Microsoft Malware Protection Center

Threat Research & Response Blog

August, 2011

  • More on Morto

    As some of you might be aware, we've recently been seeing low levels of reports of Win32/Morto - a worm that causes headaches for users who may have less than ideal password policies - so we thought we'd look at this in more detail. The number of computers reporting infections or infection attempts remains quite low. In total, the MMPC has seen only a few thousand unique computers report this issue. For an idea of how this kind of volume compares to other families, see the following...
  • New worm targeting weak passwords on Remote Desktop connections (port 3389)

    We've had reports of a new worm in the wild that generates increased RDP traffic on port 3389 for affected users. Although the overall number of computers reporting detections is low in comparison to more established malware families, the traffic it generates is noticeable. The worm is detected as Worm:Win32/Morto.A, and you can see a detailed description of it at Worm:Win32/Morto.A. Morto attempts to compromise Remote Desktop connections in order to penetrate remote systems, by exploiting weak...
  • Keeping malware away - how do some countries do it?

    Our friend Tim Rains over at Trustworthy Computing (TwC) has just concluded a six-part series in which he took a closer look at the threat landscape in locations that have the lowest infection rates in the world. Using data from our Security Intelligence Report, the series investigates why the same countries and regions consistently pop up as having relatively low malware infection rates, as normalized using a metric called Computers Cleaned per Mille (CCM), the number of computers cleaned for every 1,000 executions of the Malicious Software Removal Tool. The series is available in the following...
  • Can we believe our eyes?

    Several days ago, one of our customers submitted a sample (SHA1: fbe71968d4c5399c2906b56d9feadf19a35beb97, detected as TrojanDropper:Win32/Vundo.L). This trojan hijacks the hosts "vk.com" and "vkontakte.ru" (both social networking sites in Russia) and redirects them to 92.38.209.252, but achieves this in an unusual way. A common method used to hijack a website and redirect it to a site of the attacker's choice is to add an entry to the Windows hosts file located in the %SystemRoot...
  • MSRT August '11: FakeSysdef

    This month's Malicious Software Removal Tool (MSRT) includes Win32/FakeSysdef - one of the most prevalent trojans affecting our support groups over the past few months. We've discussed this threat in previous blogs (1, 2), and turn to this excerpt from our encyclopedia for some more detail: Win32/FakeSysdef is a family of programs that claim to scan for hardware defects related to system memory, hard drives and overall system performance. They scan the system, show fake hardware problems...
  • A Bit of Archaeology

    This entry has nothing to do with malware. Just so you know. Some people know that I like the demo scene. I've been following it for more than 20 years now, but it's even older than that. I like the size-optimisation competitions best, and I've even participated in a few - most recently, smallest downloader on 32-bit Windows XP: 233 bytes (255 bytes on Vista and later), print the EICAR test string: 56 bytes. Of particular interest to me are the demos in 512 bytes or less. They are so small that...
  • UAC plays defense against Malware

    User Account Control (UAC) was probably the first new feature of Windows Vista that most users encountered, and it received considerable attention when the OS was released. UAC gives users a way to act as computer administrators only for the tasks that require administrator rights. This is important because it means only software that genuinely requires elevated rights runs with such powerful (and potentially dangerous) rights. Over time, UAC prompts have become less frequent, especially with the release of Windows 7. But it's clear malware authors...
  • MMPC Portal available in 35 languages

    We'd like to announce the launch of the automatic translations feature on the MMPC Portal. Take a look at http://www.microsoft.com/security/portal/, scroll down to the bottom of the page, and translate to the language of your choice. These translations are completely automatic, and are using Microsoft Bing technology. This technology is considered state of the art in machine translation, and the quality is undergoing constant improvements. When applying the translation, the original...
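The two Morto posts above describe a worm that guesses weak passwords over Remote Desktop, which on the target shows up as a burst of failed logons from one source. The following is an added example, not code from the MMPC posts: it runs a simple sliding-window detector over Windows Security events exported as dicts (Event ID 4625, "An account failed to log on", with LogonType 10 for RDP session logons). The sample events, the source addresses and the guessed username list are all constructed for the example; the excerpts do not say which usernames Morto tries.

```python
"""Flag RDP password-guessing bursts in exported Windows Security events.

Added example, not code from the MMPC post. It assumes events have been
exported (for example from the Security log) as dicts carrying the
Event ID 4625 fields used below; the sample records are constructed here
so the script runs offline.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON_EVENT_ID = 4625   # "An account failed to log on"
RDP_LOGON_TYPE = 10            # RemoteInteractive: an RDP session logon


def _parse_time(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S")


def find_rdp_guessing(events, window=timedelta(minutes=5), threshold=20):
    """Return {source_ip: {"attempts": n, "distinct_users": m}} for every
    source that produced at least `threshold` failed RDP logons inside any
    sliding window of length `window`. Only EventID 4625 with LogonType 10
    is counted; failures of other logon types deserve their own rule."""
    by_ip = defaultdict(list)
    for ev in events:
        if ev["EventID"] != FAILED_LOGON_EVENT_ID or ev["LogonType"] != RDP_LOGON_TYPE:
            continue
        by_ip[ev["IpAddress"]].append((_parse_time(ev["TimeCreated"]), ev["TargetUserName"]))

    hits = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        times = [t for t, _ in attempts]
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:   # shrink the window from the left
                start += 1
            if end - start + 1 >= threshold:
                hits[ip] = {
                    "attempts": len(attempts),
                    "distinct_users": len({u for _, u in attempts}),
                }
                break
    return hits


def constructed_events():
    """Constructed sample telemetry, not real data: one source guessing a
    small username list over RDP, one user with two genuine typos an hour
    apart, and one source failing network (LogonType 3) logons, which this
    rule deliberately ignores."""
    base = datetime(2011, 8, 28, 2, 14, 0)
    guessed_names = ["administrator", "admin", "user", "test", "guest"]  # assumed list

    def event(ip, user, logon_type, when):
        return {"EventID": FAILED_LOGON_EVENT_ID, "LogonType": logon_type,
                "IpAddress": ip, "TargetUserName": user,
                "TimeCreated": when.isoformat(timespec="seconds")}

    events = [event("203.0.113.5", guessed_names[i % 5], RDP_LOGON_TYPE,
                    base + timedelta(seconds=4 * i)) for i in range(30)]
    events += [event("10.0.0.7", "jsmith", RDP_LOGON_TYPE, base),
               event("10.0.0.7", "jsmith", RDP_LOGON_TYPE, base + timedelta(hours=1))]
    events += [event("192.0.2.9", "backup", 3, base + timedelta(seconds=i)) for i in range(25)]
    return events


if __name__ == "__main__":
    for ip, info in find_rdp_guessing(constructed_events()).items():
        print(f"{ip}: {info['attempts']} failed RDP logons, "
              f"{info['distinct_users']} distinct usernames tried")
```

Two caveats before relying on this: event 4625 is only written when failure auditing for logon events is enabled, and on hosts where Network Level Authentication performs the credential check the failed attempts may be recorded with a different logon type, so confirm what your own hosts log before trusting the LogonType filter. The thresholds are starting points; a worm guessing from a list will usually exceed them by a wide margin, as the constructed source does here.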
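The Vundo.L post above mentions that the common way to hijack a site is an entry in the Windows hosts file, and that this sample used a different method (the excerpt does not say which). The following is an added example, not code from the MMPC post: a checker for the common technique only, which parses a hosts file and reports watched hostnames that have been mapped to a routable address. The sample hosts file and the watch list are constructed; the two hostnames and the address are the ones quoted in the post.

```python
"""Check a hosts file for redirected hostnames.

Added example, not code from the MMPC post. It covers only the hosts-file
redirect technique the post calls common; the post says this trojan used a
different method. The sample file and watch list below are constructed.
"""
import ipaddress

WATCHED_HOSTS = {"vk.com", "vkontakte.ru"}   # hostnames quoted in the post

# Constructed sample: a stock-style comment header, the usual loopback
# lines, and one injected entry of the kind the post describes.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
92.38.209.252   vk.com  vkontakte.ru   # not present in a stock file
"""


def parse_hosts(text):
    """Return [(ip_address, hostname)] for every mapping in `text`.
    '#' begins a comment, fields are whitespace-separated, and one address
    may carry several hostnames. Lines whose first field is not an IP
    address are skipped rather than guessed at."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            entries.append((addr, name.lower().rstrip(".")))
    return entries


def find_redirects(text, watched=WATCHED_HOSTS):
    """Return {hostname: address_string} for watched names mapped to a
    routable address. Mapping a name to loopback or 0.0.0.0 is the usual
    blocklist idiom, not a redirect, so those mappings are not reported."""
    redirects = {}
    for addr, name in parse_hosts(text):
        if name in watched and not (addr.is_loopback or addr.is_unspecified):
            redirects[name] = str(addr)
    return redirects


if __name__ == "__main__":
    for name, addr in find_redirects(SAMPLE_HOSTS).items():
        print(f"{name} -> {addr}")
```

A watch list catches the case in the post but nothing else; since a stock hosts file contains no mappings to routable addresses at all, a stricter check is to report every non-loopback, non-unspecified mapping regardless of hostname and review the list by hand. Either way, a clean hosts file does not rule out a redirect, which is exactly the point the post makes about this sample.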