My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets


Doctor Web’s October 2016 virus activity review

October 27, 2016

In October, Doctor Web’s specialists investigated the first ransomware Trojan written in Go and developed a technique for decrypting files compromised by this Trojan. Soon thereafter, they discovered a backdoor for Linux that was capable of executing commands received from cybercriminals. In addition, Trojans for Android devices continued to spread all month long.


  • The emergence of a ransomware Trojan written in Go
  • New malicious programs for Linux
  • New malicious programs for Android

Threat of the month

Ransomware Trojans are rightfully considered the most dangerous malicious programs. New versions of these programs appear on a monthly basis; however, until recently Doctor Web’s specialists had never encountered ransomware programs written in Go. The first Trojan of this kind, named Trojan.Encoder.6491, was added to the Dr.Web virus databases in October.

The Trojan uses the AES algorithm to encrypt 140 different types of files. Trojan.Encoder.6491 encrypts original file names with the Base64 method and appends the .enc extension to the files it compromises. For example, the file name Test_file.avi is changed to VGVzdF9maWxlLmF2aQ==.enc. Then, in a browser window, the Trojan opens the file Instructions.html, which orders the user to pay a ransom in Bitcoin cryptocurrency:

Trojan.Encoder.6491 #drweb

Trojan.Encoder.6491 regularly checks the Bitcoin wallet to which the victim is to transfer the ransom amount. Once payment is made, the Trojan uses an internal function to automatically decrypt the files. Doctor Web’s security researchers have developed a new technique that can help decrypt files compromised by this malware. You can read about this technique in the news article published by Doctor Web.

According to statistics collected by Dr.Web CureIt!

According to statistics collected by Dr.Web CureIt! 10.2016 #drweb

According to Doctor Web’s statistics servers

According to Doctor Web’s statistics servers 10.2016 #drweb

Statistics concerning malicious programs discovered in email traffic

Statistics concerning malicious programs discovered in email traffic 10.2016 #drweb

According to statistics collected by Dr.Web Bot for Telegram

According to statistics collected by Dr.Web Bot for Telegram 10.2016 #drweb

Encryption ransomware

Encryption ransomware 10.2016 #drweb

In October, cases involving the following ransomware modifications were registered by Doctor Web’s technical support service:

Dr.Web Security Space 11.0 for Windows
protects against encryption ransomware

This feature is not available in Dr.Web Anti-virus for Windows.

Data Loss Prevention
Preventive ProtectionData Loss Prevention

Dangerous websites

During October 2016, the URLs of 338,670 non-recommended websites were added to the Dr.Web database.

September 2016October 2016Dynamics

Among the non-recommended websites that were added to the database are fraudulent web resources. Fraudsters continue contriving new ways of tricking Internet users—one of them is described in our overview.

The creators of the fraudulent website “Detector Millionaire” use mass spam mailings to get gullible users to test their program “Detector Millionaire.” This scam has reportedly already benefited the program’s creators to the tune of several million dollars. To start using it, a potential victim has to transfer a certain sum of money to the cybercriminals’ account. Obviously, all the money deposited is irrevocably gone. In addition, a simple search of the domain registration database reveals that is administrated by one Bob Douglas, who owns many other suspicious web resources.

Find out more about Dr. Web non-recommended sites


Since the beginning of October, Doctor Web’s specialists have registered 40,756 attacks by Linux Trojans—35,423 of them were performed over the SSH protocol and 5,333 of them over the Telnet protocol. The below diagram shows the proportional relationship between the most frequently detected Linux Trojans:

The most frequently detected Trojans for Linux 10.2016 #drweb

Below you can see the geographical spread of the IP addresses from which malware programs were installed onto Linux devices:

Spread of the IP addresses for Linux 10.2016 #drweb

The end of October was marked by the emergence of Linux.BackDoor.FakeFile.1, a backdoor Trojan for Linux spread as a PDF, Microsoft Office, or Open Office file. This Trojan could:

For more information about Linux.BackDoor.FakeFile.1, refer to the news article published by Doctor Web.

Malicious and unwanted programs for mobile devices

October began with the appearance of Android.SockBot.1, a Trojan that can redirect Internet traffic through infected mobile devices, transforming them into proxy servers.

The following October events related to mobile malware are the most noteworthy:

Find out more about malicious and unwanted programs for mobile devices in our special overview.

Learn more with Dr.Web

Virus statistics Virus descriptions Virus monthly reviews