Tuesday, December 23, 2008

IEDef family

IE Defender/Files Secure/MalwareBell/IE Antivirus/Total Secure 2009 Codec has been updated. It installs a file with a semi-random filename composed from a dictionary:
dh, f, eg, of, oz, az, r, a

Possible filenames:
dhegozr.dll, dhegoza.dll, dhegazr.dll, dhegaza.dll, dhofozr.dll, dhofoza.dll, dhofazr.dll, dhofaza.dll, fegozr.dll, fegoza.dll, fegazr.dll, fegaza.dll, fofozr.dll, fofoza.dll, fofazr.dll, fofaza.dll

It displays alert messages with popups that download WinDefender 2009.

It also drops Internet Shortcuts on the desktop, in Favorites and in the Start Menu: Cheap Pharmacy Online.url, Cheap Software.url, Search Online.url, SMS Trap.url and VIP Casino.url
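A detection sketch for the indicators above, added here as an example and not part of the original post or of any removal tool: it rebuilds the 16 DLL names from the dictionary and walks a directory tree for those names and the listed shortcuts. The post does not say where the DLL is installed, so the directory to scan is an assumption left to the caller; the function names are hypothetical.

```python
import itertools
import os
import re

# Position-wise alternatives, read off the dictionary and name list on this page.
PARTS = [("dh", "f"), ("eg", "of"), ("oz", "az"), ("r", "a")]
# Shortcut file names listed on this page, lower-cased for comparison.
SHORTCUTS = {"cheap pharmacy online.url", "cheap software.url",
             "search online.url", "sms trap.url", "vip casino.url"}
# Equivalent pattern, reusable in other tools that accept regular expressions.
DLL_RE = re.compile(r"(?:dh|f)(?:eg|of)(?:oz|az)[ra]\.dll", re.IGNORECASE)


def candidate_dlls():
    """Return every DLL name the dictionary can produce (2*2*2*2 = 16)."""
    return ["".join(p) + ".dll" for p in itertools.product(*PARTS)]


def classify(filename):
    """Return 'dll', 'shortcut' or None for a bare file name."""
    if DLL_RE.fullmatch(filename):
        return "dll"
    if filename.lower() in SHORTCUTS:
        return "shortcut"
    return None


def scan(root):
    """Walk root (caller-chosen, an assumption) and list (kind, path) hits."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            kind = classify(name)
            if kind:
                hits.append((kind, os.path.join(dirpath, name)))
    return sorted(hits)


if __name__ == "__main__":
    import sys
    for kind, path in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(kind, path)
```

A name match is a lead for triage, since the generated names are short enough to collide with unrelated files.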

Use SmitfraudFix to remove the infection.