Microsoft Malware Protection Center

Threat Research & Response Blog

November, 2011

  • Microsoft Security Essentials beta registration opens

    Today we announce that the Beta for the next version of Microsoft Security Essentials is open for registration. Do you want to try out our latest innovations in protection and performance? Are you interested in helping to improve Security Essentials? The number of users that can participate in the Beta is limited, so sign up today and we will notify you once the Beta is available for download. We anticipate the Microsoft Security Essentials beta to be available to the general public...
  • MSRT Nov' 11: Cridex - the hex of Skidlo

    Earlier, we discussed Win32/Carberp, a malware family included in the November release of the Malicious Software Removal Tool. In this post, we discuss another included malware, Win32/Cridex. Win32/Cridex is a relatively new family; we discovered its first variant in the wild in August 2011. This trojan is primarily downloaded and installed by other malware, detected as TrojanDownloader:Win32/Skidlo. Win32/Skidlo is commonly distributed as an attachment to spammed email, using various names...
  • MSRT November: Dofoil

    As previously noted, one of the three families added to the November release of the Microsoft Malicious Software Removal Tool is Win32/Dofoil. TrojanDownloader:Win32/Dofoil is a configurable downloader. Dofoil will attempt to receive control instructions from a remote server. The response contains encrypted configuration data containing download URLs and execution options, as visible in a partially decrypted Dofoil configuration shown below: Figure 1. Partially decrypted Dofoil configuration...
  • Easy Money: Program:Win32/Pameseg (part one)

    Nowadays many people believe in the opportunity to achieve great wealth without much effort, not leaving the house, not interrupting their favorite computer games, forums, social networking and so on. This type of opportunity is widely marketed by companies providing paid digital content services. You may have seen online advertising banners such as: "Make a million bucks without picking your backside off the chair! Vasya Pupkin earned 2000 a day practically doing nothing and it's not the end...
  • MSRT November '11: Carberp

    We included three threat families in the November edition of the Microsoft Malicious Software Removal Tool - Win32/Carberp, Win32/Cridex and Win32/Dofoil. In this post, we discuss Win32/Carberp. The first variant of Win32/Carberp was discovered early last year. This malware has evolved from a trojan downloader that downloads an additional password stealer, such as PWS:Win32/Ldpinch, to a full-fledged banking trojan and user-mode rootkit with the ability to load malicious plugins on-the-fly. One...
  • Keep your Facebook friends close and your antivirus closer

    Facebook malware attacks are not new. Scams spreading via status updates have been around for a long time, but in recent weeks one threat has been getting creative in terms of social engineering. Backdoor:Win32/Caphaw.A can intercept URL requests in both Firefox and Internet Explorer and it has been observed to post very personable updates on friends' walls in Facebook, gaining access if the user is logged in. The message links to a video posted on a Youtube-like website, which suggests that...
  • Poison and EyeStye, by the numbers

    The latest MSRT release included coverage for two more malware families, one being Win32/EyeStye, which we discussed earlier this month, and the other being Win32/Poison. In tandem with our efforts to provide an antidote to the scourge of Win32/Poison infections via the MSRT, we've also today published a detailed MMPC Threat Report on the same family. This Microsoft Malware Protection Center (MMPC) Threat Report provides an overview of the Win32/Poison (Poison Ivy) family of malware. The report...
  • Easy Money: Program:Win32/Pameseg (part 2)

    In the previous post, we gave an introduction to how file partnership programs work and how they make money off unsuspecting users by charging them for installing software that is actually free. In this post, we'll walk you through a sample of these "paid archives". The following "paid archive" simulates the appearance of the Adobe Flash Player 10 installer. Let's look deeper into this sample and try to figure out what the typical scenario is. We detect this sample as Program:MSIL/Pameseg.G (with...