My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets


January 2015 virus activity review from Doctor Web

April 2, 2015

The first spring month of 2015 was marked by the emergence of new malware for various platforms. Some Windows machines were compromised by the multi-purpose backdoor that entered the Dr.Web virus database under the name BackDoor.Yebot. Encryption ransomware programs demanding a ransom for the decryption of compromised files continued to spread—for example, a spam mailing distributing Trojan.Encoder.514 was registered by security researchers in March. Neither did criminals lose their interest in Android, unleashing a number of new malicious programs for this platform over the course of the past month.


  • Mass spam mailings spreading encryption ransomware.
  • New malicious programs for Android.

Threat of the month

In March 2015, Doctor Web security researchers completed their examination of the multi-purpose spying program BackDoor.Yebot. Another malicious program, dubbed Trojan.Siggen6.31836 by Dr.Web, facilitates the backdoor's distribution. BackDoor.Yebot' possesses the ability to:

For more information about this malware, and its distribution and operation, please refer to the review published on Doctor Web's site.

Encryption ransomware

March also witnessed the intensified activity of criminals who spread encryption ransomware with spam. For example, virus makers carried out mass mailings of new incoming fax messages bearing the headline "Incoming Fax Report". Disguised as a fax message, the attached ZIP archive contains a malicious SCR file detected by Dr.Web as Trojan.DownLoader11.32458.


If an attempt is made to open the attachment, the malicious program Trojan.DownLoader11.32458 extracts and launches the encryption ransomware Trojan.Encoder.514 on the target machine. The ransomware then encrypts data stored on the disk and demands a ransom for its recovery. More information about this incident can be found in a review published by Doctor Web.

The most common ransomware programs in March 2015:

February 2015March 2015Growth
1,8402,361+ 28.31%

The most common ransomware programs in March 2015:

Dr.Web Security Space 10.0 for Windows
protects against encryption ransomware

This feature is not available in Dr.Web Anti-virus for Windows

Preventive protection Data Loss Prevention
Preventive protection Data Loss Prevention

More information Watch the video tutorial

According to statistics gathered by Dr.Web CureIt!


According to Doctor Web's statistics servers


Statistics concerning malicious programs discovered in email traffic



Doctor Web's security researchers continue to monitor the botnet created by criminals using the file infector Win32.Rmnet.12. The average daily activity of the botnet's two subnets is shown in the following graphs:



Rmnet is a family of viruses spread without any user intervention. They can embed content into loaded webpages (this theoretically allows cybercriminals to get access to the victim's bank account information) as well as steal cookies and passwords stored by popular FTP clients and execute other commands issued by cybercriminals.

Also operational was the botnet consisting of machines compromised by the file infector Win32.Sector. This malicious program performs the following tasks in an infected system:

The average daily activity of this botnet in March 2015 is illustrated in the graph below:


Meanwhile, Doctor Web security researchers continue to monitor the BackDoor.Flashback.39 botnet:


The malicious program Linux.BackDoor.Gates.5 continued to carry out DDoS attacks on various websites. In March 2015 Doctor Web security researchers registered 2,236 IP addresses on which attacks were mounted—nearly twice as many compared with the previous month. As before, most targets of the attacks were located in China; the United States ranked second:


Fraudulent and non-recommended sites

Parental Control, which is available in Dr.Web Security Space 10.0, can provide protection from various Internet scams. The Parental Control component lets you limit access to websites related to a certain topic and filter suspicious content. In addition, using its database of non-recommended URLs, the component can shield users from fraudulent sites, potentially dangerous and shocking content, and from sites known to distribute malware.

During March 2015, Doctor Web added 74,108 URLs into the Dr.Web database of non-recommended sites.

February 2015March 2015Movement
22,03374,108+ 236.35%
Learn more about Dr. Web non-recommended sites

Malicious and unwanted software for Android

March proved to be a turbulent month for Android devices: Criminals were relentless in their attacks, employing both known and new malicious programs. The most common Trojans for Android in March:

For more information about malicious programs for Android, please refer to our corresponding review.

Find out more with Dr.Web

Virus statistics Virus encyclopedia All virus reviews Laboratory-live