Your browser is obsolete!

The page may not load correctly.

  • add to favourites
    Add to Bookmarks

And things like this happen, too

Read: 306 Comments: 0 Rating: 4

What do you think: how interesting can a virus analyst’s job be? Do they come across notorious, sophisticated, and—just as important—operational malicious programs on a daily basis?

"An analyst’s workload is rather heavy. That's why security researchers are in high demand all over the world. These specialists must possess a unique skill set", said Igor Danilov.

News articles usually describe threats that are out of the ordinary—malicious programs with peculiar features or ones that have caused an outbreak. But not every piece of malicious code passing through an analyst’s hands is headline worthy. For example:

CERT-UA researchers examined a file that arrived as an email attachment.

It is typically spread via email.

If it has permission to run JavaScript files in a system, a script will download svc.exe, check the current date (which must be no later than 29.10.2017), and launch it.

An email contains a script that downloads an executable file to a computer. There is nothing unusual in that either.

Once encryption is complete, the system is not restarted, but files with a coin icon appear on the desktop along with temporary files that have been created while the documents were being encrypted.

While svc.exe is running, another executable with a random name (e.g. 623.exe) is created. This file is saved in the infected system and executed as a console application.

To elevate its privileges, the encryption ransomware program exploits the vulnerability CVE-2017-0263.

And again, there’s nothing special happening there. What is so unusual about this encryption ransomware species?

It turns out that it only operates if the file msxml2.dll is available in the system.

Otherwise, it just doesn’t work. And programs like this exist too! And yet we have to waste our time analysing this kind of garbage as well.

“One can still come across "interesting" samples, but they don't intrigue me. Yes, the implementation can be more sophisticated, but the ideas behind them are stale. What’s “new” is actually old, repackaged stuff".

Igor Danilov

P.S. The described malicious file is detected by Dr.Web as JS.Downloader.4232 and poses no threat to systems protected by our anti-viruses.


Dr.Web recommends

Our virus laboratory receives huge numbers of files for analysis. They are crafted by experienced hackers as well as by newbies. So the quality of malicious code varies accordingly. The incident we've described above is by no means unique; it’s a rather typical story. It shows that malicious programs aren’t necessarily ideal in terms of quality.But even inferior malware can cause irreparable damage in a system.

Therefore, no matter how crude a malicious program can be, it mustn't be allowed to infect computers.

And by the way… What will happen if an application we're installing requires msxml2.dll?



Yes, that’s right. Now imagine what would have happen if Dr.Web Security Space hadn't been installed on our computer.

Rate this issue and receive Dr.Weblings! (1 vote = 1 Dr.Webling)

Sign in and get 10 Dr.Weblings for sharing the link to this issue via social media.


Unfortunately, due to Facebook's technical limitations, Dr.Weblings cannot be awarded. However, you can share this link with your friends for free.

Tell us what you think

Leave your comment on the day of publication and get 10 Dr.Weblings, or get 1 Dr.Webling for a comment posted any other day. Comments are published automatically and are reviewed by a moderator. Rules for leaving comments about Doctor Web news items.

To leave a comment, you need to log in under your Doctor Web site account. If you don't have an account yet, you can create one.