My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets


April 2016 virus activity review from Doctor Web

April 29, 2016

April 2016 began with a new version of the Gozi Trojan, which now could create peer-to-peer botnets. Later this month, cybercriminals started to spread a backdoor for Linux via a hacker utility. Besides, security researchers detected the intensified activity of Internet scammers who have already tricked a big number of gullible users by creating fake online stores.


  • New version of the Gozi Trojan
  • New backdoor for Linux
  • Intensified activity of Internet scammers

Threat of the month

Instead of contriving brand new banking Trojans, attackers prefer to modify old versions of popular financial malware programs—for example, Trojan.Gozi, which is able to carry out a wide range of malicious activities: it can steal information entered by the user into web data forms and perform web injections and keylogging functions. In addition, the Trojan is also designed to get remote access to the user’s machine by means of Virtual Network Computing (VNC). Moreover, upon a command, the Trojan can run the SOCKS proxy server and download and install various plug-ins.

screen #drweb

However, unlike its counterparts, Trojan.Gozi can also generate peer-to peer (P2P) botnets, which allows the Trojan to transmit encrypted information directly to the infected machines. You can find more about this malware program in the news article published by Doctor Web.

According to statistics collected by Dr.Web CureIt!

screen #drweb

According to Doctor Web statistics servers

screen #drweb

Statistics concerning malicious programs discovered in email traffic

screen #drweb

Encryption ransomware

screen #drweb

Trojan.Encoder.858 is the most frequently detected Trojan in April 2016.

Dr.Web Security Space 11.0 for Windows
protects against encryption ransomware

This feature is not available in Dr.Web Anti-virus for Windows.

Data Loss Prevention
Preventive ProtectionData Loss Prevention

Dangerous websites

During April 2016, Doctor Web added 749,173 URLs into the Dr.Web database of non-recommended sites.

March 2016April 2016Dynamics

April witnessed a big number of Internet users who fell victim to online shopping scams. Numerous fake online stores have all the typical features of real online shops. Yet, web design of these fraudulent websites is always identical.

screen #drweb

To learn more about how this scheme of online shopping fraud works, refer to the article.

Other threats

To illegally infiltrate computer systems and remote networks, attackers often use software vulnerabilities. Yet, incorrect configurations of server applications and other programs may pose a more dangerous threat. In April, Doctor Web specialists discovered some misconfiguration of hardware belonging to a large company that supplies DNS and web hosting services. Thus, its clients revealed a list of their registered subdomains—in particular, ones for internal use— to the world. These domains can be used to organize internal non-public servers, version control systems (VCS), bug trackers, various monitoring services, wiki resources, etc. Having this domain list, attackers can easily examine the network of a potential victim in order to find vulnerabilities. For more details, refer to the article.

Furthermore, Doctor Web security researchers detected a new backdoor for Linux—Linux.BackDoor.Xudp.1. Its key feature lies in the fact that it infiltrated the system via some hacker utility designed to send out UDP packets to a specified address. It means that the Linux user, in their attempts to attack a server, fell victim to the Trojan.

Security researchers registered that Linux.BackDoor.Xudp.1 can continuously send various requests to the specified remote server, carry out DDoS attacks, and execute arbitrary commands. In addition, it can scan ports within a specified range of IP addresses, run certain files, send any file to cybercriminals, and execute other functions. All the features of this Trojan are described in our review.

In the end of the month, security researchers detected Trojan.BPlug.1074, a malware program masquerading as a plug-in for Google Chrome which sent out spam messages to Facebook users. This Trojan was used to distribute other dangerous extensions for Chrome. As of April 29, 2016, more than 12,000 Facebook users have already fallen victim to Trojan.BPlug.1074. For more about this incident, refer to the news article.

Malicious and unwanted programs for mobile devices

According to the statistics collected by Dr.Web for Android, aggressive advertising modules became the most frequently detected programs among other malicious and unwanted applications in April. Such modules are often designed not only to display annoying advertisements but also to steal confidential information and to download and install various software, which helps cybercriminals make money from victims. In addition, a new Trojan named Android.GPLoader.1.origin, which was designed to covertly install other applications, was detected in the past month.

Among the most noticeable April events related to mobile malware, we can mention

Learn more with Dr.Web

Virus statistics Virus descriptions Virus monthly reviews