My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets


Doctor Web’s November 2016 virus activity review

November 30, 2016

November was quite eventful in terms of information security. Doctor Web’s specialists found a botnet targeting Russian banks and a Trojan carrying out targeted attacks on companies producing construction cranes. In addition, more than one million users downloaded a malware program embedded in a Google Play application.


  • The emergence of a botnet attacking Russian banks
  • A targeted attack on companies producing construction cranes
  • The detection of an Android Trojan on Google Play

Threat of the month

Malicious programs for specialty or so-called targeted attacks are detected quite rarely. In 2011, Doctor Web published a news article about the Trojan BackDoor.Dande, which was designed to steal information from drugstores and pharmaceutical companies. Four years later, Doctor Web specialists found BackDoor.Hser.1, which was intended for use against defense companies. Later that month, they discovered a new backdoor—BackDoor.Crane.1— that stole important documentation and internal business correspondence from computers belonging to Russian companies engaged in the production of construction cranes. In addition, these Trojans periodically made screenshots and sent them to the command and control (C&C) server.

Doctor Web’s specialists have surmised that the authors of BackDoor.Crane.1 took part of the code from various sources—in particular, from the website This is evidenced by the “RSDN HTTP Reader” value of the User-Agent parameter used by the Trojan when accessing web resources, and by the invisible window “About the Bot project” which appears to have been overlooked in its resources.

screen BackDoor.Crane.1 #drweb

BackDoor.Crane.1 has several modules. Each of them is responsible for performing one particular function:

In addition, the backdoor can download and run two other Trojans written in Python—Python.BackDoor.Crane.1 and Python.BackDoor.Crane.2. To learn more about these malicious programs, please refer to our previously published review.

According to statistics collected by Dr.Web CureIt!

According to statistics collected by Dr.Web CureIt! #drweb

According to Doctor Web’s statistics servers

According to Doctor Web statistics servers #drweb

Statistics on malicious programs discovered in email traffic

Statistics on malicious programs discovered in email traffic #drweb

According to statistics collected by Dr.Web Bot for Telegram

According to statistics collected by Dr.Web Bot for Telegram #drweb

Encryption ransomware

Encryption ransomware #drweb

In November, cases involving the following ransomware modifications were registered by Doctor Web’s technical support service:

Dr.Web Security Space 11.0 for Windows
protects against encryption ransomware

This feature is not available in Dr.Web Anti-virus for Windows

Data Loss Prevention
Preventive ProtectionData Loss Prevention

Dangerous websites

During November 2016, the URLs of 254,736 non-recommended websites were added to the Dr.Web database.

October 2016November 2016Dynamics

Some web resources are not actually fraudulent; however, they are made to resemble official government websites. They deceive users by implementing methods similar to those used by fraudsters who create phishing webpages. The owners of these sites are commercial organizations that have stooped to engaging in dishonest advertising.

Non-recommended websites


Since the beginning of November, Doctor Web’s specialists have registered 389,285 attacks by Linux Trojans—79,447 of them were performed over the SSH protocol and 309,838 of them over the Telnet protocol. The below diagram shows the proportional relationship between the most frequently detected Linux Trojans:

Linux #drweb

Other threats

In November, Doctor Web’s security researchers discovered a botnet designed to carry out DDoS attacks. Its creators used the Trojan BackDoor.IRC.Medusa.1—a malicious IRC bot. While linked to a particular chat channel, the Trojan received commands over the IRC (Internet Relay Chat) protocol.

screen BackDoor.IRC.Medusa.1 #drweb

BackDoor.IRC.Medusa.1 performs several types of DDoS attacks and, when commanded by cybercriminals, downloads and runs executable files. Doctor Web’s specialists believe that this Trojan was involved in mass attacks on servers belonging to Sberbank of Russia. From November 11 to November 14, 2016, the cybercriminals attacked the following websites multiple times: (Rosbank) and (Eximbank of Russia). For more information about this incident, please refer to our previously published news article.

Malicious and unwanted programs for mobile devices

In November, Doctor Web’s security researchers found Android.MulDrop.924 which was being distributed as a benign Google Play application. The Trojan downloaded malicious programs and displayed annoying advertisements. In total, over one million downloads of this Trojan were registered. Later in the month, Android.Spy.332.origin—a Trojan preinstalled on some popular Android devices—was discovered. That malware program downloaded, installed, and removed applications, and sent private information to a criminal-owned server.

The most notable November events related to mobile malware were as follows:

To learn more about the malicious and unwanted programs targeting mobile devices in November, please refer to our special overview.

Learn more with Dr.Web

Virus statistics Virus descriptions Monthly virus reviews