My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets


January 2016 virus activity review from Doctor Web

January 29, 2016

The first month of 2016 saw the emergence of new various Trojans for Linux including yet another modification of a ransomware Trojan and a dangerous backdoor capable of screenshot taking, keylogging, and executing commands from cybercriminals. Besides, in January, security researchers detected a Trojan for Android pre-installed on the firmware of a smartphone produced by a well-known electronics manufacturer. Moreover, at the end of the month, Doctor Web security researchers detected various malware programs on Google Play.

Principal trends in January

  • Emergence of new malicious programs for Linux
  • Appearance of new encryption ransomware for Linux
  • Distribution of a dangerous Trojan in Android firmware

Threat of the month

At the end of January, Doctor Web specialists examined a multipurpose backdoor Trojan for Linux devices. It consists of a dropper and a payload that is responsible for executing main malicious functions. Once launched, the dropper displays the following dialog:

screen #drweb

If the Trojan is successfully run, it extracts the backdoor—its main malicious component—from its body and saves it into some folder on the infected computer’s hard drive. In total, this module is capable to execute more than 40 commands. Among them are keylogging—recording of keystrokes on the infected device—and downloading and running of different software. Besides, it can also send file names in a specified directory and upload selected files to the server. In addition to this, the Trojan creates, removes, and renames files and folders, takes screenshots, executes the bash commands; and performs many other malicious functions. For more information about this dangerous Trojan, refer to the news article published by Doctor Web.

According to statistics collected by Dr.Web CureIt!

screen #drweb

According to Doctor Web statistics servers

screen #drweb

Statistics concerning malicious programs discovered in email traffic

screen #drweb


Doctor Web's security researchers continue to monitor the botnets created by criminals with the file infector Win32.Rmnet.12.

screen #drweb

screen #drweb

Rmnet is a family of viruses spread without any user intervention. They can embed content into loaded webpages (this theoretically allows cybercriminals to get access to the victim's bank account information), steal cookies and passwords stored by popular FTP clients, and execute other commands issued by cybercriminals.

The botnet consisting of computers infected with the Win32.Sector file virus is still active. This malicious program can perform the following actions:

Its average daily activity can be seen in the following picture:

screen #drweb

Encryption ransomware

screen #drweb

The most common ransomware programs in January 2016

Dr.Web Security Space 11.0 for Windows
protects against encryption ransomware

This feature is not available in Dr.Web Anti-virus for Windows

Data Loss Prevention
Превентивная защитаЗащита данных от потери


January 2016 turned out to be rather fruitful due to a record-breaking number of Trojans for Linux detected during this month. At the beginning of January, Doctor Web security researchers examined a new modification of Linux.Encoder.3. Virus makers have improved this version of the ransomware Trojan by fixing code mistakes that had been made previously. Nevertheless, some architectural features of Linux.Encoder.3 make it possible to decrypt corrupted files.

Linux.Encoder.3 does not require root privileges—web server privileges are enough for the Trojan to encrypt all files in the home directory of a website. A key feature of Linux.Encoder.3 lies in its capability to remember dates of files creation or modification that are then replaced with dates specified before the encryption. Moreover, cybercriminals have changed encryption algorithms used by the Trojan: every sample of this malicious program uses its unique encryption key created based on parameters of encrypted files and values generated randomly. For more information about this Trojan, refer to the review published by Doctor Web.

Shortly after that, Doctor Web specialists detected Linux.Ekoms.1, about which you can read in our news article. Every 30 seconds, Linux.Ekoms.1 takes a screenshot and saves it into a temporal folder in the JPEG format. The temporary folder is uploaded to the server in specified intervals. This malicious program can also send files from the infected machine to cybercriminals and download and save files received from them.

It should be noted that Trojan.Ekoms.1, a Windows version of Linux.Ekoms.1, was registered by Doctor Web in January. Once launched, it checks the %appdata% folder for specified executable files in order to prevent infections by other Trojans. Apart from screenshot taking, Trojan.Ekoms.1 creates a file with the .kkt extension that stores information on key strokes and a file that is appended with the .ddt extension and contains a list of files in folders. These two files are then sent to the server. It is noteworthy that these files are also mentioned in Linux.Ekoms.1, but the similar Trojan for Linux does not have a code responsible for their processing. Like the Trojan for Linux, Trojan.Ekoms.1 can record sound and save it in the WAV format. However, this function is not used in this modification as well. The Trojan has a valid digital signature registered to some company named “Issledovaniya i razrabotka”, and a root certificate is issued by Comodo.

screen #drweb

At the end of January, several popular websites and blogs published information about an allegedly brand new Trojan for Linux—“TheMoon”. However, this Trojan dubbed Linux.Themoon.2 has been detected by Dr.Web for Linux since December 14, 2015. To learn more about technical details of this malicious program, refer to the review.

Dangerous websites

During January 2016, 625,588 URLs of non-recommended websites were added to Dr.Web database.

December 2015January 2016Dynamics

Find out more about Dr. Web non-recommended sites

Malicious and unwanted programs for mobile devices

The previous month showed once again that cybercriminals do not intend to lose their interest in Android mobile devices. In particular, in mid-January, Doctor Web security researchers detected Android.Cooee.1, a dangerous Trojan designed to download and install various applications, on the Philips s307 firmware. At the end of the month, Doctor Web analysts found that more than 60 games on Google Play were affected by Android.Xiny.19.origin. This Trojan can covertly run apk files received from the server, download applications, and prompt a user to install various software. It also displays annoying advertisements.

Among the most noticeable January events related to mobile malware we can mention

Find out more about malicious and unwanted programs for mobile devices in our special overview.

Learn more with Dr.Web

Virus statistics Virus descriptions Virus monthly reviews Laboratory-live