Recently while I was analyzing a bunch of samples packed by custom packers, one of them struck me as a bit different than any others I saw before. At first glance, the outer layer of packing is a UPX stub, which is commonly used in malware. Especially...

This month's MSRT families included Win32/Rorpian (an autorun worm that exploits a vulnerability in shortcut files), Win32/Nuqel (another autorun worm that spreads via network drives, removable drives, and instant messaging programs) and Win32/Yimfoca...

The bootkit malware Trojan:Win32/Popureb.E has made some changes in its code compared to previous samples (specifically, Trojan:Win32/Popureb.B), and now it introduces a driver component to prevent the malicious MBR and other malicious data stored as...

This morning my Facebook email address was invaded with spam ( scam-spam as I call it) from people in my friends list with subject titles similar to the following: “ <Some Friend1> invited you to the event You Gotta See This Exciting Feature!!<random...

Last week, Adobe released an update ( APSB11-18 ) for Adobe Flash Player, fixing a memory corruption vulnerability (CVE-2011-2110) that would allow attackers to take control of the targeted system. In the Advisory, Adobe mentioned reports of active exploitation...

There's a WinRAR file floating around in the Internet named "2012桌面雪花.rar" * (SHA1: 889cf7076d4c08637e8aeedf7a90dc4a3808f991), which can be downloaded or may be sent out as an attachment in an email message, that contains a program that claims to display...

In this month's MSRT release, we added three new threat families to the detection capability. One of these three is Win32/Nuqel , which has been around for four years since its first variant was found. More than 60 variants of Win32/Nuqel have been identified...

On Feb. 8, Microsoft started releasing updates for the Windows XP and Vista platforms to make the Autorun feature more locked-down on those older platforms by preventing AutoPlay from being enabled automatically (except when it comes to "shiny media"...

In May, we added Win32/Ramnit to the Microsoft Removal Tool (MSRT) detection capability, as my colleague Scott Molenkamp blogged . As of May 20th, MSRT disinfected 52,549 computers from the Win32/Ramnit infection. Ramnit is one of the four parasitic viruses...

I awoke the other day to a friend calling me and exclaiming into the phone: “My Yahoo email account was hacked !!!” He had been angrily accused by others in his contact list of sending spam messages and sharing inappropriate website links. Most of the...