Doctor Web’s March 2019 virus activity review

April 3, 2019

In March, Doctor Web’s analysts finished studying the trojan that threatened Counter-Strike 1.6 players. The principal threats identified in March also shifted relative to the previous month. For example, the activity of Trojan.MulDrop8.60634 has decreased threefold since February, while the number of threats like Trojan.Packed.24060 and Adware.OpenCandy.243 increased in March. Additionally, the number of domain names added to Dr.Web’s database of non-recommended and dangerous websites has decreased. Doctor Web has also received more data decryption requests from ransomware victims.

Principal trends in March

  • The rise of malicious browser extensions
  • A spike in adware activity and unwanted programs
  • An increase in the number of applications submitted by ransomware victims

Threat of the month

In March Doctor Web’s analysts published a thorough study of the Belonard trojan, which exploits zero-day vulnerabilities in the Counter-Strike 1.6 Steam client. Once on the victim’s computer, the trojan replaces the client files and creates proxies to infect other users. The number of malicious CS 1.6 servers created by the Belonard trojan rose to 39% of all official servers registered on Steam. Now all modules of the Belonard Trojan have been successfully detected by Dr.Web’s products and no longer pose a threat to our customers.

More about this Trojan

According to Doctor Web’s statistics servers

According to Dr.Web Anti-virus statistics

Threats of the month:

Trojan.Packed.24060
This program installs malicious browser extensions that redirect search results to different websites.
Adware.Softobase.12
Installation adware that spreads outdated software and changes the browser’s settings.
Adware.OpenCandy.243
A family of applications designed to install other software in the system. These programs are used by developers of free software in order to monetize their apps.
Adware.Ubar.13
A torrent client designed to install unwanted programs on a user’s device.
Trojan.Starter.7394
A trojan designed to launch other malicious software on a victim’s device.

Threats whose activity decreased:

Trojan.MulDrop8.60634
Installs malware in a system. All the components necessary for installation are usually stored inside the MulDrop itself.
Adware.Downware.19283
The sort of adware that is usually distributed as an installer for pirated software. Upon installation, it changes a browser’s settings and may install other software without asking for the user’s permission.

Statistics for malware discovered in email traffic

Exploit.ShellCode.69
A malicious Microsoft Office Word document that exploits the CVE-2017-11882 vulnerability.
W97M.DownLoader.2938
A family of downloader Trojans that exploit vulnerabilities in office applications. Designed to download other malware onto a compromised computer.
Exploit.Rtf.CVE2012-0158
A modified Microsoft Office document. It exploits the CVE-2012-0158 vulnerability in order to run malicious code.
Trojan.SpyBot.699
A multi-module banking trojan. It allows cybercriminals to download and launch various applications on an infected device and to execute their commands. The trojan is intended to steal money from bank accounts.
JS.DownLoader.1225
A variety of malicious code written in JavaScript and designed to download and install other malware on a computer.
Trojan.PWS.Stealer.23680
A family of Trojans designed to steal passwords and other confidential information stored on an infected computer.

Encryption ransomware

In March, Doctor Web’s technical support was most often contacted by victims of the following encryption ransomware:

Dangerous websites

During March 2019, Doctor Web added 270,227 URLs to the Dr.Web database of non-recommended sites.

February 2019 | March 2019 | Dynamics
+ 288 159 | + 270 227 | - 6.63%

Malicious and unwanted programs for mobile devices

In the past month Doctor Web specialists found many new malicious programs on Google Play. Among them was the infamous family of Android.FakeApp trojans that are distributed as programs for making money online. These trojans open websites that invite users to complete surveys for sponsored companies in exchange for some monetary prize. In order to receive the promised reward, a user must pay commission fees or complete a test transaction to confirm their identity. If they agree, the money gets lost and no reward is granted.

Beyond that, more trojans of the Android.HiddenAds family were discovered last month. Those trojans constantly show annoying ads on top of other program windows and the system’s interface, which makes it difficult to use the infected Android device.

Additionally, hackers continued to spread banking trojans. Doctor Web reported on one such trojan at the end of March. The malicious software, known as Flexnet, steals money from bank accounts and mobile phone balances.

At the end of the month, Doctor Web’s researchers disclosed details about a vulnerability in the popular Android browser UC Browser, which was able to download plug-ins, bypassing the Google Play servers. This vulnerability could have been exploited by hackers in order to spread malware.

Among the most noticeable events related to mobile malware in March:

Find out more about malicious and unwanted programs for mobile devices in our special overview.