Doctor Web’s February 2021 virus activity review

March 17, 2021

Our February analysis of Dr.Web’s statistics revealed an increase in the total number of threats by 25.07% compared with the previous month. At the same time, the number of unique threats dropped by 7.57%. Adware continued to occupy the top spot for most common threats. Email traffic was dominated by various malicious scripts and obfuscated modifications of the Bladabindi backdoor and the AgentTesla stealer. In addition, users continued to be exposed to malware exploiting vulnerabilities in Microsoft Office utilities.

The number of requests to decrypt files affected by trojan encoders decreased by 21.27% compared to January. Trojan.Encoder.26996 was the most active, accounting for 21.45% of all incidents.

Principal trends in February

  • Growth in malware spreading activity
  • Adware remains among the most active threats
  • The detection of new malicious programs in email traffic

According to Doctor Web’s statistics service

The most common threats in February:

An alternative app store and add-on for Windows GUI from the creators of Adware.Opencandy.
Adware that spreads through file sharing services as a result of link spoofing. Instead of normal files, victims receive applications that display advertisements and install unwanted software.
Adware that often serves as an intermediary installer of pirate software.
Installation adware that spreads outdated software and changes browser settings.

Statistics for malware discovered in email traffic

A malicious script embedded into web pages. When executed, the script can redirect visitors to unwanted and dangerous websites, display annoying ads in the browser, or track user actions.
A family of downloader trojans that exploits vulnerabilities in Microsoft Office documents and can download other malicious programs onto a compromised computer.
A packed modification of the Bladabindi backdoor. Bladabindi is a common backdoor trojan with wide capabilities for remotely controlling an infected computer.
A web page spread via phishing emails. It is a bogus authorization page that mimics well-known websites. The credentials a user enters on the page are sent to the attacker.
A packed modification of the AgentTesla stealer.

Encryption ransomware

In February, Doctor Web’s virus laboratory registered 21.27% fewer requests to decode files encoded by trojan ransomware than in January.

Dangerous websites

During January 2021, Doctor Web Internet analysts added numerous fraudulent and malicious resources to the Dr.Web database of non-recommended websites. In addition to exploiting the theme of payments and fake compensation, attackers returned to other well-known fraud schemes. In February, for example, analysts uncovered many bogus private cinema websites.


This is a screenshot of a fraudulent private cinema website. The cybercrook sends a link to the site to a potential victim.

Attackers actively used various social engineering methods to push potential victims into purchasing tickets for a film show on one of these sites. After paying for tickets, users simply lost their money, and their bank card data was transferred to the website operators. In some cases, the victim was then contacted by fake technical support, which, under the pretext of issuing a refund, sent another payment form.

Also in February, analysts found several websites inviting visitors to view videos for a reward.


In fact, the fraudsters used these sites to collect user data, for phishing, to distribute specialized unwanted software, to raise the number of views, and other similar purposes. In addition, the scammers themselves received the reward from partner services for user activity.

Malicious and unwanted programs for mobile devices

In February, malware that is able to download other software and execute arbitrary code, as well as trojans that showed ads, were again among the most common mobile threats.

During the month, Doctor Web’s virus analysts discovered many malicious apps in the Google Play catalog. They include modifications of the multifunctional Android.Joker trojans capable of running arbitrary code and subscribing Android users to paid services, the Android.FakeApp trojans disguised as useful software, Android.HiddenAds advertising trojans, and other malware.

The following February events related to mobile malware are the most noteworthy:

Find out more about malicious and unwanted programs for mobile devices in our special overview.