Microsoft Malware Protection Center

Threat Research & Response Blog

February, 2009

  • MSRT February 2009 - Win32/Srizbi

    This month's MSRT takes on one of the largest botnets currently active worldwide – Win32/Srizbi. The Srizbi family of malware consists of trojan droppers and rootkits that often spread through spam e-mails containing download links to the malware. Much like its alleged close cousin Win32/Rustock (which the MSRT has removed since Oct 2008), the Srizbi family of malware was developed mainly for the purpose of spam-for-hire operations. The Srizbi malware authors offer the botnet as an efficient...
  • Updated Conficker Functionality

    We’ve been getting questions from some of our customers about a new sample of Win32/Conficker, dubbed by some as Conficker.B++. We’re aware of this sample and our definitions already detect this sample as Worm:Win32/Conficker.B, but given the new functionality described in this blog post, we’re updating our definitions as of 1.51.856.0 to distinguish it as Worm:Win32/Conficker.C. Future versions of the MSRT will detect this sample as Worm:Win32/Conficker.C while the MSRT which was released earlier...
  • Detection Added For The New 0-day In Excel

    The MSRC released an advisory about 0-day exploits in Excel and they also have blogged about it. These exploits currently are being used for targeted and limited attacks. We released definition 1.51.1105.0 today to help protect customers against these attacks and the detection name is Exploit:Win32/Evenex.gen. Forefront Client Security, Windows Live OneCare and Windows Live OneCare safety scanner use this definition which detects such malicious Excel files. The attack triggers a buffer overrun...
  • MSRT Observations – Online Game Password Stealers

    The February release of MSRT added a new threat family, Win32/Srizbi, as Vince discussed last week. As of February 16, MSRT has cleaned 38,697 machines from Srizbi infections, which is 14.1% of the total September 2007 removals of Win32/Nuwar or the “Storm” worm during the same timeframe. So what tops the detection and removal list this month? Online game password stealers (PWS) Win32/Taterf and Win32/Frethog are the top two threat families, with 981,051 and 316,971 machines cleaned respectively...
  • We Read Their Forums Too

    I received an e-mail to my personal account, from a student who wanted to ask me about how to detect a particularly complex virus. This happens occasionally, so no surprises there. The virus in question was one on whose detection I had worked several years ago, but which even today remains one of the most complex that we have ever seen. The detection code was almost as complex, given the limitations on the framework that I had available to me at the time. I managed to invent some new techniques within...
  • Little Red Riding Hood or Big Bad Wolf? Your Sweetheart or Waledac?

    Valentine's Day is almost here. While your friends and loved ones are crafting their e-cards, malware authors are also releasing their annual love letters into the mix. Win32/Waledac started a bit early; we noticed its Valentine-themed spam mails as early as January 26th. However, as Valentine's Day draws near, we still see a spike in the release of new variants. It's sometimes difficult to identify malicious emails by subjects and message bodies alone. With malware such as Win32/Waledac sending...
  • Announcing the MMPC Portal v2 Beta Release!

    Where you can find it: www.microsoft.com/security/portal/beta. How you can give us feedback: please give us feedback via MS Connect or directly from the MMPC Portal V2 Beta. So now that the important details have been shared, let’s talk about the more interesting part: what is it? The MMPC Portal V2 Beta is a preview of the next version (V2) of the MMPC Portal, which contains a subset of the final V2 features. These features include streamlined sample submission, which is made possible by creating...
  • There's a New Virut on the Block

    After quite a while with no new activity, there's a new Virut variant. We detect the new variant as Virus:Win32/Virut.BM. Like the previous versions, Virut is a polymorphic file-infecting virus that infects PE executable files such as EXE and SCR files. The virus also opens a backdoor connection to an IRC server. This Virut variant has learned some new polymorphic tricks, so we've spent a couple of long days (and nights) creating detection and curing. Unlike previous variants, Virus:Win32/Virut.BM also...