Microsoft Malware Protection Center

Threat Research & Response Blog


  • Blog Post: MSRT January 2014 – Bladabindi

    This month the Malicious Software Removal Tool (MSRT) includes a new malware family - MSIL/Bladabindi . An interesting part of this family is that the author made three versions of this RAT, written in VB.NET, VBS and AutoIt. The malware builder is also publicly available for download. Because of...
  • Blog Post: Tackling the Sefnit botnet Tor hazard

    Sefnit, a prevailing malware known for using infected computers for click fraud and bitcoin mining, has left millions of machines potentially vulnerable to future attacks. We recently blogged about Sefnit performing click fraud and how we added detection on the upstream Sefnit installer . In this blog...
  • Blog Post: MSRT August ’12 – What’s the buzz with Bafruz?

    For this month's Microsoft Malicious Software Removal Tool (MSRT) release, we will include two families: Win32/Matsnu and Win32/Bafruz . Our focus for this blog will be Bafruz, which is a multi-component backdoor that creates a Peer-to-Peer (P2P) network of infected computers (using C&C, for instance...
  • Blog Post: MMPC Encyclopedia Top 5: Mostly Vundo

    The following is a list of our top five most commonly viewed encyclopedia pages last month: TrojanSpy:Win32/Bancos.gen!A, Win32/Vundo, Trojan:Win32/Vundo.gen!H, Trojan:Win32/Vundo.gen!P, Win32/Alcan. It looks like our readers are really interested in Win32/Vundo , also known as Win32...
  • Blog Post: MSRT January ‘11: Win32/Lethic

    Win32/Lethic is a trojan that communicates with a remote server to distribute spam. Variants of Lethic install executable files with varied file names such as “shelldm.exe” or “xcllsx.exe”. The malware loads as a process when Windows starts. The trojan establishes a connection to remote servers using...
  • Blog Post: May MSRT by the numbers

    In May, we added Win32/Ramnit to the Microsoft Removal Tool (MSRT) detection capability, as my colleague Scott Molenkamp blogged . As of May 20th, MSRT disinfected 52,549 computers from the Win32/Ramnit infection. Ramnit is one of the four parasitic viruses out of the top 10 detected threat families...
  • Blog Post: MSRT Review on Win32/FakeSecSen Rogues

    Win32/FakeSecSen was added to the MSRT November release, as Hamish mentioned in his MMPC blog . We’ve since observed MSRT removing FakeSecSen from 994,061 distinct machines. The breakdown of these removals by region is shown below. Region/Country Distinct Machines Cleaned ...
  • Blog Post: MSRT and MMPC in 2H08 – Microsoft Security Intelligence Report

    The MSRT added the following threat families in 2H08. Rogues and botnet malware were the focus during the six months. New Family Note Added in Computers Cleaned by the MSRT in 2H08 Win32/Horst CAPTCHA breaking threat July 235,318 ...
  • Blog Post: Welcome to the New Look Microsoft Malware Protection Center Blog

    Hi, Vinny here. Welcome to our newly refreshed blog! We wanted to create a new home for the Microsoft Malware Protection Center (MMPC) blog that was easier to navigate, and more in sync with our security colleagues within Microsoft such as the Microsoft Security Response Center . If you are new to our...
  • Blog Post: MSRT: Helping us de-Helpud you

    Greetings purveyors of the Internet! Welcome to another thrilling installment of "MSRT: Miami", aka "What's new in MSRT this month?"! It's Win32/Helpud . What, anti-climactic? Perhaps. However that doesn't take away from the importance of this addition to MSRT; we're extending our coverage of online...
  • Blog Post: MSRT November '11: Carberp

    We included three threat families in the November edition of the Microsoft Malicious Software Removal Tool - Win32/Carberp , Win32/Cridex and Win32/Dofoil . In this post, we discuss Win32/Carberp. The first variant of Win32/Carberp was discovered early last year. This malware has evolved from a trojan...
  • Blog Post: MSRT Released Today Addressing Conficker and Banload

    Back on Oct. 23, 2008, Microsoft released a critical security update for Windows: MS08-067 . Isolated attacks existed at the time of the bulletin release and in our blog we strongly recommended installing the security update as quickly as possible. Later, a few trojans that exploit this vulnerability...
  • Blog Post: Update on the Zbot spot!

    Hello Internet! I'm back to update you on our changes to Zbot in the Malicious Software Removal Tool (MSRT). We reviewed the data coming back from MSRT in September and incorporated the findings into October's MSRT (and beyond), which means we are now in a position to provide additional information....
  • Blog Post: MSRT August Top Detection Reports

    This month the MMPC added a new threat family, Win32/FakeRean , to the MSRT. You can refer to Hamish’s blog post, “ Win32/FakeRean and MSRT ” for more details on this fake, or rogue, security software. As of August 24, the MSRT had cleaned FakeRean from 162,328 infected machines. The following table...
  • Blog Post: Stratfor customers targeted by cybercriminals

    Cybercriminals are continuing to use a social engineering trick to lure users for their malware campaigns. This time, they targeted customers of Stratfor - a subscription-based provider of geopolitical analysis. Attacks against Stratfor clients began after a reported breach of their customer database...
  • Blog Post: MSRT October '11: EyeStye

    This month, the Malicious Software Removal Tool (MSRT) targets two families: Win32/EyeStye and Win32/Poison . EyeStye (aka 'SpyEye') is a family of trojans that steals information, targeting authentication data used for online banking such as passwords and digital certificates. The method it employs...
  • Blog Post: Operation b79 (Kelihos) and Additional MSRT September Release

    For the month of September, Microsoft is adding the Win32/Kelihos family to a second release of the Malicious Software Removal Tool . This additional release is to support the most recent action in Project MARS - Operation b79, which targets the Kelihos botnet. Operation b79 builds on the successes of...
  • Blog Post: Taterf – all your drives are belong to me!!!1!one!

    Greet1ngs, As you all probably know by now, this month in MSRT was a very significant release for gamers everywhere with the addition of a variety of password stealers directly targeting online games. The main targets are mostly based in Eastern Asia (Lineage Online, Legend Of Mir, ZT Online just...
  • Blog Post: MSRT December: If it quacks like a bot, it's probably Qakbot.

    This month, the MSRT team has added the Win32/Qakbot family of backdoors to its detections.  Qakbot is composed of several components, including a keylogger, a password stealer and a user-mode rootkit.  Qakbot is commonly distributed as the payload of what appear to be attacks, mainly targeted...
  • Blog Post: New: Microsoft Security Intelligence Report Volume 11- Now Available

    Hi, again everyone! Today we released the 11th volume of the Microsoft Security Intelligence Report , also known as SIRv11.   I have to say once again we’ve outdone ourselves and launched the largest and most comprehensive version of this report to date. This time it’s over 800 pages of threat...
  • Blog Post: The Newest Member of our Rogues Gallery

    The family added to the July MSRT release is Win32/FakeSpypro . As is often the case with rogues, they employ the use of multiple "names" over time. The current branding used by Win32/FakeSpypro is "Antivirus System PRO" with the previous incarnation being "Spyware Protect 2009". The " user interface...
  • Blog Post: MSRT March: Three Hioles in one

    In a previous post , we discussed Win32/Dorkbot , one of the major threat families included in the March 2012 release of MSRT. In this post, we discuss the other inclusions, Win32/Hioles , Win32/Pluzoks and Win32/Yeltminky . Win32/Hioles Similar to last month's focus on Win32/Pramro , Win32/Hioles...
  • Blog Post: FakeXPA... Journey of a Rogue

    Rogue security products have been around for some years, and now they seem to be everywhere. In my previous blog about Trojan:Win32/Antivirusxp I talked about the relationships between rogue products and various other threats. One common behavior of rogue products is their ever-changing domain names...
  • Blog Post: Anti-Social Networking

    The family added to the March MSRT release is Win32/Koobface . This family is not just a worm, but a collection of different components that can each perform a different task. These include downloading, web hosting, password stealing, displaying popups and sending messages to contacts on various social...
  • Blog Post: Uprooting Win32/Rustock

    This month we added a family of rootkit-enabled trojans to MSRT - Win32/Rustock . Win32/Rustock is a multi-component family of rootkit-enabled backdoor trojans, which were historically developed to aid in the distribution of 'spam' e-mail. First discovered sometime in early 2006, Rustock has evolved to...