My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets


September 2015 virus activity review from Doctor Web

October 1, 2015

The beginning of autumn was marked by high activity on the part of virus makers—in September, security researchers detected several installers of unwanted and adware applications designed for Windows and OS X. Moreover, various malicious programs for Linux and Android and a new Trojan targeting POS terminals came into light.


  • Emergence of a new Trojan for POS terminals
  • Distribution of new installers of adware and unwanted applications for Windows and OS X
  • Distribution of new malicious programs for Android and Linux

Threat of the month

For many years POS terminals running Windows operating systems remain one of the most favorite targets for virus makers. Various methods of stealing bank card data stored by such devices have been known to cybercriminals for quite some time. In September, Doctor Web security researchers examined a malicious program that was used for exactly that purpose—the Trojan, which turned out to be a modification of BackDoor.Neutrino.50, was dubbed Trojan.MWZLesson.

Trojan.MWZLesson can execute the following commands:

For more information regarding this Trojan, refer to the news article published by Doctor Web.

According to the statistics gathered by Dr.Web CureIt!

Over the course of September, Dr.Web CureIt! detected 155,554,503 unwanted, potentially dangerous, and malicious objects.


According to Doctor Web statistics servers


Statistics concerning malicious programs discovered in email traffic



Doctor Web security researchers continue to monitor botnets created by cybercriminals using the Win32.Rmnet.12 file infector. The average daily activity of these botnets is shown in the following graphs:



Rmnet—is a family of viruses spread without any user intervention. They can embed content into loaded webpages (this theoretically allows cybercriminals to get access to the victim's bank account information), steal cookies and passwords stored by popular FTP clients, and execute other commands issued by cybercriminals.

The botnet consisting of computers infected with Win32.Sector is also still active. Its average daily activity can be seen in the following picture:


Win32.Sector can perform the following actions:

In September, cybercriminals controlling the Linux.BackDoor.Gates.5 botnet became more active and intensified DDoS attacks on various Internet resources—in comparison with the previous month, the number of attacked IP addresses increased by 263.5 per cent and was estimated 7,572. At that, the United States were ranked first, while China took the second place. Detailed information on locations of cybercriminals' targets is presented in the following picture:


Encryption ransomware

The number of requests for decryption received by Doctor Web technical support service

August 2015September 2015Dynamics

The most common ransomware programs in September 2015

Dr.Web Security Space 10.0 for Windows
protects against encryption ransomware

This feature is not available in Dr.Web Anti-virus for Windows

Preventive ProtectionData Loss Prevention
Превентивная защитаЗащита данных от потери

More information


In September 2015, Doctor Web security researchers had to face Linux Trojans once again—among them, Linux.Ellipsis.1 and Linux.Ellipsis.2 are the most noteworthy. The latter Trojan is designed to brute-force login systems of various devices using a special vocabulary. To ensure anonymous access to devices hacked by means of Linux.Ellipsis.2, cybercriminals employ Linux.Ellipsis.1. This malicious program has a rather interesting behavior described by Doctor Web security researchers as “paranoid”.

Linux.Ellipsis.1 is designed to set up a proxy server on the infected machine allowing cybercriminals to get anonymous access to compromised devices. For that, the Trojan monitors connections on a local address and port proxying all traffic transmitted via them.

The “paranoid” behavior of Linux.Ellipsis.1 also lies in the fact that the Trojan encompasses a large list of strings for which it searchers network traffic. If any of the strings is detected, the Trojan blocks data transfer to the remote server at the corresponding IP address. Apart from blocking remote nodes from the list, the malware checks all network connections and sends the remote server the IP address to which the connection is established. If the server responds with the “kill” command, the Trojan shuts down the application that established the connection and blocks the IP address for two hours. For more information regarding these Trojans, refer to the news article published by Doctor Web.

Dangerous programs targeting OS X

Installers of adware and unwanted applications for Windows do not come as a surprise to the majority of Internet users. However, in September, Doctor Web security researchers detected an installer that targeted not Windows but OS X. This sample, which was dubbed Adware.Mac.WeDownload.1, is disguised as a distribution package of Adobe Flash Player and spreads by means of an affiliate program focused on generating income from file downloads.

screen Adware.Mac.WeDownload.1 #drweb

Once an appropriate request is sent, Adware.Mac.WeDownload.1 receives from the command and control server a list of applications that the user will be prompted to install. The list has not only unwanted programs but also malicious ones, including Program.Unwanted.MacKeeper, Mac.Trojan.Crossrider, Mac.Trojan.Genieo, Mac.BackDoor.OpinionSpy, various Trojans belonging to the Trojan.Conduit family, and some other dangerous applications. At that, the total number and types of programs depend on the victim's geolocation.

Find out more about the installer in this news article.

Other malicious applications

In September 2015, installers of unwanted, adware, and even dangerous applications distributed via affiliate programs focused on generating income from file downloads became especially widespread.

In particular, at the beginning of the month, Doctor Web security researchers examined Trojan.InstallCube.339—this malicious program can be downloaded by potential victims from various fake file-sharing resources and torrent trackers. Once launched, the Trojan retrieves the configuration file from the server and then demonstrates the user a dialog with information on the downloaded object. At that, the dialog supposedly belongs to the well-known mTorrent application. Servers that control this program have a rather interesting way of behavior—they allow Trojan.InstallCube.339 to download the payload only if the infected computer has a Russian IP address.

Another dangerous installer was dubbed by security researchers as Trojan.RoboInstall.1. Like many other programs belonging to this category, the Trojan is distributed though file-sharing websites, fake torrent trackers, and other similar Internet resources created by cybercriminals. Moreover, some developers of free applications also employ such malicious programs to generate income. As a result, they receive monetary compensation for every additional tool downloaded by Trojans to victims' computers. However, this particular installer has one characteristic feature—sometimes dialogs displayed by Trojan.RoboInstall.1 do not contain installation check boxes, and files downloaded by the Trojan get installed without any conditions.

At the end of September, cybercriminals made an attempt to distribute a malicious application via email messages claiming to be from Doctor Web.


Cybercriminals offered their victims to take part in testing of some tool called Dr.Web CureIt 2. However, instead of this “tool”, Trojan.PWS.Stealer.13052 was downloaded to users' computers. This Trojan is designed to steal passwords and other confidential information stored on compromised machines. To make the number of infected devices larger, cybercriminals prompted users to turn off their anti-virus software, because it can be incompatible with the “tool”. For more information regarding the incident, refer to this news article.

Dangerous websites

During September 2015, 399,227 URLs of non-recommended websites were added to Dr.Web database.

August 2015September 2015Dynamics
Non-recommended websites

Malicious and unwanted programs for Android

September proved to be quite rich in terms of mobile security events. Over the course of the first autumn month, security researchers detected a large number of programs containing a Trojan in the App Store. Moreover, once again, cybercriminals used Google Play to distribute their malicious creations. In the middle of the month, Doctor Web analysts registered yet another incident of Trojans being embedded in official Android firmware. Banking Trojans, Android ransomware, and other malicious applications also continued to threaten mobile devices' users.

Among the most noticeable events related to mobile malware we can mention

Find out more about malicious and unwanted programs for mobile devices in our special overview.

Learn more with Dr.Web

Virus statistics Virus descriptions Virus monthly reviews Laboratory-live