Microsoft Malware Protection Center

Threat Research & Response Blog

April, 2010

  • Internet Café, DirectX, and Online Games

    Last February, our colleague Chun blogged about trojanDownloader:Win32/Chekafe.A, which checks if the system is in an Internet Cafe and if so, downloads password-stealing trojans related to MMORPG online games. Now, we look deeper into one of the downloaded trojans, which is PWS:Win32/OnLineGames.GP (example SHA1: 935c02f86ed1212237a6a78801f41eb4a43d9ade). PWS:Win32/OnLineGames.GP, just like other password-stealing trojans, monitors certain processes related to MMORPG online games in order to...
  • Gamania: Ill-gotten game gains

    Well kids it’s that time of the month again; MSRT Tuesday! Continuing the trend on from last month , the target du jour is password stealers that target online games (we like to do these things in groups you see). Our motif for this month is a lovely shade of grey I call ‘password stealer’, with juxtapositions of process injection, with a penchant for passwords of the online game variety; but of course we are referring to PWS:Win32/Magania , mon ami. Win32/Magania is another delivery mechanism...
  • A case of mistaken identity

    There have been many instances where a virus infects an unintended target; this time it's a variant of Virus:Win32/Huhk. As the name indicates, this virus usually attempts to infect x86 PE files. I came across a sample which contains the virus code, but there was something different about it... Yes, the infected file is a Windows CE binary for the ARM architecture. When virus writers don't perform more than the basic checks such as ensuring the file is a windows executable: we end...
  • Announcing Microsoft Security Intelligence Report, Volume 8!

    The eighth volume of the Microsoft Security Intelligence Report is going live today. Inside, you’ll find 248 pages of in-depth information about malware, spam, malicious Web sites, vulnerabilities, and exploits that are relevant to the Windows platform. This volume contains a new Mitigation Strategy section that provides collective advice and best practices from our own Microsoft IT organization along with other security experts from all around Microsoft. We’ve also greatly expanded our international...
  • MSRT April Threat Reports & Alureon

    Following up on the blog post that our friends in the Microsoft Security Response Center posted a few weeks ago, we wanted to share the results from the April edition of MSRT. As part of our ongoing updates to families already in MSRT, we have added support for more variants of the Win32/Alureon rootkit/infector, including the ones responsible for the issues widely reported with Microsoft Security Bulletin MS10-015 . Below is a summary of the Alureon cleaning using MSRT in April: Variant...