My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets


April 2015 virus activity review from Doctor Web

April 30, 2015

April 2015 proved to be quite eventful in terms of information security.


  • Cybercriminals' attempts to attack a number of Russian defense enterprises
  • New multicomponent banking Trojan targeting customers of several credit organizations
  • Distribution of dangerous backdoors for Windows and Linux OSes
  • New malicious programs for Android

Threat of the month

At the beginning of April, Doctor Web security researchers finished their examination of the dangerous multicomponent banking Trojan named Trojan.Dridex.49. This malware has a component that generates configuration required for the Trojan's functioning and launches the Trojan. It also includes the engine and additional modules. The Trojan's special feature is the use of a P2P protocol for establishing connection to the server.

Depending on the specified parameters, Trojan.Dridex.49 embeds itself in processes of Explorer (explorer.exe) or web browsers (chrome.exe, firefox.exe, iexplore.exe). All information transmitted between the server and the Trojan is encrypted. The Trojan can have one of the following roles on the infected computer:

In other words, the Trojan.Dridex.49 botnet uses the following scheme for message exchange: bot → node → admin node → other admin nodes → command and control server. For security reasons, the Trojans exchange keys. The entire interaction pattern of the botnet is as follows:


The main purpose of Trojan.Dridex.49 is web injection; that is, injecting arbitrary content into web pages viewed by customers of financial organizations.

The Trojan can collect confidential data entered in web forms, which allows cybercriminals to get access to victims' bank accounts and steal their money. Doctor Web's security researchers have learnt about more than 80 bank websites and other Internet resources, where the Trojan can steal confidential data; among them are well-known financial organizations such as Royal Bank of Scotland, TCB, Santander, Bank of Montreal, Bank of America, HSBC, Lloyds Bank, Barclays and many more. The signature of Trojan.Dridex.49 has been added to virus databases; so, Dr.Web users are protected from this malware.

According to statistics gathered by Dr.Web CureIt!

In April, 73 149 430 malicious programs and riskware were detected.


According to Doctor Web's statistics servers


Statistics concerning malicious programs discovered in email traffic



Doctor Web's security researchers continue to monitor the botnet created by criminals with the file infector Win32.Rmnet.12.


Rmnet is a family of viruses spread without any user intervention. They can embed content into loaded webpages (this theoretically allows cybercriminals to get access to the victim's bank account information) as well as steal cookies and passwords stored by popular FTP clients and execute other commands issued by cybercriminals.

The botnet consisting of computers infected with the Win32.Sector file virus is still active. This malware can perform the following actions:


The number of Apple computers infected with the BackDoor.Flashback.39 Trojan remains almost the same and equals about 25 000:


In April, cybercriminals intensified their attacks on Internet resources with the use of Linux.BackDoor.Gates.5. In comparison with the previous month, the number of attacked IP addresses increased by more than 48 per cent and was estimated 3320. Curiously, most targets of the attacks were located in the USA, but previously the country leading in the number of compromised resources was China. The image below provides information about the geographic distribution of the attacks.


Encryption ransomware

The number of requests for decryption received by the Doctor Web technical support service

March 2015April 2015Growth
23611359- 42.4 %

The most common ransomware programs in April 2015

Dr.Web Security Space 10.0 for Windows
protects against encryption ransomware

This feature is not available in Dr.Web Anti-virus for Windows

Preventive protection Data Loss Prevention
Preventive protection Data Loss Prevention

More information Watch the video tutorial

Threats to Linux

In April, Doctor Web security researchers examined a new Trojan that can infect computers with Linux operating system — Linux.BackDoor.Sessox.1. Cybercriminals can control the backdoor by using the IRC (Internet Relay Chat) text-messaging protocol: the bot receives their commands from a chat running on the cybercriminals' server. To spread itself, the Trojan scans remote computers and searches for a vulnerability which allows starting a third-party script on an unprotected server. The script then installs a copy of the Trojan in the infected system.

The Trojan can launch an attack by sending repeating GET requests to the website specified by cybercriminals.

Learn more about Linux.BackDoor.Sessox.1.

Other threats in April

At the beginning of the month, Doctor Web security researches detected targeted mass mailing to work and personal email addresses of Russian defense enterprises employees. The mass mailing distributed a dangerous Trojan.


Upon receiving a command from cybercriminals, this malicious program, named BackDoor.Hser.1, can send the remote server a list of active processes running on the infected computer, as well as download and launch another malicious program, open the command console and execute input/output redirection to the cybercriminals’ server, which allows cybercriminals to get control over the infected computer. Find out more about the incident in this news item.

Another malicious program, named VBS.BackDoor.DuCk.1, was also examined in April. This malware can execute cybercriminals’ commands and send the remote server screenshots made on the infected computer. This backdoor is able to check the infected computer for virtual environment and anti-virus programs. News item about this dangerous Trojan was published on the Doctor Web's site.

Dangerous websites

During April 2015, 129,199 URLs of non-recommended sites were added to Dr.Web database.

March 2015April 2015Growth
74 108129 199+ 74.3%
Learn more about Dr. Web non-recommended sites

Malicious and unwanted programs for Android

In April, cybercriminals continued their attacks on users of Android devices. Thus, this month was rich in virus events. Among the most noticeable events related to malicious and unwanted programs for Android we can mention

Find out more about malicious and unwanted programs for Android in our special overview.

Find out more with Dr.Web

Virus statistics Virus encyclopedia All virus reviews Laboratory-live