Doctor Web’s February 2019 virus activity review

March 1, 2019

In February Dr.Web’s statistics showed a 9.73% decrease in the number of unique threats compared to January. Malware activity this month barely topped the numbers of December 2018, but for some threats there are clear dynamics. For example, the activity of the JS.Miner.28 which had been increasing in January, continued to grow and finally outperformed its competitor - JS.Miner.11. At the same time, Trojan.Starter.7394 grew by 14.29% compared to January, when Trojan.DownLoader26.28109 on the other hand, had a three-fold decrease in the number of detected threats. Additionally, the amount of URLs added to Dr.Web’s database of non-recommended and dangerous websites decreased by 1.68%. And the technical support statistics registered a decrease in the number of applications submitted by the ransomware victims.

According to Doctor Web’s statistics servers

Threat of the month:

Adware.Softobase.12

Installation adware that spreads outdated software and changes the browser’s settings. Installation adware that spreads outdated software and changes the browser’s settings.

Adware.Ubar.13

A torrent client designed to install unwanted programs on a user’s device.

Trojan.Starter.7394

Trojan designed for launching other malicious software on a victim’s device.

Adware.Downware.19283

The sort of adware that is usually distributed as an installer for pirated software. Upon installation, it changes a browser’s settings and may install other software without asking for the user’s permission. The sort of adware that is usually distributed as an installer for pirated software. Upon installation, it changes a browser’s settings and may install other software without asking for the user’s permission.

Trojan.MulDrop8.60634

Install—install the Trojan Installs malware in a system. All the components necessary for installation are usually stored inside the MulDrop itself.

Decreased amount of threats from:

Trojan.Encoder.11432

Infamous ransomware also known as WannaCry. Blocks access to users’ data by encrypting it and demanding payment for decrypting the data.

Trojan.DownLoader26.28109

Downloads and runs malicious software without the user’s permission.

Statistics for malware discovered in email traffic

JS.DownLoader.1225

A family of malicious JavaScripts. They download and install malicious software on a computer.

W97M.DownLoader.2938

A family of downloader Trojans that exploit vulnerabilities in office applications. Designed for downloading other malware to a compromised computer.

Exploit.ShellCode.69

Another malicious Microsoft Office Word document. This one uses vulnerability called CVE-2017-11882. Использует vulnerability CVE-2017-11882.

Exploit.Rtf.CVE2012-0158

Modified Microsoft Office document. Exploits CVE2012-0158 vulnerability in order to run malicious code.

JS.Miner.28

JavaScript miner called «CryptoLoot». Its purpose is to mine the Monero cryptocurrency in a browser without asking for the user’s permission. Often used as an alternative to the CoinHive miner.

Trojan.PWS.Stealer.23680

A family of Trojans designed to steal passwords and other confidential information stored on an infected computer.

Encryption ransomware

In February, Doctor Web’s technical support was most often contacted by victims of the following encryption ransomware:

• Trojan.Encoder.858 - 31.39% of requests;
• Trojan.Encoder.18000 - 10.18% of requests;
• Trojan.Encoder.11464 - 4.67% of requests;
• Trojan.Encoder.11539 - 4.67% of requests;
• Trojan.Encoder.567 - 2.34% of requests;
• Trojan.Encoder.25814 - 2.34% of requests.

Dangerous websites

During February 2019, 288 159 URLs of non-recommended websites were added to the Dr.Web database.

Malicious and unwanted programs for mobile devices

Last month Dr.Web’s analysts found many malicious and unwanted programs designed for Android OS. The analysts also uncovered an advertising campaign that helped spread trojans of Android.HiddenAds family. Android.HiddenAds. The ads were placed on YouTube and Instagram and invited users to download applications for video and photo editing, which turned out to be carrying malware inside them.

In February our researchers added a few new entries for detecting the Android.FakeApp type of malware. Android.FakeApp. Those trojans opened websites that suggested completing a survey for some substantial reward. In order to receive the promised reward a user had to pay commission fees or complete a test transaction to confirm their identity. If they agreed, the money would be lost and no reward would be granted.

Beyond that, malware developers were spreading a dangerous trojan called Android.RemoteCode.2958, which downloaded other malware by executing remote code. A Android.RemoteCode.2958 that distributes and installs other malicious programs on Android devices. Another malware found by our analytics - Android.Proxy.4, it was used for creating proxy servers on a compromised device. And Doctor Web’s virus database got updated with new entries of adware families called Adware.Sharf.2 and Adware.Patacore.

The most noticeable February event related to mobile malware:

• The spreading of malicious programs on Google Play.

Find out more about malicious and unwanted programs for mobile devices in our special overview.