra security update by Microsoft became a notable event. The security patch fixed vulnerability in Windows 2000, Windows XP, Windows Vista, Windows Server 2003, Windows Server 2008 with all registered customers urged to install the update via-email. It is even more remarkable that the critical flaw was also found in he upcoming Windows 7 that has only hit Pre-Beta. According to a description the vulnerability concerns the security system of Windows that allows a remote attacker to pass validation and get full control of a targeted machine. An exploit of the vulnerability spreading over the Internet made Microsoft rush with the update. The exploit entered the Dr.Web virus database as Win32.HLLW.Jimmy. This incident shows that prompt installation of critical security updates is essential for the security of a system. [IMAGE] File viruses A lot of reports from users concerned another modification of the Win32.Sector file virus — Win32.Sector.12. Users of Dr.Web software with the updated virus database were protected against attempt of this malicious program to get into a system. If a system has been infected by the virus, curing Win32.Sector.12 can be troublesome because it injects its code in the memory of running processes, can disrupt operation of an anti-virus and is equipped with rootkit technologies. Malicious programs from the Win32.Sector family can download malware from the Internet and install it on user machines and update the malware from web-sites that spread it. 
If curing such a virus causes any problems for a user of Dr.Web software, our technical specialists are always ready to support customers of Doctor Web.
Mailings
In October a large number of spam messages aimed to spread various modifications of Trojan.DownLoad.4419. This Trojan was already described in our September virus review. Usually such messages were brief and contained a link to a supposed pornographic video. While earlier such links led a user to a fake YouTube web-page, in October careless users clicking on the link were shown a simpler interface. Regardless of the appearance, download of an executable file started as soon as the page was loaded. The wide variety and similarity of modifications of Trojan.DownLoad.4419 made it possible for analysts of Doctor Web to create several entries that ensured detection of almost any sample from this Trojan family. In October entries for Trojan.Packed.1207 and Trojan.Packed.1219 were also added to the database.
In October virus makers also reminded the Internet community about malware placed in a password-protected archive. Typically the password was placed in the message body, while the contents of the archive were detected by Dr.Web anti-viruses as Trojan.PWS.GoldSpy.2268.
Anti-virus vendors have recently urged users to check the address bar of the browser as they follow a link provided in a message. Virus makers often replace the address displayed in a link with something quite different. Trojan.Click.21207 showed that a faked page is not necessary for a virus trying to get to a computer and that an offered link can also look harmless. In this case a user saw a link to a .jpeg file which turned out to be malicious JavaScript code.
Among the most significant Trojan mailings of October we’d like to mention Trojan.Packed.1198, which is remarkable for its mention of Angelina Jolie in the message subject.
There was also a mailing of messages in German prompting the receiver to look through an important financial document that turned out to be malicious programs detected as Trojan.DownLoad.3735 or Trojan.DownLoad.8932.
Warning! Beware of scams!
October was also marked by an increase in the number of scams that lured a user into sending an SMS that would cost a certain amount of money. In Russia one such mailing invited a user to participate in a bonus offer from one of the leading mobile operators in the country. Scammers have been luring users into sending short messages more and more often. The main reason for the growing popularity of such frauds is the worldwide popularity of mobile phones.
ICQ as the transport of ill-intended messages
Spam has become an ordinary thing for users of ICQ. Spam messages provide links to malicious programs the same way as e-mail. In October ICQ spammers advertised Adware.FieryAds.4 and many others. They also attempted to persuade users into sending a paid short message using a mobile phone. It should also be mentioned that in October ICQ spam was more often sent from a registered UID belonging to a user whose machine had been compromised. In such cases there was no other indication of malicious activities in the system. The only way for a user to learn about the infection was from people included in his contact list.
Virus makers kept exploiting social networking web-sites, the number of which was growing steadily on the Internet. One of the ways to spread Trojan.Packed.673 using a social network was the creation of a special account that was used to rate images of other members of the network. A registered member of the social networking web-site loaded a page displaying information about the account and came across a link to a personal page of the supposed owner of the account. Clicking on the link started the download of malware.
October revealed new spammer tricks and a still-growing amount of spam.
Unfortunately in most cases users launch malicious programs themselves. That’s why specialists of our company do their best to inform users about basics of information security.
Viruses detected in e-mail traffic, 01.10.2008 00:00 - 01.11.2008 00:00
1 Trojan.Click.19754 29330 (15.85%)
2 Trojan.PWS.GoldSpy.2268 15475 (8.36%)
3 Win32.HLLM.MyDoom.based 14635 (7.91%)
4 Win32.Virut 13743 (7.43%)
5 Trojan.DownLoad.3735 11076 (5.99%)
6 Trojan.PWS.GoldSpy.2277 10715 (5.79%)
7 Trojan.Inject.3742 10262 (5.55%)
8 Trojan.MulDrop.17829 7002 (3.78%)
9 Win32.HLLM.Netsky.35328 6208 (3.35%)
10 Win32.HLLW.Autoruner.2640 5096 (2.75%)
11 Trojan.MulDrop.13408 4090 (2.21%)
12 Trojan.MulDrop.16727 3950 (2.13%)
13 Trojan.Copyself 3484 (1.88%)
14 Win32.HLLW.Autoruner.1252 3376 (1.82%)
15 Win32.HLLM.Alaxala 3321 (1.79%)
16 Trojan.PWS.Panda.31 3299 (1.78%)
17 Win32.HLLM.Beagle 2646 (1.43%)
18 Trojan.MulDrop.18280 2622 (1.42%)
19 BackDoor.Bulknet.237 1985 (1.07%)
20 Trojan.PWS.GoldSpy.2278 1977 (1.07%)
Viruses detected on workstations, 01.10.2008 00:00 - 01.11.2008 00:00
1 Win32.HLLW.Gavir.ini 1336089 (17.58%)
2 DDoS.Kardraw 402787 (5.30%)
3 Win32.Alman 322084 (4.24%)
4 Trojan.MulDrop.18538 277195 (3.65%)
5 Win32.HLLP.Whboy 239879 (3.16%)
6 VBS.Autoruner.10 224391 (2.95%)
7 Win32.HLLM.Lovgate.2 218691 (2.88%)
8 Win32.HLLM.Generic.440 190744 (2.51%)
9 JS.Click.22 172206 (2.27%)
10 Win32.HLLW.Autoruner.2255 152617 (2.01%)
11 VBS.Generic.548 144545 (1.90%)
12 Trojan.DownLoader.22881 110771 (1.46%)
13 VBS.PackFor 106047 (1.40%)
14 Win32.HLLP.Jeefo.36352 104866 (1.38%)
15 Win32.HLLW.Autoruner.2339 81624 (1.07%)
16 Win32.HLLO.Black.2 77968 (1.03%)
17 Trojan.MulDrop.9985 77118 (1.01%)
18 Win32.HLLW.Autoruner.1020 70904 (0.93%)
19 Win32.Sector.20480 70541 (0.93%)
20 Win32.Sector.5 69635 (0.92%)
  Sat, 01 Nov 2008 01:00:00 +0100
November 5, 2008 Doctor Web has released an updated version of Dr.Web LiveCD, which has been available for free download since October 28, 2008. Dr.Web LiveCD is an emergency anti-virus aid disk that will restore a Windows/Unix system rendered unbootable by malware. Mount scripts for certain types of partitions and automount have been improved in the updated Dr.Web LiveCD. Besides, detection of CD drives and creation of bootable USB Flash Drives have been optimized. The updated version of Dr.Web LiveCD is available at http://www.freedrweb.com.
  Fri, 31 Oct 2008 01:00:00 +0100
October 31, 2008 Dr.Web AV-Desk enables NTS Real, a company providing Internet access in the Russian city of Astrakhan, to deliver its subscribers reliable protection against malware. Doctor Web became the first company on the Russian anti-virus market to offer its customers anti-virus and anti-spam protection as a service delivered to subscribers by numerous ISPs across the vast territory of the Russian Federation and in other CIS countries. Following the deployment of Dr.Web AV-Desk by NTS Real, the new model of obtaining an anti-virus as a service was implemented in the Astrakhan region. High infected traffic in networks and numerous complaints from subscribers drove NTS Real to seek help from Doctor Web. “Viruses and spam-bots were found regularly on machines of some of our customers. When the testing started, we offered them to subscribe to the Dr.Web anti-virus and no malware was detected on their machines ever since. The workload of our technical support service was reduced and our technicians gained opportunity to assist other customers asking for help. Now we intend to deliver the Dr.Web anti-virus service to all our subscribers giving priority to business customers that have not adopted any anti-virus product. Besides, we want to tell them about benefits of the product so those who are using another anti-virus would migrate to Dr.Web AV-Desk so we could monitor and neutralize viral activities on all hosts in our network. The testing showed that centralized monitoring and prompt responding to threats is the most efficient way to maintain anti-virus security”, Alexander Trunov, the head of the technical support of NTS Real, commented upon completion of the testing.
About NTS Real
The company was set up in 1992 and became the first ISP in the Astrakhan region. The company has remained among the key players on the IT service market in the region ever since.
About Dr.Web AV-Desk
The internet service was developed by Doctor Web in 2007.
It allows service providers to deliver the anti-virus protection service powered by Dr.Web for Windows to an unlimited number of subscribers. A service provider also receives a tool for centralized management of the delivery process. Deployment of Dr.Web AV-Desk gives subscribers an opportunity to use the anti-virus from Doctor Web as a service: select a desired subscription term (1-36 months) and plan their expenses on anti-virus protection. The innovative model that turns information security software into a service ensures instant delivery of an anti-virus, making it extremely easy to renew for any user regardless of geographical location. More than forty provider companies have already deployed Dr.Web AV-Desk in Russia, Ukraine, Kazakhstan, Kyrgyzstan and Estonia. Following the results shown by the service in 2007, it was named the best product-service by PC Magazine Russia. In September 2008 Dr.Web AV-Desk was awarded the large golden medal of the Siberian Fair as an original technical and telecom solution.
October 30, 2008 Doctor Web — the Russian developer of IT security solutions branded Dr.Web — and the Yandex.Money electronic payment system have started a joint effort to protect customers of Yandex.Money against spyware, password stealers, key loggers and other malicious programs. Since October 29 all owners of electronic wallets have had access to the Dr.Web anti-virus service. Secure storage of user passwords and protection against malicious programs aiming to steal personal data of customers is a high-priority task for any electronic payment system. In order to ensure the security of its numerous customers, Yandex.Money provides them an opportunity to use the Dr.Web anti-virus as an online service. Dr.Web AV-Desk has already shown excellent results delivering anti-virus protection to subscribers of more than 45 IT service providers in countries of the CIS. Deployment of the service by the largest electronic payment system in Russia once again proves the success of an anti-virus delivered to subscribers as a service instead of a box. Software as a service makes using an anti-virus much easier for customers of Yandex.Money, who receive anti-virus protection complying with the world's highest IT security standards. “Protection against malware is a necessity for our users because their keys and passwords to Yandex.Money accounts are stored on their personal computers. We’re glad to give them an opportunity to secure their account information”, Olga Pavlova, the promotion manager of Yandex.Money, commented upon the launch of the effort. Now any customer of Yandex.Money can get free access to the Dr.Web anti-virus service at the web-site of the electronic payment system. The special offer is valid till March 31, 2009. When the free period expires, users will be able to renew their subscriptions at a special low price.
October 29, 2008 Doctor Web — the Russian developer of IT security solutions branded Dr.Web — has successfully neutralized the whole family of Trojan.Ws232Pacther, which fakes ad links displayed on search results pages of Yandex, Rambler, Google and other search engines. Trojan.Ws232Pacther infects the ws2_32.dll system file, merging all its segments so that it becomes much easier to infect. The Trojan places 16 Kbytes of malicious code near the end of the file. After that the malicious program intercepts some export functions of the library. The Trojan belongs to the class of malicious programs that fake web pages by changing the contents of a web page loaded by the user's browser (e.g. it changes links displayed as search results or as advertisements). The new species was discovered by analysts of the Yandex web-portal and by specialists of Doctor Web. Dr.Web software detected the malware as belonging to the Trojan.Ws232Pacther family. So far two modifications of the Trojan have been found: Trojan.Ws232Pacther.1 and Trojan.Ws232Pacther.2. The first one was discovered on October 27, while the second variation emerged one day later. Trojan.Ws232Pacther.2 has a new encryption key but doesn’t have an encrypted piece of HTML code. Trojan.Ws232Pacther does not pose any threat to users of Dr.Web software. Those who still hesitate over which anti-virus to choose can use the free Dr.Web CureIt! utility available for download at http://www.freedrweb.com. The program will scan your computer using the latest update of the Dr.Web virus database without installation in the system. Dr.Web CureIt! will help you to get rid of Trojan.Ws232Pacther and other malicious programs that could evade detection by an installed anti-virus. Besides, a free browser plugin called Dr.Web LinkChecker can be used for regular checking of links.
October 28, 2008 Doctor Web — a Russian developer of IT security solutions branded Dr.Web — presents Dr.Web LiveCD, aimed to become an efficient tool for restoring a system after a virus attack. Every user can download this product free of charge. Dr.Web LiveCD is an anti-virus solution that will revive an operating system that was rendered unbootable by malware. The anti-virus will clean a computer of malware and cure infected system files or place them in quarantine if necessary. Dr.Web LiveCD can be especially useful for users whose machines often get infected or for companies that provide system restore and diagnosis services. The new product from Doctor Web is a Linux LiveCD that can be used to scan Windows and Linux machines for viruses. A user may choose to load the software in the standard GUI mode or start in the safe mode using only the command line. The latter option is meant for customers familiar with Unix-family operating systems. Dr.Web LiveCD allows performing express, full and advanced scans. Dr.Web LiveCD also supports updating of the virus database and can be used to send suspicious files to the virus laboratory. The live CD continues the long-standing tradition of free programs and utilities from Doctor Web. A user from any part of the world can use Dr.Web CureIt!, Dr.Web LinkChecker and the Dr.Web online scanner free of charge.
October 28, 2008 We’d like to inform all our customers that on October 28, 2008 from 9.30 till 10.00 GMT www.drweb.com will be unavailable due to scheduled hardware maintenance. We apologize for any inconvenience.
October 28, 2008 Doctor Web has registered an increased number of spam messages with an attached archive containing a malicious program detected as Trojan.Packed.1198 by Dr.Web anti-viruses. A message with the catchy subject line reading “New anjelina jolie sex scandal” lures a user into opening an attached archive supposedly containing a short pornographic video clip. The trick is often used by spammers; however, in this case it spread so widely (according to the stats server of Doctor Web it exceeded 50% of infected mail traffic in busy hours) that a lot of machines in Russia and other countries have been infected by Trojan.Packed.1198. The attached archive contains the anjelina_video.exe file. The installer (file size is 44 032 bytes) creates a file detected as Trojan.MulDrop.17829. The malicious program checks if any fake anti-virus (a modification of Trojan.FakeAlert) is installed in the system. If one is found, the Trojan will stop operating and remove itself. If no fake anti-viruses are found, the Trojan will get to its malicious work. First of all Trojan.MulDrop.17829 will decrypt one of its files and place it in the system directory as brastk.exe. The file will also be detected as Trojan.Packed.1198 because it features a packer similar to the one used for the original file. The Trojan will also save the Figaro.sys file in the system. The file temporarily replaces the bep.sys driver file so that the Trojan can hide the launch of its drivers from many anti-rootkits. After that the Trojan will delete its original file and reboot the system. Malicious activities of the Trojan consist of altering the security zones configuration and disabling warnings related to a disabled anti-virus, firewall or automatic updates. The Windows firewall will be disabled as well. Next the Trojan will remove Internet Explorer extensions data from the registry and set Google as the default search engine and www.google.com as the start page.
Eventually the Trojan will display an infection alert and offer the user a download of anti-virus software. Mind that the Trojan downloads malicious files before it displays the infection alert. The highest number of spam messages containing Trojan.Packed.1198 was registered on October 20-22. Since October 25 Trojan.PWS.Panda.31 has been spread in messages with the identical subject and body text. Doctor Web warns users against opening attachments that come with messages from unknown addresses and urges them to be more careful when examining what a strange message is offering. If one chooses to install a Dr.Web anti-virus in an infected system, all threats related to Trojan.Packed.1198 will be neutralized promptly.
October 27, 2008 Doctor Web — the Russian developer of IT security tools branded Dr.Web — released updated versions of the anti-virus scanner and the SpIDer Guard® file monitor for Dr.Web Enterprise Suite and Dr.Web AV-Desk 4.44.
The following changes have been made to the new version of the scanner:
* improved compatibility with various virtual machines;
* improved curing algorithm for the following types of viruses: Win32.HLLW.Autoruner.
The following changes have been made to SpIDer Guard:
* An error that blocked access to network resources of a computer while a lot of file operations were performed has been fixed;
* Configuration of notifications related to an outdated virus database and updates of the database has been implemented;
* Incompatibility with Asus Data Security Manager (ADSM) has been fixed.
New versions of the Dr.Web scanner and SpIDer Guard are available for automatic download to users of Dr.Web Enterprise Suite and Dr.Web AV-Desk.
