Wednesday, October 22, 2008

IE Defender, Files Secure, Malware Bell, IE Antivirus, Total Secure 2009

A new IEDef dropper has been released. It uses the same dictionary of fake detection names and the same alert messages as the previous versions.

Something new: it replaces the original %SYSTEM%\userinit.exe with an infected file. Do not simply delete it, or Windows will not start up properly afterwards! The genuine Microsoft file is kept as a backup under a similar filename.

Each time Windows runs userinit.exe (Winlogon launches it at every user logon), the infected copy is executed first and then runs the backup of the Microsoft original. If the infected file is deleted or removed without the original being restored, the chain is broken: Winlogon finds no userinit.exe and nobody can log on to Windows any more.
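To check whether a machine is affected without touching anything on disk, here is a read-only PowerShell check. It is an added example, not code from this post or from SmitfraudFix. It assumes a modern PowerShell (Get-FileHash and Get-AuthenticodeSignature, which also validates catalog-signed Windows binaries on Windows 8 and later); since the post does not name the backup file, the last step simply lists every userinit* file in System32 so the genuine and infected copies can be compared by hand.

```powershell
# Added example: read-only integrity check for userinit.exe and the Winlogon
# hand-off that launches it. Not part of the original post or of SmitfraudFix.
# It only reports; it never deletes or renames anything (see the warning above).

$sys32    = Join-Path $env:SystemRoot 'System32'
$target   = Join-Path $sys32 'userinit.exe'
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Test-MicrosoftSigned {
    param([string]$Path)
    # A genuine userinit.exe carries a valid Microsoft signature. On Windows 8+
    # Get-AuthenticodeSignature also honours catalog signatures; on older
    # systems compare the SHA256 below against a known-good copy instead.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    return ($sig.Status -eq 'Valid' -and
            $sig.SignerCertificate.Subject -like '*Microsoft*')
}

# 1. What does Winlogon actually launch at logon?
$userinitValue = (Get-ItemProperty -Path $winlogon -Name Userinit).Userinit
Write-Host "Winlogon\Userinit = $userinitValue"
# Default on a clean system is the System32 path followed by a trailing comma,
# e.g.  C:\Windows\system32\userinit.exe,   (-ne is case-insensitive here)
$expected = "$target,"
if ($userinitValue -ne $expected) {
    Write-Warning "Winlogon\Userinit differs from the default '$expected' - inspect every entry."
}

# 2. Is the file on disk the genuine one?
if (-not (Test-Path $target)) {
    Write-Warning "$target is missing: no user can log on until it is restored."
} elseif (Test-MicrosoftSigned $target) {
    Write-Host "$target is Microsoft-signed (looks genuine)."
} else {
    Write-Warning "$target is NOT Microsoft-signed: possible replacement. Do not delete it; restore the original first."
}

# 3. Look for the backed-up original the infected file would chain to.
#    The post does not name the backup, so this lists every userinit* file in
#    System32 (an assumption about where it is kept) with signature state and
#    hash for manual comparison. Expect exactly one Microsoft-signed file on a
#    clean system; two files, one unsigned, is the pattern described above.
Get-ChildItem -Path $sys32 -Filter 'userinit*' -File |
    ForEach-Object {
        [PSCustomObject]@{
            Name     = $_.Name
            Length   = $_.Length
            MSsigned = Test-MicrosoftSigned $_.FullName
            SHA256   = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    } | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt. If step 2 flags the file, leave it in place and use a cleaner that restores the original (such as SmitfraudFix, as the post recommends) rather than deleting the infected copy.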

This userinit.exe replacement has already been seen with another fake codec, but it is new for IEDef.

You can use SmitfraudFix to remove the infection and restore the original Microsoft file.