My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets


Doctor Web presents the virus activity review for February 2015

March 4, 2015

The shortest month of a year did not go without new malware. At the beginning of February, Doctor Web security researchers finished their examination of a complex multi-purpose Trojan for Linux, while at the end of the month they published results of their analysis of a new version of backdoor for Mac OS X. Also, during February 2015 malicious programs for Android were still active.


  • New Linux Trojans
  • Virus writers still show their interest in Mac OS X.
  • New malicious programs for Android continue to spread.

Threat of the month

At the end of February, Doctor Web analysts have completed a study of the Trojan-backdoor Mac.BackDoor.OpinionSpy.3, allowing attackers to spy on Mac OS X users. It spread via sites that are offering free software, together with harmless applications whose distributions incorporated an additional executable file. Being launched with administrator privileges during the installation, this program would download and install the backdoor on the Mac.


This malicious program is detected and successfully removed by Dr.Web Anti-virus for Mac OS X. More information about this backdoor can be found in the corresponding news article.

Encryption ransomware

The number of requests for decryption received by the Doctor Web technical support service

January 2015February 2015 Movement

Encryption ransomware, that encrypts files on personal computers and demands a ransom for their decryption, still poses a serious threat.

The most common ransomware programs in February 2015:

Use Data Loss Prevention to save your files from encryption ransomware

Only available in Dr.Web Security Space 9 and 10.
More about
encryption ransomware
What do I do, if… Configuration tutorial Free

According to the statistics gathered by Dr.Web CureIt!


According to Doctor Web's statistics servers


Statistics concerning malicious programs discovered in the email traffic



Despite the numerous reports of news agencies, that on February 24, 2015, the command and control servers of Rmnet were shut down by the combined efforts of several organizations, Doctor Web security researchers have registered no significant decline in the botnet's activity. Doctor Web’s anti-virus laboratory monitors the subnets' activity of the botnet which was created by cybercriminals using the Win32.Rmnet.12 file infector. This activity is shown in the charts below:



More information about the activity of the botnet can be found on our website in a corresponding news article.

The botnet, which was created using the Win32.Sector file injector, is still active:


The Win32.Sector file infector's key functions are to:


Linux threats

Attackers' interest in Linux doesn't appear to decrease either. In particular, in early February, Doctor Web security experts researched a complex multi-purpose backdoor for Linux named Linux.BackDoor.Xnote.1. This malware is able to perform the following operations with the file system upon a corresponding command from hackers:

In addition, the backdoor can run a shell with the specified environment variables and grant the command and control server access to this shell, start SOCKS proxy on the infected machine, start its own portmap implementation and carry out DDoS-attacks.

More information about how to distribute and how to work Linux.BackDoor.Xnote.1 can be found in a published by Doctor Webnews article.

Linux-Trojan Linux.BackDoor.Gates.5 is still active and continue to carry out DDoS attacks on various sites in the Internet. In February, Doctor Web registered 1,129 IP addresses that were attacked (that is 3,880 less than in November). As before, most of them were located in China:


Fraudulent and non-recommended sites

During February 2015, Doctor Web added 22,033 URLs into the Dr.Web database of non-recommended sites.

January 2015February 2015Movement
10 43122 033+111,2%

Parental Control, which is available in Dr.Web Security Space 10.0, can provide protection from various Internet scams. The Parental Control component lets you limit access to websites related to a certain topic and filter suspicious content. Besides, using its database of non-recommended URLs, the component can shield users from fraudulent sites, potentially dangerous and shocking content, and from sites which are known to distribute malware.

Learn more about Dr. Web non-recommended sites

Malicious and unwanted software for Android

In February a large variety of malicious programs and riskware for Android was discovered. It included:

Find out more with Dr.Web

Virus statistics Virus encyclopedia All virus reviews Laboratory-live