Windows malware

This is the second month that we are analyzing the data we collect from our on-line scanner. We can now make preliminary comparisons with our mail traffic statistics and analyze emerging trends.

We’re raising the alert status on Nyxem.e from green to orange. This is not based on any sudden upsurge in infections.

Yesterday we came across a worm with a German (speaking) background, Email-Worm.Win32.Skowor.b.

For the past two days we’ve been tracking an increase in the number of Email-Worm.Win32.Bagle.fj samples up to the point that it is now topping our malware statistics.

More than 24 hours have passed since the Nyxem.e activation date for this month and it’s been pretty quiet.

Solving the virus naming mess – not an easy task

Inside Nyxem.e’s 100K+ body there is a dreaded block of 32 bytes. On the 3rd of every month, exactly 30 minutes after the infected system is started, Nyxem.e will use this block.

We’ve got another version of GPCode. We’re currently looking at the encryption algorithms, and we’ll get back to you with the full story in the near future.

We’re seeing Bagle deployments on a number of websites, usually a sign of increased Bagle activity to follow

We’ve just issued an alert for Nyxem.e, due to the number of reports we’ve been receiving for the past few days but also because of its destructive payload which activates on 3rd of every month.

I recently came across an interesting IRCBot which KAV detects as Backdoor.Win32.IRCBot.lo. When I took a closer look at it, I found out that it’s quite an advanced bot with a lot of features.

It’s two years to the day that the antivirus industry first encountered Bagle – Email-Worm.Win32.Bagle.a.

Sober.y will attempt to update itself tonight from a predefined set of websites in Germany and Austria.

It was only a matter of time, the first IM-Worm exploiting the wmf vulnerability has been spotted.

Another case of infected storage media