

Weekly report on viruses and intruders


Almost 26% of computers scanned last week at the Infected or Not website with the NanoScan and TotalScan online scanners were infected with some kind of active malware. This implies not only that the computer was infected but also that the malware was operating maliciously at the moment of the scan.

Moreover, with respect to the total number of computers scanned, more than 33% were infected even though they had an antivirus solution installed. The figure for those systems without protection was over 43%.
“The distinction between active and latent malware is very important”, says Jeremy Matthews, head of Panda Security (South Africa). “Active threats are those that are actually causing damage to the user at the moment of the scan. These could be anything, from memory-resident banker Trojans stealing confidential passwords, to bots sending spam or attacking other computers without the user realizing.”
The ranking of specific malware most frequently detected by TotalScan is headed this week by the potentially unwanted program (PUP) MyWebSearch, the adware Zango and the Trojan Downloader.MDW.
With respect to new threats that have appeared during the week, PandaLabs highlights the Nautunit.A Trojan and the worm/virus DarkAngel.C.
Nautunit.A is a Trojan that reaches computers with an icon that seems to be that of an ACDSee application. If users run the file, the system displays an error message claiming that the file format is not recognized. Meanwhile, the Trojan is installed on the system.
Nautunit.A makes several copies of itself in different places on the computer, in files with names like My Music.exe or 3D Screen Saver.scr. It also creates several Windows Registry entries, disabling the Windows Registry editor and hiding the Start menu search option. Similarly, it makes the changes needed so that when applications like Msconfig.exe, Regedit.exe or Rstrui.exe are started, it is actually the Trojan that is executed.
Nautunit.A restarts the computer every time users run certain applications, particularly those related to security tools.
The worm DarkAngel.A reaches computers using the typical Microsoft Word icon. When run, it displays no obvious symptoms of infection. However, at that moment, DarkAngel.A creates several copies of itself on the computer as well as a file called autorun.inf to ensure that it is run whenever the user accesses the C: drive.
It also creates several Windows Registry entries, which enable it to run automatically on every system restart or change the icon used by default with .scr files. DarkAngel.A disables a series of processes in memory, most of them related to security applications.
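
The autorun.inf mechanism described above for DarkAngel.A can be triaged with a small parser. This is an added example, not code from PandaLabs or the original report: it lists the entries in an autorun.inf that make Windows launch a program and classifies the file. The key names are the standard [autorun] launch keys; the function names, sample contents and file names are constructed for illustration.

```python
import re

# Keys in the [autorun] section that make Windows launch a program.
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$", re.I)
# File extensions treated here as directly executable (an assumption of this example).
EXECUTABLE = re.compile(r"\.(exe|scr|com|pif|bat|cmd|vbs)\b", re.I)


def launch_entries(text):
    """Return [(key, command)] for every program-launching key under [autorun].

    Tolerant by design: junk lines and comments are skipped, not rejected.
    """
    found, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if LAUNCH_KEY.match(key):
            found.append((key.lower(), value))
    return found


def assess(text):
    """Classify an autorun.inf: 'launches-executable', 'launches-other' or 'benign'."""
    entries = launch_entries(text)
    if any(EXECUTABLE.search(cmd) for _, cmd in entries):
        return "launches-executable"
    return "launches-other" if entries else "benign"


# Constructed samples (not taken from any real malware sample).
SUSPICIOUS = """\
;garbage padding line
[AutoRun]
OPEN=sample.exe
shell\\open\\Command=sample.exe
shell\\explore\\command = sample.exe
"""
LABEL_ONLY = "[autorun]\nlabel=Backup disk\nicon=disk.ico\n"

if __name__ == "__main__":
    for name, body in (("suspicious", SUSPICIOUS), ("label-only", LABEL_ONLY)):
        print(name, assess(body), launch_entries(body))
```

An autorun.inf at the root of a fixed drive such as C: that is classified as launches-executable deserves a closer look, since fixed drives rarely need one.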