
Threats of the month: February 2017 virus activity review

A new banker, a Windows Trojan that infects Linux devices, and other events of February 2017…

Russian anti-malware company Doctor Web presents its February 2017 virus activity review. In the last month of winter, Doctor Web security researchers detected a new banking Trojan and a dangerous malicious program for Windows-running computers that actually infects Linux devices.

February 2017 virus activity review

The last month of winter was marked by the emergence of a new banking Trojan that inherited fragments of the source code of another widespread banker family—Zeus (Trojan.PWS.Panda).

This malware injects arbitrary content into user-loaded web pages and runs a VNC server on the infected computer. Also in February, Doctor Web security researchers detected a new Trojan for Linux. New entries were also added to the Dr.Web virus databases for Android.

Principal trends in February 2017

  • The distribution of a new banking Trojan
  • The detection of a new malicious program for Linux
  • The emergence of new malware for Android

Threat of the month

Banking Trojans are considered one of the most dangerous types of malware programs since they are capable of stealing money directly from the bank accounts of their victims. The new banking Trojan examined by Doctor Web security researchers was dubbed Trojan.PWS.Sphinx.2. It performs web injections, i.e., it injects arbitrary content into user-loaded web pages. Thus, it can, for example, send cybercriminals user login credentials to access online banking services. The user enters this data into fake forms created by the Trojan. Below is an example of the code that Trojan.PWS.Sphinx.2 embeds in the pages of the bankofamerica.com website:

[Screenshot: code that Trojan.PWS.Sphinx.2 injects into bankofamerica.com pages]

Furthermore, Trojan.PWS.Sphinx.2 can run a VNC server on an infected computer, and cybercriminals can use it to connect to the infected device and install digital certificates in the system for organizing attacks based on MITM (Man-in-the-middle) technology. The Trojan has a grabber—a module that intercepts and sends data entered by the user into various forms to a remote server. It is notable that the automatic launch of Trojan.PWS.Sphinx.2 is executed via a special PHP script. More information about this malicious program can be found in the corresponding review published by Doctor Web.

According to statistics collected by Dr.Web CureIt!


  • Trojan.InstallCore
    A family of installers of unwanted and malicious applications.
  • Trojan.LoadMoney
    A family of downloader programs generated by servers belonging to the LoadMoney affiliate program. These applications download and install unwanted software on the victim’s computer.
  • Win32.Virut.5
    A complex polymorphic virus that infects executable files and contains functions that allow infected computers to be controlled remotely.


  • Trojan.Zadved
    This Trojan displays fake search results in the browser window and imitates pop-up messages from social networking sites. In addition to this, the malware can replace advertisements displayed on different Internet resources.
  • Trojan.InstallCore
    A family of installers of unwanted and malicious applications.
  • JS.DownLoader
    A family of malicious JavaScript programs that download and install malicious software.
  • BackDoor.IRC.NgrBot.42
    A fairly common Trojan that has been known to information security researchers since 2011. Malicious programs of this family are able to execute intruder-issued commands on infected machines, and cybercriminals use the IRC (Internet Relay Chat) text-messaging protocol to control those PCs.

Statistics concerning malicious programs discovered in email traffic


  • JS.DownLoader
    A family of malicious JavaScript programs that download and install malicious software.
  • Trojan.Zadved
    This Trojan displays fake search results in the browser window and imitates pop-up messages from social networking sites. In addition to this, the malware can replace advertisements displayed on different Internet resources.
  • Trojan.PWS.Stealer
    A family of Trojans designed to steal passwords and other confidential information stored on an infected computer.

According to Dr.Web Bot for Telegram data


  • Android.Locker.139.origin
    A ransomware Trojan for Android. Different modifications of these malicious programs can lock a device after alleging, via an on-screen warning, that the device owner has done something illegal. To unlock the device, the owner has to pay a ransom.
  • Joke.Locker.1.origin
    A joke program for Android that blocks a mobile device’s screen and displays the Windows BSOD (“Blue Screen of Death”).
  • Android.HiddenAds.24
    A Trojan designed to display unwanted ads on mobile devices.
  • Android.SmsSend.15044
    One of the Trojans belonging to the family of malicious programs designed to send SMS messages to premium numbers and subscribe users to chargeable services, including paid-content services.
  • BackDoor.Comet.2020
    A representative of the malware family that executes commands received from cybercriminals on an infected device and provides them with unauthorized access to it.

Encryption ransomware


In February, Doctor Web’s technical support was most often contacted by victims of the following modifications of encryption ransomware:

This article was originally published on https://news.drweb.com/

Trojan.PWS.Panda

Added to Dr.Web virus database: 2011-06-12
Virus description was added: 2011-06-14

Technical Information

To ensure autorun and distribution:

Modifies the following registry keys:

  • [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] ‘userinit’ = ‘<SYSTEM32>\userinit.exe,<SYSTEM32>\sdra64.exe,’

Modifies file system:

Creates the following files:

  • <SYSTEM32>\sdra64.exe

Sets the ‘hidden’ attribute to the following files:

  • <SYSTEM32>\sdra64.exe
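The Userinit modification above is the persistence mechanism a defender would check for. The script below is an added example, not Doctor Web's code: it parses the comma-separated Winlogon Userinit value, flags any entry other than the legitimate userinit.exe (including a userinit.exe that lives outside system32), and marks entries whose file name matches the sdra64.exe indicator quoted on this page. On Windows it reads the live registry value; elsewhere it falls back to a constructed sample that mirrors the value the description shows. The function names and the sample value are my own.

```python
"""Flag extra autorun entries in the Winlogon 'Userinit' registry value.

Added example (not Doctor Web's code). Per the Trojan.PWS.Panda description,
the Trojan rewrites
  HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit
to '<SYSTEM32>\\userinit.exe,<SYSTEM32>\\sdra64.exe,' so that Winlogon starts
the dropped sdra64.exe next to the real userinit.exe at every logon. On a
stock system the value holds only userinit.exe, so any other entry, or a
userinit.exe outside system32, deserves a look.
"""
import sys
from typing import Optional

USERINIT_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
USERINIT_VALUE = "Userinit"

# File name quoted in the page's Trojan.PWS.Panda technical information.
KNOWN_BAD_NAMES = {"sdra64.exe"}


def parse_userinit(value: str) -> list:
    """Split the comma-separated value; the trailing comma yields no entry."""
    return [e.strip() for e in value.split(",") if e.strip()]


def _split_path(entry: str) -> tuple:
    """Return (directory, file name), accepting either slash style."""
    head, _, name = entry.replace("/", "\\").rpartition("\\")
    return head, name


def is_expected_userinit(entry: str) -> bool:
    """True only for userinit.exe as a bare name or under a system32 directory.

    '<SYSTEM32>' is the placeholder Dr.Web descriptions use for the real path.
    """
    head, name = _split_path(entry)
    if name.lower() != "userinit.exe":
        return False
    return head == "" or head.upper() == "<SYSTEM32>" or head.lower().endswith("system32")


def is_known_indicator(entry: str) -> bool:
    """True when the entry's file name matches an indicator from the page."""
    return _split_path(entry)[1].lower() in KNOWN_BAD_NAMES


def suspicious_userinit_entries(value: str) -> list:
    """Every entry that is not the legitimate userinit.exe."""
    return [e for e in parse_userinit(value) if not is_expected_userinit(e)]


def read_live_userinit() -> Optional[str]:
    """Read the value from the live registry on Windows; None elsewhere."""
    if sys.platform != "win32":
        return None
    import winreg  # standard library, Windows only
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, USERINIT_KEY) as key:
        value, _ = winreg.QueryValueEx(key, USERINIT_VALUE)
        return value


if __name__ == "__main__":
    live = read_live_userinit()
    # Constructed sample mirroring the value quoted on the page, used when
    # this is not running on Windows.
    value = live if live is not None else r"<SYSTEM32>\userinit.exe,<SYSTEM32>\sdra64.exe,"
    print("Userinit =", value)
    for entry in suspicious_userinit_entries(value):
        tag = "KNOWN INDICATOR" if is_known_indicator(entry) else "unexpected"
        print(f"  [{tag}] {entry}")
```

An empty result from suspicious_userinit_entries is the expected state; any other entry is worth correlating with the hidden-attribute file check that follows in the description, since the same sample both drops the binary into system32 and hides it.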

Miscellaneous:

Searches for the following windows:

  • ClassName: ‘??A’ WindowName: ‘’
