Microsoft Malware Protection Center

Threat Research & Response Blog

  • Are You Beta Testing Malware pt 2: Dissecting Fynloski's Obfuscation

    This post is part two of two. In our previous post, we came across a couple of files that used some popular games as part of their social engineering technique. One of the files, named "diablo3-crack.exe" (after Diablo, the video game series), is currently detected as Backdoor:Win32/Fynloski.A. It piqued our interest because we're avid gamers, and much to our surprise, when we took a closer look we found that the obfuscation technique it uses was also interesting. An initial look...
  • Are you beta testing malware?

    This post is part one of two. Popular games are often used by malware writers as social engineering bait, as documented in previous blogs ("Dota Players Own3d" and "Keeping Kerrigan From Infection"). So, with a watchful eye for anything related to games used as an infection vector, we came across a couple of interesting files: "dota 2 Betakeys.txt.exe" (detected as Backdoor:MSIL/Pontoeb.J) and "diablo3-crack.exe" (detected as Backdoor:Win32/Fynloski.A). These files noted as...
  • Disorderly conduct: localized malware impersonates the police

    We have recently seen the emergence of several samples of a ransomware family localized into different languages. Malware that relies on localized social engineering tactics has been around for a few years, as we discussed in our two-part series on Program:Win32/Pameseg, and as evident in the surge of password stealers targeting Brazilian online banking websites. Ransomware, which renders a computer unusable and then demands payment, supposedly to make it usable again, has existed for quite some...
  • FTC to refund rogue security software victims

    The United States Federal Trade Commission announced that it will begin issuing refunds to 300,000 consumers that were victims of several rogue security software scams such as "Winfixer", "Drive Cleaner" and "XP Antivirus". The following is a list of Microsoft antimalware product detection names that are linked to the Winfixer family: Program:Win32/AdvancedCleaner, Program:Win32/Antivirus2008, Program:Win32/Antivirus2009, Program:Win32/SpywareIsolator, Program:Win32/WinFixer, Program:Win32/WinSpywareProtect...
  • MSRT December: Win32/Helompy

    The December 2011 edition of the MSRT includes detection and clean-up for the Win32/Helompy family. Helompy is a worm that propagates by copying itself to the root of removable drives, and its main payload is to record account credentials and login information and send them to a remote server, where the attacker could retrieve them for use. At its roots, Helompy is a compiled AutoIt script which we first encountered in the wild in 2009. Like most malware scripted with AutoIt, it presents itself...
  • Backdoor:Win32/Fynloski.A: a short history of abuse

    In the quest to compromise users' systems, malware has always employed different and resourceful techniques to achieve its goals. From using social engineering methods, to abusing legitimate software and its features, to using a design familiar to the user, malware has used every dirty trick in the book to achieve its malicious purpose. As a case study for such behavior we'll take a look at Backdoor:Win32/Fynloski.A and how this malware uses any means necessary to gain access to the compromised system...
  • Friendly spam carries Zbot

    This morning I spotted a few messages from my mobile carrier in my email inbox. This was not surprising as, only a few hours prior, I had logged into the carrier's website to pay the monthly bill. The standard mode of operation for my provider is to receive a bill via email, and a confirmation message after paying the bill, also through email. Today, however, one message stood out in several ways. First, the subject line was quite varied from what I was expecting to see: Important Account Information...
  • MSRT November: Dofoil

    As previously noted, one of the three families added to the November release of the Microsoft Malicious Software Removal Tool is Win32/Dofoil. TrojanDownloader:Win32/Dofoil is a configurable downloader. Dofoil will attempt to receive control instructions from a remote server. The response contains encrypted configuration data containing download URLs and execution options, as visible in a partially decrypted Dofoil configuration shown below: Figure 1. Partially decrypted Dofoil configuration...
  • Easy Money: Program:Win32/Pameseg (part 2)

    In the previous post, we gave an introduction to how file partnership programs work and how they make money off unsuspecting users by charging them for installing software that is actually free. In this post, we'll walk you through a sample of these "paid archives". The following "paid archive" simulates the appearance of the Adobe Flash Player 10 installer. Let's look deeper into this sample and try to figure out what the typical scenario is. We detect this sample as Program:MSIL/Pameseg.G (with...
  • Microsoft Security Essentials beta registration opens

    Today we announce that the Beta for the next version of Microsoft Security Essentials is open for registration. Do you want to try out our latest innovations in protection and performance? Are you interested in helping to improve Security Essentials? The number of users that can participate in the Beta is limited, so sign up today and we will notify you once the Beta is available for download. We anticipate the Microsoft Security Essentials beta to be available to the general public...