Doctor Web presents the virus activity review for February 2022

March 31, 2022

Our February analysis of Dr.Web’s statistics revealed a 42.2% increase in the total number of threats compared with the previous month. The number of unique threats decreased by 2.87%. That said, adware still made up the majority of detected threats. These threats manifested with different types of malware. Different malware, including phishing websites, was most often distributed in mail traffic.

In February, the number of user requests to decrypt files affected by encoders decreased by 10.72% compared with January. Trojan.Encoder.26996 was the most active, accounting for almost a quarter of all incidents.

Principal trends in February

  • A rise in malware activity
  • Adware remains among the top threats

According to Doctor Web’s statistics service

The most common threats in February:

Adware.SweetLabs.5
An alternative app store and add-on for the Windows GUI (graphical user interface) from the creators of adware such as “OpenCandy”.
Adware.Downware.19998
Adware that often serves as an intermediary installer of pirate software.
Adware.OpenCandy.247
A family of applications that install other software on the system.
Trojan.AutoIt.710
Trojan.AutoIt.961
A malicious utility program written in the AutoIt language and distributed as part of a miner or RAT trojan.

Statistics for malware discovered in email traffic

W97M.DownLoader.2938
A family of downloader trojans that exploit vulnerabilities in Microsoft Office documents. It’s designed to download more malware onto a compromised computer.
HTML.Fisher.353
An HTML phishing page that includes a form for filling in credentials to access an email account.
BackDoor.SpyBotNET.25
A backdoor written in VB.NET. It can work with the file system (copy, create, and delete directories, etc.), terminate processes, and take screenshots.
Trojan.PackedNET.1168
Packed malware.
HTML.FishForm.294
A web page spread via phishing emails. It is a bogus authorization page that mimics well-known websites. The credentials a user enters on the page are sent to the attacker.

Encryption ransomware

User requests to decrypt files affected by encoders decreased by almost 10.72% compared to January.

Dangerous websites

In February, Doctor Web’s analysts noticed an increase in fraudulent banking sites disguised as official online delivery services. For each user, a unique page with confidential data is created. The page asks the user to enter bank card details for payment.

The screenshot shows an example of such a website, with fake departure numbers and payment status.

Malicious and unwanted programs for mobile devices

According to the detection statistics of Dr.Web anti-virus products for Android, in February, the Android.Spy.4498 trojan became the most common threat again. This trojan steals information from notifications from other applications. This malware accounted for 47.83% of detections. At the same time, advertising trojans again showed high activity.

Among the threats identified by Doctor Web specialists in the Google Play catalog are new fake programs from the Android.FakeApp family, multifunctional Android.Triada trojans, and yet another malicious program from the Android.Subscription family, designed to subscribe users to paid mobile services.

The following February events related to mobile malware are the most noteworthy:

Find out more about malicious and unwanted programs for mobile devices in our special overview.