Warning: Malicious emails claiming to be from Doctor Web


September 29, 2015

Virus makers often use names of well-known anti-virus companies to gain their victims' trust and make them install some malicious program on their computers. At the end of September, cybercriminals employed this method to distribute a dangerous Trojan designed to steal passwords.

Recently, some Internet users have received email messages claiming to be from Doctor Web. The messages, which carry the header “Hello [user name], we would like to invite you to become our Tester” (“Здравствуйте, [имя пользователя], станьте нашим Тестером”), invite users to take part in testing a tool called “Dr.Web CureIt 2”. The cybercriminals also prompt the user to turn off their anti-virus software, on the pretext that it can be incompatible with the “tool”.


One known case of this malicious mailing was registered on September 29, 2015, at 04:10 (Moscow time). The link from the message leads to a fraudulent website from which a Trojan, dubbed Trojan.PWS.Stealer.13052, gets downloaded to the victim's computer.


This malicious program is designed to steal passwords and other confidential information stored on the compromised computer. Doctor Web would like to inform users that we are not conducting any tests of “Dr.Web CureIt 2”. Moreover, we strongly advise against installing and running any applications downloaded via links in such email messages.

The signature of Trojan.PWS.Stealer.13052 has been added to the Dr.Web virus databases, and the fraudulent website has been added to the database of non-recommended websites. Do not, under any circumstances, disable your anti-virus software.
