On 20 March, Russian law enforcement agencies announced the arrest of a cybercriminal gang involved in stealing money using the Carberp Trojan. This is very good news, but unfortunately does not mark the end of the Carberp story. Evidently, those arres…
Mediyes – the dropper with a valid signature
Post was updated 19.03.2012 (see below). In the last few days a malicious program has been discovered with a valid signature. The malware is a 32- or 64-bit dropper that is detected by Kaspersky Lab as Trojan-Dropper.Win32.Mediyes or Trojan-Dropper.Wi…
New Exploit Targeting Java Vulnerability Found in BlackHole Arsenal
On 3 December, we noted a rapid growth in the number of detections for exploits targeting the vulnerability CVE-2011-3544 in the Java virtual machine. The vulnerability was published on 18 October, but malicious users have only recently begun to make activ…
Fake AV business alive and kicking
Since June 2011 we have seen a substantial decrease in the number of fake antivirus programs. Right now we are observing 10,000 daily attempts to infect users with Trojan-FakeAV; back in June the figures were 50,000-60,000. The daily number of attempted i…
Cybercriminals switch from MBR to NTFS
Modification of the hard drive areas responsible for the initial loading of the system has become increasingly popular with cybercriminals. Moreover, cybercriminals have now moved on from just modifying the MBR (master boot record) to infecting the code …
An unlikely couple: 64-bit rootkit and rogue AV for MacOS
The Virus Lab recently came across a very interesting sample: a downloader containing two drivers, which downloads fake antivirus programs developed for both PC and Mac platforms. The malicious program is downloaded and installed using the BlackHol…
The Chinese bootkit
We recently discovered a new bootkit, i.e. a malicious program which infects the hard drive’s boot sector. Kaspersky Lab detects it as Rootkit.Win32.Fisp.a. The bootkit is distributed by Trojan-Downloader.NSIS.Agent.jd. The Trojan infects the comp…
A keygen with a twist
Programs for cracking commercial software are, sadly, not unpopular. They have also caught the attention of malware writers, who prepared a couple of surprises for those who don’t mind a free ride every now and then.
A short time ago, we detected a Trojan dropper which passes itself off as a key generator for Kaspersky Lab products. The file’s name is kaspersky.exe.
Once launched, the file displays a key generator window prompting the user to select a product. After one of the options is selected, the program proceeds to generate a key.
Keygen window
While the freebie lover is waiting for the result, two pieces of malware that were stealthily installed and launched by the dropper make themselves at home on the PC.
One of these is detected by Kaspersky Lab as Trojan.MSIL.Agent.aor. It steals registration data for other programs, as well as passwords, mostly for online games. It rather considerately stores all the stolen data in one file. A fragment of the file is shown in the screenshot below.