Malware linked to PDF reader tops e-threats report
The second highest e-threat in December 2009’s listing is Trojan.AutorunInf.Gen. This is a generic mechanism to spread malware using removable devices, such as flash drives, memory cards, or external hard disk drives. Win32.Worm.Downadup and Win32.TDSS are two of the most notorious families of malware to use this approach to trigger newer infections.
Trojan.Clicker.CM, in third place, is mostly found on Websites hosting illegal applications such as cracks, key generators and serial numbers for popular commercial software applications. The Trojan is mostly used to force advertisements inside the users’ browser.
Fourth is Win32.Worm.Downadup.Gen. Relying on the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability (MS08-67), this worm spreads on other computers in the local network, and restricts users’ access to Windows Update and security vendors’ Web pages. Newer variants of the worm also install rogue antivirus applications, among others.
Trojan.Wimad.Gen.1 mostly exploits the capability of ASF files to automatically download the appropriate codec from a remote location in order to deploy infected binary files on the host system. The ASF format will store data in either WMA or WMV formats, which are to be found mostly on Torrent websites. When played locally, the specially-crafted WMV file would allegedly attempt to download a ‘special codec’, which is actually a malicious binary hosted on a third-party website.
Win32.Sality.OG is a malicious e-threat is a polymorphic file infector that appends its encrypted code to executable files (.exe and .scr binaries). It deploys a rootkit and kills antivirus applications running on the computer so as to hide its presence on the infected machine.
In seventh position is Trojan.Autorun.AET, a malicious code spreading via the Windows shared folders, as well as through removable storage devices. The Trojan exploits the Autorun feature implemented in Windows for automatically launching applications when an infected storage device is plugged in.
At eighth position is Worm.Autorun.VHG. This is an Internet /network worm that exploits the Windows MS08-067 vulnerability in order to execute itself remotely using a specially crafted RPC (remote procedure call) package (an approach also used by Win32.Worm.Downadup).
Win32.Worm.Downadup.B is a variant of Win32.Worm.Downadup with similar functionality, except for the fact that the number of blocked anti-virus URLs is lower. This is one of the least dangerous variants, as it comes with no malicious payload.
The December 2009 E-threat list in full:
- Exploit.PDF-JS.Gen - 12.04 per cent.
- Trojan.AutorunINF.Gen - 8.15 per cent.
- Trojan.Clicker.CM - 7.90 per cent.
- Win32.Worm.Downadup.Gen - 5.85 per cent.
- Trojan.Wimad.Gen.1 - 4.57 per cent.
- Win32.Sality.OG - 2.65 per cent.
- Trojan.Autorun.AET - 1.97 per cent.
- Worm.Autorun.VHG - 1.65 per cent.
- Win32.Worm.Downadup.B - 1.25 per cent.
- Trojan.Script.236197 - 1.08 per cent.
Others - 52.85 per cent.