14/03/2016
16:44

Statistics viruses/malware in February 2016 in Italy


Every month the C.R.A.M. of TG Soft analyzes the viruses/malware circulating in Italy.
The C.R.A.M. (Anti-Malware Research Center) of TG Soft has released its statistics on the viruses/malware actually circulating in Italy in February 2016. Let's find out which malware families and variants infected users' PCs.

Analysis of virus/malware


Analyzing the statistics shown on the left, you can see that the Trojan family is by far the most widespread malware family; immediately behind it, as has been the case for many months now, come two categories of advertising programs: ADWARE and PUP.

It is always advisable to check the actual usefulness of software downloaded from the Internet: such programs are often passed off as the only solution to some problem, but once installed they usually cause more damage and make the situation worse.
 
Looking at the Trojan family in more detail, the fourth position of the TOP 10 deserves attention: a malware that became especially notorious this month because of the massive distribution campaign behind it. We are talking about Trojan.Win32.Teslacrypt, and more specifically its .AQ variant.

In February 2016 there was a massive spread of infections caused by TeslaCrypt 3.0 in two variants, which encrypt the victim's files and rename them with the .micro and .mp3 extensions respectively.

The C.R.A.M. of TG Soft has already published several news items about this type of malware. Below are the links for future reference (in Italian for now):

TeslaCrypt was spread through scam e-mails (like the one shown on the right) carrying a zipped attachment (d.zip in our example). Inside that archive is a JavaScript file which, if extracted and run, downloads and executes the cryptomalware. On a default Windows installation a double-clicked .js file is run by Windows Script Host, so simply "opening" the attachment is enough to start the infection chain.

More details on the Teslacrypt.AQ samples collected by the C.R.A.M. of TG Soft can be seen in the table at the following link: sample table Teslacrypt.AQ



Remember also that TeslaCrypt was the most widespread, but not the only, cryptomalware infecting computers: some cases of Cryptolocky were also observed. This is another cryptomalware that encrypts files, renaming each one with a random string and changing its extension to .locky. The news item about this new cryptomalware is available at the following link:

Analysis of the virus / malware that spread via email

Among the viruses/malware actually circulating via e-mail this month, the C.R.A.M. of TG Soft analyzed numerous cases of scam e-mails carrying fake attachments (invoices, delivery notes, etc.). Let's analyze the reports received.


As expected after the massive TeslaCrypt campaign of February 2016, the top positions include Trojan.JS.Dropper with variants BA and BC.

Next come the fake invoices and/or documents intercepted by Vir.IT eXplorer as Trojan.Win32.Dropper with variants TV, UC and TX.

These malware are always spread by means of a lure e-mail that urges the recipient to open the attachment or to download it from some website.


As we can see from the ranking, there is also PUP.Win32.OOO.Q which, although reported as a Potentially Unwanted Program (i.e. an advertising program), is in fact Trojan.Win32.CTBLocker, yet another cryptomalware.

Almost certainly the malware authors stole the code-signing certificate of a software house that produces advertising programs and are using it to digitally sign numerous cryptomalware samples. A valid digital signature therefore proves only that the signer held the private key, not that the file is benign: a signed sample should still be judged on its behaviour and detection name, and the certificate's revocation status should be checked rather than trusting the signature alone.

Let's look at some samples and variants of Trojan.JS.Dropper.BC that arrived with the scam e-mails. The samples came in different variants, but mostly fall into three naming patterns:
  1. invoice_copy_<randomstring>.js
  2. invoice_scan_<randomstring>.js
  3. invoice_<randomstring>.js

A more detailed list of Trojan.JS.Dropper.BC samples can be viewed by clicking the following link: table sample Trojan.JS.Dropper.BC.
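The delivery chain described above (a small ZIP such as d.zip carrying a JavaScript dropper named like invoice_copy_<randomstring>.js) is easy to triage before a user ever double-clicks it. The following Python script is an added example, not code from TG Soft or from the article: it opens a ZIP attachment in memory and flags members with directly executable extensions, double extensions such as report.pdf.scr, and names matching the three invoice_*.js patterns listed above. The extension blocklist and the sample archive are assumptions constructed for the example; the JavaScript inside it is a harmless placeholder.

```python
"""Triage an e-mail ZIP attachment for the TeslaCrypt-style delivery chain
(ZIP -> JavaScript dropper -> downloaded cryptomalware).  Added example, not
code from the article or from TG Soft."""
import io
import re
import zipfile

# File types that Windows Script Host or the shell execute directly on a
# double-click.  Assumption: a typical mail-gateway blocklist, not a list
# taken from the article.
EXECUTABLE_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh",
                         ".hta", ".scr", ".exe", ".cmd", ".bat", ".ps1"}

# The three lure names seen in the Trojan.JS.Dropper.BC campaign, with
# <randomstring> modelled as a run of word characters.
LURE_NAME_RE = re.compile(r"^invoice_(?:copy_|scan_)?\w+\.js$", re.IGNORECASE)


def triage_archive(data: bytes) -> list[dict]:
    """Return one finding per suspicious member of the ZIP held in `data`."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename.rsplit("/", 1)[-1]   # drop any directory part
            parts = name.lower().split(".")           # "a.pdf.scr" -> [a, pdf, scr]
            reasons = []
            if len(parts) > 1 and "." + parts[-1] in EXECUTABLE_EXTENSIONS:
                reasons.append("executable script/binary inside archive")
            if len(parts) > 2:
                reasons.append("double extension")
            if LURE_NAME_RE.match(name):
                reasons.append("matches invoice_*.js lure pattern")
            if reasons:
                findings.append({"member": info.filename,
                                 "size": info.file_size,
                                 "reasons": reasons})
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample resembling the d.zip from the scam e-mail.
    The .js body is an inert placeholder, not real dropper code."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice_copy_8f3a2c.js", "// placeholder, does nothing\n")
        zf.writestr("readme.txt", "plain text, not suspicious\n")
        zf.writestr("report.pdf.scr", "MZ placeholder, not a real binary")
    return buf.getvalue()


if __name__ == "__main__":
    for f in triage_archive(build_sample_zip()):
        print(f"{f['member']} ({f['size']} bytes): {', '.join(f['reasons'])}")
```

Run on the constructed archive, the script reports the .js lure and the double-extension .scr while leaving readme.txt alone. In a real gateway the same function would be applied to every ZIP attachment before delivery, and a hit on the executable-extension rule alone is enough to quarantine the message: legitimate invoices do not arrive as scripts.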
 

Inevitably, as always, the TOP 10 includes Word macro downloaders with at least one variant, in this case W97M.Downloader.BH, followed by an infected JavaScript, more precisely JS.Agent.IJ.

You can see the TOP 10 for February 2016 at the following link: TOP 10 virus-malware of February 2016.
You will also find definitions of the various types of pests in the glossary on viruses & malware.

We point out that all the viruses/malware actually circulating are identified and, in many cases, also removed by Vir.IT eXplorer Lite -FREE Edition-, which TG Soft makes freely available both to individuals and for use within companies. Vir.IT eXplorer Lite is interoperable with other antivirus products already installed on your computer, without having to uninstall them, thus allowing the cross-check that nowadays is no longer a whim but a necessity. Go to the download page.
Any information published on our site may be used and republished on other websites, blogs, forums, Facebook and/or in any other form, both on paper and electronically, as long as the source is always explicitly cited as “Source: CRAM by TG Soft www.tgsoft.it” with a clickable link to the original information and/or web page from which the textual content, ideas and/or images have been taken.
If information from C.R.A.M. by TG Soft www.tgsoft.it is used in summary articles, the following acknowledgment will be appreciated: “Thanks to Anti-Malware Research Center C.R.A.M. by TG Soft, of which we point out the direct link to the original information: [direct clickable link]”

Vir.IT eXplorer PRO is certified by the biggest international organisations: