Win32/Vobfus is a family of worms that spreads via removable drives and downloads other malware, and a family that is causing people a lot of pain lately. Vobfus was initially discovered in September 2009 and became prevalent with its use of the MS10-046 .LNK vulnerability . The .LNK vulnerability has also been used by Chymine , Sality , and Zbot , though it is no longer used by Vobfus. The name Vobfus comes from the characteristics that these worms are V isual Basic and obfus cated. Vobfus is...

Another new year is almost upon us. Or at least that's what the distributors of Rogue:Win32/Winwebsec would have us believe - releasing a new branding System Doctor 2014 just prior to the middle of 2013. Figure 1: System Doctor 2014 user interface For some time, Winwebsec has had only one branding active at a time. While there have been a number of name changes, the interface and behavior have otherwise remained mostly unchanged. System Doctor 2014 represents a departure from this, with...

While investigating some new malware samples this week, we came across a few interesting files that use a new trick with an undocumented instruction. We had to do a bit of digging around the Intel instructions list to solve this little mystery. While it turned out that the trick itself isn't effective in complicating debugging and disassembly, we think it's worth sharing anyway, as we're now seeing three different malware variants using it. One of the samples flagged by our systems (SHA1:3d85cc93115c1ebfdeba17b54d6570e06c1bb2f5...

Are advertisements showing up in your browser (no matter whether you use Internet Explorer, Firefox or Chrome) on sites that you've never seen ads on before; or, do the ads seem different from what you've seen before? Your system might be affected by adware that injects advertisements into sites as you browse, such as Adware:Win32/InfoAtoms and Adware:Win32/Addlyrics . One of the biggest questions we get about these programs (besides how to get rid of them), is how did it get installed in the...

Malware authors and distributors follow the money. When you consider the growing popularity of social networking websites, it should come as no surprise that malware continues to maintain its presence in this area. Every year we are spending a growing proportion of our time online using social media like Facebook, Twitter and YouTube. What does this mean for the malware ecosystem? Malware authors and distributors know that social networks don’t just connect people, they also instill a...

The Microsoft Malware Protection Center (MMPC) is committed to protecting our customers from malicious software and disrupting the malware ecosystem. To achieve these goals, we forge partnerships with internal and external teams. One such team, Microsoft Digital Crimes Unit (DCU), has expanded their partnerships to include the National Institute of Communication Technologies (INTECO) of Spain. This organization is one of the first to utilize live botnet data feeds from the new Azure-based Cyber...

Bundling malware and legitimate software on unofficial download websites is an effective way of tricking users into running malicious files. We often see keygens, hacktools and game trainers bundled with trojans and posted on forums or as comments under videos. I recently analyzed a file that claimed to be a game tool used for customizing Dota2, a multiplayer online battle arena video game developed by Valve Corporation. The tool was made by a third party and offered for free download online....

Sirefef , also known as ZeroAccess, is a malware platform for receiving and running malware modules. Two prominent modules generate revenue for the cyber criminals, by mining for bitcoins and perpetrating click-fraud. Click-fraud is the deliberate misappropriation of ad revenue by generating online clicks that don’t originate from a potential customer or the rightful publisher. Click-fraud is lucrative and a relatively easy way for cyber criminals to monetize their malware and/or launder...

The past year has been one of expansion for ransomware. Throughout 2012 an increasing number of blogs, tutorials and discussion forums were written to help people gain access to ransomware-locked computers without paying the ransom. The authors of Reveton ransomware are aware that the persistence of their malware on a system is not only narrowed by an antivirus product, but also the computer user who tries to remove the threat. Not every infection is going to result in a paid ransom, so the Reveton...

We added three new families to this month’s Malicious Software Removal Tool (MSRT): Win32/FakeDef , Win32/Vicenor , and Win32/Kexqoud. In this blog, we will talk about the rogue antivirus family Win32/FakeDef. It’s not a big player in rogues’ world, but it holds its own unique characteristics. We found this family in the wild in December 2012. Initially it was pushed to a victim's machine by Win32/Fareit variants. This means machines where Win32/FakeDef is found may also be infected...