Microsoft Malware Protection Center

Threat Research & Response Blog

June, 2011

  • Malware packer integrates with UPX

    Recently while I was analyzing a bunch of samples packed by custom packers, one of them struck me as a bit different than any others I saw before. At first glance, the outer layer of packing is a UPX stub, which is commonly used in malware. Especially when combined with a custom packer, UPX can provide an excellent compression ratio. Since it's packed by UPX, I first unpacked it with a static unpacker and examined the dump. The heavily obfuscated code at the entry point easily leads me to think there...
  • MSRT June 2011: Targeting Yimfoca

    This month's MSRT families included Win32/Rorpian (an autorun worm that exploits a vulnerability in shortcut files), Win32/Nuqel (another autorun worm that spreads via network drives, removable drives, and instant messaging programs) and Win32/Yimfoca . The last, Yimfoca, is a prevalent IM worm that uses common instant messaging applications and social networking websites to spread. It also affects security settings on the infected computer. Aside from stopping the Windows Update service and thus...
  • Don’t write it, read it instead!

    The bootkit malware Trojan:Win32/Popureb.E has made some changes in its code compared to previous samples (specifically, Trojan:Win32/Popureb.B), and now it introduces a driver component to prevent the malicious MBR and other malicious data stored as disk sectors from being changed. The driver component protects the data in an unusual way – by hooking the DriverStartIo routine in a hard disk port driver (for example, atapi.sys). The following steps describe the trick: It calls IoGetDeviceAttachmentBaseRef...
  • Getting tagged and your privacy

    This morning my Facebook email address was invaded with spam ( scam-spam as I call it) from people in my friends list with subject titles similar to the following: “ <Some Friend1> invited you to the event You Gotta See This Exciting Feature!!<random number>" “ <Some Friend 2> tagged you on Facebook ” The messages appeared suspicious to me, enough to trigger my “internal alert system”, and it made me wonder why so many of my friends fell for these silly antics? The scam is...
  • Exploits for CVE-2011-2110 focus on Korea

    Last week, Adobe released an update ( APSB11-18 ) for Adobe Flash Player, fixing a memory corruption vulnerability (CVE-2011-2110) that would allow attackers to take control of the targeted system. In the Advisory, Adobe mentioned reports of active exploitation. We have been tracking the use of this exploit through our signatures (originally as Exploit:SWF/ShellCode.A, and then later as Exploit:SWF/CVE-2011-2110.A ) released to Microsoft Security Essentials and Forefront customers for a number of...
  • Interesting Snowflake

    There's a WinRAR file floating around in the Internet named "2012桌面雪花.rar" * (SHA1: 889cf7076d4c08637e8aeedf7a90dc4a3808f991), which can be downloaded or may be sent out as an attachment in an email message, that contains a program that claims to display beautiful snowflakes on your desktop. If you run the executable contained in the archive (file name "桌面雪花.exe" - SHA1: 7255f61cada0815bc0fa2fb12f5b3c89db7e786d), it does what it claims: It is beautiful, right? But wait, non-beautiful things...
  • MSRT June Release, taking care of a few worm families

    In this month's MSRT release, we added three new threat families to the detection capability. One of these three is Win32/Nuqel , which has been around for four years since its first variant was found. More than 60 variants of Win32/Nuqel have been identified in the wild. This worm spreads itself via network shares, removable drives and instant messenger programs. These combined spreading methods make it very efficient in propagating, and it has gained prevalence lately. Aside of the typical Autorun...
  • Autorun-abusing malware (Where are they now?)

    On Feb. 8, Microsoft started releasing updates for the Windows XP and Vista platforms to make the Autorun feature more locked-down on those older platforms by preventing AutoPlay from being enabled automatically (except when it comes to "shiny media" such as CDs and DVDs). We knew we would want to come back sometime later to measure how the update changed the rate of infection for these families. That time is now. Let's have a look. As reported in volume 10 of the Microsoft Security Intelligence...
  • May MSRT by the numbers

    In May, we added Win32/Ramnit to the Microsoft Removal Tool (MSRT) detection capability, as my colleague Scott Molenkamp blogged . As of May 20th, MSRT disinfected 52,549 computers from the Win32/Ramnit infection. Ramnit is one of the four parasitic viruses out of the top 10 detected threat families. Top 25 detections by MSRT, May 10 – May 20 Family Machine Count Note Sality 202,351 Classic parasitic virus Taterf 77,236 Worm Rimecud 65,149 Worm Vobfus 59,918 Worm Alureon 58,884 Evolved parasitic...
  • Fake Canadian pharma site causing headaches

    I awoke the other day to a friend calling me and exclaiming into the phone: “My Yahoo email account was hacked !!!” He had been angrily accused by others in his contact list of sending spam messages and sharing inappropriate website links. Most of the questions he fielded had the same query: " Why did you send me to this site!? " He was pretty shocked about the ordeal and called me for help.   After checking my inbox, I too had received a message from my friend. We did a quick check...