Your browser is obsolete!

The page may not load correctly.

  • add to favourites
    Add to Bookmarks

If you don't know how, don't even try it

Read: 1373 Comments: 2 Rating: 10

Astute Dr.Web users have probably noticed that some threats in our database have slightly weird names. In addition to obvious things like Android.* or Trojan.*, you can come across things like Tool.*. What does that mean?

Well, those threats are tools that can be dangerous. They may include, for example, applications that mine cryptocurrencies. On the one hand, nothing is inherently wrong with mining. One can install and use a miner to the extent permitted by law. But criminals are also eager to get hold of a few bitcoins, and they use the same applications to do so. But they install them on computers without user consent.

It should be noted that cybercriminals use a different tool to mine electronic currency. That tool was created by another developer and is detected by Dr.Web as a program belonging to the Tool.BtcMine family. The developer of this application distributes it on one condition—2.5 per cent of the electronic currency stolen with the help of the tool must be forwarded to the developer’s account. Thus, cybercriminals automatically send a portion of their “earnings” to the tool’s creator.

The application cpuminer is used to mine cryptocurrency. However, in an infected system it operates as %APPDATA%\Intel\explorer.exe.

And sometimes unscrupulous employees install mining software on their company's servers—naturally they don't notify the management about that.

As a rule, in our laboratory the prefix Tool is appended to the names of special utilities—file content viewers, system tuning utilities… These programs are regarded as potentially dangerous because if users don't know exactly what they are doing and how they need to do it, they may cause damage in the system. Furthermore, programs of this kind can have flaws or malfunction under certain circumstances—and the consequences can be dire for the operating system.

However, even more dangerous incidents can happen. For example, keyloggers (which record key strokes and thus enable password information to be extracted and other people's activities to be monitored) are also placed in the Tool.* category. Another example of something that can be a threat is Tool.DroidSheep—it scans unencrypted Wi-Fi traffic to check for the presence of cookie files from popular social media websites and websites offering services—e.g., VKontakte (, Facebook, Amazon and Google. Harvested data can be used by attackers to sign in to them under the compromised accounts.

How do Tool threats differ from ordinary Trojans? If, for example, a keylogger is distributed in the guise of a harmless application or as part of a game or another program, a Trojan is involved. But if it is clearly stated that the program is a keylogger that can be installed when a friend steps away from their computer, the threat involved belongs in the Tool category.

Surely, applications of this sort can be used for legitimate purposes, e.g., one of the files detected under this category can be used as a simple utility that extracts passwords saved in browsers to help users with memory problems. But the utilities may also perform dubious tasks. For example, Tool.VkObmen can send multiple queries and adjust vote counters on

If you know what you’re doing, you can add such a program to your anti-virus's whitelist and use it. Most important, remember that you are solely responsible for the possible consequences. Otherwise, you are better off without applications of this sort. After all, an axe can be used just as well to chop wood or to commit a crime that then incurs a punishment.

#anti-virus #Dr.Web #malware

The Anti-virus Times recommends

  • Protect your anti-virus’s settings with a password. By doing so, you will make sure that no one will be able to "smuggle" a potentially dangerous program from the Tool category onto your computer and turn it into a real threat.
  • If your anti-virus regards a certain application as a threat and you don't quite agree with it—just trust the anti-virus.
  • If you are certain that you want to use a program detected by Dr.Web and it falls in the Tool category and you know exactly what you want to do with it—add it to your whitelist and use it, but remember that there may be consequences.

Rate this issue and receive Dr.Weblings! (1 vote = 1 Dr.Webling)

Sign in and get 10 Dr.Weblings for sharing the link to this issue via social media.


Unfortunately, due to Facebook's technical limitations, Dr.Weblings cannot be awarded. However, you can share this link with your friends for free.

Tell us what you think

Leave your comment on the day of publication and get 10 Dr.Weblings, or get 1 Dr.Webling for a comment posted any other day. Comments are published automatically and are reviewed by a moderator. Rules for leaving comments about Doctor Web news items.

To leave a comment, you need to log in under your Doctor Web site account. If you don't have an account yet, you can create one.