Disorderly conduct: localized malware impersonates the police

We have recently seen the emergence of several samples of a ransomware family localized into different languages. Malware that relies on localized social engineering tactics has been around for a few years, as we discussed in our two-part series on Program:Win32/Pameseg, and as evident in the surge of password stealers targeting Brazilian online banking websites….


FTC to refund rogue security software victims

The United States Federal Trade Commission announced that it will begin issuing refunds to 300,000 consumers that were victims of several rogue security software scams such as “Winfixer“, “Drive Cleaner” and “XP Antivirus“. The following is a list of Microsoft antimalware product detection names that are linked to the Winfixer family: Program:Win32/AdvancedCleaner Program:Win32/Antivirus2008 Program:Win32/Antivirus2009 Program:Win32/SpywareIsolatorProgram:Win32/WinFixer…


MSRT December: Win32/Helompy

The December 2011 edition of the MSRT includes detection and clean-up for the Win32/Helompy Family. Helompy is a worm that propagates by copying itself to the root of removable drives, and its main payload is to record account credentials and login information and send them to a remote server, where the attacker could retrieve them…


Backdoor:Win32/Fynloski.A: a short history of abuse

In the quest to compromise users’ systems, malware has always employed different and resourceful techniques to achieve its goals. From using social engineering methods, to abusing legitimate software and its features, to using a design familiar to the user, malware has used every dirty trick in the book to achieve its malicious purpose. As a…


Friendly spam carries Zbot

​This morning I spotted a few messages from my mobile carrier in my email inbox. This was not surprising as, only a few hours prior, I had logged into the carrier’s website to pay the monthly bill. The standard mode of operation for my provider is to receive a bill via email, and a confirmation…


MSRT November: Dofoil

As previously noted, one of the three families added to the November release of the Microsoft Malicious Software Removal Tool is Win32/Dofoil. TrojanDownloader:Win32/Dofoil is a configurable downloader. Dofoil will attempt to receive control instructions from a remote server. The response contains encrypted configuration data containing download URLs and execution options, as visible in a partially…


Easy Money: Program:Win32/Pameseg (part 2)

In the previous post, we gave an introduction to how file partnership programs work and how they make money off unsuspecting users by charging them for installing software that is actually free. In this post, we’ll walk you through a sample of these “paid archives”. The following “paid archive” simulates the appearance of the Adobe…


Microsoft Security Essentials beta registration opens

Today we announce that the Beta for the next version of Microsoft Security Essentials is open for registration.   Do you want to try out our latest innovations in protection and performance? Are you interested in helping to improve Security Essentials?   The number of users than can participate in the Beta is limited, so…


Keep your Facebook friends close and your antivirus closer

Facebook malware attacks are not new. Scams spreading via status updates have been around for a long time, but in recent weeks one threat has been getting creative in terms of social engineering. Backdoor:Win32/Caphaw.A can intercept URL requests in both Firefox and Internet Explorer and it has been observed to post very personable updates on…


Easy Money: Program:Win32/Pameseg (part one)

Nowadays many people believe in the opportunity to achieve great wealth without much effort, not leaving the house, not interrupting their favorite computer games, forums, social networking and so on. This type of opportunity is widely marketed by companies providing paid digital content services. You may have seen online advertising banners such as: “Make a…