Real-time threat news
July 18, 2017
Android.BankBot.211.origin is distributed under the guise of benign programs, for example, as Adobe Flash Player. Once a user installs and launches the Trojan, the banker tries to gain access to the Accessibility Service. For this purpose, Android.BankBot.211.origin displays a window with a request that reappears at every attempt to close it and doesn’t allow the device to be used.
The Accessibility Service makes Android smartphones and tablets easier to operate and is used in a variety of ways, including to help people with disabilities. It lets a program click interface elements on its own, such as buttons in dialog boxes and system menus. The Trojan coerces the user into granting it these rights and then uses them to add itself to the list of device administrators. Android.BankBot.211.origin then sets itself as the default SMS application and obtains access to the screen capture function. Each of these actions triggers a system prompt, but the user may never see it: the malicious program confirms each prompt itself through the accessibility rights it has just obtained. If the device owner later tries to revoke any of the privileges Android.BankBot.211.origin has acquired, the banker blocks the attempt and sends the user back to the previous system menu.
After a successful infection, the Trojan connects to its command and control server, registers the mobile device there, and awaits further commands. Android.BankBot.211.origin can execute the following actions:
- Send an SMS containing a specific text to the number specified in the command;
- Send to the server SMS data stored in the device memory;
- Forward to the server information about the installed applications, the contact list, and phone call data;
- Open the link specified in a command;
- Change the address of the command center.
In addition, the malicious program tracks all incoming SMS and sends them to cybercriminals.
Besides the standard commands, cybercriminals can send the Trojan special orders. They contain encrypted information about the applications the banker is supposed to attack. Once Android.BankBot.211.origin receives such commands, it can:
- Display fake input forms for login credentials on top of launched banking programs;
- Display a phishing dialog asking users to input their bank card details (for example, when making a purchase on Google Play);
- Block the operation of anti-viruses and other applications that could interfere with the Trojan’s work.
Android.BankBot.211.origin can attack users of any applications. Cybercriminals just have to update the configuration file with the list of targeted programs. The banker receives this list once connected to the command and control server. When the Trojan was first observed, cybercriminals were interested only in customers of Turkish banks. However, later on the list was expanded to include residents of other countries, including Germany, Australia, Poland, France, the United Kingdom, and the USA. At the moment this news article was posted, the list of programs attacked by the Trojan contained more than 50 applications designed to operate with payment systems, remote banking services (RBS), and other software.
Examples of the fraudulent windows Android.BankBot.211.origin can display:
The Trojan also collects information about every launched application and the user's actions within it. For example, it enumerates the interface elements on screen (text fields, menu items and other controls) and logs keystrokes.
Moreover, Android.BankBot.211.origin can steal login credentials and other authentication data entered in any program or on any website during sign-in. To capture passwords, the Trojan takes a screenshot at every keystroke, so it obtains each character before the password field masks it. The text entered into the displayed fields and all saved screenshots are then sent to the command and control server.
Because Android.BankBot.211.origin prevents its own removal, the following steps are needed to get rid of it:
- Boot the infected smartphone or tablet into safe mode;
- Open the system settings and go to the list of device administrators;
- Find the Trojan in this list and revoke its administrator rights (at this point the malicious program will try to frighten the device owner with a warning about the loss of all their important data; this is just a trick, and the files are in no danger);
- Restart the device, run a full anti-virus scan, and remove the Trojan once the scan is complete.
All known versions of Android.BankBot.211.origin are successfully detected by Dr.Web Anti-virus; therefore, this banker does not pose any threat to our users.
July 13, 2017
When the website was first compromised, and what the injected code may have done in the past, cannot currently be determined. At least 15 domains have been registered by an unknown individual, and the malicious code forces the browser of every visitor to the website to connect covertly to one of them. These domains can respond with any content of their choosing, from a fraudulent form for entering bank card details to code that tries a series of browser exploits in an attempt to gain access to the visitor's computer.
While a page requested by a user is being generated dynamically, an <iframe> container is injected into the page's code. An <iframe> allows arbitrary external content to be loaded into the user's browser, and arbitrary requests to be sent from it. So far the security researchers have identified at least 15 domains, among them m3oxem1nip48.ru, m81jmqmn.ru and other addresses with deliberately meaningless names. At least five of them resolve to address ranges belonging to companies registered in the Netherlands. Over the past day, requests to these domains have either failed, because the TLS certificates of most of them have expired, or returned responses without any malicious code. Nothing, however, prevents the domain owners from renewing the certificates at any moment and publishing malicious code on these domains.
Currently, the website gosuslugi.ru is still compromised. Information has been sent to the website’s technical support service, but it has yet to confirm that it has launched an investigation and initiated measures to prevent such incidents in the future. Doctor Web recommends that users be careful when using the Government Services Portal of the Russian Federation until the situation is resolved. Doctor Web, Ltd., recommends that the administration of the website gosuslugi.ru and the relevant authorities perform a security check on the website.
Any user can check for the presence of the code themselves by entering the following query into a search engine:
UPDATE: The potentially malicious code was removed from gosuslugi.ru approximately 3 hours after this article was published.
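A check of this kind can also be run directly against the HTML as served, rather than through a search engine. The Python script below is an added example, not code from Doctor Web or from the portal: it parses a saved copy of a page with the standard library's HTML parser, lists every <iframe>, and flags frames that point off-site, point at one of the two domain names quoted above (m3oxem1nip48.ru and m81jmqmn.ru are the only ones on the page; the rest of the 15 are not known here), or are hidden by zero-size dimensions or CSS. The sample page embedded in the script is constructed for the example and is not a real copy of gosuslugi.ru.

```python
import sys
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains named in the article as targets of the injected <iframe>.
SUSPECT_DOMAINS = {"m3oxem1nip48.ru", "m81jmqmn.ru"}

# Constructed sample page (not a real copy of gosuslugi.ru): one legitimate
# same-site frame and one hidden frame pointing at a suspect domain.
SAMPLE_HTML = """<!doctype html>
<html><head><title>Portal page</title></head>
<body>
<iframe src="https://esia.gosuslugi.ru/login/" width="400" height="300"></iframe>
<div id="content">Page body generated by the portal</div>
<iframe src="//m3oxem1nip48.ru/" width="0" height="0" style="display:none"></iframe>
</body></html>
"""


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in the document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def same_site(host, page_host):
    return host == page_host or host.endswith("." + page_host)


def looks_hidden(a):
    """Zero/one-pixel frames or display:none / visibility:hidden styles."""
    style = a.get("style", "").replace(" ", "").lower()
    dims = [a.get("width"), a.get("height")]
    tiny = any(d is not None and d.strip().rstrip("px").strip() in {"0", "1"} for d in dims)
    return tiny or "display:none" in style or "visibility:hidden" in style


def find_injected_iframes(html, page_host, suspect_domains=SUSPECT_DOMAINS):
    """Return the iframes that are off-site, hidden, or point at a suspect domain."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for a in parser.iframes:
        src = a.get("src", "")
        host = (urlparse(src).hostname or "").lower()  # handles scheme-relative "//host/"
        reasons = []
        if host and not same_site(host, page_host):
            reasons.append("external-origin")
        if any(host == d or host.endswith("." + d) for d in suspect_domains):
            reasons.append("known-bad-domain")
        if looks_hidden(a):
            reasons.append("hidden")
        if reasons:
            findings.append({"src": src, "host": host, "reasons": reasons})
    return findings


if __name__ == "__main__":
    # Usage: python scan_iframes.py saved_page.html [page-host]
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            html = fh.read()
        host = sys.argv[2] if len(sys.argv) > 2 else "gosuslugi.ru"
    else:
        html, host = SAMPLE_HTML, "gosuslugi.ru"
    for f in find_injected_iframes(html, host):
        print(f"{f['host'] or '(no host)'}  {', '.join(f['reasons'])}  src={f['src']}")
```

Because the article says the frame is inserted while the page is generated server-side, run the check on a fresh fetch (for example, save the output of curl -sL https://gosuslugi.ru/ to a file and pass it to the script), not on a cached search-engine copy. Static parsing only sees frames present in the HTML; a frame created later by JavaScript would need the page to be rendered, and an unexpected off-site or hidden frame is a reason to investigate even when its domain is not on the short list above.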
July 5, 2017
The malicious application, dubbed
Unlike the standard update procedure, in which the old version of an application is replaced in its entirety by a new one, the SDK indicated above lets the needed components be downloaded individually without reinstalling the whole package. This allows developers to keep the software installed on mobile devices current even when users do not keep track of new releases. However, Excelliance behaves as a loader Trojan because it can download and run unverified application components. Updating software this way violates Google Play's rules precisely because it is dangerous: code fetched outside the store bypasses the store's review.
The Trojan module tracks network activity and tries to connect to its command and control server. Depending on the server settings,
Besides the application’s additional resources and updates,
Meanwhile, while the downloaded APK files are being installed, the user sees a standard dialog box; however, if
Doctor Web specialists have informed Google about the dangerous behavior of the Trojan component in SDK, which is used in the game BlazBlue. However, at the moment this news article was posted, the game version containing
Applications containing this Trojan are successfully detected by Dr.Web for Android anti-virus products as
July 4, 2017
The reports state that
Doctor Web specialists paid attention to this registry key because Trojan.Encoder.12703 uses the same path in its operation. Analysis of a Dr.Web Anti-virus log obtained from one of our customers' computers showed that Trojan.Encoder.12703 was launched on the infected machine by the application ProgramData\Medoc\Medoc\ezvit.exe, a component of M.E.Doc:
id: 425036, timestamp: 15:41:42.606, type: PsCreate (16), flags: 1 (wait: 1), cid: 1184/5796:\Device\HarddiskVolume3\ProgramData\Medoc\Medoc\ezvit.exe
source context: start addr: 0x7fef06cbeb4, image: 0x7fef05e0000:\Device\HarddiskVolume3\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorwks.dll
created process: \Device\HarddiskVolume3\ProgramData\Medoc\Medoc\ezvit.exe:1184 --> \Device\HarddiskVolume3\Windows\System32\cmd.exe:6328
bitness: 64, ilevel: high, sesion id: 1, type: 0, reason: 1, new: 1, dbg: 0, wsl: 0
curdir: C:\Users\user\Desktop\, cmd: "cmd.exe" /c %temp%\wc.exe -ed BgIAAACkAABSU0ExAAgAAAEAAQCr+LiQCtQgJttD2PcKVqWiavOlEAwD/cOOzvRhZi8mvPJFSgIcsEwH8Tm4UlpOeS18o EJeJ18jAcSujh5hH1YJwAcIBnGg7tVkw9P2CfiiEj68mS1XKpy0v0lgIkPDw7eah2xX2LMLk87P75rE6 UGTrbd7TFQRKcNkC2ltgpnOmKIRMmQjdB0whF2g9o+Tfg/3Y2IICNYDnJl7U4IdVwTMpDFVE+q1l+Ad9 2ldDiHvBoiz1an9FQJMRSVfaVOXJvImGddTMZUkMo535xFGEgkjSDKZGH44phsDClwbOuA/gVJVktXvD X0ZmyXvpdH2fliUn23hQ44tKSOgFAnqNAra
status: signed_microsoft, script_vm, spc / signed_microsoft / clean
id: 425036 ==> allowed , time: 0.285438 ms
2017-Jun-27 15:41:42.626500  [INF]  [arkdll]
id: 425037, timestamp: 15:41:42.626, type: PsCreate (16), flags: 1 (wait: 1), cid: 692/2996:\Device\HarddiskVolume3\Windows\System32\csrss.exe
source context: start addr: 0x7fefcfc4c7c, image: 0x7fefcfc0000:\Device\HarddiskVolume3\Windows\System32\csrsrv.dll
created process: \Device\HarddiskVolume3\Windows\System32\csrss.exe:692 --> \Device\HarddiskVolume3\Windows\System32\conhost.exe:7144
bitness: 64, ilevel: high, sesion id: 1, type: 0, reason: 0, new: 0, dbg: 0, wsl: 0
curdir: C:\windows\system32\, cmd: \??\C:\windows\system32\conhost.exe "1955116396976855329-15661177171169773728-1552245407-149017856018122784351593218185"
status: signed_microsoft, spc / signed_microsoft / clean
id: 425037 ==> allowed , time: 0.270931 ms
2017-Jun-27 15:41:43.854500  [INF]  [arkdll]
id: 425045, timestamp: 15:41:43.782, type: PsCreate (16), flags: 1 (wait: 1), cid: 1340/1612:\Device\HarddiskVolume3\Windows\System32\cmd.exe
source context: start addr: 0x4a1f90b4, image: 0x4a1f0000:\Device\HarddiskVolume3\Windows\System32\cmd.exe
created process: \Device\HarddiskVolume3\Windows\System32\cmd.exe:1340 --> \Device\HarddiskVolume3\Users\user\AppData\Local\Temp\wc.exe:3648
bitness: 64, ilevel: high, sesion id: 1, type: 0, reason: 1, new: 1, dbg: 0, wsl: 0
curdir: C:\Users\user\Desktop\, cmd: C:\Users\user\AppData\Local\Temp\wc.exe -ed BgIAAACkAABSU0ExAAgAAAEAAQCr+LiQCtQgJttD2PcKVqWiavOlEAwD/cOOzvRhZi8mvPJFSgIcsEwH8Tm4UlpOeS18oE JeJ18jAcSujh5hH1YJwAcIBnGg7tVkw9P2CfiiEj68mS1XKpy0v0lgIkPDw7eah2xX2LMLk87P75rE6U GTrbd7TFQRKcNkC2ltgpnOmKIRMmQjdB0whF2g9o+Tfg/3Y2IICNYDnJl7U4IdVwTMpDFVE+q1l+Ad92 ldDiHvBoiz1an9FQJMRSVfaVOXJvImGddTMZUkMo535xFGEgkjSDKZGH44phsDClwbOuA/gVJVktXvDX 0ZmyXvpdH2fliUn23hQ44tKSOgFAnqNAra
fileinfo: size: 3880448, easize: 0, attr: 0x2020, buildtime: 01.01.2016 02:25:26.000, ctime: 27.06.2017 15:41:42.196, atime: 27.06.2017 15:41:42.196, mtime: 27.06.2017 15:41:42.196, descr: wc, ver: 18.104.22.168, company: , oname: wc.exe
hash: 7716a209006baa90227046e998b004468af2b1d6 status: unsigned, pe32, new_pe / unsigned / unknown
id: 425045 ==> undefined , time: 54.639770 ms
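The chain the log records (an accounting application spawning cmd.exe, which runs an unsigned executable from %TEMP%) is the kind of lineage a process-creation monitor should flag on its own. The Python script below is an added example, not Doctor Web's code: it parses PsCreate records in the format quoted above into a small object per record, applies four rules (a watched business process spawning a shell, a command line that runs an executable from the Temp folder, an unsigned binary created under Temp, and the rundll32.exe <dll>,#<ordinal> launch form described further down for the M.E.Doc payload), and walks parent PIDs to print the lineage. The sample log is constructed for the example: it follows the record layout above, but the PIDs are made consistent so the chain links (in the quoted log the cmd.exe that launches wc.exe appears under a different PID, one reason the rules match on command-line content as well as on lineage), the base64 argument of wc.exe is shortened, and the final rundll32 record is invented to exercise the fourth rule. The watched parent name ezvit.exe is an assumption taken from the log; extend the set for other updaters.

```python
import re
from dataclasses import dataclass

# Constructed sample in the format of the Dr.Web arkdll PsCreate records quoted
# above: PIDs made consistent so the chain links, the base64 argument of wc.exe
# shortened to "...", and a final rundll32 record invented to show the ",#1"
# launch form. None of these lines is taken verbatim from a real machine.
SAMPLE_LOG = r"""
id: 425036, timestamp: 15:41:42.606, type: PsCreate (16), flags: 1 (wait: 1), cid: 1184/5796:\Device\HarddiskVolume3\ProgramData\Medoc\Medoc\ezvit.exe
created process: \Device\HarddiskVolume3\ProgramData\Medoc\Medoc\ezvit.exe:1184 --> \Device\HarddiskVolume3\Windows\System32\cmd.exe:6328
curdir: C:\Users\user\Desktop\, cmd: "cmd.exe" /c %temp%\wc.exe -ed BgIAAACkAABSU0ExAAgAAAEAAQCr...
status: signed_microsoft, script_vm, spc / signed_microsoft / clean
id: 425037, timestamp: 15:41:42.626, type: PsCreate (16), flags: 1 (wait: 1), cid: 692/2996:\Device\HarddiskVolume3\Windows\System32\csrss.exe
created process: \Device\HarddiskVolume3\Windows\System32\csrss.exe:692 --> \Device\HarddiskVolume3\Windows\System32\conhost.exe:7144
curdir: C:\windows\system32\, cmd: \??\C:\windows\system32\conhost.exe "1955116396976855329"
status: signed_microsoft, spc / signed_microsoft / clean
id: 425045, timestamp: 15:41:43.782, type: PsCreate (16), flags: 1 (wait: 1), cid: 6328/1612:\Device\HarddiskVolume3\Windows\System32\cmd.exe
created process: \Device\HarddiskVolume3\Windows\System32\cmd.exe:6328 --> \Device\HarddiskVolume3\Users\user\AppData\Local\Temp\wc.exe:3648
curdir: C:\Users\user\Desktop\, cmd: C:\Users\user\AppData\Local\Temp\wc.exe -ed BgIAAACkAABSU0ExAAgAAAEAAQCr...
hash: 7716a209006baa90227046e998b004468af2b1d6 status: unsigned, pe32, new_pe / unsigned / unknown
id: 425050, timestamp: 15:41:44.010, type: PsCreate (16), flags: 1 (wait: 1), cid: 6328/1612:\Device\HarddiskVolume3\Windows\System32\cmd.exe
created process: \Device\HarddiskVolume3\Windows\System32\cmd.exe:6328 --> \Device\HarddiskVolume3\Windows\System32\rundll32.exe:4100
curdir: C:\Users\user\Desktop\, cmd: rundll32.exe C:\Windows\perfc.dat,#1
status: signed_microsoft, spc / signed_microsoft / clean
"""

RECORD_START = re.compile(r"^id: (\d+), timestamp: \S+, type: PsCreate")
CREATED = re.compile(r"^created process: (.+?):(\d+) --> (.+?):(\d+)$")
CMDLINE = re.compile(r"^curdir: .*?, cmd: (.*)$")
STATUS = re.compile(r"status: [^/]+/ ([^/]+)/ \S+")  # "... / <signer> / <verdict>"

# Living-off-the-land binaries a business application has no reason to spawn.
SHELLS = {"cmd.exe", "powershell.exe", "rundll32.exe", "regsvr32.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
WATCHED_PARENTS = {"ezvit.exe"}  # assumption: the M.E.Doc process named in the log above
TEMP_EXE = re.compile(r"(?:%temp%|\\AppData\\Local\\Temp\\)[^\s\"]*\.exe", re.I)
TEMP_PATH = re.compile(r"\\Temp\\", re.I)
RUNDLL_ORDINAL = re.compile(r"rundll32(?:\.exe)?\s+\S+?,\s*#\d+", re.I)  # rundll32 <dll>,#<ordinal>


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


@dataclass
class PsCreate:
    rec_id: int
    parent_path: str = ""
    parent_pid: int = 0
    child_path: str = ""
    child_pid: int = 0
    cmdline: str = ""
    signature: str = ""  # signer field of the status line, e.g. "unsigned"


def parse_pscreate(text):
    """Group log lines into one PsCreate per 'id: N, timestamp:' record."""
    records, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if m := RECORD_START.match(line):
            cur = PsCreate(rec_id=int(m.group(1)))
            records.append(cur)
        elif cur is None:
            continue
        elif m := CREATED.match(line):
            cur.parent_path, cur.parent_pid = m.group(1), int(m.group(2))
            cur.child_path, cur.child_pid = m.group(3), int(m.group(4))
        elif m := CMDLINE.match(line):
            cur.cmdline = m.group(1).strip()
        elif m := STATUS.search(line):
            cur.signature = m.group(1).strip()
    return records


def analyse(records):
    """One (record id, rule, detail) tuple per suspicious pattern matched."""
    out = []
    for r in records:
        parent, child = basename(r.parent_path), basename(r.child_path)
        if parent in WATCHED_PARENTS and child in SHELLS:
            out.append((r.rec_id, "updater-spawned-shell", f"{parent} -> {child}"))
        if TEMP_EXE.search(r.cmdline):
            out.append((r.rec_id, "temp-executable", r.cmdline[:60]))
        if TEMP_PATH.search(r.child_path) and r.signature == "unsigned":
            out.append((r.rec_id, "unsigned-pe-from-temp", child))
        if RUNDLL_ORDINAL.search(r.cmdline):
            out.append((r.rec_id, "rundll32-ordinal-export", r.cmdline[:60]))
    return out


def lineage(records, pid):
    """Walk parent PIDs back to the first process whose own creation is not logged."""
    by_child = {r.child_pid: r for r in records}
    rec = by_child.get(pid)
    chain = [basename(rec.child_path)] if rec else []
    while rec:
        chain.append(basename(rec.parent_path))
        rec = by_child.get(rec.parent_pid)
    return chain[::-1]


if __name__ == "__main__":
    recs = parse_pscreate(SAMPLE_LOG)
    for rec_id, rule, detail in analyse(recs):
        print(f"{rec_id}  {rule:24} {detail}")
    print(" -> ".join(lineage(recs, 3648)))  # ezvit.exe -> cmd.exe -> wc.exe
```

Lineage by PID is only reliable within a short window, since Windows reuses PIDs; on a long log, key the parent lookup on (PID, creation time) or fall back to the content rules, which is also what catches the quoted log where the intermediate cmd.exe changes PID. The watched-parent rule is the one worth tuning per environment: any updater or business application that legitimately never spawns a shell belongs in that set.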
The file ZvitPublishedObjects.dll, retrieved from the infected machine, had the same hash as a sample examined in the Doctor Web virus laboratory. Our security researchers therefore concluded that the M.E.Doc update module, implemented as the dynamic library ZvitPublishedObjects.dll, contains a backdoor. Further research showed that this backdoor can perform the following functions on an infected system:
- Collect credentials for accessing mail servers;
- Execute arbitrary commands on the infected system;
- Download arbitrary files to the infected computer;
- Download, save and run arbitrary executable files;
- Upload arbitrary files to a remote server.
The following code fragment of the M.E.Doc update module looks rather distinctive: it launches the payload with the rundll32.exe tool, passing the parameter #1 (that is, calling the library's export with ordinal 1):
This is exactly how the encryption Trojan, known as NePetya, Petya.A, ExPetya and WannaCry-2 (
Reuters published an interview with the developers of M.E.Doc who stated that their application contains no malicious functions. Because of that, and also taking into account the results of a static code analysis, Doctor Web security researchers concluded that some unidentified cybercriminals infected one of M.E.Doc’s components with the malicious program. This component was added to the Dr.Web virus databases under the name
June 29, 2017
The security researchers who examined
Back in 2012, Doctor Web security researchers detected a targeted attack on drugstores and pharmaceutical companies that involved the use of a malicious program called
Doctor Web specialists conducted an investigation lasting four years. One of the affected companies provided its hard drives which had been compromised by
The similarity of these two cases shows that software development infrastructure needs particular attention from an information security standpoint. Above all, the update process of any commercial software should be scrutinized closely by both its users and its developers. Some programs' update tools have the right to install and launch executable files in an operating system, which can become an unexpected source of infection. In the case of MEDoc, the infection resulted from cybercriminals hacking into and compromising an update server. In the case of
June 28, 2017
At the moment, it is known that the Trojan has infected computers by exploiting the same vulnerabilities exploited by cybercriminals during the WannaCry attack. The spread of
In its body, the Trojan contains four compressed resources. Two of them are 32-bit and 64-bit builds of the Mimikatz tool, which extracts the credentials of logged-on Windows sessions. Depending on the bitness of the operating system, the Trojan unpacks the appropriate build of Mimikatz, saves it to a temporary folder and runs it. Using Mimikatz and some other methods,
The encoder checks whether it has already run on the machine by looking for a file it creates in the C:\Windows\ folder. The file name matches the Trojan's own file name without the extension: since the worm sample currently spreading is named perfc.dat, the file that prevents its launch is C:\Windows\perfc. If cybercriminals rename the Trojan, however, creating the file C:\Windows\perfc (as many anti-virus vendors advise) will not protect a computer from infection. In addition, the Trojan performs this check only if it has sufficient privileges to do so.
Once launched, the Trojan adjusts its privileges, loads a copy of itself into memory and transfers control to that copy. The encoder then overwrites its own file with junk data and deletes it. First,
The Trojan encrypts files only on fixed drives, processing each drive in a separate thread. Files are encrypted with AES-128-CBC, and a separate key is generated for each drive (a characteristic of the Trojan not noted by other specialists). Each such key is encrypted with RSA-2048 (other researchers report an 800-bit key) and the result is written to the file README.TXT in the root folder of the system drive. No additional extension is appended to the encrypted files.
After the computer is rebooted by the scheduled task the Trojan created, control passes to the Trojan's boot record, which displays on screen a message imitating the output of the standard CHKDSK tool.
If you see this CHKDSK-like text at system startup, power the computer off immediately. The boot records will already be damaged at that point, but they can be repaired using the Windows recovery tool or the Recovery Console if you boot the computer from the installation media. Recovery of the boot record is normally possible on Windows 7 and later if the hidden partition holding the backup copy of the critical system data is still present on the drive. You can also use Dr.Web LiveDisk: create a bootable disk or USB drive, start the operating system from this removable media, run the Dr.Web scanner, check the infected drive, and choose the Neutralize action for the detected threats.
According to some sources, the only email address used by the cybercriminals behind
To avoid infection by
June 27, 2017
According to our information security specialists, the Trojan spreads on its own, like the infamous WannaCry, but there is no firm evidence yet that it uses the same distribution mechanism. Our security researchers are currently examining the new Trojan; details will follow. Some media sources draw parallels with the ransomware Petya (which Dr.Web detects as Trojan.Ransom.369) because of the outward appearance of the ransom routine. However, the new threat's distribution method differs from Petya's usual pattern.
Today, on June 27 at 4.30 p.m., this encryption ransomware has been added to Dr.Web virus databases as
Doctor Web advises all users to remain vigilant and refrain from opening suspicious emails (this measure is necessary but not sufficient on its own). It is essential to back up critically important data and to install all software security updates. Having an anti-virus installed is also crucial.
June 23, 2017
During May 2017, in Ukraine, access to the services of several Russian companies was restricted by Presidential Decree. Among those companies were the social networks “VK” and “Odnoklassniki”. This has led to the growth in popularity of methods that allow people to bypass blocking measures—for example, the Tor browser, VPN services, and anonymizers. In addition, new programs offering similar functionality have started cropping up. However, by no means are all these latest programs safe.
Doctor Web specialists have found several applications on Google Play that allow people to work with the blocked “VK” and “Odnoklassniki” websites. To access these social networks, owners of Android devices are asked to input their login credentials; after that the programs log into the user’s account, bypassing blocking measures. Doctor Web security researchers have detected eight such programs, which are being distributed by these developers: JDX Studio, Soukaina Bousfiha, Zikolabs, Boubakri yassir, affzakanab, and simon faiz.
All these applications look exceedingly similar. They are installed on mobile devices as programs with the names «ВК В Украина», «ВК Украина», «ВК Украина 2», «ОК Украина», «Украина ОК», «ВК VPN Украина.», «ВК Украiна» and «ВК Украина VPN» and have similar shortcuts. At least 122,000 users have downloaded these applications, and each of them risks having their personal data leaked.
The problem is that, to circumvent the blocking measures, this software routes traffic through an online anonymizer. Anonymizers are servers that relay network requests while hiding information about the originating computer or mobile device, so that restrictions on blocked Internet resources can be bypassed. Such services are in demand, for example, among users of corporate networks where system administrators have blocked social network domains at the gateway.
The login credentials entered by users are sent to the anonymizing server unencrypted, so nothing prevents the server's owners from using the information they receive for illegal purposes. For example, they can log into a social network as the user and send messages without the user's knowledge, add friends, join groups, read correspondence, browse photos, and so on. The user does not realize that they have logged into the social network through a third-party domain, because the applications display no address bar. All subsequent activity on the "VK" and "Odnoklassniki" websites via this software is likewise unencrypted, which allows every action performed in these social networks to be monitored.
Even assuming that an anonymizing server’s owners have taken such an irresponsible approach to protecting confidential data through sheer error or elementary ignorance of information security basics, there is no guarantee that cybercriminals won’t intercept the unencrypted network traffic.
As usage of the programs indicated could lead to a leak of personal information, Dr.Web Anti-virus detects them as the potentially dangerous applications
To protect themselves, users of blocked online resources should avoid suspicious applications and services for bypassing access restrictions. Safer solutions with an adequate level of security are available, among them commercial and free VPN services (Virtual Private Networks) and proxy servers.
All known versions of
June 20, 2017
Security specialists regard this case as an ordinary ransomware attack: neglected software updates, configuration flaws, and so on. But this is the largest ransom ever paid to extortionists, and the most successful attack on Linux to date.
Who is to blame?
- The hosting provider did not offer to create backups for its customers and had no failover system to switch to if the existing infrastructure failed.
- Their customers relied upon the hosting infrastructure and didn't back up their data.
Successful attacks have been mounted against cloud service providers before, but none have drawn so much attention.
Doctor Web expects a sharp increase in the number of similar incidents.
And that’s because success stories of this sort encourage numerous copycats to appear. Perhaps, later on, the wave of attacks on providers of all kinds will decrease—or, perhaps, it will become a new trend just like the attacks on Linux did. It is too early to make predictions.
- If you store your data in a cloud and don't make backups, start doing it now, and make sure that you store them on servers belonging to a different provider, at home or in a different location.
- If you rent a cloud-based server, site, or service, it doesn't mean that you don't have to protect your data. Security is your concern. In addition to making backups, you need at minimum an anti-virus. One on your PC and in the cloud.
Dr.Web Server Security Suite (protects servers against malware) and Dr.Web Gateway Security Suite (scans inbound traffic and blocks access to dubious sites on the Internet) can provide protection for a service providers' infrastructure.
Dr.Web Enterprise Security Suite products provide protection for all corporate customers regardless of company size. Please pay special attention to the fact that anti-virus protection is necessary on the provider's end as well as on the customers' end (the corporate network and employee computers). This is the only way to protect against man-in-the-middle attacks.
June 19, 2017
The Trojan, named
Once launched, the Trojan offers to check how popular the mobile device owner is among other Telegram users. To do that, it asks the owner for their personal ID. After the victim inputs any information in the corresponding form,
After removing the shortcut,
Below are examples of files that have been transmitted by
Once the confidential information is stolen,
- call — make a phone call;
- sendmsg — send an SMS;
- getapps — forward information about the installed applications to the server;
- getfiles — forward information about all the available files to the server;
- getloc — forward device location information to the server;
- upload — upload to the server the file that is indicated in a command and stored on the device;
- removeA — delete from the device the file specified in a command;
- removeB — delete a file group;
- lstmsg — forward to the server the file containing information about all the sent and received SMS, including sender and recipient phone numbers, and message contents.
When each command is executed, the malicious program reports this information back to the cybercriminals’ Telegram bot.
Besides collecting confidential data when commanded to do so by cybercriminals,
Doctor Web security researchers are warning users that cybercriminals often distribute malicious applications under the guise of benign programs. To protect their devices from Android Trojans, users should install software distributed only by reliable developers and download it from such dependable sources as Google Play. All known versions of
June 15, 2017
This malicious program, designed for mining the Monero (XMR) cryptocurrency, was dubbed
The main module, which mines the Monero cryptocurrency, is also implemented as a library, and the Trojan contains both 32- and 64-bit versions of the miner; which one is used on an infected computer depends on the bitness of the operating system. The module's configuration specifies how many processor cores and how much computing capacity will be devoted to mining, the intervals at which the miner restarts automatically, and other parameters. The Trojan monitors the processes running on the infected computer and shuts itself down when an attempt is made to launch the Task Manager.
Despite the fact that the first mining Trojans were detected over six years ago (the signature for
June 5, 2017
The first of the two was added to the Dr.Web virus databases under the name
The other Trojan was named
A significant portion of the attacked IP addresses is located in Russia. In second place is China, and in third place—Taiwan. The below illustration shows the geographical locations from which
The Trojan uses a special range of methods to detect honeypots—special decoy servers used by digital security specialists to examine malicious software. Once launched, it connects to its command and control server and, after getting confirmation from it, runs a SOCKS proxy server on the infected device. Cybercriminals can use this Trojan to ensure that they remain anonymous online.
Both of these Trojans are successfully detected and removed by Dr.Web products for Linux, and, therefore, they pose no threat to our users.
May 25, 2017
Doctor Web security researchers registered the first attacks of this Trojan from the
All the scripts included in
One of the
The danger of
Doctor Web’s specialists have collected statistics on the unique IP addresses of devices infected with
Doctor Web security researchers are familiar with several modifications of
May 17, 2017
The malware, known as WannaCry, is a network worm that infects computers running Microsoft Windows without any user involvement. Dr.Web Anti-virus detects all the worm’s components as
Once launched, the worm attempts to send a request to a remote server whose domain name is stored inside the Trojan. If a response to this request is received, the worm shuts itself down. Some media sources have reported that the WannaCry outbreak was stopped once this domain was registered: until the Trojan started spreading, the domain had been left unregistered by mistake on the cybercriminals' part. In reality, analysis of the Trojan shows that it will still run and infect computers that are connected to a local network but have no Internet access, since on such machines the request never succeeds. It is therefore too early to talk about the epidemic being over.
After being launched, the Trojan registers itself as a system service named mssecsvc2.0. The worm also reacts to command line parameters: if an argument is supplied, it attempts to configure the service to restart automatically after a failure. Within 24 hours of being started as a system service, the worm shuts itself down.
After successfully starting on an infected machine, the worm begins probing for hosts it can reach in the local network and for computers on the Internet at random IP addresses. It tries to connect to TCP port 445, and if the connection succeeds it attempts to infect the host through a vulnerability in the SMB protocol (the flaw fixed by Microsoft's MS17-010 update).
A dropper is a component designed to install a malicious executable file into an operating system. WannaCry’s dropper contains a massive password-protected ZIP archive, which contains an encrypted file with a Trojan encoder, Windows Desktop wallpaper containing the cybercriminals’ demands, a file containing the addresses of onion servers and the name of a wallet for Bitcoin transactions, and also an archive containing programs for operating in the Tor network. The dropper is launched from the worm’s body, installs itself in the system, and then attempts to launch its copy as a randomly named system service. If this attempt is unsuccessful, it is executed as an ordinary program. The dropper’s main task is to save the contents of the archive on the disk and launch the encryptor.
A ransomware Trojan
The Trojan contains the author’s decoder, which deletes shadow copies on the infected computer and disables the system restore function. It changes the Windows Desktop wallpaper to a graphic file that reads as follows:
Then it unpacks the applications it uses to operate with the Tor network (or downloads them from the Web) and connects to onion servers, the addresses of which are indicated in the Trojan’s configuration. From there it receives the name of the wallet accepting Bitcoin electronic currency and writes it into the configuration. To exchange data with the onion servers,
The decoder allows several test files to be decrypted; their list is stored in the file f.wnry. The private key needed to decrypt them is stored in one of the malicious program's components, so they can be decrypted even without the Trojan. However, the test files and all other files are encrypted with different keys, and the key for the latter is held only by the attackers. There is therefore no guarantee that data corrupted by the encoder can be restored, even if the ransom is paid.
Unfortunately, at present it is impossible to decrypt files encoded by
Signs of infection
The hallmark signs of a WannaCry infection are:
- The presence of the mssecsvc2.0 system service (display name "Microsoft Security Center (2.0) Service");
- The presence of the Trojan encoder file C:\WINDOWS\tasksche.exe; if an earlier copy of the malicious program was present, it is kept in the file C:\WINDOWS\qeriuwjhrf.
What to do in case of infection
- To prevent the further spread of infection, isolate infected machines and PCs containing valuable data from computer networks;
- Save a backup copy of the information on separate storages that must thereafter remain disconnected from any computers.
May 15, 2017
The very first modification of the Trojan known to Dr.Web (Wanna Decryptor 1.0) was analyzed in Doctor Web’s laboratory on March 27, 2017, at 07:20 a.m. and was added to virus databases at 11:51 a.m., later that same day.
Trojan.Encoder.11432, which is also known as WannaCry, started actively spreading on Friday evening, and by the weekend it had infected computers of large organizations all over the world.
Doctor Web obtained its sample on May 12 at 10:45 a.m. and added it to the Dr.Web virus databases.
Before it was added to the database, Dr.Web had detected the Trojan as BACKDOOR.Trojan.
The Trojan itself is a multi-component encoder named Trojan.Encoder.11432. It includes the following four components: a network worm, an encoder dropper, an encoder and the author's decoder.
Trojan.Encoder.11432 encrypts files on an infected computer and demands a ransom for their decryption. The money must be transferred to the specified e-wallets in Bitcoin cryptocurrency.
The mass proliferation of the Trojan is being caused by a vulnerability in the SMB protocol. All Windows operating systems older than version 10 are subject to this vulnerability. Trojan.Encoder.11432 didn’t pose any threat to our users from the moment it started spreading.
To eliminate any chance of your computers getting infected with this Trojan, we recommend that you do the following:
- Install the MS17-010 update for your operating system, which is available at technet.microsoft.com/en-us/library/security/ms17-010.aspx, and all current security updates;
- Update the Anti-virus;
- Close the attacked network ports (139, 445) using the firewall;
- Disable the attacked, vulnerable operating system service;
- Forbid the installation and running of new software (executable files);
- Remove excessive user rights (rights for launching and installing new software);
- Delete unnecessary services in the system;
- Forbid access to the Tor network.
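As an added example that is not part of the Doctor Web article, the following PowerShell script checks a Windows host for the WannaCry infection signs listed earlier on this page (the mssecsvc2.0 service and the two files under C:\WINDOWS) and, when run with the script's own -Harden switch, applies the firewall and SMB steps from the list above. The -Harden switch and the firewall rule name are this example's assumptions; the cmdlets are standard Windows ones and need an elevated session.

```powershell
# Added example (not Doctor Web's code): detect the WannaCry indicators named in the
# article and optionally apply the SMB-related mitigations it recommends.
# Run in an elevated PowerShell 5.1+ session on Windows 8.1 / Server 2012 R2 or later.
# -Harden is this script's own switch, not a Windows or Dr.Web parameter.
param([switch]$Harden)

# Indicators taken from the article: the mssecsvc2.0 service and two files in C:\WINDOWS.
$ServiceName = 'mssecsvc2.0'
$Files = @('C:\WINDOWS\tasksche.exe', 'C:\WINDOWS\qeriuwjhrf')

function Test-WannaCryIndicators {
    $hits = @()
    $svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    if ($svc) { $hits += "service $ServiceName present (status: $($svc.Status))" }
    foreach ($f in $Files) {
        if (Test-Path -LiteralPath $f) { $hits += "file $f present" }
    }
    return $hits
}

function Set-SmbHardening {
    # Step 1: MS17-010 ships under a different KB number per OS build, so list the
    # most recent installed security updates for manual comparison with the bulletin.
    Get-HotFix | Where-Object { $_.Description -like '*Security*' } |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 10 HotFixID, InstalledOn

    # Step 3: block the attacked ports (139, 445) inbound with a firewall rule.
    # The rule name is this example's own choice.
    New-NetFirewallRule -DisplayName 'Block inbound SMB (139,445)' -Direction Inbound `
        -Protocol TCP -LocalPort 139,445 -Action Block -Profile Any | Out-Null

    # Step 4: disable the vulnerable service, i.e. the SMBv1 protocol on the server side.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
}

$found = Test-WannaCryIndicators
if ($found) {
    Write-Warning 'WannaCry indicators found; isolate this machine from the network:'
    $found | ForEach-Object { Write-Warning "  $_" }
} else {
    Write-Output 'No WannaCry indicators found.'
}
if ($Harden) { Set-SmbHardening }
```

Run the script without -Harden first to report indicators only; the hardening functions change firewall and SMB configuration and should be tested before fleet-wide use.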
May 12, 2017
The Trojan backdoor has been added to the Dr.Web virus databases under the name
The Trojan stores encrypted information in its own file. This information determines whether
- Name and version of the operating system;
- User name;
- Availability of root privileges;
- MAC addresses of all available network interfaces;
- IP addresses of all available network interfaces;
- External IP address;
- CPU type;
- RAM amount;
- Data about the malware version and its configuration.
The Trojan has its own file manager, which allows cybercriminals to execute various actions with files and folders on the infected computer. The backdoor can execute the following commands:
- Receive a list of the contents of a specified directory;
- Read a file;
- Write to a file;
- Get the contents of a file;
- Delete a file or folder;
- Rename a file or folder;
- Change the privileges for a file or folder (chmod command);
- Change the owner of a file object (chown command);
- Create a folder;
- Execute a command in the bash shell;
- Update the Trojan;
- Reinstall the Trojan;
- Change the command and control server’s IP address;
- Install a plug-in.
May 4, 2017
Recently, in the official “Doctor Web” group on the “VK” social network, messages appeared from anonymous users offering the option to download free license keys for the Dr.Web Anti-virus. Usually such messages contain a short link to RGhost file hosting. If a potential victim follows it, they will be asked if they want to download a 26 KB RAR archive. Naturally, moderators of the Doctor Web group try to delete such messages as quickly as possible, but sometimes they are not quick enough to remove them right after they are published.
The archive contains a small executable file that has the icon of a plain text document. Examination of all samples of this application shows that they are the same backdoor, but the cybercriminals have repacked the malicious program each time before publishing it online in order to avoid signature detection. As a result, the Trojan, named
After launch, the backdoor connects to its command and control (C&C) server and sends information about the infected computer, the serial number of a hard drive, the version and bitness of the installed operating system, the name of the computer, the name of the manufacturer, the version of the anti-virus, if present, and the availability of a connected webcam. The Trojan can execute the following commands of cybercriminals:
- Replace the Windows Desktop wallpaper;
- Turn off or restart the computer;
- Output a system message with the specified text on the screen;
- Swap the functions of the mouse buttons;
- Play a specific phrase using a voice synthesizer and speakers;
- Hide and then restore the Windows taskbar;
- Open or close the optical disc drive;
- Turn a display on and off;
- Open the specified link in a browser;
- Read, set or delete the specified system registry value;
- Receive a screenshot and send it to the C&C server;
- Download and launch the specified executable file;
- Refresh or remove the Trojan’s executable file;
One of the most dangerous functions of the backdoor is an embedded keylogger that records pressed keys. Upon command, this data is uploaded to the cybercriminals’ server. In addition, the Trojan is able to unexpectedly display SWF videos containing frightening images on the infected computer.
Doctor Web’s specialists note that such malicious programs, whose main purpose is to frighten or confuse users, are quite rare these days. The majority of Trojans are aimed at making a profit, and secondary school age children are the ones most likely to distribute viruses in order to frighten users just for “fun”.
Conventional wisdom says that there is no such thing as a free lunch, so all the different kinds of offers users come across to download license keys for commercial software are fraudulent. Doctor Web advises users to be vigilant and not fall for such provocations.
April 20, 2017
Most modern Trojans execute either only one function or several simultaneously with one function dominating. Multi-purpose malicious programs are quite rare.
Once launched on an attacked computer,
A representative of a banking Trojan family designed to steal private information and money from user bank accounts.
The Trojan connects with a command and control server to receive such commands as:
- Launch a file from the temporary folder on the disk of the infected computer;
- Inject itself into a running process;
- Delete the specified file;
- Launch the specified executable file;
- Save the SQLite database used by Google Chrome and send it to the cybercriminals;
- Change the command and control server to the one specified;
- Delete cookies;
- Restart the operating system;
- Turn off the computer.
The signature for
April 20, 2017
This vulnerability has been detected in Microsoft Word. Cybercriminals have developed an active exploit for this application, and it has been added to the Dr.Web virus database as
This exploit is implemented as a Microsoft Word document with the DOCX extension. Once this document is opened, another file called doc.doc is loaded. It contains an embedded HTA script, detected by Dr.Web as
Currently, cybercriminals use this mechanism to install
Dr.Web successfully detects and removes files containing
April 17, 2017
The traditional approach of cybercriminals engaged in so-called fixed matches is quite simple: they create a special website that offers for sale “reliable and verified information on the results of sporting events”. Later, buyers can use this information to make supposedly sure-win bets at bookmakers’ offices. The creators of such websites represent themselves as retired coaches and sports analysts. In fact, while one segment of paying customers gets one forecast, another segment gets one that’s the exact opposite. If one of the victims complains, cybercriminals offer them their next forecast for free as compensation for their loss.
Recently cybercriminals have made some changes to this scheme. They are still creating websites to attract customers and public pages on social networks, but as a way of proving the quality of their services, they tell customers to download a password-protected, self-unpacking RAR archive that supposedly contains text files showing the match results of an event. Cybercriminals send the password for this archive after the match is finished. This is supposed to give users a chance to compare the predicted outcome with the real one.
Instead of the archive, cybercriminals send their victims their own program, one that fully imitates the interface and behaviour of an SFX archive created with WinRAR. This program has been added to the Dr.Web virus databases under the name
This fake “archive” contains the template of a text file that, with the help of a special algorithm, inserts the required match results which depend on what password is entered by the user. Thus, when the match is finished, the only thing that cybercriminals have to do is to send their victim the appropriate password, and the text file with the correct result will be “extracted” from the “archive” (in reality, the Trojan will generate it on the basis of the template).
There is also an alternative version of this fraudulent scheme—cybercriminals send their victims a password-protected Microsoft Excel file containing a special macro. This macro uses the same method to insert the required result, depending on what password is entered.
Doctor Web reminds users that all the various and sundry predictions criminals are making about match results are a type of fraud that any user can fall victim to. Do not trust websites offering you the chance to make a fortune using insider information to place bets, even if the promises of the cybercriminals involved look very convincing.
April 13, 2017
The mass mailing of malicious attachments is one of the most popular Trojan distribution methods. Cybercriminals try to compose a message in a manner that will make the recipient open the attached file which subsequently infects their computer.
Over the past few days, emails with the subject header “Made the payment” have been distributed on behalf of a certain LLC Globalniye Sistemy (“Global Systems”). These letters contain the following text (the author’s syntax and spelling have been preserved):
We made the payment on April, 6, but for some reason we haven’t received an answer from you.
We hereby request to process the payment as soon as possible and provide the services because time is an issue for us.
The copy of the billing statement and other documents are in the attached archive.
Please, check the details of the billing statement. Perhaps there has been a mistake that caused the failure in delivery of our payment. It could be the reason for the delay.
LLC Globalniye Sistemy
The email has an attached archive called “Billing from LLC Globalniye Sistemy April 6 2017.JPG.zip” that is more than 4 MB in size. It contains an executable file with the extension .JPG[several dozen spaces].exe which was added to the Dr.Web virus database under the name
The application is a packed container created using the capabilities of the AutoIt language. On launch the program checks that it is the only running copy, then saves to disk a library used to bypass User Account Control (UAC) on 32-bit and 64-bit versions of Windows, along with some other files. Then
One of the components launched by
Another component of the Trojan, xservice.bin, which is also an encrypted AutoIt container, extracts two executable files to disk. These programs are 32-bit and 64-bit versions of the Mimikatz tool, which is designed to intercept passwords of open Windows sessions. xservice.bin can be launched with different keys (command-line switches), which determine the actions this file performs on infected computers.
| Key | Action |
|---|---|
| -help | displays the possible keys (the help text is displayed in an unknown encoding) |
| -screen | takes a screenshot, saves it as a file called Screen(<HOURS>_<MINUTES>).jpg (<HOURS>_<MINUTES> stands for the current time) and sets the file attributes to “hidden” and “system” |
| -wallpaper <path> | changes the wallpaper to the one indicated in the parameter <path> |
| -opencd | opens the CD drive |
| -closecd | closes the CD drive |
| -offdesktop | prints the following text to the console: “Not working =(” |
| -ondesktop | prints the following text to the console: “Not working =(” |
| -rdp | launches RDP (see below) |
| -getip | obtains the IP address of the infected computer using the following website: http://ident.me/ |
| -msg <type> <title> <msg> | creates a dialog of the given type (err, notice, qst, inf) with the specified title and text |
| -banurl <url> | adds the following string to the file %windir%\System32\drivers\etc\hosts: “127.0.0.1 <url>”, where <url> is the command argument |
This application also activates a keylogger that records the keys pressed by the user to a file. It also takes a screenshot at the moment of launch.
The Trojan gives criminals access to the infected device via RDP (Remote Desktop Protocol). For this purpose, it downloads a program called Rdpwrap from GitHub and installs it with parameters that allow it to run hidden. Dr.Web Anti-virus detects it as Program.Rdpwrap. Then
The signature for
April 10, 2017
Services that organize access to paid content using WAP-click are provided by many network providers. They actively use numerous partner programs that allow website owners to monetize mobile traffic. For example, MegaFon announced a new WAP-click technology in 2012. The provider marketed it as a service “that allows MegaFon subscribers to purchase audio, video and graphic files under a simplified procedure on websites belonging to the company’s partners and to use services that do not require loading”.
This technology is simple: a mobile web user is redirected to a webpage containing a message advising them that they must pay to access the requested content. The webpage is equipped with a button that subscribes the user to the paid service when they click on it.
Soon this service became a matter of discussion both among users and on the pages of online media: in particular, WAP-click has been mentioned by VC.RU, Apple Insider and many others. One of the users even prepared a petition, demanding that network providers ensure that paid subscriptions are confirmed via SMS.
The subscription is available to all users in the mobile provider’s network. Owners of USB modems have also fallen victim to unauthorized subscriptions and search for solutions to this problem on their own: some of the solutions are described in detail on such websites as http://vsyako.blogspot.ru/2014/06/podpiski.html and https://антиподписки.рф. For Windows users, one of the suggested methods of combating paid subscriptions is making the corresponding changes in the hosts file. Initially the recommendations suggested limiting access to wap.megafonpro.ru, the website through which subscriptions are processed. Perhaps this method was effective for a while, but later it was discovered that MegaFon owns a number of other domains with the same functionality:
| IP address | Domain | Name server | Owner | Date |
|---|---|---|---|---|
| 22.214.171.124 | moy-m-portal.ru | ns1.misp.ru | North-West Branch of PJSC "MegaFon" | 2016-04-07T15:00:38Z |
| 126.96.36.199 | propodpiski.ru | ns1.misp.ru | North-West Branch of PJSC "MegaFon" | 2016-05-10T11:39:21Z |
| 188.8.131.52 | mfprovas.ru | ns1.misp.ru | North-West Branch of PJSC "MegaFon" | 2016-05-10T11:39:22Z |
| 184.108.40.206 | vasmfpro.ru | ns1.misp.ru | North-West Branch of PJSC "MegaFon" | 2016-05-10T11:39:22Z |
| 220.127.116.11 | propodpiskimf.ru | ns1.misp.ru | North-West Branch of PJSC "MegaFon" | 2016-05-10T11:39:23Z |
| 18.104.22.168 | promfvas.ru | ns1.misp.ru | North-West Branch of PJSC "MegaFon" | 2016-05-10T11:39:23Z |
| 22.214.171.124 | vasmpro.ru | ns1.misp.ru | North-West Branch of PJSC "MegaFon" | 2016-05-10T11:39:24Z |
Let’s review a real example of WAP-click technology at work. Doctor Web specialists conducted an experiment that reflects their experience using MegaFon’s mobile Internet. Let’s assume that on the eve of the summer growing season a user intends to plant onions in their vegetable garden. Naturally, the best way to do this is according to the instructions our gardener found via a Google search. The search request “how and when to plant onions” pulled up a link that seemed to meet the user’s needs.
A special script is embedded in the HTML code of the website the link leads to. This script identifies the user’s network provider. In our example, all the following actions are performed only for MegaFon subscribers.
When attempting to go to this web resource, a chain of automatic redirections is executed. It consists of at least 5-7 intermediate hops. This chain ends on an online subscription site belonging to MegaFon, according to data provided by WHOIS.
Information on the subscription service page clearly warns that the user must pay 30 rubles per day to access the website they need. The payment to view the web resource is explained by the presence of “articles and news intended for personal use”. However, in some cases, for example, on devices with a high screen resolution (a tablet or a computer with a connected USB modem), this important warning becomes less noticeable. The visitor may simply miss this text in small print.
Even if the user agrees to the proposed terms and conditions, they will not see information on onions anyway. After clicking the subscription button, they will be redirected to infonews24.ru via another chain of redirections. This web resource belongs to LLC Informpartnyor (http://informpartner.com). The user will then receive an SMS notifying them that they subscribed to the paid service successfully. It’s worth noting as an aside that owners of USB modems that don’t support SMS notifications will not get a message telling them they have successfully signed up for a service—they will only find out about it when they get the bill from their network provider.
From the moment the subscription button is clicked, the user’s account is charged 30 rubles daily, even if they have not visited the paid website, used the Internet or even turned on the phone.
It is not that easy to unsubscribe from paid access to web resources. For several days, our specialists sent USSD requests from a mobile device in order to determine the presence of paid content services. However, the SMS replies from MegaFon stated that the given subscriber number had no active subscriptions.
We have observed the exact same result in the “Dashboard” of a MegaFon user, regardless of whether we logged in with a mobile device or via a desktop, and on the special website http://podpiski.megafon.ru: no mention was made about paid access to web resources. In our case, subscription information appeared in the “Dashboard” only several days later. In the interim period, the subscription fee was charged daily.
MegaFon itself offers its users a special content account designed specifically for the debiting of subscription payments. This account eliminates any chance of spending money from the user’s main account. To get this free service, users must contact the technical support service or visit the provider’s office.
There is also an alternative method of avoiding WAP-click subscriptions—MegaFon suggests sending the special request “УСТЗАПРЕТ1” (“USTZAPRET1”) to its service number. However, it should be noted that this ban on subscriptions is valid only for 90 days, after which a MegaFon user can once again accidentally subscribe to some paid service.
If you notice that funds are regularly being debited from your mobile account, you should absolutely check whether you are being charged for any paid subscriptions. It is also recommended that you connect a content account in order to keep the funds in your main account with the mobile network provider secure. Doctor Web advises you to be alert when using mobile Internet, and in case you discover you have accidentally subscribed to some paid services, it is recommended that you cancel them as soon as possible—on your own or by contacting your network provider’s support service.
March 17, 2017
Warning!!! All your files are encrypted with AESalgorithm! For decrypt use this instructions: Download tor browser Run tor and go to: http://vejtqvliimdv66dh.onion Or you can use tor2web services http://vejtqvliimdv66dh.onion.to in log panel enter your id (CRPTksrjghkrkwkrjthkewVM) follow next instructions if server is down, try connect later locker version 3.0.0
The id parameter can assume various values on different infected computers.
If you have fallen victim to this malicious program, follow the recommendations below:
- do not remove any files from your computer or reinstall the operating system. It is also not recommended to use the infected computer until you get detailed instructions from Doctor Web’s technical support;
- if you have run an anti-virus scan, do not try to cure or remove the threats that were detected—our technical support specialists may need them during their search for a decryption key;
- try to remember as much about the circumstances of the infection as possible: this can involve receiving dubious email messages, downloading programs from the Web, or visiting websites;
- if you have the email message containing the attachment that infected your computer after you opened it, do not remove it—our specialists may need it to identify which version of the Trojan is involved.
To decrypt files corrupted by
Once again, we would like to point out that our free decryption service is only available to users who have purchased commercial licenses for Dr.Web products. Doctor Web cannot guarantee that all of your files will be decrypted successfully. However, our specialists will do their best to recover the encrypted data.
March 3, 2017
Doctor Web specialists examined an on-screen keyboard app called TouchPal. Mobile device owners can use it instead of the standard one. It does indeed work as stated but contains an unwanted advertising module. In keeping with the Dr.Web classification system, the module was named
This plug-in displays several types of ads. For example, on the home screen it creates widgets that can’t be deleted until the device owner clicks on them. When the widget is clicked on,
Despite the fact that TouchPal itself is not a malicious program, the unwanted module within it—
February 13, 2017
This malicious program, which is based on the source code of another banking Trojan—Zeus (
Worth highlighting is the unique way in which the Trojan automatically launches itself on an infected machine:
Dr.Web successfully detects and removes