Microsoft Malware Protection Center

Threat Research & Response Blog

March, 2013

  • ​Ramnit - The renewed bot in town

    Ramnit is one of the most prevalent threat families still active in the wild today. Two years ago, we talked about the infection method it uses in the Microsoft Malware Protection Center (MMPC) blog Little red Ramnit: My what big eyes you have, Grandma! by Scott Molenkamp. We are still keeping an eye on this threat and we have found a major change in Ramnit in the latter half of 2012. What we have found is that the newer version of Ramnit has stripped off all of its infection function routine but...
  • When fake malware phones

    The other day I was hard at work trying to find and stop actual computer viruses and other malware when my home phone rang. A pleasant man, who gave his name as "David" with what sounded like an Indian accent, said that he had a report about my computer being infected with a virus at their website. I was immediately very interested, because I work in the Microsoft Malware Protection Center (MMPC), and I've heard of these calls. What luck that I would happen to get one myself? David was very...
  • There was a flash, and then my startpage was gone…

    We recently came across the file 1ac150ddb964722b6b7c96808763b3e4d0472daf during the course of regular research. We detect this file as Trojan:Win32/Preflayer.A. The file had been distributed with the file name FlashPlayer.exe and not surprisingly, when executed, it shows the following GUI, partly written in Turkish: Obviously, it’s disguised as an Adobe Flash Player 11 installer. The text section of the agreement doesn’t have a scroll bar – which makes it kind of tricky to see...
  • MSRT March '13 - Wecykler

    Wecykler is a family of worms, that shares some similarities with the Worm:Win32/Autorun family, in that it takes advantage of removable drives attached to an infected system in order to propagate to other machines. They target users' familiarity with the content of drives (files and directories) disguising as directories with existing and catchy names while hiding the original, for example: Figure 1 . Image of files detected as Wecykler disguised as existing directories Below are filenames...