It has been another month and we have found some more families that need some special attention that the Malicious Software Removal Tool (MSRT) is ideal to give. This month we are focused on cleaning up the Win32/Babonock , Win32/Redyms , and Win32/Vesenlosow families due to their recent increase in prevalence. Lately I have been working with the Vesenlosow family. These are worms written in Visual Basic that were first seen at the end of 2010, yet are still managing to trouble people today...

We recently came across the file 1ac150ddb964722b6b7c96808763b3e4d0472daf during the course of regular research. We detect this file as Trojan:Win32/Preflayer.A. The file had been distributed with the file name FlashPlayer.exe and not surprisingly, when executed, it shows the following GUI, partly written in Turkish: Obviously, it’s disguised as an Adobe Flash Player 11 installer. The text section of the agreement doesn’t have a scroll bar – which makes it kind of tricky to see...

Ramnit is one of the most prevalent threat families still active in the wild today. Two years ago, we talked about the infection method it uses in the Microsoft Malware Protection Center (MMPC) blog Little red Ramnit: My what big eyes you have, Grandma! by Scott Molenkamp. We are still keeping an eye on this threat and we have found a major change in Ramnit in the latter half of 2012. What we have found is that the newer version of Ramnit has stripped off all of its infection function routine but...

Wecykler is a family of worms, that shares some similarities with the Worm:Win32/Autorun family, in that it takes advantage of removable drives attached to an infected system in order to propagate to other machines. They target users' familiarity with the content of drives (files and directories) disguising as directories with existing and catchy names while hiding the original, for example: Figure 1 . Image of files detected as Wecykler disguised as existing directories Below are filenames...

The other day I was hard at work trying to find and stop actual computer viruses and other malware when my home phone rang. A pleasant man, who gave his name as "David" with what sounded like an Indian accent, said that he had a report about my computer being infected with a virus at their website. I was immediately very interested, because I work in the Microsoft Malware Protection Center (MMPC), and I've heard of these calls. What luck that I would happen to get one myself? David was very...

We have seen variants of Worm:Win32/Gamarue spread via removable drives in the past, but recent variants have adopted a more convoluted method of spreading involving several components. Let's take a look at one. For this variant of Worm:Win32/Gamarue, we start with an infected removable drive, for example a USB flash drive. Our infected example drive contains the following files: ~$wb.usbdrv , detected as Worm:Win32/Gamarue.N desktop.ini , detected as Worm:Win32/Gamarue.O thumbs.db...

The family added to the February release of the Malicious Software Removal Tool is Win32/Sirefef . Win32/Sirefef is a highly prevalent complex multi-component family which continues to evolve. The payload for current variants may include such actions as modifying browser search engine results, generating pay-per-click revenue and performing Bitcoin mining on an affected computer. The first detection for Sirefef was added in July 2009. Whilst the form of some malware families remains relatively...

When I first started working in the antivirus industry, I found that learning how Java exploits work, even at a very high level, was difficult. Even now with a few seasons under my belt, understanding the process and consequences of the exploitation of a Java vulnerability still proves challenging. Based on the feedback we see from some of you, I’m not alone. There are a lot of technical papers and blogs to be found that tell you how a Java vulnerability is exploited. In this blog, I’d...

Today Microsoft released a special edition of its Security Intelligence Report ( SIR ) titled " Linking Cybersecurity Policy and Performance ." The report examines the relationship between quantitative indicators about a country or region -- such as computers per capita, broadband penetration and whether the country or region had adopted certain public policies to advance cybersecurity -- and the rate of malware infections as measured by computers cleaned per mile ( CCM ) by the Malicious Software...

Recently, a 0-day vulnerability ( CVE-2013-0422 ) was disclosed. Oracle promptly reacted on this 0-day vulnerability, and last weekend a new patch was made available. Here's the advisory from Oracle. You can download latest JRE here . As the vulnerability is specific to Java 7, if you're using JRE 7, you should apply the patch. From our analysis, we've seen that it is a package access check issue which allows the untrusted Java applet to access the restricted class in trusted code. Using a vulnerable...