TOP-10 most active threats for Windows

Posted: February 16, 2013 in Articles
Tags: , ,

TOP-10 threats for Windows

TOP-10 threats for Windows

Here we provide a more detailed description of the threats that are included in the list of TOP-10 most active.

1. INF / Autorun

INF-files that are startup files in which malware is activated in the system. Typically, such a method of distribution using the threat copies itself to removable USB-drives with subsequent activation of the computers to which the infected device is connected. Popular antivirus products heuristically determine such threats that try to create or modify the file autorun.inf

The default Windows settings are set so that the programs listed in the autorun.inf, will automatically start when you are working with different types of removable media (systems up to Windows 7). In the wild, there are quite a number of threats that copy themselves to removable devices.

2. HTML / ScrInject.B

Detecting the generic name for a web page containing malicious script or iframe tags that automatically redirect the user to install the malware.

3. HTML / Iframe.B

Is also a common name detecting the malicious iframe-tags embedded in html-pages, which redirect the browser to another URL or page that contains malicious code.

4. Win32/Conficker

Is a long time known worm, which was originally used for a vulnerability in the latest versions of Windows (Windows 2000 exposed – Windows 7). This vulnerability is present in the RPC sub-system and can be used remotely by an attacker without knowledge of the user account. Depending on the variant, it may also spread via unsecured shared folders and removable media, and enabled by default autorun (disabled in Windows 7 for all non-optical media CD / DVD). Conficker loads the DLL through the process svchost. Can access a special web server whose address precomputes a mechanism for the generation of domain names to download additional malicious components.

5. Win32/Sality

Sality – is a polymorphic file infector (virus). Provides its startup through the registry, and disables services related to antivirus products and security products. Able to modify the EXE and SCR files. Some of the latest versions are on board a rootkit, which allows you to block access to the infected computer to a variety of AV resources, and terminate processes.

6. Win32/Dorkbot

The worm, which spreads itself via removable media, also contains backdoor functionality and can receive commands from the outside (via IRC). Packed with UPX. Collects private user information such as user names and passwords for different services when you visit certain Web sites. The collected information is sent to a remote server. Can block access to web pages AV-companies. This year has spread spam attack on users Skype, the purpose of which was to install Dorkbot on users’ computers that have clicked on links in spam messages.

7. JS / TrojanDownloader.Iframe.NKE

Malicious Java-script redirects the browser to a special URL, which contains malicious code.

8. Win32/Sirefef

Backdoor that allows access to the infected computer to them. Can accept commands to download additional malware, launch malware on execution, completion of a running process. Provides through its startup registry keys. Earlier versions contained a rootkit, which is deeply embedded in the operating system, allowing malicious Trojan components be undetected for a long time. Injection also carries its code into system processes and services explorer. Is cross-platform and contains modules for x64 OS.

9. Win32/Ramnit

Virus with an auto restart function on every boot. Infects EXE and DLL files, and searches htm and html files for malicious code placed there. It uses a vulnerability in the system (CVE-2010-2568), which allows it to execute arbitrary code. Can be controlled remotely to the server and send a variety of information, screenshots, download files, launched on the files, and shut down and restart the computer. Some versions also have on board a rootkit that can complete the processes in the system.

10. Win32/Spy.Ursnif

Spyware application that steals information from the infected computer and sends it to a remote server, creating a hidden account in order to allow communication through the Remote Desktop connection. Actively distributed via Blackhole Exploit Kit earlier this year, is on board as x32, and x64 version.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s