Microsoft Malware Protection Center

Threat Research & Response Blog

December, 2008

  • Just in time for New Year's....

    Hello again from Melbourne! We've seen another resurgence of Worm:Win32/Conficker , this time as Worm:Win32/Conficker.B . We've already received a number of reports of this new variant from the wild from affected users. Not surprisingly, a majority of the new infections we’re seeing are on machines that are yet to install the MS08-067 update (see our previous posts ' More MS08-067 Exploits ' and ' A Quick Update About MS08-067 Exploits '). This new variant also spreads via network shares by...
  • Namaskar from New Delhi - AVAR 2008

    Recently I returned from the Association of anti-Virus Asia Researchers Conference (known as AVAR 2008 ) in New Delhi, India. Microsoft was a Gold Sponsor of the conference, at which there were a number of interesting presentations. This was also a great opportunity to meet other researchers in the anti-malware industry. Subratam from MMPC Redmond also attended. As I’d not visited India before, I took some annual leave before the conference so I could visit more of the surrounding area....
  • Now I've Seen It All (Maybe)

    I've been coding anti-virus routines for 1, 2, 5... 10, 15, 20... a really long time. Starting with the Apple II, before there was even an anti-virus industry, and continuing on the PC (and funnily enough, joining the industry wasn't the obvious choice for me when I left school). In between times, I've analysed viruses for the Commodore 64, Amiga, Macintosh, and Itanium platforms, macros, scripts, things on phones, things on devices... even things on calculators! My website is full of descriptions...
  • MSRT Review - Win32/FakeXPA and Win32/Yektel Rogues

    As mentioned previously on this blog, we added two “rogue” families to MSRT this month: Win32/FakeXPA and Win32/Yektel . We’ve known that rogues in general have been growing in prevalence for some time and with two months of MSRT data (last month we added a family of rogues called Win32/FakeSecSen ) we’re seeing that confirmed. In analysing the data, however, we have also found some surprises. Here are the numbers: Threat Family Distinct machines cleaned Win32/FakeXPA...
  • The new IE exploits for Advisory 961051, Now Hosted on Pornography Sites

    Two days ago, we blogged about attacks that involve exploits of the recently discovered vulnerability in Internet Explorer. We would like to give you a quick update about these attacks. Based on our stats, since the vulnerability has gone public, roughly 0.2% of users worldwide may have been exposed to websites containing exploits of this latest vulnerability. That percentage may seem low, however it still means that a significant number of users have been affected. The trend for now is going...
  • Limited Exploitation of Microsoft Security Advisory 961051

    The MSRC released a security advisory yesterday about a vulnerability in Internet Explorer. Just like our colleagues at the MSRC , we're tracking the situation very closely as we've observed the vulnerability exploited in the wild, however within a relatively limited context. Virtually all the malicious sites we've seen taking advantage of the vulnerability thus far are hosted on a variety of Chinese domains. According to the investigation thus far, the vulnerability affects Windows Internet Explorer...
  • Win32/Yektel - the Other Kind of Rogue

    In addition to Win32/FakeXPA we added another rogue-related malware family to MSRT this month - Win32/Yektel . Win32/Yektel is a different kind of rogue. Like other rogues, it displays fake warnings about possibly malware or spyware, but rather than pretending to be a security product itself, it tries to blend in with its surroundings. There is a very good reason to target Win32/Yektel and Win32/FakeXPA together: most of the current incarnations of FakeXPA download Yektel. Nevertheless, Yektel works...
  • FakeXPA... Journey of a Rogue

    Rogue security products have been around for some years, and now they seem to be everywhere. In my previous blog about Trojan:Win32/Antivirusxp I talked about the relationships between rogue products and various other threats. One common behavior of rogue products is their ever-changing domain names and user interfaces. Most rogue products emerge and then disappear into thin air. However, a few persist and remain the "big fish" to catch. This month's addition to MSRT, Trojan:Win32/FakeXPA , is...
  • O Come All Ye Malware

    Well, after our last post, it certainly didn't take long to see some examples of festive malware from the wild. (You'd almost think that we've seen this kind of behavior before - again and again and again...) In the last couple of days, we (and other AV vendors) have observed the arrival of several new 'merry' malware on the scene. First, we have Worm:Win32/Prolaco.A@mm - this is a worm that spreads via e-mail and peer-to-peer file sharing networks. It also appears to be able to spread via removable...
  • General Anti-Malware Advice

    As always, Microsoft continues to encourage customers to follow all of the steps of the “Protect Your PC” guidance of enabling a firewall, applying all software updates and installing anti-virus and anti-spyware software. Unfortunately, technology alone cannot stop the impact of this malicious activity so Microsoft continues to recommend that people adhere to its online safety guidance, which is also outlined at www.microsoft.com/protect : Keep personal information to yourself. Guard account...