My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets


March 2017 virus activity review from Doctor Web

April 3, 2017

The beginning of spring was marked by intense activity on the part of cybercriminals involved in Internet scams and the distribution of malicious software. Moreover, in March a Trojan for Linux, designed to mount DDoS attacks, was detected. On Google Play, Doctor Web security researchers detected a program with an embedded module that displayed annoying ads on screens of Android devices. At least 50 million users have already installed this application. In addition, during the first month of spring, numerous potentially dangerous Internet resources were added to the database of non-recommended websites.

Principal Trends in March

  • The appearance of a new Trojan for Linux
  • The detection of numerous fraudulent websites
  • The distribution of aggressive advertising modules and Trojans targeting the Android OS

Threat of the month

Linux malware usually downloads other Trojans onto an infected device, sets up a proxy server, or mounts DDoS attacks. A Trojan detected by Doctor Web security researchers in March that was subsequently named Linux.DDoS.117 executes that last task.

This malicious program has versions for the following architectures: Intel x86, M68K, MIPS, MIPSEL, SPARC, SH4, Power PC, and ARM. Once launched, Linux.DDoS.117 waits for an Internet connection, and when one appears, it sends the attackers information about the infected device. The Trojan can receive commands and execute them using the command interpreter SH. With the help of a special command, cybercriminals send the name of the attacked host and the duration data of the DDoS attack to the Trojan. More detailed information about Linux.DDoS.117 can be found in the technical description of this malicious program.

According to Dr.Web Anti-virus statistics

According to Dr.Web Anti-virus statistics #drweb

According to Doctor Web statistics servers

According to Doctor Web statistics servers #drweb

Statistics concerning malicious programs discovered in email traffic

Statistics on malicious programs discovered in email traffic #drweb

According to Dr.Web Bot for Telegram data

According to statistics collected by Dr.Web Bot for Telegram #drweb

Encryption ransomware

Encryption ransomware #drweb

In March, Doctor Web’s technical support was most often contacted by victims of the following modifications of encryption ransomware:

At the beginning of March, a user of the forum published a link to the list of private keys used by the Dharma ransomware Trojan. According to Doctor Web classification, this is Trojan.Encoder.3953. This is already the second case of the private keys for this encoder being leaked. Once encrypted by this Trojan, files are appended with a suffix containing an email address of the cybercriminals and the following extensions: .xtbl, .CrySiS, .crypted, .crypt or .lock. Thanks to the fact that the keys were leaked, Doctor Web security researchers—as early as March 2—were able to develop a decryption method for files encrypted by Trojan.Encoder.3953.

Also in March, Doctor Web’s specialists created a decryption algorithm for data encrypted by Trojan.Encoder.10465. The malicious program is written in Delphi and appends the extension .crptxxx to infected files. For more information about this encoder and recommendations as to what its victims can do, please refer to this article.

Dr.Web Security Space 11.0 for Windows
protects against encryption ransomware

This feature is not available in Dr.Web Anti-virus for Windows.

Data Loss Prevention
Preventive ProtectionData Loss Prevention

More information

During March 2017, Doctor Web added 223,173 URLs into the Dr.Web database of non-recommended sites.

February 2017March 2017Dynamics
+ 134,063+ 223,173+ 66.46%

In March, Doctor Web security researchers detected more than 500 fraudulent websites aimed at owners and administrators of Internet resources. Many of them received an email claiming to be from Yandex with an offer to improve their website rankings in Internet search results. It contained a link to a page containing a payment form for the offered service.

screenshot #drweb

This offer was common fraud: after paying, victims did not get what was promised. Cybercriminals created more than 500 such pages and distributed them over several leased online media sites.

Non-recommended websites

Malicious and unwanted programs for mobile devices

In March, Doctor Web specialists found a new advertising module on Google Play that was dubbed Adware.Cootek.1.origin. It was embedded in a program called TouchPal, which operates as an on-screen keyboard. After this application was installed, Adware.Cootek.1.origin displayed several types of annoying advertisements; for example, it created unremovable widgets and embedded banners in the lock screen. In addition, it displayed ads on mobile devices right after they were unlocked.

The most noticeable March event related to mobile malware:

Find out more about malicious and unwanted programs for mobile devices in our special overview.

Learn more with Dr.Web

Virus statistics Virus descriptions Virus monthly reviews