News of Doctor Web
16.05 Dr.Web for Android 8.0: faster, friendlier and more reliable
May 16, 2013
Anti-virus scans on the latest Android smart phones are now significantly faster thanks to multi-thread scanning that divides tasks between the CPU cores.
The new version supports Android 4.2.
With Dr.Web for Android 8.0 you can use multiple trusted SIM cards with the Anti-theft enabled. Now, if you regularly switch between several SIM cards on one smartphone, you can add these SIM cards to your trusted list, so that the Anti-theft won't block access to the device when changing them. You can add SIM cards to your trusted list when you restart the device or when launching Dr.Web for Android.
Dr.Web also now lets you disable the detection of adware and riskware by the file monitor SpIDer Guard and the anti-virus scanner.
In addition, Dr.Web for Android can send statistics about its operation to Doctor Web with the user's consent. To use this feature, after installing version 8.0, you will need to accept the license agreement again.
In addition to the aforementioned innovations, several upgrades have also been made. Now, if SpIDer Guard and the anti-spam service are terminated, they will be restarted automatically.
Version 8.0 also includes Latvian and Estonian language support and tweaks that have been made to the custom scan interface.
Among other things, known defects have been corrected. In particular, the scanning process no longer decelerates as soon as the device's screen turns off and scanning can no longer be interrupted by touching the screen. A widget display issue that had the ability to impact certain devices has also been fixed.
The new version of Dr.Web for Android is available on Google Play (Dr.Web Anti-virus, Dr.Web Anti-Virus Life license) and on Doctor Web's site (Dr.Web for Android).
Dr.Web for Android will be updated to version 8.0 automatically. If automatic updates are disabled on the device, go to Google Play, choose Dr.Web Anti-virus (paid) or Dr.Web Anti-Virus Life license on the application list, and click "Update".
For updates via Doctor Web's site, download a new distribution file. If the option “New application version” is enabled, a new version notification will be displayed when updating the virus databases. You can start the download directly from this dialogue box.
13.05 April 2013 virus activity review from Doctor Web
May 13, 2013
Viruses
According to statistics collected by Dr.Web CureIt!, the number of machines infected with
| Trojan.Hosts modification | % |
|---|---|
| | 1.84 |
| | 0.99 |
| | 0.42 |
| | 0.19 |
| | 0.18 |
| | 0.16 |
| | 0.15 |
| | 0.14 |
| | 0.14 |
| | 0.14 |
| | 0.13 |
| | 0.11 |
| | 0.10 |
| | 0.09 |
Doctor Web attributes such a large number of infections to multiple incidents of websites being compromised—the company published a report on this in March.
According to data gathered by Dr.Web CureIt!,
The table below lists the most common threats detected with Dr.Web CureIt! on home computers in April 2013.
| # | Threat | % |
|---|---|---|
| 1 | | 3.07 |
| 2 | | 1.84 |
| 3 | | 1.28 |
| 4 | | 0.99 |
| 5 | | 0.87 |
| 6 | | 0.76 |
| 7 | | 0.73 |
| 8 | | 0.72 |
| 9 | | 0.58 |
| 10 | | 0.56 |
| 11 | | 0.56 |
| 12 | | 0.56 |
| 13 | | 0.55 |
| 14 | | 0.54 |
| 15 | | 0.52 |
| 16 | | 0.47 |
| 17 | | 0.42 |
| 18 | | 0.37 |
| 19 | | 0.35 |
| 20 | | 0.33 |
Botnets
In early April, Doctor Web's analysts managed to gain control over a control server of a botnet comprised of computers infected with
This malware sends massive volumes of spam and can execute criminal commands including commands to perform updates, download new message templates or spam mailing lists, or stop sending spam. If the program terminates abnormally, it can notify the intruders
The growth rate of the botnet created with the file infector
Another botnet, formed by a related file infector
The threat of the month
A new representative of the well-known malicious family Trojan.Mayachok was one of the most peculiar threats analysed by Doctor Web in April. Despite the fact that analysts currently know about 1,500 species of the family,
The attackers’ main objective is to force the user to enter their mobile phone number into a specific field. After that they are subscribed to services promoted by http://vkmediaget.com for a fee of 0.60 USD per 24 hours.
Encoders on the offensive
Encoder Trojans are among the most dangerous threats in the modern IT world. Two such programs—
Spread with spam, these Trojans can do a lot of damage— several hundred systems have already been compromised by the encoders. More information on how to neutralize such threats can be found in news material published by Doctor Web.
Threats to Android
The second month of spring 2013 once again confirmed that Android is the main target for cybercriminals interested in mobile platforms. Throughout April, Doctor Web's analysts discovered new malicious Android applications whose definitions were promptly added to the Dr.Web virus databases.
The discovery on Google Play of programs containing the malicious adware module Android.Androways.1.origin became one of the most significant events related to Android security. Criminals distributed the module as part of their seemingly harmless ad network which enables developers to integrate the module into their software so that it generates revenue. Similarly to legal ad network modules, Android.Androways.1.origin can display push notifications in the status bar, however, these messages can be used to show fake prompts to update various programs. If the user agrees to an update, they risk downloading an
In addition, Android.Androways.1.origin can execute a number of commands from a remote server and upload such information as the device's phone number and IMEI, and the operator code to the server. More detailed information about this threat can be found in our news material.
Trojan horses primarily targeting devices used in China stand out from the multitude of malware designed to attack Android. Criminals usually embed them into legitimate applications. Various software catalogues and forums remain the most popular ways to distribute them. In April, Doctor Web's analysts discovered several such malicious programs. These include Android.Uapush.2.origin, Android.MMarketPay.3.origin, Android.DownLoader.17.origin, and several versions of
Android.Uapush.2.origin is a Trojan horse whose main purpose is to display advertising messages in the notification bar. However, it also has other functions. In particular, Android.Uapush.2.origin collects information about browser bookmarks, outbound calls, address book contact details and personal information stored by the IM client QQ. The Trojan uploads stolen information to a remote server.
Android.MMarketPay.3.origin is a malicious program discovered in early April. This Trojan is a modification of malware that Doctor Web reported on last year. Similarly to its predecessor, Android.MMarketPay.3.origin is designed to automatically buy applications on the Mobile Market portal maintained by the carrier China Mobile. This program can bypass the online store’s security restrictions and cause significant damage to Chinese users' finances by covertly purchasing applications.
As for Android.DownLoader.17.origin, it is a Trojan downloader that can download other applications from the Internet. Once the apk-package is downloaded, Android.DownLoader.17.origin attempts to install it. This Trojan was found in a large number of games and other applications available for downloading from several Chinese sites, so it can be assumed that the criminals who made it have ambitious plans with regard to the program. In particular, they can use it to increase the rating of applications or adjust the installations counter for programs distributed from partner sites. The illustration below provides information about some of the compromised applications that contain Android.DownLoader.17.origin.
Discovered in April, Android.Infostealer.4.origin, Android.Infostealer.5.origin and Android.Infostealer.6.origin are Trojans that steal such sensitive information as a device's IMEI, phone number and list of installed applications and send this data to a remote, criminal-controlled server.
In the past month, cybercriminals didn't spare other East Asian countries, namely South Korea and Japan. An entry concerning the program Android.SmsSpy.27.origin, which also steals information, was added to the Dr.Web virus database at the end of the past month. This malware, which steals incoming short messages and sends them to a remote server, is spread as a Japanese and Korean version of a UI theme for Vertu phones.
Malicious files detected in mail traffic in April
01.04.2013 00:00 - 30.04.2013 23:00
| # | Threat | Share |
|---|---|---|
| 1 | Trojan.PWS.Panda.3734 | 1.30% |
| 2 | Trojan.Inject2.23 | 1.11% |
| 3 | JS.Redirector.155 | 0.95% |
| 4 | Trojan.Necurs.97 | 0.88% |
| 5 | Trojan.Packed.196 | 0.77% |
| 6 | Win32.HLLM.MyDoom.54464 | 0.72% |
| 7 | Trojan.PWS.Stealer.2877 | 0.65% |
| 8 | Win32.HLLM.MyDoom.33808 | 0.51% |
| 9 | Trojan.Packed | 0.51% |
| 10 | SCRIPT.Virus | 0.39% |
| 11 | Trojan.Oficla.zip | 0.37% |
| 12 | BackDoor.Comet.152 | 0.37% |
| 13 | Trojan.PWS.Stealer.2830 | 0.37% |
| 14 | Trojan.PWS.Panda.547 | 0.35% |
| 15 | Win32.HLLM.Beagle | 0.32% |
| 16 | Trojan.PWS.Panda.2401 | 0.30% |
| 17 | Trojan.MulDrop2.64582 | 0.26% |
| 18 | Trojan.PWS.Stealer.1932 | 0.25% |
| 19 | Trojan.PWS.Panda.655 | 0.25% |
| 20 | Trojan.Siggen5.13188 | 0.21% |
Malicious files detected on user computers in April
01.04.2013 00:00 - 30.04.2013 23:00
| # | Threat | Share |
|---|---|---|
| 1 | SCRIPT.Virus | 0.68% |
| 2 | Adware.Downware.915 | 0.65% |
| 3 | Tool.Unwanted.JS.SMSFraud.26 | 0.55% |
| 4 | Adware.Downware.179 | 0.47% |
| 5 | Adware.InstallCore.99 | 0.39% |
| 6 | JS.Redirector.189 | 0.38% |
| 7 | JS.IFrame.387 | 0.37% |
| 8 | Trojan.Packed.24079 | 0.36% |
| 9 | Adware.InstallCore.101 | 0.36% |
| 10 | Trojan.Redirect.140 | 0.34% |
| 11 | Adware.Webalta.11 | 0.34% |
| 12 | Tool.Unwanted.JS.SMSFraud.10 | 0.33% |
| 13 | JS.Redirector.188 | 0.33% |
| 14 | JS.Redirector.175 | 0.31% |
| 15 | Trojan.Fraudster.394 | 0.31% |
| 16 | Win32.HLLW.Shadow | 0.30% |
| 17 | Win32.HLLW.Autoruner.59834 | 0.29% |
| 18 | Tool.Skymonk.11 | 0.29% |
| 19 | Adware.Downware.1109 | 0.28% |
| 20 | Trojan.Fraudster.407 | 0.27% |
07.05 Dangerous Trojan substitutes web pages
May 7, 2013
The Trojan has two components: the dropper and the dynamic link library which stores the payload. During installation, the dropper creates a copy of itself in one of the folders on the hard drive and launches that copy. Under Microsoft Windows Vista, the dropper can present itself as a Java update that requires user confirmation, in order to get past User Account Control.

Then the dropper saves on the hard drive the main library which injects its code into all running processes on the infected computer but operates only in the processes of the following browsers: Microsoft Internet Explorer, Mozilla Firefox, Opera, Safari, Google Chrome, Chromium, Mail.Ru Internet, Yandex.Browser, and Rambler Nichrome. The configuration file containing all the data needed to run
The architecture of
The signature of this threat has been added to the Dr.Web virus database, so
29.04 Scanning Engine service in Dr.Web 8.0 for Windows updated
April 29, 2013
The update resolves the issue when SpIDer Guard would stop scanning files if the option to check running programs and modules were disabled.
The update will be automatically downloaded by the anti-viruses, but applying it will require a system reboot.
25.04 Dr.Web for IBM Lotus Domino updated
April 25, 2013
The updated version of the module supports Red Hat Enterprise Linux (RHEL) 6 and Novell SuSE Linux Enterprise Server (SLES) 11 and incorporates updates of all plug-in components, including Dr.Web Virus Finding Engine, Dr.Web Daemon and Dr.Web Updater.
To install the new version of Dr.Web for IBM Lotus Domino you need to uninstall the previous one. All the current settings and the quarantine database will be deleted. If necessary, backup the database found in the Dr.Web directory.
24.04 Components in Dr.Web 8.0 products for Windows updated
April 24, 2013
The scanning service tweaks improve overall performance, accelerate the launch of processes and speed up file scanning. Also, the service no longer needs Windows API to detect system processes, so they can be removed from the list of scanned objects. This significantly increases system boot-up speed and accelerates the launch of trusted applications.
The updated Dr.Web SpIDer Guard can use some Dr.Web Anti-rootkit Service routines and, if necessary, utilize the service to neutralize threats.
The update also resolves known issues to improve the overall stability of Dr.Web Security Space and Dr.Web Anti-virus 8.0 for Windows.
- An error that could cause a system failure when the Dr.Web Anti-rootkit Service was running has been fixed.
- Also resolved was a problem in which system files took longer than necessary to process while removable data storage devices were being initialized at the same time as incorrect settings were being used to establish an Internet connection.
- A defect keeping the size of the quarantine from resetting after being cleaned has been corrected.
- Previously, malignant files were being moved to the local disk quarantine from a removable media device even if the option to create the quarantine on a removable media had been enabled; that issue has been fixed.
- The error message “Access denied or incorrect program usage” was being displayed when Dr.Web was being removed, and that issue has also been rectified.
The update will be performed automatically; however, a system reboot will be required.
24.04 Windows versions of Dr.Web 6.0 products for Kerio mail servers and Internet gateways updated
April 24, 2013
Dr.Web for Kerio mail servers now supports Kerio Connect 8.0 and later, and Dr.Web for Internet gateways Kerio is now compatible with Kerio Control 7.0.0–7.4.2. The Dr.Web Virus Finding Engine has been updated in both products.
To update Dr.Web for Kerio mail servers or Dr.Web for Internet gateways Kerio, download the updated distribution and reinstall the application after removing the installed program.
23.04 Twenty-eight apps on Google Play spread Trojans
April 23, 2013
Advertising in applications for Android has long been successfully used by various developers to generate income from their work: it is a legal and a very convenient way to get compensated for time and money spent creating software. It was in 2011 when crafty cybercriminals also decided to use mobile ad networks to spread Trojans. Android.SmsSend programs designed to send short messages to premium numbers and subscribe users to chargeable services are the most popular among them. Doctor Web recently reported an incident involving such a program. However, the list of malware being spread in such a way is expanding.
Despite the fact that ad networks like Google AdMob, Airpush, and Startapp meet criminals' demands, intruders decided to go even further and created an ad network of their own. At first sight, it appears quite similar to others: Android software developers are offered very favourable advertising API usage terms, and are promised a high and steady income and easy account management. So it's hardly surprising that some developers became very interested in the ad network.
The advertisement API provides push notification ads that deliver small alerts to an Android phone's notification bar. However, there are also some undocumented features.
Push ads sent via the ad network can prompt a user to install an important update for a certain application. If an unsuspecting user agrees to install this update, the advertising module downloads an apk package and places it into the download directory /mnt/sdcard/download on the memory card. The module can also create a shortcut linked to the downloaded package, so if the user taps on it, it will start the installation of the downloaded program.
An investigation conducted by Doctor Web's analysts revealed that such apk-files contain Android.SmsSend Trojans. Analysts also found that these malicious programs were being downloaded from various fake application catalogues. The ad module in three analysed applications would connect to a control server at 188.139.xxx.xx, while the module in the remaining 25 apps would try to connect to a server at 91.226.xxx.xx. These IP addresses were promptly added to the Dr.Web Parental Control database, so access to the respective sites is blocked.
Below you can find a full list of the commands sent by a controlling server to the malignant module:
- news – display a push-notification
- showpage – open a web page in a browser
- install – download and install an apk package
- showinstall – show a push-notification about the installation of an apk package
- iconpage – create a shortcut to a web page
- iconinstall – create a shortcut to the downloaded apk package
- newdomen – change the control server address
- seconddomen – an alternate server address
- stop – stop sending queries to the server
- testpost – re-send a request
- ok – do nothing
In addition to executing these commands, the fraudulent module is also able to collect and send the device's IMEI, operator code, and the phone number to the server.
The advertising API is particularly dangerous because applications that use it are found on Google Play, which de facto is the safest source of programs for Android. Many users have come to trust the security of Google Play, so the number of installations of the software that feature the advertising module is very large. Since statistics about downloads of applications from Google Play are hard to get, Doctor Web can't say exactly how many devices have been compromised, but it can be assumed that the number exceeds 5.3 million handhelds. This is the largest case of infection on Google Play since Google Bouncer was introduced.
Considering the advertising API’s malignant features and the connection between the ad network and sites spreading malware for Android, Doctor Web has classified this module as belonging to adware designed to perform malicious tasks. The module has been added to the virus databases as Android.Androways.1.origin and poses no threat to devices running Dr.Web anti-virus for Android.
22.04 Components in Dr.Web 8.0 products for Windows updated
April 22, 2013
Now upon upgrading from version 7, Dr.Web Net Filtering Service will use the settings from the previous installation. HTTPS links on the blacklist are now blocked, even if the option to scan encrypted traffic is disabled. An issue involving traffic of applications featuring Metro UI not being scanned has been resolved. A compatibility issue between Dr.Web and the T-Mobile mail client has also been resolved.
An updating defect of the Dr.Web Control Service has been corrected.
The update will be performed automatically; however, a system reboot will be required.
18.04 Updates made in Dr.Web SelfPROtect and Dr.Web Updater in Dr.Web 8.0 for Windows
April 18, 2013
In particular, it corrects a defect that could cause the self-protection module to terminate abnormally when installing Dr.Web, when upgrading from version 6.0, or when compatibility issues existed between the module and the NVIDIA ForceWare Network Access Manager.
Also resolved was an issue involving Dr.Web SelfPROtect, whereby a system restore point could not be created under Windows 8.
The update will be performed automatically; however, a system reboot will be required. Please note that it may take longer than usual to boot up for the first time after updating.
17.04 Fake anti-virus for Android spreads via ads in other applications
April 17, 2013
Ads displayed by Android applications have long been exploited by criminals to spread malware. Being an effective and relatively inexpensive means to reach a wide audience, advertisements are often used in such schemes. Ads found by Doctor Web's analysts this time offer Android users virus scans. If users accept the offer, they are redirected to a website from which they can download an "anti-virus" which, in fact, is the malicious program Android.Fakealert.4.origin.
Analysts have been aware of Trojans of the family
Once Android.Fakealert.4.origin is installed and launched, it notifies the user that a threat has been detected, but, as to be expected, the user has to buy a full version of the program to neutralize it.
In addition to displaying infection alerts in its main menu, Android.Fakealert.4.origin can also display corresponding messages in the notification panel.

Doctor Web urges Android users to be more sceptical about various ads displayed by applications and to use reliable anti-virus software, when necessary.
11.04 Components in Dr.Web 8.0 products for Windows updated
April 11, 2013
Changes have been made to SpIDer Agent (8.1.0.04080) so that users can now adjust the window size in the application settings. A UI display issue involving fonts, icons and other objects scaling improperly has been resolved. In addition, other tweaks have been made to the interface.
The update to Dr.Web Control Service (8.1.0.04090) has accelerated Dr.Web’s launch during system startup.
Also, the products now support the Greek and Hungarian languages.
The update will be performed automatically; however, a system reboot will be required.
10.04 Dr.Web for Android on Challenge Tablet in Japan
April 10, 2013
Under their partnership programme, Doctor Web and Benesse Corporation agreed that Dr.Web for Android will be made available pre-installed on the sought-after Challenge Tablet devices.
Beginning this month, which coincided with the start of Japan’s new academic year, secondary school students have been using these tablets for a distance-learning programme run by Benesse Corporation.
Today, Dr.Web for Android is popular among users not only in Russia but also far beyond its borders – in Ukraine, Kazakhstan, Taiwan, Saudi Arabia, Japan and the USA. In all these countries installations of Dr.Web for Android number in the hundreds of thousands. The total number of Dr.Web for Android users so far is around 20 million.
Dr.Web for Android is already pre-installed on some mobile devices in Russia. Doctor Web’s partnership programme with Seiko Instruments Inc., which got under way in February, marked the OEM product’s début on a major international market. Customers who purchase Dayfiler electronic dictionaries automatically have Dr.Web for Android Light at their disposal.
About Challenge Tablet
Challenge Tablet devices have been specifically designed by Benesse Corporation for secondary school students who use them for the company’s distance-learning courses. These tablets can be used along with conventional textbooks. Models differ in screen size, settings, and the availability of a folding stand. With Dr.Web for Android pre-installed on the tablets, students can safely use them. Content can be filtered and usage time can be restricted.
Benesse Corporation
The diversified company provides products and services that educate children, inform parents, and care for the elderly. The company's education division, which accounts for nearly 60% of sales, provides correspondence courses, exam prep services, and classroom education to Japanese children from infancy through high school. Through Benesse Style Care the company operates nursing homes throughout Japan, as well as senior day care and temporary health care staffing services. Benesse Corporation also publishes magazines aimed primarily at women. Its Berlitz International subsidiary provides language training throughout the world.