Friday, January 2, 2009

IEDef family

The IE Defender/Files Secure/MalwareBell/IE Antivirus/Total Secure 2009 Codec has been updated; it installs a file with a semi-random filename composed from a dictionary:
k, t, g, d, z, b, 32, 32a

Possible filenames:
kgz32.dll, kgz32a.dll, kgb32.dll, kgb32a.dll, kdz32.dll, kdz32a.dll, kdb32.dll, kdb32a.dll, tgz32.dll, tgz32a.dll, tgb32.dll, tgb32a.dll, tdz32.dll, tdz32a.dll, tdb32.dll, tdb32a.dll

It displays alert messages with popups that download WinDefender 2009, and alert messages that redirect to a fake online scanner.

It also modifies Google results and drops Internet Shortcuts on the desktop, in Favorites and in the Start Menu: Cheap Pharmacy Online.url, Cheap Software.url, MP3 Download.url, Search Online.url, SMS Trap.url and VIP Casino.url
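A triage helper for the filename dictionary and the shortcut names above, added here as an example and not part of the original post or of SmitfraudFix. It assumes the caller supplies the directories to check, since the post does not say where the DLL is dropped; the function names are hypothetical.

```python
import os
from itertools import product

# Dictionary from the post: one choice per position, then "32" or "32a".
POSITIONS = [("k", "t"), ("g", "d"), ("z", "b"), ("32", "32a")]

# Internet Shortcut names listed in the post, lower-cased for comparison.
SHORTCUT_NAMES = {
    "cheap pharmacy online.url", "cheap software.url", "mp3 download.url",
    "search online.url", "sms trap.url", "vip casino.url",
}


def candidate_dll_names():
    """Return the 16 lower-case DLL names the dictionary can produce."""
    return {"".join(parts) + ".dll" for parts in product(*POSITIONS)}


def scan(roots):
    """Walk each root and return sorted (kind, path) pairs for name matches.

    Windows file names are case-insensitive, so names are compared lower-cased.
    """
    dlls = candidate_dll_names()
    hits = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                lowered = name.lower()
                if lowered in dlls:
                    hits.append(("dll", os.path.join(dirpath, name)))
                elif lowered in SHORTCUT_NAMES:
                    hits.append(("shortcut", os.path.join(dirpath, name)))
    return sorted(hits)


if __name__ == "__main__":
    import sys
    # Assumption: directories to check are passed on the command line,
    # e.g. the system folder and the user's Desktop/Favorites/Start Menu.
    for kind, path in scan(sys.argv[1:]):
        print(f"{kind}\t{path}")
```

A name match is only a lead for further inspection of the file, not confirmation of infection.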

Use SmitfraudFix to remove the infection.
French version on MAD