Sunday, January 25, 2009

IEDef family

IE Defender/Files Secure/MalwareBell/IE Antivirus/Total Secure 2009 Codec has been update, it installs a file with semi-random filename composed from a dictionary:
h, j, b, h, s, x, a, f

Possible filenames:
hbsa.dll, hbsf.dll, hbxa.dll, hbxf.dll, hhsa.dll, hhsf.dll, hhxa.dll, hhxf.dll, jbsa.dll, jbsf.dll, jbxa.dll, jbxf.dll, jhsa.dll, jhsf.dll, jhxa.dll, jhxf.dll

It displays alert messages with popups that download WinDefender 2009:


and alerts messages that redirect to fake online scanner.


It also modifies Google result, and drops Internet Shortcut on the desktop, Favorites, Start Menu: Cheap Pharmacy Online.url, Cheap Software.url, MP3 Download.url, Search Online.url, SMS Trap.url and VIP Casino.url

Use SmitfraudFix to remove the infection.