Defend what you create

Other Resources

Close

Library
My library

+ Add to library

Contact us
24/7 Tech support

Send a message

Your tickets

Profile

April 2018 virus activity review from Doctor Web

April 28, 2018

In early April Doctor Web virus analysts detected a new version of a dangerous banking Trojan, which infected Android mobile devices. In mid-April, distribution of the Windows encryption Trojan was also detected. Due to virus writers’ error, it corrupted files without the possibility of decrypting them.

Principal Trends in April

  • Detection of the dangerous Android banking Trojan
  • Spreading of the encryption Trojan that infected Windows devices

Threat of the month

The encryption Trojan, which was dubbed Trojan.Encoder.25129, is detected by the preventive protection of Dr.Web Anti-virus as DPH:Trojan.Encoder.9. Virus writers designed the malicious program so that it does not encrypt files if the infected device is located in Russia, Belarus and Kazakhstan, or if the Russian language and Russian regional parameters are set in the system preferences. However, the encoder encrypts files regardless of the IP address’s geographical location due to the code error.

Using the AES-256-CBC algorithms, Trojan.Encoder.25129 encrypts the folder contents of the current user’s folders, Windows Desktop, the AppData and LocalAppData system folders. The encrypted files are appended the TRON extension. The ransom amount that cybercriminals demand ranges from 0.007305 to 0.04 Btc.

#drweb Trojan.Encoder.25129

The Trojan’s creators have made an error in its code, so in most cases they will not be able to decrypt files encrypted by the encoder. For more information on the operation of Trojan.Encoder.25129 and its features, refer to this article published on our website.

According to Doctor Web’s statistics servers

According to Dr.Web Anti-virus statistics

JS.BtcMine.36
A JavaScript designed to stealthily mine cryptocurrencies (mining).
JS.Inject
A family of malicious JavaScripts. They inject malicious script into the HTML code of webpages.
Trojan.DownLoader
A family of malicious programs designed to download other malware to the compromised computer.
Trojan.Starter.7394
A Trojan whose main purpose is to launch in an infected system with an executable file possessing a specific set of malicious functions.
JS.DownLoader
A family of malicious JavaScripts. They download and install malicious software on a computer.

Statistics concerning malicious programs discovered in email traffic

Statistics concerning malicious programs discovered in email traffic #drweb

Trojan.PWS.Spy.20884
A spying Trojan for Windows that steals confidential information, including user passwords.
Trojan.DownLoader
A family of malicious programs designed to download other malware to the compromised computer.
JS.BtcMine.36
A JavaScript designed to stealthily mine cryptocurrencies (mining).
JS.Inject
A family of malicious JavaScripts. They inject malicious script into the HTML code of webpages.

Encryption ransomware

Encryption ransomware

In April, cases involving the following ransomware modifications were registered by Doctor Web’s technical support service:

Dangerous websites

During April 2018, Doctor Web added 287,661 URLs to the Dr.Web database of non-recommended sites.

March 2018April 2018Dynamics
+ 624,474+ 287,661- 53.9%

Malicious and unwanted programs for mobile devices

In April, Doctor Web specialists detected a new modification of a dangerous Android Trojan, which was named Android.BankBot.358.origin. It attacked clients of a major bank and infected over 60,000 mobile devices. In the past month, virus analysts also detected numerous malicious programs on Google Play. They all belonged to the Android.Click family. Among them are Android.Click.245.origin, Android.Click.246.origin and Android.Click.458. Once launched, they downloaded websites specified by cybercriminals. These websites were used to trick users into signing up for expensive content services. Later riskware Program.PWS.2 was detected on Google Play. It allowed connection to Telegram that was blocked in Russia. This application did not encrypt the transferred confidential information, which could lead to Android smartphone and tablet owners’ confidential data being leaked. In late April Doctor Web specialists detected Android.RemoteCode.152.origin on Google Play. It downloaded and launched additional modules, and used them to create advertising banners. Then the malicious program tapped on them, generating income for cybercriminals. New spyware that tracked users was also detected in April. According to Doctor Web classification, these malicious programs were named Android.Spy.443.origin and Android.Spy.444.origin.

Among the most noticeable April events related to mobile malware, we can mention:

  • Spreading of a dangerous banking Trojan, which infected over 60,000 mobile devices of Russian users;
  • The emergence of new spyware Trojans;
  • The detection of malicious programs and riskware on Google Play.

Find out more about malicious and unwanted programs for mobile devices in our special overview.

The Russian developer of Dr.Web anti-viruses

Doctor Web has been developing anti-virus software since 1992

Dr.Web is trusted by users around the world in 200+ countries

The company has delivered an anti-virus as a service since 2007

24/7 tech support

© Doctor Web
2003 — 2018

Doctor Web is the Russian developer of Dr.Web anti-virus software. Dr.Web anti-virus software has been developed since 1992.

2-12А, 3rd street Yamskogo polya, Moscow, Russia, 125040