Microsoft Malware Protection Center

Threat Research & Response Blog

December, 2009

  • MSRT slices the Hamweq for Christmas

    This month, Worm:Win32/Hamweq has been added to the Malicious Software Removal Tool (MSRT) in time for the holidays. Hamweq makes it on to MSRT’s “naughty” list as an IRC-controlled backdoor that spreads via removable drives. It has multiple means of hiding its presence; it installs itself into a hidden directory which it disguises as a recycle bin, and, once run, it injects various code sections, and separately injects each of the encrypted strings it uses, into the explorer.exe process. This means...
  • If at first you don't succeed...

    ...it might be because you weren't meant to. Last year, the EOF virus-writing group decided to release a virus zine with the help of DoomRiderz and rRlf. Well, here is how that turned out: rRlf backed out of the project at the last minute and then folded, and DoomRiderz folded shortly after the zine was released. The zine itself contained some buggy contributions, and the majority of them were extremely primitive. The only new techniques came from the oldest of the virus writers. One of those...
  • Surveying the Hamweq-age - Threat Reports for MSRT December

    In the week since its release on December 8, MSRT has cleaned over 2.5 million machines of malware. The new family for December was Win32/Hamweq, an IRC-controlled backdoor which spreads via removable drives. Hamweq was removed from 638,491 machines, making it the most prevalent family for the month, with around double the number of removals of Win32/Taterf, the next most prevalent family. Taterf, which is perennially one of the highest reported families by MSRT, also had more than twice the number...
  • Microsoft privacy portal a target of rogue security software

    Reports of rogue security programs have been more prevalent as of late. These are programs that generate misleading alerts and false detections in order to convince users to purchase illegitimate security software. Some of these programs may display product names or logos in an apparent and unlawful attempt to impersonate Microsoft products. Earlier in 2009, the Microsoft privacy homepage became the target of rogue security software developers looking to make a fast buck. The developers of the rogue...