Friday, January 16, 2009

IEDef family

IE Defender/Files Secure/MalwareBell/IE Antivirus/Total Secure 2009 Codec has been update, it installs a file with semi-random filename composed from a dictionary:
kia, ke, w, g, o, o, 32a, 32

Possible filenames:
kiawo32a.dll, kiawo32.dll, kiawo32a.dll, kiawo32.dll, kiago32a.dll, kiago32.dll, kiago32a.dll, kiago32.dll, kewo32a.dll, kewo32.dll, kewo32a.dll, kewo32.dll, kego32a.dll, kego32.dll, kego32a.dll, kego32.dll

It displays alert messages with popups that download WinDefender 2009:


and alerts messages that redirect to fake online scanner.


It also modifies Google result, and drops Internet Shortcut on the desktop, Favorites, Start Menu: Cheap Pharmacy Online.url, Cheap Software.url, MP3 Download.url, Search Online.url, SMS Trap.url and VIP Casino.url

Use SmitfraudFix to remove the infection.