According to data gathered at the Infected or Not website (www.infectedornot.com) last week, 18.92% of worldwide users that used Panda Security’s online tools, NanoScan and TotalScan, had active malware on their computers. 24.14% of PCs had latent malware (not running when the scan was carried out).
France was the country with the most computers containing active malware, 28.21% (infections per country can be seen on the website). Spain, on the other hand, was the country with the most computers infected by latent malware, 29.10%.
“This proves traditional protection is no longer enough and that it must be complemented with online tools such as NanoScan and TotalScan, which are capable of detecting more malicious codes than the solutions installed on users’ computers,” claims Luis Corrons, Technical Director of PandaLabs.
Among the new samples that appeared this week, PandaLabs highlights the Voter.A, MSNSend.A and Sohanat.DB worms.
Voter.A is a worm with electoral aims: it is designed to display a photo of a candidate for the Kenyan presidency each time it is run (every nine seconds). The worm modifies the registry so that it also runs every time the system restarts. To spread, it creates copies of itself on removable drives (USB, portable disk, etc.) named smss.exe, Raila Odinga.exe or autorun.exe. It also creates an autorun.inf file so that it runs every time the computer detects a removable drive.
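The removable-drive behaviour described for Voter.A can be checked for on a mounted drive. The following is an added example, not code from PandaLabs: it looks at a drive root for the three file names given above and reports what any autorun.inf there would launch. The function names are hypothetical, and matching on file names alone is a triage heuristic, not a detection signature.

```python
from pathlib import Path

# File names the report lists for Voter.A copies on removable drives.
# Names only: smss.exe is also a legitimate Windows binary, but that one
# lives in the system directory, not at the root of a USB drive.
VOTER_A_NAMES = {"smss.exe", "raila odinga.exe", "autorun.exe"}
# autorun.inf keys that tell Windows to start a program from the drive.
LAUNCH_KEYS = {"open", "shellexecute", "shell\\open\\command"}


def autorun_targets(inf_text):
    """Return the commands an autorun.inf [autorun] section would launch."""
    targets, in_autorun = [], False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_autorun = line.lower() == "[autorun]"
            continue
        if not in_autorun or line.startswith(";") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.lower() in LAUNCH_KEYS and value:
            targets.append(value.strip('"').lower())
    return targets


def scan_drive_root(root):
    """List findings for one removable-drive root directory."""
    files = {p.name.lower(): p for p in Path(root).iterdir() if p.is_file()}
    findings = [f"suspicious file at drive root: {files[n].name}"
                for n in sorted(VOTER_A_NAMES & set(files))]
    inf = files.get("autorun.inf")
    if inf is not None:
        text = inf.read_text(errors="replace")
        findings += [f"autorun.inf launches: {t}" for t in autorun_targets(text)]
    return findings


if __name__ == "__main__":
    import sys
    # Usage: python scan.py <drive root>; defaults to the current directory.
    for finding in scan_drive_root(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(finding)
```

Any autorun.inf launch entry on a drive that is not installation media deserves a look, whatever the target is called.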
The MSNSend.A worm spreads through Instant Messaging by sending a message to those contacts of the infected user who are connected when it is run. Examples include: “Here are my private pictures for you” or “hey i'm going to add this picture of us to my weblog”. The message has an attached zip file which contains a copy of the worm and infects users when they open it. This malicious code tries to connect to a specific web page to send its creator confidential information about the infected computer: the MAC (Media Access Control) address or a network card or interface identifier. It also creates a key in the Windows Registry to ensure it is run every time the system is started up.
Sohanat.DB is a worm that reaches computers with a text file icon. It is designed to modify users’ hosts files so they cannot access specific pages, mostly browsers. This malicious code also connects to a web address to download a variant of itself onto the system. Sohanat.DB makes several modifications to the registry. The malicious actions it carries out include changing the Windows Start page, disabling the Registry editor and the Task Manager, and preventing users from accessing the Run option in the Start Menu. It also creates a new key in the Windows Registry to run on every system restart.