My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets


Doctor Web’s August 2016 virus activity review

August 31, 2016

The last summer month was quite eventful for Doctor Web’s analysts. At the beginning of August, they detected a Trojan capable of infecting POS (Point-Of-Sale) terminals. Shortly thereafter, they discovered two Linux Trojans written in Go, one of which is capable of creating peer-to-peer (P2P) botnets. Also found during the past month were another Trojan using the TeamViewer program and a Trojan designed to install a fake web browser.


  • New Trojan infecting POS terminals
  • New malicious programs for Windows
  • New Linux Trojans written in Go

Threat of the month

Malware programs that use the TeamViewer program are detected quite frequently by security researchers—one such Trojan was described in a news article published in May 2016. In the past month, its counterpart BackDoor.TeamViewerENT.1, which is also known as Spy-Agent, was examined by Doctor Web. However, unlike its predecessors, this Trojan uses TeamViewer specifically to spy on users.


In addition, this backdoor can download the necessary TeamViewer components from the command and control (C&C) server and execute the following commands:

Doctor Web’s security researchers found that the backdoor was targeting residents of particular countries and regions at different times. For more information about this Trojan, refer to the news article.

According to statistics collected by Dr.Web CureIt!

According to statistics collected by Dr.Web CureIt! #drweb

According to Doctor Web’s statistics servers

According to Doctor Web statistics servers #drweb

Statistics concerning malicious programs discovered in email traffic

Statistics concerning malicious programs discovered in email traffic #drweb

According to statistics collected by Dr.Web Bot for Telegram

In March 2016, Dr.Web Bot for Telegram was released. It checks links and files on the fly and informs users if any threats have been detected. For example, it can warn that a virus is present in an email attachment or warn against visiting a malicious website. Since March, tens of thousands of people have already used the bot. The statistics collected by Doctor Web’s specialists show that the bot is used to detect Trojans not only for Microsoft Windows but also for the Android platform. In addition, in August 2016, 5.9% of users used the EICAR test file to check the bot’s operation. Below is the list of the five Trojans that were most frequently detected by Dr.Web Bot for Telegram in August:

According to statistics collected by Dr.Web Bot for Telegram #drweb

Encryption ransomware

Encryption ransomware #drweb

In August, cases involving the following ransomware modifications were registered by Doctor Web’s technical support service:

Dr.Web Security Space 11.0 for Windows
protects against encryption ransomware

This feature is not available in Dr.Web Anti-virus for Windows.

Data Loss Prevention
Preventive ProtectionData Loss Prevention

Dangerous websites

During August 2016, 245,394 URLs of non-recommended websites were added to Dr.Web database.

July 2016August 2016Dynamics
Non-recommended websites


At the beginning of August, Doctor Web’s analysts found a new Trojan written in the Go language. This Trojan, which was subsequently named Linux.Lady.1, is designed to download and run cryptocurrency mining software on a computer. Once Linux.Lady.1 is launched, it sends the following information to the C&C server: the current Linux version and the name of the operating system family it belongs to, the number of CPUs, the names and number of running processes, and so on. In return, the Trojan gets the configuration file it needs to download and launch a cryptocurrency mining program. The income generated is then transferred to an e-wallet belonging to cybercriminals.


For more information about Linux.Lady.1, please refer to the news article.

Another dangerous Linux Trojan—Linux.Rex.1—was discovered in mid August. Like Linux.Lady.1, it was written in Go, however, it can perform a wider variety of functions. Linux.Rex.1 is mainly designed to create P2P (peer-to-peer) botnets and to attack websites built with popular CMSs. In addition, it can send threatening emails to website owners, carry out DDoS attacks, and steal confidential information such as user lists, private SSH keys, logins, and passwords. When commanded by cybercriminals, the Trojan can also launch various applications.

Other threats

August began with the detection of Trojan.Kasidet.1 which is capable of infecting POS (Point-Of-Sale) terminals. In addition, it can steal passwords for the Outlook, Foxmail, and Thunderbird email applications and can be incorporated into Mozilla Firefox, Google Chrome, Microsoft Internet Explorer, and Maxthon browsers for the purpose of intercepting GET and POST requests. This malware program can also download and run another application or a malicious library on an infected computer, find a particular file on a disk, or generate a list of running processes and transmit it to the C&C server. You can find more information about Trojan.Kasidet.1 in this news article.

At the end of August, Doctor Web specialists discovered Trojan.Mutabaha.1, a Trojan that installs a fake Chrome browser on computers.


Although the browser is known under the name Outfire, the creators of Trojan.Mutabaha.1 distributed 56 similar browsers with different names. Outfire modifies the installed Google Chrome browser by removing or creating new shortcuts and copying current Chrome user account information into the new browser. The fake browser displays a home page that cannot be changed in the browser’s settings. In addition, it has a fixed extension designed to replace advertisements in browsed webpages. For more information about this malware program, refer to the review published by Doctor Web.

Malicious and unwanted programs for mobile devices

In August, Doctor Web’s specialists detected a Trojan for Android that displays advertisements on top of running applications and the operating system interface. The Trojan can also buy software on Google Play and download it onto a device. In addition, bogus Dr.Web for iOS products were found on Apple iTunes in the past month.

Among the most notable August events related to mobile malware, we can mention:

Learn more about malicious and unwanted programs for mobile devices in our special August overview.

Learn more with Dr.Web

Virus statistics Virus descriptions Virus monthly reviews