January 22, 2019

Downloader Trojans are used to upload another malware to a victim’s device. Trojan.DownLoad4.11892 is no exception. When installed it downloads malicious software to steal private data from cryptocurrency holders.

In Autumn 2018 cryptocurrency mining enthusiasts began noticing messages suggesting they install a tool for monitoring cryptocurrency prices. The app developers promised a certified, trusted and free widget. At first glance, this program doesn’t raise any suspicions. It has a valid digital signature and works exactly as promised. But behind this seemingly flawless functionality, there’s a hidden catch: it will steal your private data.

Upon installation, the program compiles and runs malicious code downloaded from the developer’s personal Github account. Once completed, it uploads Trojan.PWS.Stealer.24943, also known among malware developers as AZORult, to a victim’s device. This Trojan allows cybercriminals to steal a vast amount of private data, including passwords from cryptocurrency wallets.

In most cases encountered by Doctor Web researchers, this malware was distributed in English on forums dedicated to cryptocurrency mining. It was seen less often on Polish and Russian forums dedicated to the same subject.

At present, the Trojan is still available on several file exchanges, as well as on the Github account mentioned earlier. Dr.Web products successfully detect and remove this type of malware. That said, our cybersecurity researchers strongly advise you to timely renew your anti-virus subscription and install all the latest updates.

Find out more about this Trojan

#cryptocurrency #mining #Trojan

January 28, 2019

Doctor Web has updated its Dr.Web Mobile Control Center for iOS to version 11.1.0. The update delivers minor tweaks to the application's features.

Specifically, it updates the license agreement and notification texts. iOS versions below 9 are no longer supported.

The update can be downloaded free of charge from the App Store.

January 28, 2019

Russian anti-virus company Doctor Web has updated its Dr.Web CureIt! utility to deliver state-of-the-art technologies that are already available in Dr.Web 12.0 products for Windows. The updated modules include cureit-starter (12.0.0.201812270), Dr.Web Anti-rootkit API (12.0.3.201811300), Dr.Web Scanning Engine (12.0.1.201811280) and Dr.Web Protection for Windows (12.00.02.11300).

Now Dr.Web CureIt! users can take advantage of the cutting-edge threat neutralisation technologies that have already been implemented in Dr.Web 12.0.

Also note that the utility no longer supports Windows XP SP2—Dr.Web CureIt! can only be used on computers running Windows XP3 (x86) or later. Furthermore, a system's CPU must support the instruction set SSE2.

Download Dr.Web CureIt!

#update #Windows

January 29, 2019

Russian anti-virus company Doctor Web has updated the design and features of its My Dr.Web Portal for business customers—the Portal now has an adaptive design and offers users widgets and new services.

New! Now you can access My Dr.Web Portal from a mobile device—thanks to its new adaptive design, you’ll be able to work comfortably with the Portal’s content from your smart phone or tablet.

New! Widgets at the top of each page let you contact Doctor Web's support service quickly or search the website.

Even more widgets will become available soon.

New! If some of your licenses haven't been activated yet, when you sign in to the Portal for the first time, you will instantly be directed to the Licensing page showing information about these licenses and an invitation to activate them.

New! In the Licensing menu you can now sort licenses by status: you can choose to view information only about the licenses you haven't renewed and renew them, filter the data to see only your active licenses, and download key files or applications. Information about all blocked licenses is available on a separate page.

New! Because website accounts are linked with the Portal, you no longer need to enter your login and password to move to drweb.com from the Portal and vice versa.

New! The Download Wizard is now accessible on the Portal. Just select the product you need from the list, and the information about all the licenses you have for the product will appear. Then you will only need to press Download—you will be directed to the Download Wizard as soon as you choose a product.

New! If you require complete information about a certain license—its validity period, available products, technical support availability, etc.— just click on the serial number link (available if the number has been activated). The License Manager will open. All the license information will be displayed automatically.

New! The Support section (probably the most important one) has been revamped to further improve its usability. Here, business customers can view all of their support queries (new, open, closed, pending) and quickly navigate to the desired request category.

You can also watch the video about the Portal's services (the information relevant to business users appears at 38 seconds).

New! The Self-support section contains links to the most useful information and services.

New! The Supplier section now also contains information about a supplier's certificates and the availability of Dr.Web-certified professionals on their staff. On this page, you can also recommend your supplier to other users. Now Dr.Web users can learn more about their license suppliers.

The Buy section is now also available on the Portal.

In the Accounts section, users with administrator permissions can create subsidiary User accounts for other staff members and manage My Dr.Web Portal access permissions.

If you have forgotten your My Dr.Web Portal password, recovering it will be easier: enter your registered email address or the login you received after registration.

Welcome to the redesigned My Dr.Web Portal:

• To access the portal, click here;
• If you are a registered user, use this link.

January 30, 2019

Russian anti-virus company Doctor Web has released Dr.Web Enterprise Security Suite 11.0.2 (REL-1102 201901120). The update delivers new features and resolves known issues.

New features and upgrades

• We’ve added the ability to change the number of anti-virus engines involved in scanning Windows hosts.
• Statistics tables, notifications and user routines now includes checksum information (SHA-1, SHA-256) about the threats that have been detected;
• Under Windows, Dr.Web agents now use the system language by default;
• We’ve improved the system for alerting administrators about insufficient permissions;
• Additional administrator options have been added for pre-defined user routines;
• The extended license usage report is now located in the Administration section of the Dr.Web Control Center.
• A new option in the Delayed Updates section can be used to stop agents from downgrading to earlier versions when revisions are being downloaded from the server.

Resolved issues:

• An issue allowing the anti-virus components to be started remotely without sufficient permissions;
• An issue preventing a host's MAC address from being displayed in its account properties;
• A filter issue preventing data from being sorted properly in the Control Center's Quarantine section;
• A filtering issue affecting statistics during export;
• An issue preventing anti-virus scanning from being launched on a remote host from the Web Console Notifications section;
• An issue interfering with IPv4 address validation in the network scanner settings.

The updated distributions can be downloaded from Doctor Web's site and from the GUS servers.

More information on Dr.Web Enterprise Security Suite version 11.0.2, including system requirements and installation details, can be found in the release notes.

January 30, 2019

Russian anti-virus company Doctor Web has updated Dr.Web Control Service (11.5.14.11130), the ES Service module (11.5.12.10260), Dr.Web Anti-rootkit API (11.5.6.201811150), Dr.Web Scanning Engine (11.5.5.201810250), Dr.Web Scanner SE (11.5.1.10300), the Dr.Web Shellguard anti-exploit module (11.05.02.10300), Dr.Web File System Monitor (12.00.01.11060), Dr.Web Protection for Windows (11.05.06.11300), and the Dr.Web Sysinfo (11.5.3.201811230) modules for the Dr.Web Enterprise Security Suite 11.0.2 agents.

The update enables the agents to transmit threat checksums (SHA-1, SHA-256) to the Dr.Web Enterprise Security Suite 11.0.2 server. In suite versions 11.0.0 and 11.0.1, the agents will operate as before.

The update will be performed automatically; however, a system reboot will be required.

January 31, 2019

Russian anti-virus company Doctor Web has updated Dr.Web Anti-rootkit API (12.0.4.201901180), the Dr.Web Shellguard anti-exploit module (11.05.04.01140), Dr.Web for Outlook Plugin (12.0.0.201812240), Dr.Web Anti-virus for Windows servers setup (12.0.4.01100), and the Dr.Web Protection for Windows module (12.00.03.12210) in Dr.Web Security Space 12.0, Dr.Web Anti-virus 12.0, and Dr.Web 12.0 for Windows Servers. The update resolves known software issues.

Changes made to Dr.Web Anti-rootkit API:

• An issue that could cause memory leaks while running processes were being scanned has been resolved.
• A dwservice.exe process problem that could cause increased CPU usage when H.264 video files were being opened has been eliminated.

Changes made to the Dr.Web Shellguard anti-exploit module:

• An issue causing anti-exploit module false positives to occur while MS Office 2019 and the Office Tab 13.0 plugin or Habel software were in use has been fixed.
• Security has been enhanced for dll files being used by protected applications.

Changes made to Dr.Web for Outlook Plugin:

• A problem preventing file names of password-protected archives from displaying correctly when being added to the quarantine has been resolved.
• UI elements in the plugin settings window now display properly on high-resolution screens.
• An issue interfering with message sending in MS Outlook 2010 has been resolved.
• Issues involving anti-spam false positives have been addressed.
• Also addressed was an issue preventing the plugin from launching if MS Outlook started automatically before the Dr.Web modules.
• A performance issue occurring when switching between messages in MS Outlook (provided no anti-spam module was installed) has been resolved.

Changes made to Dr.Web Anti-virus for Windows servers setup in Dr.Web for Windows Servers:

• Improved Lithuanian language support.

The update will be performed automatically; however, a system reboot will be required.

January 31, 2019

Russian anti-virus company Doctor Web has updated Dr.Web for Outlook Plugin (11.5.1.201901183) and Dr.Web Shellguard anti-exploit module (11.05.04.01140) in Dr.Web Security Space 11.5, Dr.Web Anti-virus 11.5 and Dr.Web 11.5 for Windows Servers. The update resolves known software issues.

Changes made to Dr.Web for Outlook Plugin:

• Issues involving anti-spam false positives have been addressed.

Changes made to the Dr.Web Shellguard anti-exploit module:

• An issue causing anti-exploit module false positives to occur while MS Office 2019 and the Office Tab 13.0 plugin or Habel software were in use has been fixed.
• Security has been enhanced for dll files being used by protected applications.

The update will be performed automatically; however, a system reboot will be required.

January 31, 2019

Russian anti-virus company has updated the Dr.Web Shellguard anti-exploit module (11.05.04.01140) in Dr.Web Enterprise Security Suite 10.01 and Dr.Web AV-Desk 10.01. The update resolves known software issues.

Changes made to the Dr.Web Shellguard anti-exploit module:

• An issue causing anti-exploit module false positives to occur while MS Office 2019 and the Office Tab 13.0 plugin or Habel software were in use has been fixed.
• Security has been enhanced for dll files being used by protected applications.

The update will be performed automatically; however, a system reboot will be required.

February 1, 2019

Doctor Web presents its January 2019 virus activity review. During the first month of the new year we registered a significant increase in the number of devices infected by Windows OS blockers. Beyond that, our statistics showed a 50% higher rate of malicious documents being sent via email. Read more in our latest virus activity review.

Go to the review

February 1, 2019

2018 may have been a rollercoaster in terms of info security and privacy, but at the end of the year, we finally witnessed a long-awaited break. Cybercriminals decreased their activity during the holidays; but despite that, our statistics show a few peculiar and disturbing trends for January.

In the middle of the month, cryptocurrency holders were attacked by a monitoring tool that was disguised as a downloader Trojan. Later this month we registered a 28% increase in devices infected with the Trojan.Winlock.14244. Beyond that, our email traffic statistics show a 50% higher rate of distribution of malicious documents exploiting Microsoft Office vulnerabilities.

Threat of the month

In January Doctor Web’s researchers discovered a Trojan in a cryptocurrency monitoring tool. This malware downloaded other Trojans on a victim’s PC and used them to steal private data, including passwords from cryptocurrency wallets.

More about this Trojan

According to Doctor Web’s statistics servers

Growing threats of the month:

Trojan.Winlock.14244

Ransomware Trojan. Blocks or limits user’s access to the Windows operating system, and its functionalities. In order to unlock the system, a user must transfer money to the cybercriminals.

Adware.Downware.19283

The sort of adware that is usually distributed as an installer for pirated software. Upon installation, it changes a browser’s settings and may install other software without asking for the user’s permission.

Trojan.DownLoader26.28109

Downloads and runs malicious software without the user’s permission.

Trojan.Encoder.11432

Infamous ransomware also known as WannaCry. Blocks access to users’ data by encrypting it and demanding payment for decrypting the data.

Decreased amount of threats from:

Trojan.Starter.7394

Trojan designed for launching other malicious software on a victim’s device.

Trojan.MulDrop8.60634

Installs malware in a system. All the components necessary for installation are usually stored inside the MulDrop itself.

Trojan.Zadved.1313

Adware. Alters search results and redirects users to advertising websites.

Statistics for malware discovered in email traffic

Increased number of threats from:

JS.DownLoader.1225

A variety of malicious code written in JavaScript and designed to download and install other malware on a computer.

Exploit.Rtf.CVE2012-0158

Modified Microsoft Office document. Exploits CVE2012-0158 vulnerability in order to run malicious code.

W97M.DownLoader.2938

A family of downloader Trojans that exploit vulnerabilities in office applications and can download other malicious programs to a compromised machine.

Exploit.ShellCode.69

Another malicious Microsoft Office Word document. This one uses vulnerability called CVE-2017-11882.

Trojan.PWS.Stealer.23680

A family of Trojans designed to steal passwords and other confidential information stored on an infected computer.

Increased activity of following threats:

Trojan.Nanocore.23

This dangerous malware is from a remote access Trojan family(RAT). It has infected 4 times more devices than in the previous month. Nanocore allows complete remote control of an infected device, including control over the camera and microphone.

JS.Miner.28

Malicious JavaScript code. Its purpose is to mine Monero cryptocurrency in a browser without asking for a user’s permission. Often used as an alternative to the CoinHive miner.

Decreased the number of threats from:

Trojan.Fbng.8

The Trojan also known as FormBook. It’s designed to steal private data, but can also receive commands from the developer’s server.

Trojan.Encoder.26375

A malicious program from the encryption ransomware family. This Trojans encrypts files and demands a ransom for data decryption.

JS.Miner.11

This name belongs to a group of malicious JavaScript code. Its purpose is to mine Monero cryptocurrency in a browser without asking for a user’s permission. Uses CoinHive miner.

Trojan.SpyBot.699 multi-module banking Trojan was less active during December, but continued to spread in January. It was created to help cybercriminals download and launch various applications on an infected device, as well as execute different commands. The Trojan is intended to steal money from bank accounts.

Encryption ransomware

In January, Doctor Web’s technical support was most often contacted by victims of the following encryption ransomware:

• Trojan.Encoder.858—26.32% of requests;
• Trojan.Encoder.11464—12.63% of requests;
• Trojan.Encoder.11539—7.72% of requests;
• Trojan.Encoder.25574—1.58% of requests;
• Trojan.Encoder.567—5.96% of requests;
• Trojan.Encoder.5342— 0.88% requests;

Dangerous websites

During January 2019, 293,012 URLs of non-recommended websites were added to the Dr.Web database.

Malicious and unwanted programs for mobile devices

Throughout January InfoSec researchers continued discovering malware apps hidden in the Google Play Store. Among them — downloaders from the Android.DownLoader family that were deploying Android banking malware on victim devices. Another threat worth mentioning is adware. In particular, Android.HiddenAds.361.origin and Android.HiddenAds.356.origin. When launched they disappear from the desktop and begin to show ads. In the end of the month cybersecurity researchers uncovered a few new trojan-clickers( Android.Click), capable of loading any website on a developer’s command. To top it all off, new spyware was caught stealing private information from users - Trojan named Android.Spy.525.origin.

Among the most notable January events related to mobile malware we can report the following:

• The detection of new Android Trojans on Google Play;
• Distribution of a dangerous spyware.

February 1, 2019

Russian anti-virus company Doctor Web has updated the Dr.Web Link Checker browser plugin for Mozilla Firefox to version 3.9.15.

The update delivers tweaks and adjustments to comply with Mozilla’s requirements for browser extensions.

If you already use Dr.Web Link Checker, it will be updated automatically.

February 1, 2019

Doctor Web presents its January 2019 overview of malware for mobile devices. This month, we detected various malicious programs on Google Play, including adware Trojans, downloaders of Android bankers, Trojan spyware, and other threats. Read more about these events in our review.

Go to the review

February 1, 2019

In the past month, Android devices were targeted with a lot of malware. In early January, Doctor Web’s virus analysts investigated the Trojan Android.Spy.525.origin, designed for cyberspying. Later, several adware Trojans were discovered and dubbed Android.HiddenAds.361.origin and Android.HiddenAds.356.origin. In January our specialists also detected several new clickers from the Android.Click family, posing as official bookmaker applications. In addition, cybercriminals distributed downloader Trojans of the Android.DownLoader family, which downloaded Android bankers to smartphones and tablets.

Mobile threat of the month

In early January, the Dr.Web virus database was updated to detect the spyware Android.Spy.525.origin. It was distributed on Google Play under the guise of useful applications, as well as via a malicious website that redirected the potential victims to MediaFire, a popular file sharing resource that stored a copy of the Trojan.

Upon command from its command and control server, Android.Spy.525.origin could track the location of an infected smartphone or tablet, steal text message history, obtain information about phone calls, data from the phone book, files stored on the device, as well as display phishing windows.

According to statistics collected by Dr.Web for Android

Android.Backdoor.682.origin

A Trojan that executes cybercriminals’ commands and helps them control infected mobile devices.

Android.RemoteCode.197.origin

A malicious application designed to download and execute arbitrary code.

Android.HiddenAds.261.origin

Android.HiddenAds.659

Trojans designed to display intrusive advertisements. They are distributed as popular applications by other malicious programs; which in some cases, covertly install themselves in the system catalog.

Android.Mobifun.4

A Trojan that downloads various applications.

Adware.Zeus.1

Adware.AdPush.29.origin

Adware.Patacore.1.origin

Adware.Patacore.168

Adware.Jiubang.2

Unwanted program modules that incorporate themselves into Android applications and display obnoxious ads on mobile devices.

Threats on Google Play

Apart from Android.Spy.525.origin, other threats were discovered on Google Play in January. At the beginning of the month, the Dr.Web virus database was updated to detect the Trojans Android.HiddenAds.361.origin and Android.HiddenAds.356.origin. These malicious programs were modifications of Android.HiddenAds.343.origin, which we reported in the review as of December 2018. Android.HiddenAds.361.origin and Android.HiddenAds.356.origin were distributed under the guise of useful programs. When launched, they hid their icons and started displaying ads.

In addition, our malware analysts investigated a variety of downloaders. Cybercriminals presented them as useful programs, such as currency converters, official banking applications, and other software. These Trojans were dubbed Android.DownLoader.4063, Android.DownLoader.855.origin, Android.DownLoader.857.origin, Android.DownLoader.4102, and Android.DownLoader.4107. They downloaded and attempted to install Android bankers on mobile devices to steal confidential information and money from users’ accounts in financial institutions.

One of those banking Trojans was Android.BankBot.509.origin, a modification of Android.BankBot.495.origin, already reported by our company in December 2018. This banker used the Accessibility Service to covertly manage installed applications by pressing buttons and menu items. Another Trojan, dubbed Android.BankBot.508.origin, displayed phishing windows and attempted to steal users’ credentials and other personal information. It also hooked text messages with confirmation codes for transactions.

In late January, Doctor Web’s experts discovered new clicker Trojans from the family Android.Click, including Android.Click.651, Android.Click.664, Android.Click.665, and Android.Click.670. The cybercriminals distributed them under the guise of official applications of bookmaker companies. These malicious apps could load any websites at the command of the command and control server, which is a serious threat.

The Doctor Web specialists continue monitoring the situation with mobile viruses and promptly update the Dr.Web virus database to detect and remove malicious and unwanted programs. Thus, smartphones and tablets with Dr.Web for Android are safe and secure.

5 February 2019

Russian anti-virus company Doctor Web has updated Dr.Web for Outlook Plugin (12.0.1.201901250), the amsi-client module (12.0.1.201901150), and the configuration files Lua-script for main (12.0.4.01280), Lua-script for av-service (12.0.2.11200), and Lua-script for firewall (12.0.0.10190) in Dr.Web Security Space 12.0 and Dr.Web Anti-virus 12.0. Furthermore, amsi-client, Lua-script for main, and Lua-script for av-service have also been updated in Dr.Web 12.0 for Windows Servers. The update resolves known issues and delivers minor upgrades.

Changes made to Dr.Web for Outlook Plugin:

• The update addresses an issue involving text files being generated only partially after a malicious email attachment was disarmed.

Changes made to amsi-client:

• An issue interfering with business automation software Ispro’s operation on machines running Windows 10 has been eliminated.

The update will be downloaded and installed automatically.

February 6, 2019

Russian anti-virus company Doctor Web has released Dr.Web CureNet! Master 11.1 for iOS. The update introduces a number of upgrades.

Specifically, it includes an updated EULA text and delivers minor tweaks and improvements.

To date, Dr.Web CureNet! Master for iOS supports the Russian, English, French, and German languages. Download Dr.Web CureNet! Master for iOS in the App Store.

6 February 2019

Russian anti-virus company Doctor Web has updated Dr.Web File System Monitor (12.00.01.02050), Dr.Web for Outlook Plugin (11.5.1.201901183), the Dr.Web Shellguard anti-exploit module (11.05.04.01140), Dr.Web Anti-rootkit API (11.5.6.201901161), ES Service (11.5.14.01220), amsi-client 12.0.1.201901150, and SpIDer Agent for Windows (11.5.6.12260) and its language files in Dr.Web Enterprise Security Suite 11.0. The update resolves known issues and delivers minor upgrades.

Changes made to Dr.Web File System Monitor:

• An issue causing DFS-related (Distributed File System) critical system errors has been eliminated.

Changes made to the Dr.Web for Outlook Plugin:

• Issues involving anti-spam false positives have been addressed.

Changes made to the Dr.Web Shellguard anti-exploit module:

• An issue causing anti-exploit module false positives to occur while MS Office 2019 and the Office Tab 13.0 plugin or Habel software were in use has been fixed.
• Security has been enhanced for dll files being used by protected applications.

Changes made to Dr.Web Anti-rootkit API:

• An issue that could cause memory leaks while running processes were being scanned has been resolved.
• A dwservice.exe process problem that could cause increased CPU usage when H.264 video files were being opened has been eliminated.

Changes made to Dr.Web ES Service:

• An issue involving the Task Scheduler disregarding the option “Disable after the first execution” (for protected hosts) has been resolved;
• Also resolved was a logging exceptions issue causing the service to terminate abnormally

Changes made to amsi-client:

• Fixed hangs of IS-Pro software if the product is installed on computers with MS Windows 10.

Changes made to Dr.Web SpIDer Agent for Windows:

• Information about the threats detected by the preventive protection is now displayed in the server message window.

The update will be performed automatically; however, a system reboot will be required.

February 12, 2019

Russian anti-virus company Doctor Web has updated Dr.Web Net filtering Service (12.0.3.01221) in Dr.Web Security Space 12.0 and Dr.Web Anti-virus 12.0, as well as Dr.Web Scanning Engine (12.0.2.201812140), the Dr.Web Updater module (12.0.6.11260), Dr.Web Control Service (12.0.6.01250), Dr.Web Thunderstorm Cloud Client SDK (12.0.2.12250), the email-templates component (12.0.0.12060) and Dr.Web File System Monitor (12.00.01.02050) in Dr.Web Security Space 12.0, Dr.Web Anti-virus 12.0, and Dr.Web 12.0 for Windows Servers.The update resolves known issues and delivers minor upgrades.

Changes made to the Dr.Web Net filtering Service:

• A connection loop issue that could occur if third-party software that uses WFP was present in the system has been resolved.

Dr.Web Control Service:

• An issue preventing the statistics database from being cleaned up when the maximum allowed number of entries was reached has been addressed.
• Also resolved was a redundant license expiry notification problem that could arise while firewall prompts were being displayed under Windows 10.

Changes made to email-templates:

• Minor adjustments were made to the email notification texts.

Changes made to Dr.Web File System Monitor:

• An issue involving Windows system crashes, which could occur while DFS (Distributed File System) file shares were being accessed, has been resolved.

The update will be performed automatically; however, a system reboot will be required.

February 13, 2019

Doctor Web has updated its Dr.Web for macOS to version 11.1.3. The update resolves a known issue and delivers minor upgrades.

Specifically, it eliminates an issue preventing users from being notified that their access to categories of sites has been restricted and that the SpIDer Gate HTTP monitor has blocked the download of known threats.

To update Dr.Web for macOS to version 11.1.3, you need to download the new distribution.

February 13, 2019

Russian anti-virus company Doctor Web has updated Dr.Web Control Service (12.0.7.02130) in Dr.Web Security Space 12.0, Dr.Web Anti-virus 12.0 and Dr.Web 12.0 for Windows Servers. The update delivers a fix for an identified problem.

Specifically, it eliminates an issue that in some cases could prevent Dr.Web components for Windows file servers from operating normally.

The update will be downloaded and installed automatically.