Friday, January 30, 2009

IEDef family

The IEDef family Codec has been updated; it installs a file with a semi-random filename composed from a dictionary:
ju, lo, n, m, as, ix, t, z

Possible filenames:
junast.dll, junasz.dll, junixt.dll, junixz.dll, jumast.dll, jumasz.dll, jumixt.dll, jumixz.dll, lonast.dll, lonasz.dll, lonixt.dll, lonixz.dll, lomast.dll, lomasz.dll, lomixt.dll, lomixz.dll

It displays alert messages with popups that download WinDefender 2009 or IE-Security:


and alert messages that redirect to a fake online scanner.


It also modifies Google results and drops Internet Shortcuts on the Desktop, in Favorites and in the Start Menu: Cheap Pharmacy Online.url, Cheap Software.url, MP3 Download.url, Search Online.url, SMS Trap.url and VIP Casino.url

Use SmitfraudFix to remove the infection.

Tuesday, January 27, 2009

XP Police Antivirus

XP Police Antivirus is a new rogue.
As always: fake malware detections and lots of alert messages to sell a fake security software.



See the MAD blog for more information.

Monday, January 26, 2009

IE-Security

New Rogue released: IE-Security. It uses the same GUI as WinDefender 2009 and Total Secure 2009.

This Rogue is dropped by the IEDef Codec family.

Sunday, January 25, 2009

IEDef family

The IE Defender/Files Secure/MalwareBell/IE Antivirus/Total Secure 2009 Codec has been updated; it installs a file with a semi-random filename composed from a dictionary:
h, j, b, h, s, x, a, f

Possible filenames:
hbsa.dll, hbsf.dll, hbxa.dll, hbxf.dll, hhsa.dll, hhsf.dll, hhxa.dll, hhxf.dll, jbsa.dll, jbsf.dll, jbxa.dll, jbxf.dll, jhsa.dll, jhsf.dll, jhxa.dll, jhxf.dll

It displays alert messages with popups that download WinDefender 2009:


and alert messages that redirect to a fake online scanner.


It also modifies Google results and drops Internet Shortcuts on the Desktop, in Favorites and in the Start Menu: Cheap Pharmacy Online.url, Cheap Software.url, MP3 Download.url, Search Online.url, SMS Trap.url and VIP Casino.url

Use SmitfraudFix to remove the infection.

Friday, January 16, 2009

IEDef family

The IE Defender/Files Secure/MalwareBell/IE Antivirus/Total Secure 2009 Codec has been updated; it installs a file with a semi-random filename composed from a dictionary:
kia, ke, w, g, o, o, 32a, 32

Possible filenames:
kiawo32a.dll, kiawo32.dll, kiawo32a.dll, kiawo32.dll, kiago32a.dll, kiago32.dll, kiago32a.dll, kiago32.dll, kewo32a.dll, kewo32.dll, kewo32a.dll, kewo32.dll, kego32a.dll, kego32.dll, kego32a.dll, kego32.dll

It displays alert messages with popups that download WinDefender 2009:


and alert messages that redirect to a fake online scanner.


It also modifies Google results and drops Internet Shortcuts on the Desktop, in Favorites and in the Start Menu: Cheap Pharmacy Online.url, Cheap Software.url, MP3 Download.url, Search Online.url, SMS Trap.url and VIP Casino.url

Use SmitfraudFix to remove the infection.

Friday, January 9, 2009

Zlob

A message found in a Zlob binary:

For Windows Defender's Team:
I saw your post in the blog (10-Oct-2008) about my previous message.
Just want to say 'Hello' from Russia.
You are really good guys.
It was a surprise for me that Microsoft can respond on threats so fast.
I can't sign here now (he-he, sorry), how it was some years ago for more seriously vulnerability for all Windows ;)
Happy New Year, guys, and good luck!

P.S. BTW, we are closing soon. Not because of your work. :-))
So, you will not see some of my great ;) ideas in that family of software.
Try to search in exploits/shellcodes and rootkits.
Also, it is funny (probably for you), but Microsoft offered me a job to help
improve some of Vista's protection. It's not interesting for me, just a life's irony.

This is a response to Microsoft's Windows Defender team, which found a first message in a previous binary and posted about it on their blog.
Post in French on MAD's blog

Monday, January 5, 2009

IEDef family

The IE Defender/Files Secure/MalwareBell/IE Antivirus/Total Secure 2009 Codec has been updated; it installs a file with a semi-random filename composed from a dictionary:
int, syst, a, e, 1, 5, b, a

Possible filenames:
inta1b.dll, inta1a.dll, inta5b.dll, inta5a.dll, inte1b.dll, inte1a.dll, inte5b.dll, inte5a.dll, systa1b.dll, systa1a.dll, systa5b.dll, systa5a.dll, syste1b.dll, syste1a.dll, syste5b.dll, syste5a.dll

It displays alert messages with popups that download WinDefender 2009:


and alert messages that redirect to a fake online scanner.


It also modifies Google results and drops Internet Shortcuts on the Desktop, in Favorites and in the Start Menu: Cheap Pharmacy Online.url, Cheap Software.url, MP3 Download.url, Search Online.url, SMS Trap.url and VIP Casino.url

Use SmitfraudFix to remove the infection.

Friday, January 2, 2009

IEDef family

The IE Defender/Files Secure/MalwareBell/IE Antivirus/Total Secure 2009 Codec has been updated; it installs a file with a semi-random filename composed from a dictionary:
k, t, g, d, z, b, 32, 32a

Possible filenames:
kgz32.dll, kgz32a.dll, kgb32.dll, kgb32a.dll, kdz32.dll, kdz32a.dll, kdb32.dll, kdb32a.dll, tgz32.dll, tgz32a.dll, tgb32.dll, tgb32a.dll, tdz32.dll, tdz32a.dll, tdb32.dll, tdb32a.dll

It displays alert messages with popups that download WinDefender 2009:


and alert messages that redirect to a fake online scanner.


It also modifies Google results and drops Internet Shortcuts on the Desktop, in Favorites and in the Start Menu: Cheap Pharmacy Online.url, Cheap Software.url, MP3 Download.url, Search Online.url, SMS Trap.url and VIP Casino.url

Use SmitfraudFix to remove the infection.
French version on MAD
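Each of the five IEDef posts above (January 2, 5, 16, 25 and 30) lists an eight-token dictionary and the sixteen filenames it yields: the tokens form four positions with two choices each, and the dropped filename is one combination. The script below is an added example, not code from this blog or from SmitfraudFix; it regenerates the candidate lists from the dictionaries as printed in the posts and matches a directory listing against them, with the variant dates used as keys being my own labels.

```python
import itertools
from typing import Dict, Iterable, List

# Dictionaries exactly as the posts list them, keyed by post date (label is mine).
# Eight tokens = four positions x two choices; the 16 filenames are their product.
IEDEF_DICTIONARIES: Dict[str, List[str]] = {
    "2009-01-02": ["k", "t", "g", "d", "z", "b", "32", "32a"],
    "2009-01-05": ["int", "syst", "a", "e", "1", "5", "b", "a"],
    "2009-01-16": ["kia", "ke", "w", "g", "o", "o", "32a", "32"],
    "2009-01-25": ["h", "j", "b", "h", "s", "x", "a", "f"],
    "2009-01-30": ["ju", "lo", "n", "m", "as", "ix", "t", "z"],
}


def expand_dictionary(tokens: List[str], ext: str = ".dll") -> List[str]:
    """Return the 16 candidate filenames in the order the posts list them."""
    if len(tokens) != 8:
        raise ValueError("expected exactly 8 tokens (4 positions x 2 choices)")
    positions = [tokens[i:i + 2] for i in range(0, 8, 2)]
    # itertools.product varies the last position fastest, matching the posts.
    return ["".join(parts) + ext for parts in itertools.product(*positions)]


def build_lookup(dicts: Dict[str, List[str]]) -> Dict[str, str]:
    """Map every lowercase candidate filename to the variant date that produces it.

    A dictionary with a repeated token (the January 16 one has 'o, o') yields
    duplicate names; setdefault keeps the first date seen for each name.
    """
    lookup: Dict[str, str] = {}
    for date, tokens in dicts.items():
        for name in expand_dictionary(tokens):
            lookup.setdefault(name.lower(), date)
    return lookup


def match_filenames(filenames: Iterable[str], lookup: Dict[str, str] = None) -> Dict[str, str]:
    """Return {filename: variant_date} for listing entries that match a known variant."""
    lookup = lookup or build_lookup(IEDEF_DICTIONARIES)
    return {f: lookup[f.lower()] for f in filenames if f.lower() in lookup}


if __name__ == "__main__":
    # Constructed directory listing for illustration, not taken from a real machine.
    sample = ["kernel32.dll", "jumixz.dll", "syste5a.dll", "user32.dll", "KIAGO32.DLL"]
    for name, date in match_filenames(sample).items():
        print(f"{name}: matches the IEDef dictionary of {date}")
```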