My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets


February 2017 virus activity review from Doctor Web

February 28, 2017

The last month of winter was marked by the emergence of a new banking Trojan that inherited fragments of the source code of another widespread banker family—Zeus (Trojan.PWS.Panda). This malware injects arbitrary content into user-loaded web pages and runs a VNC server on the infected computer. Also in February, Doctor Web security researchers detected a new Trojan for Linux. New entries were also added to the Dr.Web virus databases for Android.

Principal trends in February

  • The distribution of a new banking Trojan
  • The detection of a new malicious program for Linux
  • The emergence of new malware for Android

Threat of the month

Banking Trojans are considered one of the most dangerous types of malware programs since they are capable of stealing money directly from the bank accounts of their victims. The new banking Trojan examined by Doctor Web security researchers was dubbed Trojan.PWS.Sphinx.2. It performs web injections, i.e., it injects arbitrary content into user-loaded web pages. Thus, it can, for example, send cybercriminals user login credentials to access online banking services. The user enters this data into fake forms created by the Trojan. Below is an example of the code that Trojan.PWS.Sphinx.2 embeds in the pages of the website:


Furthermore, Trojan.PWS.Sphinx.2 can run a VNC server on an infected computer, and cybercriminals can use it to connect to the infected device and install digital certificates in the system for organizing attacks based on MITM (Man-in-the-middle) technology. The Trojan has a grabber—a module that intercepts and sends data entered by the user into various forms to a remote server. It is notable that the automatic launch of Trojan.PWS.Sphinx.2 is executed via a special PHP script. More information about this malicious program can be found in the corresponding review published by Doctor Web.

According to statistics collected by Dr.Web CureIt!

According to statistics collected by Dr.Web CureIt! February, 2017 #drweb


Statistics concerning malicious programs discovered in email traffic

Statistics concerning malicious programs discovered in email traffic February, 2017 #drweb

According to Dr.Web Bot for Telegram data

According to Dr.Web Bot for Telegram data February, 2017 #drweb

Encryption ransomware

Encryption ransomware February, 2017 #drweb

In February, Doctor Web’s technical support was most often contacted by victims of the following modifications of encryption ransomware:

Dr.Web Security Space 11.0 for Windows
protects against encryption ransomware

This feature is not available in Dr.Web Anti-virus for Windows

Data Loss Prevention
Preventive protection Data Loss Prevention

More information

During February 2017, 134,063 URLs of non-recommended websites were added to the Dr.Web database.

January 2017February 2017Dynamics
+ 223,127+ 134,063-39.9%

Non-recommended websites

Linux malware

Trojans that infect Linux devices are no longer considered rare. However, in February Doctor Web security researchers detected an unusual malicious program. Once launched on a Microsoft Windows computer, it attempts to find and infect various Linux devices.

This Trojan was dubbed Trojan.Mirai.1. After downloading the list of IP addresses from its command and control server, it launches a scanner on the infected machine. The scanner that checks these addresses and attempts to log into them using the login and password combination indicated in the configuration file. While connecting to the Linux device via Telnet protocol, the Trojan downloads a binary file onto the compromised device, and this file subsequently downloads and launches Linux.Mirai. In addition, Trojan.Mirai.1 can execute cybercriminals’ commands and perform other malicious functions. For more information, refer to this news article.

Also in February, Doctor Web security researchers examined the Trojan Linux.Aliande.4. Written in the language Go, it is designed to hack into remote network server login systems by engaging in dictionary attacks (brute-force attacks). For its operation, Linux.Aliande.4 uses the list of IP addresses obtained from the command and control server. The SSH protocol is used to access the remote devices. The Trojan sends the list of successfully generated login and password combinations to the cybercriminals.

Malicious and unwanted programs for mobile devices

In February, Android.Click.132.origin was detected. It was spread via Google Play. This malicious program covertly opened websites and could independently tap on advertisements. Cybercriminals were remunerated for that activity.

The most noticeable February event related to mobile malware:

Find out more about malicious and unwanted programs for mobile devices in our special overview.

Learn more with Dr.Web

Virus statistics Virus descriptions Virus monthly reviews

© Doctor Web
2003 — 2023

Doctor Web is a cybersecurity company focused on threat detection, prevention and response technologies