September 20, 2021

Russian anti-virus company Doctor Web has rolled out the new version of its anti-virus application for the Apple operating system—Dr.Web Security Space 12.5 for macOS. Now that the application's modules have been redesigned and thoroughly tested, the product is ready to protect Mac computers running the latest Apple OS version—macOS Big Sur. Furthermore, Dr.Web can now also work on machines powered by Apple M1.

MacOS Big Sur supported

Because third-party driver functionality is limited under this operating system version, Dr.Web for macOS had to be redesigned. Doctor Web’s programmers created the traffic-filtering and file-monitor modules literally from scratch, and now they both help keep macOS Big Sur protected. These components are installed on a computer as system extensions and can access all the operating system venues needed to maintain reliable anti-virus security.

Support for ARM64

Doctor Web does its best to keep up with the ever-growing popularity ARM64 enjoys among CPU makers and users. Back in 2020, support for ARM64 was implemented in Dr.Web 11.1 applications for Unix-like systems. Now Dr.Web Security Space for macOS also supports this platform. Thanks to this, Dr.Web can also operate smoothly on computers featuring Apple’s powerful M1 CPUs.

In addition, the product is also using the most up-to-date version of Dr.Web Virus-Finding Engine (7.00.51.06150) for ARM64.

Centralised protection mode

To connect to a Dr.Web Enterprise Security Suite or Dr.Web AV-Desk server, the new version relies on certificates, rather than public encryption keys.

Because Dr.Web Security Space 12.5 for macOS and Dr.Web 11.1 applications for Unix-like systems utilise the same set of components, the application can only be run in centralised protection mode when linked up with the server software featured by Dr.Web Enterprise Security Suite 11 and later suite releases and Dr.Web AV-Desk 13.0.

Dr.Web Security Space for macOS User Manual has been updated to include information about the new features found in version 12.5.

To upgrade to the new version, users will need to download a new distribution file and install the application.

September 14, 2021

New anti-virus server features make it even more versatile and reliable and easier to administer.

Dr.Web AV Desk 13 is a universal solution, allowing you to deploy a distributed anti-virus network and remotely administer end-point security on all the hosts that receive the anti-virus software on a subscription basis.

The subscription-based Dr.Web Anti-virus protects PCs, servers and mobile devices, regardless of their actual location and how they connect to the Internet. An IT service provider can employ Dr.Web to protect its customers’ devices. It is also an ideal choice for organisations with complex distributed infrastructures that have a large number of devices outside the protected corporate network.

With Dr.Web AV-Desk, operators can closely monitor and keep track of all security incidents, collect statistics and promptly adjust the anti-virus software parameters to respond to emerging threats.

Nowadays, the subscription-based Dr.Web keeps over half a million devices across the world protected from malware and their number is growing daily.

Key innovations

• ystem resources are used more sparingly, thanks to the ability to delegate anti-virus protection tasks to a separate designated virtual machine that runs certain anti-virus routines for other VM agents on the same physical server.
• Advanced remote installation and updating options for Dr.Web Agent running under Windows, Unix-like systems and Android.
• Upgraded routines for collecting and analysing statistics on identified threats. The ability to look for information using file hashes.
• Improved subscription usage reports.

September 14, 2021

Russian anti-virus company Doctor Web has released a software update affecting versions 11.5 and 12.0 of Dr.Web Security Space, Dr.Web Anti-virus and Dr.Web Anti-virus for Windows Servers as well as Dr.Web Enterprise Security Suite 12.0 and Dr.Web AV-Desk 13.0. These changes have made the applications more secure and easier to use.

The self-protection module Dr.Web Protection for Windows (12.06.04.09070) in version 12 of the corporate and home anti-virus products and in Dr.Web AV-Desk 13.0 has been updated to enhance product security.

Furthermore, changes have been introduced to the Dr.Web Updater update module (12.0.36.09020):

• An issue causing incorrect information about running protection components to be displayed has been addressed. Corresponding adjustments have been made to the configuration script Lua-script for main (12.10.12.09010);
• An issue that could cause the module to terminate abnormally has been resolved;
• To keep users well informed about the module's operation, an Error 2 message is now displayed if an update mirror directory is unavailable;
• Minor tweaks have also been introduced.

In addition, the module Dr.Web Thunderstorm Cloud Client SDK (12.0.17.08271) has been updated in Versions 11.5 and 12.0 of Dr.Web Security Space, Dr.Web Anti-virus and Dr.Web Anti-virus for Windows Servers as well as in Dr.Web AV-Desk 13.0. Now the module uses OpenSSL 1.1.11, which contributes to an overall security boost in Dr.Web software’s operation.

The update will be performed automatically; however, a system reboot will be required.

September 9, 2021

Russian anti-virus company Doctor Web has updated version 12 of its Dr.Web plugin for Microsoft Exchange, which protects corporate networks and the information within them from threats carried by email messages.

Now the administrator console can provide more license information.

You can download the updated distribution file from Doctor Web's site.

Also note that Dr.Web for Microsoft Exchange is part of the email-filtering software suite—Dr.Web Mail Security Suite. Because mail traffic still remains the main medium for transmitting malicious programs and unsolicited emails across networks, Dr.Web anti-viruses filter out spam messages and prevent trojans from sneaking into corporate infrastructures. They also make sure that users receive their correspondence more quickly and will remove previously unknown malware from their mailboxes.

September 8, 2021

The August analysis of Dr.Web’s statistics revealed a notable increase in the total number of detected threats—by 16.8% compared to the previous month. The number of unique threats increased by 5.6%. Adware still made up the majority of detected threats. A variety of malware, including malicious PDF files, was most often distributed in mail traffic.

In August, the number of user requests to decrypt files affected by encoders increased by 4.2% compared with July. Trojan.Encoder.26996 was the most active threat, accounting for 52.54% of all incidents.

According to Doctor Web’s statistics service

The most common threats in July:

Adware.SweetLabs.5

An alternative app store and add-on for Windows GUI from the creators of Adware.Opencandy.

Adware.Elemental.17

Adware that spreads through file-sharing services as a result of link spoofing. Instead of normal files, victims receive applications that display advertisements and install unwanted software.

Adware.Downware.19856

Adware often serving as an intermediary installer of pirate software.

Trojan.AutoIt.980

A malicious utility program written in the AutoIt language and is distributed as part of a miner or RAT trojan. It performs various malicious actions that make it difficult to detect the main payload.

Trojan.MulDrop16.4830

A malicious program that downloads unwanted applications to a victim's computer.

Statistics for malware discovered in email traffic

W97M.DownLoader.2938

A family of downloader trojans that exploit vulnerabilities in Microsoft Office documents and are designed to download other malicious programs onto compromised computers.

Trojan.PackedNET.964

Packed malware written in VB.NET.

BackDoor.SpyBotNET.25

A backdoor written in .NET and designed to operate with a file system (copying, creating, deleting, etc. catalogs), terminate processes, and take screenshots.

PDF.Phisher.267

A PDF document used in phishing newsletters.

HTML.FishForm.171

A web page spread via phishing emails. It is a bogus authorization page that mimics well-known websites. The credentials a user enters on the page are sent to the attacker.

Encryption ransomware

User requests to decrypt files affected by encoders increased by almost 4.2% compared to July.

• Trojan.Encoder.26996 — 52.54%
• Trojan.Encoder.567 — 5.07%
• Trojan.Encoder.30356 — 2.13%
• Trojan.Encoder.11539 — 0.80%
• Trojan.Encoder.11432 — 0.27%

Dangerous websites

In August 2021, Doctor Web’s analysts’ attention was drawn to increased incidents of distribution links to suspicious sites offering online psychic services. Consulting “experts” in divination, astrology, and extrasensory perception costs a lot of money, but it is not possible to check the quality of the implemented service.

The screenshot shows the main page that contains cliches “best site”, “highly skilled experts”, and “money-back guarantee”. However, in reality, this site shows another fraudulent scheme involving “experts” recruited from social networks. Similar resources are not blocked by the government, but Dr.Web sent them into a database of non-recommended websites.

Malicious and unwanted programs for mobile devices

In August, Doctor Web’s malware analysts uncovered many threats on Google Play. Among them were various fake Trojans from the Android.FakeApp family that downloaded fraudulent websites. In addition, our specialists have identified another Trojans in Android.Joker, capable of running arbitrary code, as well as subscribing victims to paid services. In addition, trojans that steal logins and passwords from Facebook accounts were detected.

During August 2021, adware and trojans that download malicious software were the threats recorded most often on Android devices protected by Dr.Web.

The following August events related to mobile malware are the most noteworthy:

• Detection of new threats on Google Play
• Advertising trojan and adware remain amongst the most active threats.

Learn more about malicious and unwanted programs for mobile devices in our August overview.

September 8, 2021

Doctor Web is pleased to present the newly released version 12 of its Dr.Web Light for Android. Users will discover the qualitative changes that have been made to the program's operation and the pleasant innovations that have been introduced to the application's design and structure, including the addition of a dark theme. See what’s new!

We listen carefully to our users' opinions and that's why, in the new version of Dr.Web Light, we have significantly updated the design and added the option to switch to a dark theme. The application menu has become more structured and user-friendly, so now all the functions can easily be found. The notification bar and application widget have also been updated.

Of course, we did not limit ourselves to making just visual updates. In addition to the changes we made to the interface, in response to user requests, automatic file system scanning has been replaced with on-demand scanning—now Dr.Web Light will use even fewer resources. In the "Custom scan", users can now take advantage of convenient sorting for the list of files needing scanning, and detailed information about each event has been added to the "Statistics" section. In addition, the application now works better with Android 11.

МWe have already updated the documentation «Dr.Web Light User Guide», which now contains a detailed description of all the changes made to the new version—so you can use it at any time.

Users who downloaded Dr.Web Light from our site need to download the distribution again or update the application on Google Play.

If you downloaded the Dr.Web application from Google Play, the updates will be downloaded and installed automatically. If automatic updates are disabled on your device, you need to go to Google Play, choose Dr.Web Light on the application list, and click on "Update".

Note! We recommend that you use Dr.Web Security Space (for Android) to fully protect your system from all types of modern-day threats. It incorporates other components in addition to the anti-virus:

• Parental Control will protect adults and children from Internet threats;
• The Call and SMS Filter will shield against unwanted calls and SMS messages;
• The Anti-theft will help locate a mobile device if it has been lost or stolen, and, if necessary, wipe confidential information from it remotely;
• The Firewall will monitor application network activity and protect sensitive information from being leaked over a network;
• The Security Auditor will inspect and analyse a mobile device’s security and offer solutions to address security problems and vulnerabilities.

Dr.Web for Android has been downloaded more than 140 million times on Google Play alone! Every month, our specialists discover a multitude of malicious applications, add thousands of websites to the non-recommended list, analyse millions of files and links, and support our users 24/7.

Try Dr.Web and leave your feedback on Google Play.

Your Android needs protection.

Use Dr.Web

• The first Russian anti-virus for Android
• Over 140 million downloads—just from Google Play
• Available free of charge for users of Dr.Web home products

Free download

September 8, 2021

According to Dr.Web for Android anti-virus products detection statistics, the most common malware users encountered in August were adware trojans and malware capable of executing arbitrary code and downloading other software.

Over the past month, Doctor Web specialists uncovered many threats on Google Play. Fake apps from the Android.FakeApp malware family that load fraudulent sites were among them. Moreover, another trojan designed to steal logins and passwords of Facebook accounts was also found. In addition, the attackers have spread trojans from the Android.Joker family that subscribe victims to paid mobile services.

According to statistics collected by Dr.Web for Android

Android.HiddenAds.1994

Trojan designed to display obnoxious ads. Trojans of this family are often distributed as harmless applications and, in some cases, are installed in the system directory by other malware.

Android.Triada.510.origin

Android.Triada.4567

Multifunctional trojans performing various malicious actions. This malware belongs to the trojan family that infects other app processes. Some modifications of this family were found in the firmware of Android devices, which attackers implanted during manufacturing. Some of them can also exploit various vulnerabilities to gain access to protected system files and folders.

Android.RemoteCode.284.origin

A malicious application that download and execute arbitrary code. Depending on their modification, trojans of this family can also load various websites, open web links, click on advertising banners, subscribe users to premium services, and perform other actions.

Android.MobiDash.5162

A trojan that displays obnoxious ads. It represents a special software module that is incorporated into the applications by the developers.

Program.FakeAntiVirus.1

The detection name for adware programs that imitate anti-virus software. These apps inform users of non-existing threats, mislead them, and demand they purchase the full version of the software.

Program.KeyStroke.1.origin

An Android application capable of intercepting keystrokes. Some modifications of this software can also track incoming SMS, control calls history, and record phone calls.

Program.FreeAndroidSpy.1.origin

Program.Mrecorder.1.origin

Applications that spy on Android users and can be used for cyber espionage. Depending on their modification and version, they can control the location of the device, collect the information on calls, SMS, and social media chats, gain access to a phone book and user contact list, record the surroundings, and can also copy multimedia and other files, such as photos, videos, documents, etc.

Program.CreditSpy.2

The detection name for programs designed to assign credit ratings to users based on their personal data. These applications upload SMS, contact information from phonebooks, call history, and other information to the remote server.

Tool.SilentInstaller.14.origin

Tool.SilentInstaller.13.origin

Tool.SilentInstaller.6.origin

Tool.SilentInstaller.7.origin

Riskware platforms that allow applications to launch APK files without installation. They create a virtual runtime environment that does not affect the main operating system.

Tool.Packer.1.origin

The detection name for applications protected by the Obfuscapk obfuscation tool. This tool is used to automatically modify and scramble Android apps’ source code to make reverse engineering more difficult. Cybercriminals use the tool to protect malicious applications from being detected by anti-virus programs.

Program modules incorporated into Android applications and designed to display obnoxious ads on Android devices. Depending on their family and modifications, they can display full screen ads and block other apps’ windows, show various notifications, create shortcuts, and load websites.

Adware.SspSdk.1.origin

Adware.AdPush.36.origin

Adware.Adpush.6547

Adware.Dowgin.5.origin

Adware.Myteam.2.origin

Threats on Google Play

In August, a large number of malware was found on Google Play. Fake apps of the Android.FakeApp family that are used in various scam schemes were among them. For example, some of them were again spread under the guise of official software for popular Russian lotteries “Русское лото” (Russian Lotto) and “Гослото” (Gosloto), as well as their official distributor “Столото” (Stoloto). These fakes were added to the Dr.Web virus base as Android.FakeApp.307, Android.FakeApp.308, Android.FakeApp.309, Android.FakeApp.310, Android.FakeApp.311, Android.FakeApp.312, Android.FakeApp.325, Android.FakeApp.328, Android.FakeApp.329, Android.FakeApp.330, Android.FakeApp.332, Android.FakeApp.333, Android.FakeApp.334, Android.FakeApp.335, and Android.FakeApp.341.

Upon launch, the apps loaded fraudulent sites where potential victims were offered to get allegedly free lottery tickets and to play the game to win prizes. However, it was nothing but a scam. The so-called “game” was scripted and the “winners” were asked to pay a “fee” or a “custom”, and this money then ended up going to the fraudsters' pockets.

An example of how one of these fake applications operates is shown below:

The following are examples of how such apps can be seen on Google Play:

Other fakes were apps that were allegedly designed to help Russian users to search for information about state social benefits and to receive this financial support to their bank accounts and cards. Similar to fake lottery schemes, such apps only loaded fraudulent websites, where, to receive the “funds”, potential victims were asked to pay a “fee”.

The trojans were added to the Dr.Web virus base as Android.FakeApp.306, Android.FakeApp.313, and Android.FakeApp.325.

Moreover, new scam software disguised as investing and trading software was also discovered. Some of these apps were spread under the name of famous companies.

The trojans, dubbed Android.FakeApp.305, Android.FakeApp.314, Android.FakeApp.315, and Android.FakeApp.316, loaded various “financial” decoy sites where users were offered to register to start earning the money. In some cases, the victims were asked to provide their first and last name, their email address, and mobile number. In others, only the mobile number was requested. Next, users could be redirected to other fraudulent sites, received a notification that there is no more room for new clients, or were asked to wait for the “operator” calling back.

The examples of how these apps operate are shown below:

Using such fake investing apps, the malicious actors not only collect victims’ personal information and steal their money but can also drag them into other scam schemes by selling obtained personal data to a third party, for example.

New trojans from the dangerous Android.Joker family were among discovered threats as well. They were added to the Dr.Web virus base as Android.Joker.320.origin, Android.Joker.858, and Android.Joker.910. The first one was spread as an animated wallpaper called 3D Live Wallpaper. The second one was disguised as a music app called New Music Ringtones. And the third one was labeled, Free Text Scanner app, designed to scan texts and create PDF documents. All these apps subscribed Android users to paid mobile services and could also load and execute arbitrary code.

In addition, our malware analysts have found a new trojan designed to steal Facebook accounts’ logins and passwords. It was spread as an application that protects installed apps from unauthorized access. This trojan was added to the Dr.Web virus base as Android.PWS.Facebook.34.

To protect your Android device from malware and unwanted programs, we recommend installing Dr.Web for Android.

Your Android needs protection.

Use Dr.Web

• The first Russian anti-virus for Android
• Over 140 million downloads—just from Google Play
• Available free of charge for users of Dr.Web home products

Free download

September 8, 2021

Doctor Web presents its August 2021 mobile malware activity review. Last month, our specialists discovered many threats on Google Play. Trojans that download fraudulent sites, malware that subscribes victims to paid mobile services, and the trojan designed to steal logins and passwords of Facebook accounts were among them. At the same time, the most active threats on protected Android devices were again adware trojans and malware that download other software. Read more about these and other events in our August review.

Go to the review

September 8, 2021

Doctor Web presents its August 2021 virus activity review. The total number of unique detected threats increased compared to July. According to statistics, adware and unwanted programs continue to be popular threats. Malicious files and backdoors were most often distributed in email traffic. User requests to decrypt files affected by encoders increased by almost 4.2% compared to July. Read more about these and other events in our August virus review.

Go to the review

September 6, 2021

Russian anti-virus company Doctor Web continues to improve its anti-virus software and reports that a number of software components have been updated in Dr.Web Security Space 12.0, Dr.Web Anti-virus 12.0, Dr.Web Anti-virus 12.0 for Windows Servers, Dr.Web Enterprise Security Suite 12.0 and Dr.Web AV-Desk 13.0.The changes introduced improve the reliability of the applications, deliver feature upgrades and resolve known software issues.

Specifically, improvements have been made to the Dr.Web Updater module (12.0.34.08300) to improve application security.

Furthermore, the module has had the following software issues resolved:

• A defect preventing Dr.Web AV-Desk Agent 10.1 from upgrading to version 13 on PCs whose operating systems do not support SHA-256;
• An issue disrupting Dr.Web Control Service’s operation during system shutdowns while the updating module was still running;
• An issue preventing Dr.Web from receiving updates over the anti-virus network if a computer’s name contained ideograms;

Adjustments have also been made to logging routines for the configuration script Lua-script for spider-agent (12.10.0.07300).

The update delivers minor tweaks and upgrades and will be downloaded and installed automatically.

September 6, 2021

Russian anti-virus company Doctor Web has updated the drweb-openssl (11.1.6-2108241855) and drweb-openssl-libs1.1 (11.1.6-2108241855) modules in Dr.Web Anti-virus 11.1 for Linux, Dr.Web Anti-virus 11.1 for Unix Mail Servers, Dr.Web Anti-virus 11.1 for Unix Server, and Dr.Web Anti-virus 11.1 for Internet gateways Unix.

This release updates the OpenSSL library to the latest version (1.1.11) to further improve the security of Dr.Web products for Unix-like systems.

The update is performed via the Dr.Web repository.

Dr.Web solutions for Unix-like systems enjoy widespread popularity among business customers and regularly have their features upgraded. These products boast support for a wide range of operating systems and platforms, including ARM64, and can be used to maintain anti-virus protection in infrastructures with the highest security standards.

September 2, 2021

Russian anti-virus company Doctor Web has updated Dr.Web Anti-rootkit API (12.6.9.202108300) in Dr.Web Security Space 12.0, Dr.Web Anti-virus 12.0, Dr.Web Anti-virus 12.0 for Windows Servers, Dr.Web Enterprise Security Suite 12.0 and Dr.Web AV-Desk 13.0.

The module has been upgraded to enhance the preventive protection routines.

The update delivers minor tweaks and upgrades and will be downloaded and installed automatically.

August 30, 2021

Doctor Web has once again improved one of its most popular solutions—Dr.Web CureIt! The utility now detects malicious objects even more efficiently and, in general, works faster.

The updated modules include Dr.Web Anti-rootkit API (12.6.8.202108050) and Dr.Web Protection for Windows (12.06.03.08040).

The applied changes have improved the virus detection mechanism and optimised anti-rootkit module routines.

The documentation in English has been updated too.

Download Dr.Web CureIt!

August 26, 2021

Russian anti-virus company Doctor Web announces the newest improvements made to its products Dr.Web Security Space 12.0, Dr.Web Anti-virus 12.0, Dr.Web 12.0 for Windows Servers, Dr.Web Enterprise Security Suite 12.0 and Dr.Web AV-Desk 13.0. The changes introduced resolve known issues and add new features that enhance product usability.

SpIDer Agent for Windows (12.10.10.08090) has been updated in all the above-listed products. A folder named Dr.Web Update Mirror has been created to improve usability and to keep user files safe when a new update mirror is created.

In addition, the agent has had the following defects corrected:

• a problem causing the time to be displayed incorrectly in the Firewall packet filter’s log has been eliminated;
• also resolved was an error causing the focus to be set incorrectly on menu items;
• changes have been made to ensure error-free interaction with screen readers (the corresponding changes have been made to product Russian language support);
• other minor improvements have been made.

In addition, Dr.Web Control Service (12.11.2.08090) has been updated in all the above-listed products: here, along with internal changes, an error has been fixed that prevented the service from starting when a PC’s system time was changed at startup.

The Dr.Web ES Service (12.11.2.08041) module has been improved in Dr.Web Enterprise Security Suite 12.0 and Dr.Web AV-Desk 13.0: it now has a new command-line option—"--change-loglevel", which allows the logging level of Dr.Web ES Service and DwService to be increased.

Also, Dr.Web Agent for Windows setup AVD (13.0.6.08060), which is incorporated into Dr.Web AV-Desk 13.0, has been updated—the update delivers minor improvements and fixes an error that caused protection components operating in standard mode to be displayed as inactive.

The update will be downloaded and installed automatically.

August 26, 2021

Russian anti-virus company Doctor Web continues to improve its anti-virus products and is pleased to announce the update of certain components incorporated into Dr.Web 11.1 for UNIX. The changes introduced make administration easier, save system resources and resolve known issues.

Changes made to Dr.Web Anti-virus 11.1 for UNIX Mail Servers, Dr.Web Anti-virus 11.1 for Linux, Dr.Web Anti-virus 11.1 for UNIX Server and Dr.Web Anti-virus 11.1 for Internet gateways UNIX:

• the drweb-configd (11.1.14-2108031732) component has been improved: for easy administration, it now incorporates comments in the converted lua-hook in the form of a used rule set, and it now has the option to set the FixedSocketPath and the FixedSocket parameters separately for the drweb-netcheck and drweb-antispam components;
  In addition, the log now has a description of a new error that occurs when the wrong license is used for the drweb-smbspider and drweb-nss components;
• the drweb-esagent (11.1.12-2108021911) component has been updated: a number of internal changes were made to it;
• the drweb-filecheck (11.1.8-2107281923) component enjoys improved optimisation—the update has accelerated the scanning process;
• the drweb-netcheck (11.1.5-2107281923) component now incorporates the option to get the hash sums of detected files in a report at the administrator's request—provided the "threat_hash" parameter is specified as "true". This change allows system resources to be used more sparingly;
• an issue with the drweb-repo (11.1.4-2107231418) component has been fixed; previously the repository was added incorrectly after a run package was installed on PCs running Alt9 OS on the ARM64 platform;
• a number of internal changes have been made to the drweb-ctl (11.1.10-2108031732) and drweb-libs (11.1.5-2106081936) components. For the Elbrus architecture, the following component versions have been added—drweb-libs (11.1.6-2106081936) and drweb-libs32 (11.1.6-2106081936).
  Changes made to Dr.Web 11.1 for UNIX Mail Servers, Dr.Web 11.1 for UNIX Server, and Dr.Web Anti-virus 11.1 for Internet gateways UNIX:
• a new API scanning feature has been added to the drweb-httpd (11.1.7-2107281923) and drweb-httpd-bin (11.1.7-2107281923) components; a defect causing the drweb-httpd component to terminate abnormally has been fixed; the update also delivers other improvements.

Changes made to Dr.Web Anti-virus 11.1 for Linux:

• the built-in Russian and English Help texts in the drweb-gui (11.1.9-2108131146) component have been updated;
• also fixed was an error that occurred in the drweb-session (11.1.8-2107271934) component on PCs running Astra Linux 1.7 and that was related to the confidentiality and integrity level not being displayed for users in the Dr.Web Enterprise Security Suite Control Center when a threat was detected;
• in drweb-uninst (11.1.3-2108061159), an error that led to a currently uninstalled component not being displayed during product uninstallation has been fixed.

Changes made to Dr.Web 11.1 for Internet gateways UNIX:

• in accordance with user wishes, the option to obtain anti-virus kernel and database information using the OPTIONS request has been added.

In addition to the changes mentioned above, internal changes have affected the following components:

• drweb-cgp-plugin (11.1.3-2108131051) in Dr.Web Anti-virus 11.1 for UNIX Mail Servers;
• drweb-file-servers (11.1.3-2108061003), drweb-luaposix (11.1.2-2106291833), drweb-luaposix (11.1.3-2106291833 - for Elbrus) and drweb-nss (11.1.2-2107281849) in Dr.Web Anti-virus 11.1 for UNIX Servers;
• drweb-gated (11.1.7-2107271629) in Dr.Web Anti-virus 11.1 for UNIX Mail Servers, Dr.Web Anti-virus 11.1 for Linux and Dr.Web Anti-virus 11.1 for Internet-gateways UNIX;
• drweb-maild (11.1.12-2108031732) in Dr.Web Anti-virus 11.1 for UNIX mail servers and in Dr.Web Anti-virus 11.1 for Linux.

The update is performed via the Dr.Web repository.

August 25, 2021

Russian anti-virus company Doctor Web continues to improve its anti-virus products and is pleased to announce the update of certain modules incorporated into Dr.Web Security Space 12.0, Dr.Web Anti-virus 12.0, Dr.Web 12.0 for Windows Servers, Dr.Web Enterprise Security Suite 12.0 and Dr.Web AV-Desk 13.0. The applied changes have significantly increased the level of product security.

Important changes have been made to Dr.Web Anti-rootkit API (12.6.8.202108050): a new mechanism has been introduced that protects all Dr.Web products from being compromised and having vulnerabilities exploited. In addition, the update has enhanced the preventive protection against Internet threats and has improved the virus detection mechanism. At the same time, the optimisation of Dr.Web Anti-rootkit API has been improved.

Dr.Web Protection for Windows (12.06.03.08040) has also been improved—it now more effectively resists attempts to leverage the recently revealed critical Windows vulnerability PrintNightmare, about which we reported in our recent news post.

A number of changes have been made to Dr.Web Scanner SE (12.10.6.06290). The update has corrected an error that occurred if the MS Groove collaboration solution was installed in MS Office 2007 when the Scanner was launched. Also corrected was a UI-related issue that could cause a loss of scanner control with the help of a mouse. In general, the service’s level of security has been enhanced.

These changes affect all of the above-listed products.

In addition, several more fixes have been made. An error that occurred in Dr.Web device Guard for Windows (12.6.2.08120) when working with flash drives on Windows 7 computers. This module has been updated in Dr.Web Security Space 12.0, Dr.Web 12.0 for Windows Servers, Dr.Web Enterprise Security Suite 12.0 and Dr.Web AV-Desk 13.0. Lua-script for win-avd-agent-setup (12.10.0.08180) has been updated in Dr.Web AV-Desk 13.0—this was done to correct an error that caused the Dr.Web Cloud service to turn off in its own.

The update will be performed automatically; however, a system reboot will be required.

August 25, 2021

Russian anti-virus company Doctor Web is offering users its updated DrWebBot for VK and Telegram. Recall that our bots are able to check links and files in user messages, which makes online communication more secure. With this update, Internet surfing has become even more comfortable. The key component DrWebBotChecker, which is responsible for object scanning, has been improved in both bots.

In addition, the following changes have been made to each of the products.

Changes made to Dr.Web for VK:

• an issue that caused messages containing a space at the beginning or end of a message to be regarded as a mention of the bot has been resolved;
• an issue that caused the bot not to recognise links written in Cyrillic characters has been fixed;
• other minor changes and improvements have been made.

To get started with DrWebBot for VK, follow this link. To configure the bot, enter the command: /settings. Here, you can select the language for communicating with the bot and the type of notifications you want to receive about the performed check.

Changes made to Dr.Web for Telegram:

• now, when users send multiple links in one message, scanning results will also be returned in one message;
• the update also delivers minor routine tweaks.

To use the bot, find the Telegram account @DrWebBot (or go to telegram.me/drwebbot) and send it a file or a link. The bot will instantly check it for viruses and report on the results.

August 23, 2021

For the last week of summer, Doctor Web has decided to delight its users with a large discount on Dr.Web anti-virus protection—instantly for multiple devices. From August 23 till August 31, customers get a discount of up to 40% off when they purchase Dr.Web Security Space (PC protection) to protect 3 computers for 2 years.

During the promotional period, the cost of the protection provided by the comprehensive Russian anti-virus Dr.Web will be 54.24 € (VAT included) instead of the usual 86.24 €.

Thus, together with 32 € savings, users will get the complete array of components needed to protect all of a family’s devices—this includes Dr.Web Parental Control, which watches over the smallest of Internet surfers. And it’s not only the 3 computers that will be staunchly protected from all Internet threats—3 Android devices will be too. And 2 of the 3 PCs and all the mobile gadgets will be protected free of charge. And if you take advantage of this special offer in order to renew your current Dr.Web license (one that is valid for at least 3 months), you will also be gifted 150 days of protection for free.

So while summer is coming to an end, the benefits of Dr.Web’s protection are beginning—don’t miss out on them!

Our promotional Dr.Web Security Space can only be purchased on a special page of our website. To get your discount, click on this button:

Buy Dr.Web at a discount

August 11, 2021

In July, Doctor Web’s malware analysts discovered various threats on Google Play. Trojans from the Android.Joker family subscribing victims to premium mobile services, as well as a phony application from the Android.FakeApp trojan family that offered Russian users to receive government financial support and lured them to fraudulent sites were among them.

Our specialists also discovered a new family of Android banking trojans dubbed Android.BankBot.Coper.

Adware trojans and malware capable of executing arbitrary code and downloading other software were among the most common threats detected on protected Android devices.

Mobile threat of the month

Last month, Doctor Web’s malware analysts discovered a new family of Android banking trojans dubbed Android.BankBot.Coper. Initially, these malicious applications attacked Colombian users. Later, however, our specialists uncovered modifications targeting European Android users.

These banking trojans have a modular architecture and a number of protective mechanisms allowing them to operate more successfully. Upon receiving the malware authors’ commands, the trojans are able to intercept and send SMS, control push notifications, display phishing windows, and even hijack information entered on the keyboard.

More information on this malware family can be found in this news release.

According to statistics collected by Dr.Web for Android

Android.HiddenAds.1994

Android.HiddenAds.615.origin

Trojans designed to display obnoxious ads. They are distributed as harmless applications and, in some cases, are installed in the system directory by other malware.

Android.RemoteCode.284.origin

Android.RemoteCode.6122

Malicious applications that download and execute arbitrary code. Depending on their modification, they can load various websites, open web links, click on advertising banners, subscribe users to premium services, and perform other actions.

Android.Triada.510.origin

A multifunctional trojan performing various malicious actions. This malware belongs to the trojan family that infects other app processes. Some modifications of this family were found in the firmware of Android devices, which attackers implanted during manufacturing. Some of them can also exploit various vulnerabilities to gain access to protected system files and folders.

Program.FakeAntiVirus.1

The detection name for adware programs that imitate anti-virus software. These apps inform users of non-existing threats, mislead them, and demand they purchase the full version of the software.

Program.WapSniff.1.origin

An Android program designed to intercept messages from WhatsApp.

Program.KeyStroke.1.origin

An Android application capable of intercepting keystrokes. Some modifications of this software can also track incoming SMS, control calls history, and record phone calls.

Program.FreeAndroidSpy.1.origin

An application that spies on Android users and can be used for cyber espionage. It controls the location of the device, gains access to a phone book and user contact list, and can also copy multimedia files, such as photos and videos.

Program.CreditSpy.2

The detection name for programs designed to assign credit ratings to users based on their personal data. These applications upload SMS, contact information from phonebooks, call history, and other information to the remote server.

Tool.SilentInstaller.6.origin

Tool.SilentInstaller.7.origin

Tool.SilentInstaller.13.origin

Tool.SilentInstaller.14.origin

Riskware platforms that allow applications to launch APK files without installation. They create a virtual runtime environment that does not affect the main operating system.

Tool.Packer.1.origin

The detection name for applications protected by the Obfuscapk obfuscation tool. This tool is used to automatically modify and scramble Android apps’ source code to make reverse engineering more difficult. Cybercriminals use the tool to protect malicious applications from being detected by anti-virus programs.

Program modules incorporated into Android applications and designed to display obnoxious ads on Android devices. Depending on their family and modifications, they can display full screen ads and block other apps’ windows, show various notifications, create shortcuts, and load websites.

Adware.SspSdk.1.origin

Adware.AdPush.36.origin

Adware.Adpush.6547

Adware.Myteam.2.origin

Adware.Dowgin.5.origin

Threats on Google Play

In July, Doctor Web’s malware analysts uncovered other threats on Google Play. New trojans from the Android.Joker family that were added to Dr.Web virus database as Android.Joker.803, Android.Joker.837, and Android.Joker.846 were among them. They were hidden in seemingly harmless apps such as Background Changer image editor, Sweet Emoji SMS messenger, and Flashlight LED Pro flashlight software. The trojans did work as users expected, but also covertly subscribed victims to premium mobile services and were able to execute arbitrary code.

Additionally, a new modification of the Android.FakeApp.299 fraudulent app was found. It was spread among Russian-speaking users as a software helping them receive financial support such as allowances and social compensation from the government. The real functionality, however, was to load fraudulent websites that scammers used to steal confidential information and money from Android users.

To protect your Android device from malware and unwanted programs, we recommend installing Dr.Web for Android.

Your Android needs protection.

Use Dr.Web

• The first Russian anti-virus for Android
• Over 140 million downloads—just from Google Play
• Available free of charge for users of Dr.Web home products

Free download

August 11, 2021

The July analysis of Dr. Web’s statistics revealed a 3.44% increase in the total number of threats compared to the previous month. The number of unique threats decreased by 9.5%. Adware still made up the majority of detected threats. A variety of malware, including backdoors, were the most frequently detected threats in email traffic.

In July, the number of user requests to decrypt files affected by encoders increased by 35.2% compared with June. Trojan.Encoder.26996 was the most active, accounting for almost half of all incidents.

According to Doctor Web’s statistics service

The most common threats in July:

Adware.SweetLabs.5

An alternative app store and add-on for Windows GUI from the creators of Adware.Opencandy.

Adware.Elemental.17

Adware that spreads through file sharing services as a result of link spoofing. Instead of normal files, victims receive applications that display advertisements and install unwanted software.

Adware.Downware.19856

Adware that often serves as an intermediary installer of pirate software.

Trojan.MulDrop16.4830

A malicious program that downloads unwanted applications to a victim's computer.

Trojan.AutoIt.289

A malicious utility program written in the AutoIt language and is distributed as part of a miner or RAT trojan. It performs various malicious actions that make it difficult to detect the main payload.

Statistics for malware discovered in email traffic

W97M.DownLoader.2938

A family of downloader trojans that exploits vulnerabilities in Microsoft Office documents and are designed to download other malicious programs onto compromised computers. It is designed to download other malware onto a compromised computer.

BackDoor.SpyBotNET.25

A backdoor written in .NET and designed to operate with a file system (to copy, create, delete, etc. catalogs), terminate processes, and take screenshots.

HTML.FishForm.123

The web page spread via phishing emails. It is a bogus authorization page that mimics well-known websites. The credentials a user enters on the page are sent to the attacker.

BackDoor.RatNet.2

A backdoor that reads passwords stored in the browser.

Trojan.MulDrop17.58659

A malicious program that downloads unwanted applications to a victim's computer.

Encryption ransomware

User requests to decrypt files affected by encoders increased by almost 35.2% compared to June.

• Trojan.Encoder.26996 — 47.8%
• Trojan.Encoder.567 — 10.44%
• Trojan.Encoder.11539 — 1.10%
• Trojan.Encoder.858 — 0.82%
• Trojan.Encoder.11464 — 0.82%

Dangerous websites

In July 2021, Doctor Web analysts’ attention was drawn to increased incidents of distribution threatening SMS. In our latest virus review, we wrote about user offers to buy fake certificates or QR codes, but the criminals have taken things further - for 50,000 rubles, they now offer users the opportunity to cover up any traces of their having bought the fake products.

The screenshot shows an example of a threatening SMS that contains a proposition to send money to the cybercriminals card. However, there is no information about the possible consequences should the recipient of the chain letter not follow the attacker’s instruction.

Malicious and unwanted programs for mobile devices

In July, Doctor Web analysts discovered a new family of banking trojans for the Android OS, named Coper. These malicious applications have a modular architecture and a number of defense mechanisms. The trojans are able to intercept and send SMS, control notifications, display phishing windows over launched programs, track information entered on the keyboard, and perform other malicious actions.

There was also the emergence of new malware in the Google Play catalog. Among the malware were trojans from the Android.Joker,family, which subscribe victims to paid services, and a malicious program from the Android.FakeApp family. You remember this program as the application that downloaded fraudulent sites where potential victims were asked to receive "payments" from the state.

Among the recorded threats, the most active were again adware trojans and trojans that execute arbitrary code and download other software.

The following July events related to mobile malware were the most noteworthy:

• detection of a new family of banking trojans for Android OS
• the detection of threats on Google Play
• adware activity and trojans capable of downloading and executing arbitrary code

Find out more about malicious and unwanted programs for mobile devices in our special overview.

August 11, 2021

Doctor Web presents its July 2021 virus activity review. The total number of unique detected threats decreased compared to June. According to statistics, adware and unwanted programs continue to be popular threats. Malicious files and backdoors were most often distributed in email traffic. User requests to decrypt files affected by encoders increased by almost 35.2% compared to June. Read more about these and other events in our July virus review.

Go to the review

August 11, 2021

Doctor Web presents its July 2021 mobile malware activity overview. Last month, our malware analysts discovered a new family of Android banking trojans. In addition, malicious apps were uncovered on Google Play. Meanwhile, adware trojans and trojans capable of executing arbitrary code and downloading other software were among the most active threats detected on protected Android devices. Read more about these and other events in our July review.

Go to the review

August 5, 2021

Russian anti-virus company Doctor Web has updated version 12 of its Dr.Web plugin for Microsoft Exchange, which protects corporate networks and the information within them from threats carried by email messages. This update delivers upgrades requested by users and brings the product’s documentation up to date.

Specifically, irrelevant Spam Details information no longer appears in the Dr.Web CMS console’s logs.

Furthermore, additional information has been added to the administrator guide’s Anti-spam section. The guide now also notifies users that an OS update providing SHA-256 support must be installed in the system.

Note that in order for the Dr.Web software to operate correctly under Windows Server 2008 or Windows Server 2008 R2, Microsoft security updates providing SHA-256 support must be installed in these systems. For additional information, please refer to this guide.

You can download the updated distribution file from Doctor Web's site..

August 5, 2021

Russian anti-virus company Doctor Web is pleased to present DrWebBot for VK 1.0—an innovative tool for safer interaction in the social media network VKontakte. Similarly to Dr.Web for Telegram, this bot scans links and files in social media posts, comments and messages.

Users can interact with the bot either by forwarding their links and files to the bot with their personal messages or adding the bot to their conversations. If the second option is selected, the bot will examine the content in real time. Please note that the bot will require administrator permissions in your conversation in order to scan links.

Documents (archives, text files, ebooks, etc.), as well as links and attachments in comments and posts (documents, wiki pages and notes), are examined. Because on VKontakte all uploaded images are compressed to the JPEG format and no original images are saved, the images aren't scanned by the bot. The maximum allowed file size for scanning is 200 MB.

The bot makes use of Dr.Web Cloud and the virus databases to detect and neutralise brand-new threats that may lurk in social media messages.

You can configure the bot to report on the results of each scan or instruct it to only alert you when an actual threat is detected.

To start using DrWebBot for VK, open this link. To configure the bot, use the ‘/settings’ command. Here you can also select the language for interacting with the bot and how the bot will notify you about scan results.

Please note that currently the bot can only communicate with users in two languages: English and Russian.

July 26, 2021

Russian anti-virus company Doctor Web has released a hotfix for the configuration script Lua-script for av-engine (12.10.2.07230) in Dr.Web Security Space 12.0, Dr.Web Anti-virus 12.0, Dr.Web Anti-virus 12.0 for Windows Servers and Dr.Web AV-Desk 13.0.

Adjustments have been made to the script to avoid possible issues involving synchronisation failures occurring while Dr.Web AV-Desk anti-virus software was being updated on protected hosts.

The update will be performed automatically. No system reboot will be required.