My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets


October 2015 virus activity review from Doctor Web

October 30, 2015

October proved to be a quiet month in terms of information security events. However, over the course of the second autumn month, a number of popular Internet resources still fell victim to attacks of cybercriminals—the hacked websites were used to distribute a dangerous program disguised as an anti-virus utility created by a well-known developer. Moreover, October witnessed emergence of new Trojans for Android and iOS—in particular, Android.BankBot.80.origin that was spread as an official online banking application of a Russian financial organization and IPhoneOS.Trojan.YiSpecter.2 designed to display advertisements and stealthily download other programs to compromised devices.


  • A number of websites got hacked by cybercriminals to distribute malware
  • Emergence of a new Trojan designed to perform web injections
  • Distribution of new malicious programs for Android

Threat of the month

In the middle of October, Doctor Web security researchers registered several cases of websites being hacked by cybercriminals. Among those resources was a webpage dedicated to one popular Russian TV series. If the user opened the link to the website from Google search results, and if certain conditions were met, a new tab with a webpage opened in the browser window. A special malicious script incorporated into that webpage by cybercriminals prevented the user from closing it. If the victim pressed any key or clicked anywhere in the window, an annoying dialog was displayed prompting the victim to install a browser extension supposedly created by an anti-virus developer.

screen Trojan.BPLug.1041 #drweb

The extension detected by Dr.Web as Trojan.BPLug.1041 serves the purpose of injecting arbitrary content into webpages browsed by the user. Moreover, on all websites, the malicious program blocks third-party advertisements from any domains, except for those listed in the configuration file. If the user logs in to the Odnoklassniki (“Одноклассники”) social networking website, Trojan.BPLug.1041 will try to provide a certain application with access to the API of this website on behalf of the user. As a result, the victim's data can be used to promote groups, send spam messages, and influence some poll results. For more information regarding this malicious program, refer to the news article published by Doctor Web.

According to the statistics gathered by Dr.Web CureIt!

По данным статистики лечащей утилиты Dr.Web CureIt! #drweb

According to Doctor Web statistics servers

По данным серверов статистики «Доктор Веб» #drweb

Statistics concerning malicious programs discovered in email traffic

Статистика вредоносных программ в почтовом трафике #drweb


Doctor Web security researchers continue to monitor botnets created by cybercriminals using the Win32.Rmnet.12 file infector. The average daily activity of these botnets is shown in the following graphs:



Rmnet is a family of viruses spread without any user intervention. They can embed content into loaded webpages (this theoretically allows cybercriminals to get access to the victim's bank account information), steal cookies and passwords stored by popular FTP clients, and execute other commands issued by cybercriminals.

The botnet consisting of computers infected with Win32.Sector is also still active. Its average daily activity can be seen in the following picture:


The malware can perform the following actions:

In October, cybercriminals controlling the Linux.BackDoor.Gates.5 botnet became considerably less active—in comparison with the previous month, the number of attacked IP addresses decreased by 33.29 per cent and was estimated 5,051. As before, most targets of the attacks were located in China, while the second and the third places were taken by France and the United States respectively.


Encryption ransomware

The number of requests for decryption received by Doctor Web technical support service

September 2015October 2015Dynamics

The most common ransomware program in October 2015 was Trojan.Encoder.567.

Dr.Web Security Space 11.0 for Windows
protects against encryption ransomware

This feature is not available in Dr.Web Anti-virus for Windows

Data Loss Prevention
Превентивная защитаЗащита данных от потери

More information

Dangerous websites

During October 2015, 264,970 URLs of non-recommended websites were added to Dr.Web database.

September 2015October 2015Dynamics

Online stores selling some strange items or goods of questionable quality can be usually found among Internet resources added by Doctor Web analysts to the database of non-recommended websites over the course of a month. From time to time such websites become main “heroes” of news articles issued by our company, as resourceful fraudsters never cease to amaze security researchers constantly coming up with various mind-blowing ideas for new products. Read about threads protecting from evil eye, lip enhancers, and other “magical” goods sold in online stores in the news article published by Doctor Web.

Non-recommended websites

Malicious and unwanted programs for mobile devices

In October, cybercriminals continued to target mobile devices' users. In particular, at the beginning of the month, security researchers detected a new Trojan for iOS—at that, this malicious program could be installed on smartphones and tablets with or even without “jailbreak”. Moreover, yet another Trojan managed to bypass Google protection mechanisms and get into Google Play. In the middle of the month, Doctor Web specialists registered a new case of Android firmware being infected with a malicious application and, some time later, detected a new banking Trojan designed to steal money from owners of smartphones and tablets.

Among the most noticeable events related to mobile malware we can mention

Learn more with Dr.Web

Virus statistics Virus descriptions Virus monthly reviews Laboratory-live