
Dr.web 2007 news (mostly in English), please take a look!

mamigo
Posted on 2007-6-25 08:49:54
Most of the material I found is in English; please take a look!

A bit more understanding of Dr.web!
A bit more discussion about Dr.web!

[ This post was last edited by mamigo on 2007-6-25 09:14 ]
mamigo
Original poster | Posted on 2007-6-25 08:54:24

Dr.WEB anti-spam beta-version released

January 15, 2007
       
Doctor Web, Ltd. announces the beta-testing of the new product protecting Windows workstations from viruses and unsolicited mail (spam). The mail filtering module SpIDer Mail® now integrates a spam filter based on Vade Retro® technology from Goto Software, a French company with more than 5 years' experience in anti-spam development.
All users willing to try the new functionality of Dr.Web anti-virus can register as beta-testers and explore the advantages of the spam-filtering technology. SpIDer Mail, being as always light, efficient and transparent to the user, is now integrated with Vade Retro anti-spam filter, thus protecting the client's mailbox from not just dangerous but from unsolicited mails as well.
The anti-spam module has several advantages.

    * The unique technology allowing detection of up to 97% of spam. Up to 80% of unsolicited e-mails are filtered by headers only, which increases substantially its productivity and decreases dependency of the anti-spam technology on the language of the message;
    * compact anti-spam module – the Dr.Web distribution became heavier by 1 MB only;
    * easy settings which can be understood even by computer beginners;
    * ability to filter mail traffic immediately after it is installed and enabled, without any previous teaching of the anti-spam;
    * support of POP3 and IMAP;
    * independence from any mail client.

An anti-spam solution has long been awaited by many Dr.Web users. To meet the market requirements, finding a good anti-spam technology was not enough. It was really important to assure the cooperation with a professional team which would guarantee continuous customer support, with a real-time reaction to numerous spammers' tricks. It was also important to keep a certain technological balance with a newly integrated technology to preserve some specific trends of Dr.Web Anti-virus - compactness, simplicity, high technology level, computer resource sparing. Integration of the Vade Retro anti-spam technology into Dr.Web Anti-virus for Windows did not break this balance.

"We plan to come out shortly with a highly efficient anti-spam solution based on Dr.Web for Windows workstations. The results of the internal testing of Vade Retro technology, both on servers and client stations proved that our choice to establish a strategic partnership with Goto Software was the right one," commented Boris Sharov, the CEO of Doctor Web, Ltd. "The agreement we have recently signed with the French company allows us to use the unique Vade Retro technology in practically all Dr.Web products designed to protect E-mail messaging. We are sure that our users will appreciate the high technology level of this anti-spam, the original approach to spam detection issue, the speed of reaction of the French team to new waves of spam. What is the most important for us is that we saw in the French team a truly professional attitude to the work they are dedicated to and their ability to promptly act in their customers' interests."

Technical details

The anti-spam technologies used in the new product by Dr.Web contain several thousand rules which can be divided into several groups.

    * Heuristic analysis: Highly complicated intellectual technology of empirical analysis of all parts of messages: headers, message body, etc. Not only the message itself but its attachment, if any, is being analyzed. The heuristic analyzer is constantly being improved; new rules are being added to it.
    * Counter-reaction: Counter-reaction technique is one of the most advanced and efficient technologies of Dr.WEB anti-spam. It helps to counteract the tricks used by the spammers to outsmart anti-spam filters.
    * HTML-patterns: The messages with HTML-codes included into them are compared with the list of known patterns from the library of HTML-patterns of the anti-spam. Such comparison in combination with the available data on the image sizes typically used by spammers helps protect users against spam messages with HTML-code, which often include online images.
    * Semantic analysis: During the semantic analysis the words and phrases from the message are compared with the words and phrases typical for spam. The comparison is made against a predefined dictionary. The words, phrases and symbols are analyzed – both visible to the human eye and those masqueraded by the technical tricks of spammers.
    * Anti-scamming technology: Scam (as well as pharming messages – a type of scam-messages) is the most dangerous type of spam. There we can name also the so-called “Nigerian” scams, loan scams, lottery and casino scams, false messages of banks and credit organizations. To filter scams a special module is used in Dr.WEB anti-spam.


Anyone is welcome to test Dr.WEB beta version. To download the beta version, you should first register in the Beta section of the web-site of Doctor Web, Ltd. More details about beta version and anti-spam filter can be found here.
mamigo
Original poster | Posted on 2007-6-25 08:54:58

December virus review by Doctor Web, Ltd.

January 4, 2007

Virus Monitoring Service of Doctor Web, Ltd. reports the virus review for December, 2006.
In the last month of the year several vulnerabilities in MS Outlook Express and Internet Explorer were discovered. New flaws allowed computer criminals to execute an arbitrary code in the target computer, overrun the buffer and read remotely files in the Temporary Internet Files directory. Microsoft rated all the flaws as "critical". Despite the released patches, there is a high possibility a full-functional virus program can be created to exploit the vulnerabilities. Quite often the patches are installed after the computer is infected. Read more about vulnerabilities in Internet Explorer and Outlook Express here.
During December there was a large-scale distribution of spam messages inviting users to visit some web-site or see hot pics. A link where the archive could be downloaded pointed at the Trojan downloader detected by Dr.Web as Trojan.DownLoader.15512. Being infected, computers become a source of distribution of spam executed by another Troj – Trojan.Spambot.
This month a new Trojan Horse named by Dr.Web as Trojan.Encoder.10 appeared. It has a destructive function – it encrypts files on hard drives (*.jpg, *.doc, *.txt, *.gif, *.rar, *.bmp) by XOR algorithm with the key of 1 byte length. We remember that its predecessor Trojan.Encoder.9 used 8-byte key, and Trojan.Encoder.6 encrypted files with RSA algorithm. Trojan.Encoder.10 infects files by adding itself at their beginning and adds the *.exe extension. The infected file is run by the operating system as executable and displays the message
"file_name" was infected with dangerous and destructive virus or spyware.CPS Anti-Spyware 2.0 deleted "file_name" from this path on your computerC:\ - now your system is fully protected CPS Anti-Spyware 2.0 allow you to recover all infected files with 100 guarantee.Purshase full version CPS Anti-Spyware and restore "file_name"
and opens Internet Explorer with the target web-site page. By no means, this Troj is used for advertising purpose only.
Trojan.Promo can be used as another example of advertising programs. Having installed itself, the Troj registers at a definite web-site and receives a unique identification number. After that, it downloads advertisements from time to time. Its icon is displayed in the system tray. When a user clicks the icon, a message is generated asking the user to send a paid SMS to remove the Trojan horse.
This month a new modification of the mass-mailing worm labeled Win32.HLLM.Limar was released, but it had a minor impact and did not cause a large-scale epidemic, as it was this autumn. At the end of the month a spam distribution of malicious "Christmas cards" was registered. The viral attachments contained a new variant of the notorious Win32.HLLM.Limar and those users who opened these attachments received a real "present" from virus writers. These malware were added to Dr.WEB virus database as Trojan.DownLoader.16958, Trojan.DownLoader.16984 and Trojan.DownLoader.16985.

Statistics

8290 entries were added to Dr.Web virus database in December.
Find below a short summary table of online check results in December:
Virus name        Quantity
Win32.HLLM.Limar        415
Win32.HLLM.Limar.based        279
Trojan.Spambot        201
Win32.HLLM.Beagle        173
Win32.HLLM.Wukill        165
Trojan.Popuper        162
Trojan.PWS.LDPinch.1217        156
Trojan.Peflog.52        137
BackDoor.Generic.1138        127
Trojan.Mezzia        74
Below goes a table of the most frequently detected viruses in mail servers and networks protected by Dr.Web Enterprise Suite:
Virus name        Percentage rate
Trojan.Bankfraud.272        14.37
Win32.HLLM.Limar.based        12.35
Win32.HLLM.Perf        11.16
Win32.HLLM.Beagle        9.25
Win32.HLLM.Netsky.35328        8.90
Win32.HLLP.Sector        7.00
Win32.Dref        6.30
Win32.HLLM.Netsky.based        4.89
Win32.HLLM.MyDoom.based        4.69
Win32.HLLM.MyDoom.33808        2.19
Win32.HLLM.Limar        2.19
Trojan.DownLoader.16958        2.16
Win32.HLLM.Graz        1.85
Win32.HLLM.MyDoom.49        1.14
Exploit.MS05-053        0.89
Win32.HLLM.Netsky        0.74
Win32.HLLM.Oder        0.72
Exploit.MS05-053        0.70
Exploit.IframeBO        0.63
Win32.HLLM.MyDoom        0.51
Other malware        7.37
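
The review above says Trojan.Encoder.10 uses XOR with a 1-byte key. The Python sketch below is an added example, not part of the original post or any Dr.Web tool, showing why such a key is recoverable from the encrypted data alone: known file signatures reveal it for binary formats, and character statistics reveal it for *.txt. It assumes the prepended executable has already been stripped (its length is not given in the review) and that the whole original content was XORed with the same byte; all function names are hypothetical.

```python
from typing import Optional

# Leading signature bytes for file types named in the review.
MAGIC = {
    "jpg": b"\xff\xd8\xff",
    "gif": b"GIF8",
    "rar": b"Rar!\x1a\x07",
    "bmp": b"BM",  # only two bytes, so a weaker confirmation
    "doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",  # OLE2 compound file
}


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte (encryption equals decryption)."""
    return bytes(b ^ key for b in data)


def key_from_magic(encrypted: bytes, ext: str) -> Optional[int]:
    """Derive the key from the first byte, confirm it on the full signature."""
    magic = MAGIC.get(ext.lower().lstrip("."))
    if magic is None or len(encrypted) < len(magic):
        return None
    key = encrypted[0] ^ magic[0]
    if xor_bytes(encrypted[: len(magic)], key) == magic:
        return key
    return None


def _text_score(data: bytes) -> int:
    """Reward letters and spaces, penalise control and high bytes."""
    score = 0
    for b in data:
        if b == 0x20 or 65 <= b <= 90 or 97 <= b <= 122:
            score += 1
        elif b in (9, 10, 13) or 32 < b < 127:
            continue  # punctuation, digits, line breaks: neutral
        else:
            score -= 5
    return score


def key_from_text(encrypted: bytes) -> Optional[int]:
    """Try all 256 keys and keep the one whose output looks most like text."""
    if not encrypted:
        return None
    best = max(range(256), key=lambda k: _text_score(xor_bytes(encrypted, k)))
    return best if _text_score(xor_bytes(encrypted, best)) > 0 else None


def recover(encrypted: bytes, ext: str) -> Optional[bytes]:
    """Return the decrypted content, or None if no key could be confirmed."""
    ext = ext.lower().lstrip(".")
    if ext == "txt":
        key = key_from_text(encrypted)
    else:
        key = key_from_magic(encrypted, ext)
    return None if key is None else xor_bytes(encrypted, key)


if __name__ == "__main__":
    # Constructed samples, encrypted here with arbitrary keys for the demo.
    jpg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"
    txt = b"Quarterly report: totals are attached below.\n"
    print(hex(key_from_magic(xor_bytes(jpg, 0x5A), "jpg")))
    print(recover(xor_bytes(txt, 0xC3), "txt"))
```
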
mamigo
Original poster | Posted on 2007-6-25 08:55:26

Dangerous Troj masquerades as a political video

January 21, 2007

Virus monitoring service of Doctor Web, Ltd. informs on a rather high distribution of spam messages with a Trojan Horse (Trojan.Spambot labelled by Dr.WEB) in the attachment. This Troj is a copy of another malicious program - BackDoor.Groan - but this time it is packed with a slightly modified packer. By 23.00 MSK, January 20, the messages having BackDoor.Groan in the attachment hit 87% of all infected mail traffic. In the first half of January 21st, Trojan.Spambot went up to 60% of the infected traffic leaving BackDoor.Groan very far behind. Such huge presence of the Troj in the Internet is explained by the fact that it was spammed and quickly reached millions of computers.

The users are lured to open the viral attachment by the bright headline on some actual political event. There is no text in the messages and there is a high probability many careless users run the ill-intended attachment – the dangerous executable. Being executed, the program copies itself to the Windows System directory and installs the driver (its file name is wincom32.sys and the corresponding entry is made in the registry). The driver can download other malicious programs and it stays invisible for Task manager. The messages with Trojan.Spambot in attachments may have the following subjects:

    * Russian missle shot down Chinese satellite
    * Russian missle shot down USA satellite
    * The Supreme Court has been attacked by terrorists. Sen. Mark Dayton dead!
    * Fidel Castro dead!

The names of executable files are the following:

    * Full video.exe
    * Full clip.exe
    * Full news.exe
    * Full story.exe
    * Video.exe

Experts of Doctor Web, Ltd. warn users to never open any attachments received from unknown users. We predict increase of similar spam distributions of this Trojan. The subjects and the executables attached to the messages may differ.
mamigo
Original poster | Posted on 2007-6-25 08:57:13

All aboard! Dr.WEB Anti-virus for Windows + FREE Anti-spam

Doctor Web, Ltd. announces a special offer for users of Dr.WEB Anti-virus for Windows

On January 15, 2007 a beta version of Dr.WEB anti-spam was released. Its official release is planned for the end of February. Upon the release date the spam filtering function will be FREE for those who purchase and activate a Dr.WEB Anti-virus for Windows license between February 5 and February 28, 2007. Our new spam filtering function will be available upon version upgrade. With this version upgrade a "Check for spam" check box will appear in the 'SpIDer Mail Settings' window. For a free version of Dr.WEB Anti-spam, purchase and activate a Dr.WEB Anti-virus for Windows license at regular price until February 28. Follow our news to learn the release date of Dr.WEB Anti-spam!

About Dr.WEB Anti-spam

Dr.WEB Anti-spam is an efficient and highly productive spam filtering solution based on Vade Retro technology by GOTO Software, France, with more than 5 years' experience in the anti-spam industry. Dr.Web has selected the best technologies and created a comprehensive Anti-spam solution for you! Dr.WEB Anti-spam is easy to use, even for PC-beginners. After the spam-filtering is activated and the first e-mail message is received, the anti-spam begins operating automatically! Dr.WEB Anti-spam uses different filtering techniques for different types of unsolicited e-mails - such as spam, phishing, pharming, scamming - and bounce messages; this technique produces an exceptionally high detection rate. By using the unique spam filtering technologies of Vade Retro, Dr.WEB is able to supply daily updates and rules that even the smallest bandwidth handles with ease.
mamigo
Original poster | Posted on 2007-6-25 08:58:01

January 2007 virus review by Doctor Web, Ltd.

February 1, 2007

The beginning of 2007 demonstrated that virus writers hadn’t meant to hang around during New Year holidays. They were inventing new traps for users – such as spam letters offering a video of Saddam Hussein’s execution which took place on December 30th, 2006 in secrecy. Later on there emerged some mobile-made shots of it. A few malware upgrades, classified by Doctor Web, Ltd. experts as Trojan.DownLoader.17224, spread over the world. Being run, these malware downloaded and executed confidential information stealers – Trojan.PWS.Banker.6321, Trojan.PWS.Banker.6322, Trojan.PWS.Banker.6276. Since the video is run by media-player, users may simply have no notion about the information leak.

Another spam video, detected by Dr.WEB Anti-virus as BackDoor.Groan, Trojan.Spambot, has proved the increased popularity of spread in spam political plots. According to mail servers’ statistics, e-mails with BackDoor.Groan comprise 87-90% of the whole infected traffic. Being run, the attached file adds to the infected system a driver, which further on downloads other malware. In addition BackDoor.Groan is able to run in peering systems, formed to manage certain hosts of the web, as well as initiate unauthorized downloads and launch of files on infected computers. The malware downloaded by BackDoor.Groan has been regularly upgraded during quite a long term. As statistics quotes, the upgrades took place twice a day, making their detection even more difficult. Yet, showy political headlines are not out of the ordinary. Remember Internet worm Win32.Dref, whose copies spread all over the world with nuclear war alarm in the headline in November 2006.

Creators of Win32.HLLM.Limar mail worm released new upgrades of their "off-spring" on January 15th and 23rd, as if congratulating users and anti-virus companies on the New Year and celebrating the malware's 5-month anniversary in this way.

Several versions of the network-aware worm of the Chinese origin infecting exe-files, classified by Dr.WEB Anti-virus as Win32.HLLP.Whboy, were detected in January, too, by experts of Doctor Web, Ltd. Some of the versions had only a propagating function, without exe-files infecting mechanism. The worm resulted in local epidemics all around North Korea and in some USA and European regions. Win32.HLLP.Whboy propagates through vulnerabilities in browsers when a user visits a specially designed web-page. In addition to its diffusion on the web, the worm copies itself onto movable media, if there are any connected to it at the moment of infection.

Virus statistics by Doctor Web, Ltd. in January, 2007

6368 entries were added to Dr.Web virus database in January, 2007.
Find below a short summary table of online check in January:
Virus name        Quantity
Win32.HLLM.Limar.based        416
Trojan.Spambot        307
Win32.HLLM.Wukill        222
Win32.HLLM.Beagle        141
Win32.HLLW.Limar        143
Trojan.Popuper        128
VBS.Psyme.239        121
Win32.Sector.28682        58
Win32.HLLM.Perf        57
Trojan.Packed.2        42
Below goes a table of the most frequently detected viruses in mail servers and networks protected by Dr.Web Enterprise Suite in January, 2007:
Virus name        Percentage rate
Trojan.Bankfraud.272        22.47
BackDoor.Groan        12.48
Win32.HLLM.Limar.based        10.92
Win32.HLLM.Beagle        8.89
Win32.HLLM.Perf        6.98
Win32.HLLP.Sector        6.42
Win32.HLLM.Netsky.35328        5.41
Trojan.Packed.4        4.03
Win32.HLLM.MyDoom.based        3.06
Win32.HLLM.Netsky.based        2.93
Trojan.DownLoader.17767        2.04
Win32.HLLM.MyDoom.33808        1.46
Trojan.Spambot        1.44
Win32.HLLM.Graz        0.87
Trojan.Packed.3        0.81
Trojan.Packed.5        0.75
Program.RemoteAdmin        0.61
Win32.HLLM.MyDoom.49        0.60
Win32.HLLM.Limar        0.58
Exploit.MS05-053        0.53
Other malware         6.72
mamigo
Original poster | Posted on 2007-6-25 08:58:21

New Dr.Web CureIt! version released

Copyright line works as the link to the CureIt! project history page. Support of Finnish language is added.
mamigo
Original poster | Posted on 2007-6-25 08:58:57

Beta-version of Dr.WEB Anti-spam for Unix mail servers released

February 12, 2007

Doctor Web, Ltd., a Russian developer of Dr.WEB security solutions, launches a beta-testing of spam filtering system for Unix-servers. Now, in addition to Dr.Web Mail Daemon (mail anti-virus module), whose beta-version release was announced earlier, a module for spam filtering based on Vade Retro® technology developed by the French company Goto Software is offered. The Vade Retro technology allows e-mails to be analyzed absolutely autonomously, without any calls to external sources of spam information. This helps quickly filter e-mails for spam and constantly improve the analysis of e-mail messages due to dynamically updated code of the anti-spam module.
A verdict if the message is spam or not spam is made after the deep analysis of the message structure and up to 80% of spam is filtered by message headers, which significantly decreases the dependency upon the language the message is written in. It considerably increases the technology resistance to tricks of spammers trying to avoid traditional spam filters, for example, resistance to graphical spam which is becoming widely spread now.
The technology used in the new Dr.Web solution allows server administrators to flexibly adjust the mail filtering algorithm to company security policies. Unsolicited e-mails are marked by the anti-spam and can be filtered at the server level before they come into a user’s mail box. If the user wants to filter for spam at a client side, he can easily do that by setting up his mail client.
In addition to spam filtering server version, the main mail filtering module - Dr.Web Mail Daemon has been considerably improved and the following changes have been incorporated into it:

    * Support of Qmail is added;
    * Support of postfix on milter protocol is added;
    * Customized settings for Dr.Web Mail Daemon are provided;
    * Database format of Dr.Web Mail Daemon is changed (that is why if you update from the previous beta-version, you should delete the existing database);
    * The information displayed in diagnostic messages and log files of Dr.Web Mail Daemon is extended;
    * Syntax of processing rules of messages is changed;
    * All known errors are corrected.

Dr.Web Anti-spam for Unix servers. Technical description

The Dr.WEB spam filtering technology consists of several thousand rules which can be divided into several groups.

    * Heuristic analysis: Highly complicated intellectual technology of empirical analysis of all parts of messages: headers, message body, etc. Not only the message itself but its attachment, if any, is being analyzed. The heuristic analyzer is constantly being improved; new rules are being added to it.
    * Counter-reaction: Counter-reaction technique is one of the most advanced and efficient technologies of Dr.WEB anti-spam. It helps to counteract the tricks used by the spammers to outsmart anti-spam filters.
    * HTML-patterns: The messages with HTML-codes included into them are compared with the list of known patterns from the library of HTML-patterns of the anti-spam. Such comparison in combination with the available data on the image sizes typically used by spammers helps protect users against spam messages with HTML-code, which often include online images.
    * Semantic analysis: During the semantic analysis the words and phrases from the message are compared with the words and phrases typical for spam. The comparison is made against a predefined dictionary. The words, phrases and symbols are analyzed – both visible to the human eye and those masqueraded by the technical tricks of spammers.
    * Anti-scamming technology: Scam (as well as pharming messages – a type of scam-messages) is the most dangerous type of spam. There we can name also the so-called “Nigerian” scams, loan scams, lottery and casino scams, false messages of banks and credit organizations. To filter scams a special module is used in Dr.WEB anti-spam.


Anyone is welcome to test Dr.WEB beta version. To download the beta version, you should first register in the Beta section of the web-site of Doctor Web, Ltd. More details about beta version and anti-spam filter can be found in the documentation.
Beta versions of Dr.Web Mail Daemon for the following operating systems are available:

    * Linux (glibc 2.2/2.3)
    * FreeBSD 4.11/5.1/5.2/5.3/5.4/6.0
mamigo
Original poster | Posted on 2007-6-25 08:59:20

Dangerous Valentine's Day Greeting Card from virus writers

Virus monitoring service of Doctor Web, Ltd. informs on a new malware which masquerades as a St.Valentine’s Day Greeting Card. It is distributed in the Internet with the source file name valentin.exe. Different modifications of this malware were labeled by Dr.Web as Trojan.MulDrop.5549 and Trojan.MulDrop.5550. Being run, the Trojan Horse installs in the victimized computer another malicious program classified by Dr.Web as Trojan.PWS.LDPinch.1437. Trojan.PWS.LDPinch.1437 searches for passwords for different programs – Opera, Mozilla, Mail.Ru Agent, Eudora, CuteFTP, Total Commander, ICQ, Miranda, Trillian, The Bat!, Outlook, Far, Internet Account Manager and sends them to the criminal. Trojan.PWS.LDPinch.1437 also collects different information about the compromised computer – its configuration, running processes, etc, and sends it to the criminal. The Troj can avoid Windows firewall and firewalls and anti-virus programs of other vendors. Doctor Web, Ltd. calls all users to never run files received from unknown addressees.
mamigo
Original poster | Posted on 2007-6-25 08:59:41

Corrected version of SpIDer Guard for Windows 95/98/Me released

Doctor Web, Ltd. announces release of a corrected version of SpIDer Guard for Windows 95/98/Me.
New in the module:

    * Erroneous display of SpIDer Guard's icon in the system tray is corrected;
    * Errors in processing of attached archives are corrected;
    * Algorithm of renaming files with multiple extensions is improved;
    * Some minor errors are also corrected.

The corrected version of SpIDer Guard for Windows 95/98/Me can be automatically downloaded during the next update.