The Microsoft Malware Protection Center has been tracking a recent threat that attacks cloud-based antivirus technology provided by popular major antivirus software vendors in China. The malware is named Win32/Bohu ( TrojanDropper:Win32/Bohu.A ). The Bohu malware is native to the China region. Bohu attracts user installation by social engineering techniques, for example, using attractive file names and dropping a fake video player named “Bohu high-definition video player”. The more...

It is that time of the year again to start anew. In terms of personal computers, the act of restarting the machine is called a reboot – an action that triggers execution of code from a special part of the disk called the Master Boot Record (a.k.a. MBR). As the year 2010 ended, I looked at some of the threats targeting the MBR.   Microsoft TechNet has this to say about the MBR: “The MBR, the most important data structure on the disk, is created when the disk is partitioned. The MBR contains a...

Win32/Lethic is a trojan that communicates with a remote server to distribute spam. Variants of Lethic install executable files with varied file names such as “ shelldm.exe ” or “ xcllsx.exe ”. The malware loads as a process when Windows starts. The trojan establishes a connection to remote servers using varied TCP ports, such as 1430, 8900, 8090 and so on. It communicates with servers with names such as “ dqglobex.com ”, “ verywellhere.cn ”, “ iamnothere.cn ” among others. Once connected, the trojan...

In another instance of malware utilizing holiday-themed spam emails, our researchers had the opportunity to review in detail the threat we call Backdoor:Win32/Kelihos.A . An interesting aspect to this threat is its use of fast-flux in much the same way as the Win32/Waledac family. This similarity is not a coincidence. Analysis of Kelihos shows large portions of the code of Kelihos are shared with Waledac suggesting it is either from the same parties or that the code was obtained, updated and reused...