18/02/2016
15:50

Virus / malware statistics for January 2016 in Italy


Every month the C.R.A.M. of TG Soft analyzes the viruses and malware in circulation.
The C.R.A.M. (Anti-Malware Research Center) of TG Soft has released its statistics on the viruses / malware actually circulating in Italy in January 2016. Let's find out which malware families and variants infected users' PCs.

Analysis of virus/malware


Analyzing the statistics shown on the left, you can see that the Trojan family is by far the most widespread malware family and that, as for many months now, it is followed by two categories of advertising programs: ADWARE and PUP.

Too often we trust websites considered "safe" that distribute software.

In most cases, in order to make a profit, these sites must advertise other products by modifying the setup of the programs they distribute: in this way, during installation and in a not entirely legitimate manner, the user is prompted to try additional software that is often ADWARE or PUP.

The C.R.A.M. of TG Soft recommends searching for free software and downloading it directly from the manufacturer's site, not from third-party sites.

In January 2016 there were numerous scam / spam emails containing attachments that unleashed crypto-malware. Examples were:


1) 14-01-2016 -> "False email TELECOM Italia-TIM unleashes new variants of CTB-Locker to encrypt the data files of the PC / SERVER and demand ransom!"

2) 19-01-2016 -> "New year ... old friends ... CryptoLocker is back!"

3) 25-01-2016 -> "First cases of the new TeslaCrypt 3.0 in Italy."

4) 01-02-2016 -> "Black Monday: new massive attacks by TeslaCrypt 3.0" which, although dated the first day of February, concerns a massive mailing that took place between the last days of January and early February.

The many CRYPTOMALWARE variants are not present in the ranking because most of them delete their executable file, the one responsible for the encryption, at the end of the procedure in order to avoid detection.

To the right you can see the JavaScript code that was sent as the attachment of the scam emails.

The malicious JavaScript, detected by Vir.IT eXplorer PRO as Trojan.JS.Dropper.BA, downloads TeslaCrypt (in the example the file 80.exe) and saves it in the %TEMP% directory, where the user's temporary files are stored.

It is then renamed with the name contained in the "FILE_NAME" variable and finally executed.

The file name of the JavaScript sent as an email attachment was composed as follows:

invoce_scan_<randomstring>.js

invoice_copy_<randomstring>.js

invoice_<randomstring>.js

Analysis of the virus / malware that spread via email

Among the viruses / malware actually spreading via email this month, the C.R.A.M. of TG Soft has analyzed numerous incidents of scam emails containing fake attachments (such as invoices, delivery notes, etc.). We analyze the reports received.


As we can see from the ranking of the most widespread viruses / malware in January 2016, in first place we find W97M.Downloader.AZ, a macro contained inside a fake Word document passed off as an invoice.

Next we find the infected macros, again inside fake Excel documents, X97M/Downloader.H and W97M/Generic.K, and some cryptomalware such as Trojan.Win32.CTBLocker.BK and Trojan.Win32.CryptLocker.EA. The C.R.A.M. of TG Soft has already analyzed these cryptomalware during the same month.


Also in the ranking are the usual fake invoices: executable files that download further malware variants, such as the Trojan.Win32.Dropper variants TH, TS and TO.




In the image above, on the left you can see an example of a scam email that arrived as "Fattura Telecom" containing a Trojan.Win32.CTBLocker variant.

The email attachment "fattura <randomnumber>.zip" contains the cryptomalware, which has a double extension, .pdf.exe, and was preemptively blocked by Vir.IT Security Monitor, which reports the presence of a file with a double extension, as you can see in the image on the right.

If the document received via the scam email is an executable file, such as Trojan.Win32.Dropper.TH, it will arrive zipped; in that case the user not only has to open the compressed file but must also extract its contents and run the Trojan Dropper, disguised as a fake PDF or with another icon such as that of the FedEx courier, as can be seen in the image on the right.
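The two attachment traits described in this article (invoice-themed .js names such as invoce_scan_&lt;randomstring&gt;.js and a .pdf.exe double extension hidden inside a "fattura" zip) can be turned into a simple mail-gateway triage check. The following is an added example written for this page, not code from TG Soft or Vir.IT; the attachment names and the in-memory zip are constructed test data, and the extension lists are assumptions.

```python
import io
import re
import zipfile

# Extensions that run code when double-clicked on Windows (script hosts and executables).
EXEC_EXTS = {".exe", ".scr", ".com", ".js", ".jse", ".vbs", ".vbe", ".wsf", ".bat", ".cmd"}
# Document extensions typically used as the decoy half of a double extension ("x.pdf.exe").
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg"}
# Invoice-themed lure names from the campaign: invoce/invoice/fattura + optional scan_/copy_ + random part.
LURE_RE = re.compile(r"^(invoce|invoice|fattura)[ _](scan_|copy_)?[a-z0-9]+\.")


def classify_name(name: str) -> list:
    """Return the reasons why an attachment file name looks suspicious (empty list if none)."""
    base = name.lower().rsplit("/", 1)[-1]        # strip any directory part inside an archive
    parts = base.split(".")
    if len(parts) < 2:
        return []
    exts = ["." + p for p in parts[1:]]
    last = exts[-1]
    reasons = []
    if last in EXEC_EXTS:
        reasons.append(f"executable-extension:{last}")
    # A document extension directly followed by an executable one, e.g. "fattura 123.pdf.exe".
    if len(exts) >= 2 and exts[-2] in DOC_EXTS and last in EXEC_EXTS:
        reasons.append(f"double-extension:{exts[-2]}{last}")
    if LURE_RE.match(base):
        reasons.append("invoice-lure-name")
    return reasons


def triage_attachment(name: str, data: bytes) -> dict:
    """Classify one attachment; zip archives are opened and every member is classified too."""
    findings = {name: classify_name(name)}
    if name.lower().endswith(".zip"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    findings[f"{name}:{member}"] = classify_name(member)
        except zipfile.BadZipFile:
            findings[name].append("corrupt-zip")
    return {k: v for k, v in findings.items() if v}   # keep only attachments with findings


def build_sample_zip(member: str) -> bytes:
    """Constructed test archive holding one empty file with the given name (not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, b"")
    return buf.getvalue()
```

Any non-empty result is a reason to quarantine the message for review rather than deliver it; the lure-name check on its own is only a weak signal and is meant to be read together with the extension findings.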

To defend against these types of attack it is always good practice not to trust received emails containing such links and / or attachments; verify the reliability of the source or ask your system support to check the contents.

You can see the top 10 for January 2016 at the following link: TOP 10 virus-malware di Gennaio 2016.
You will also find the definitions of the various types of pests in the glossary on viruses & malware.

We point out that all the viruses / malware actually circulating are identified and, in many cases, also removed by Vir.IT eXplorer Lite -FREE Edition-, which TG Soft makes available free of charge to both individuals and companies. Vir.IT eXplorer Lite is interoperable with other antivirus products already on your computer, without having to uninstall them, thus allowing the cross-check that nowadays is no longer a whim but a necessity. Go to the download page.
Any information published on our site may be used and published on other websites, blogs, forums, Facebook and/or in any other form, both paper and electronic, as long as the source is always and in any case cited explicitly as “Source: CRAM by TG Soft www.tgsoft.it” with a clickable link to the original information and / or web page from which textual content, ideas and / or images have been taken.
If the information of C.R.A.M. by TG Soft www.tgsoft.it is used in summary articles, the following acknowledgment will be appreciated: “Thanks to the Anti-Malware Research Center C.R.A.M. by TG Soft, of which we point out the direct link to the original information: [direct clickable link]”

Vir.IT eXplorer PRO is certified by the largest international organisations: