The Media Guru

Jul 11, 2007

The official Version 1 of the Microsoft Malware Protection Center Portal is now live!
You can check it out here: http://www.microsoft.com/security/portal/

Some of the features you asked for and we included are:
Access to our malware encyclopedia.
- When you need to do some research on a particular threat or family you can search or browse our encyclopedia and get the details we’ve written about on it.

Download our antivirus and/or our antispyware signatures.
- We recommend updating daily, the products will do it for you, BUT if you want you can do it yourself for the Forefront client or Windows Defender products on both 32 bit and 64 bit systems.

Threat and Potentially Unwanted Software Telemetry.
- The portal provides information on the top threats and potentially unwanted software that we are observing and that’s being reported to us by YOU. Each top ten category provides links to read up on those listed.

Tools and Resources.
- We have a collection of links to tools and resources that we think can be useful and interesting to you including blogs and the Microsoft Security Intelligence Report.

Microsoft Security Intelligence Report.
- And of course no blog would be complete without me mentioning the SIR, we have a page dedicated to hosting the various reports we produce:
http://www.microsoft.com/security/portal/SIR.aspx

And last but not least we have the Sample Submission feature! You got a file that you think is infected and want to know for sure?? Upload it to us, we’ll take a look and let you know.

This is just the start – literally a v1 release. As always we want to hear what you think about the portal – the good, the bad, and the ugly (don’t be shy). Please send us feedback and let us know which features you want to see in future releases. mpcfb@microsoft.com

For those who don't know, Microsoft Forefront Client is Microsoft's antivirus software for businesses!!

To find out if Microsoft's MPC is really effective, I decided to send them a file that I suspected was malware.
Here's how it is described by Windows Defender.
File Name: RYUD.EXE
Display Name: Microsoft Generic Host Process for Win32 Services
Description: Generic Host Process for Win32 Services
Publisher: Microsoft Corporation
Digitally Signed By: NOT SIGNED
File Type: Application
Startup Value: RYUD.EXE
File Path: C:\WINDOWS\system32\RYUD.EXE
File Size: 125952
File Version: 5.1.27001.67 (NT client.010817-1148)
Date Installed: 7/3/2007 6:05:20 PM
Startup Type: Registry: Local Machine
Location: Software\Microsoft\Windows\CurrentVersion\Run
Classification: Not yet classified
Ships with Operating System: No
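The record above already contains the indicators a defender would weigh before submitting a sample: an unsigned binary claiming a Microsoft publisher, a display name borrowed from a real OS component, a non-OS file autostarting from the machine-wide Run key, and a version string that does not match the XP build it imitates. The script below is an added example, not code from the original post or from Microsoft: it parses a Software Explorer-style record like the one quoted and lists those red flags. The reference table (svchost.exe and the `5.1.2600.` version prefix for XP) and the second, clean record are constructed for the example.

```python
"""Triage a Windows Defender Software Explorer-style startup record.

Added example (not from the original post). Parses the 'Key: Value'
block the post reproduces and lists the red flags a defender checks
before submitting a sample. The scoring rules are this example's own.
"""

# The record quoted in the post (backslashes doubled for Python).
RECORD = """\
File Name: RYUD.EXE
Display Name: Microsoft Generic Host Process for Win32 Services
Description: Generic Host Process for Win32 Services
Publisher: Microsoft Corporation
Digitally Signed By: NOT SIGNED
File Type: Application
Startup Value: RYUD.EXE
File Path: C:\\WINDOWS\\system32\\RYUD.EXE
File Size: 125952
File Version: 5.1.27001.67 (NT client.010817-1148)
Date Installed: 7/3/2007 6:05:20 PM
Startup Type: Registry: Local Machine
Location: Software\\Microsoft\\Windows\\CurrentVersion\\Run
Classification: Not yet classified
Ships with Operating System: No
"""

# Constructed record of the genuine component for comparison.
CLEAN_RECORD = """\
File Name: svchost.exe
Display Name: Generic Host Process for Win32 Services
Publisher: Microsoft Corporation
Digitally Signed By: Microsoft Corporation
File Path: C:\\WINDOWS\\system32\\svchost.exe
File Version: 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
Ships with Operating System: Yes
"""

# Constructed reference table: display name fragment -> (real file name,
# expected Windows XP version prefix). Extend for other components.
KNOWN_COMPONENTS = {
    "generic host process for win32 services": ("svchost.exe", "5.1.2600."),
}


def parse_record(text):
    """Split 'Key: Value' lines into a dict (only the first ':' separates)."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        fields[key.strip()] = value.strip()
    return fields


def triage(fields):
    """Return the list of reasons this record deserves a closer look."""
    reasons = []
    publisher = fields.get("Publisher", "").lower()
    signer = fields.get("Digitally Signed By", "")
    name = fields.get("File Name", "").lower()
    display = fields.get("Display Name", "").lower()
    version = fields.get("File Version", "")

    # 1. Claims a Microsoft publisher but carries no Authenticode signature.
    if "microsoft" in publisher and signer.upper() == "NOT SIGNED":
        reasons.append("claims Microsoft publisher but is unsigned")

    # 2. Borrows the display name of a well-known OS component while the
    #    file name or version does not match that component.
    for fragment, (real_name, prefix) in KNOWN_COMPONENTS.items():
        if fragment not in display:
            continue
        if name != real_name:
            reasons.append(f"display name imitates {real_name} but file is {name}")
        if not version.startswith(prefix):
            reasons.append(f"version {version.split()[0]} does not match {real_name}")

    # 3. Autostarts from the machine-wide Run key yet does not ship with the OS.
    location = fields.get("Location", "").lower()
    ships = fields.get("Ships with Operating System", "").lower()
    if location.endswith("currentversion\\run") and ships == "no":
        reasons.append("non-OS binary autostarts from HKLM Run key")

    return reasons


if __name__ == "__main__":
    for label, rec in (("RYUD.EXE", RECORD), ("svchost.exe", CLEAN_RECORD)):
        print(label, "->", triage(parse_record(rec)) or ["no flags"])
```

None of these checks proves a file is malicious on its own; they rank which startup entries are worth a signature check and a sample submission first, which is exactly the decision the post describes making by hand.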


This file first raised my suspicions when one day Windows Firewall told me that it was blocking Internet access to this file. Why would it do so if it was labelled "Microsoft Generic Host Process for Win32 Services?"

I didn't pay attention to it until the day my CPU usage jumped to 100%!! My PC was slowed to a crawl & everything came back to normal when I killed the ryud.exe process.
This happened twice more... so I decided to investigate this process...

I was also intrigued by the date installed & its file size (123 KB). I hadn't done any update via Microsoft for the past 2 months... so how come I have a new "Microsoft" process?
That process was included twice in my startup & I had to enable "Show Hidden Files" & "Show Protected System Files" to see it.

I ran a scan of the file ryud.exe with Windows Defender & Kaspersky Internet Security 6 (with latest definitions). They didn't find anything wrong with it.

Was it a new malware? I did a Google search of ryud.exe & I found 0 results! (if you do a search now, you'll only find my blog)

So i submitted the file to MMPC yesterday:

Hello. Thank you for submitting suspicious files to the Microsoft Malware Protection Center (MMPC).

The MMPC will analyze the files that you submitted to determine if the files are malware or potentially unwanted software. If the files are identified as new malware, the MMPC will add detection signatures for the new malware and publish the signatures after they have been tested and certified.

Your submission has been assigned ID 11539663.

The MMPC has completed an initial scan of the files you submitted and the results are below. If the files are known malware or potentially unwanted software, the results will identify the threat for each file submitted.

The MMPC will send a second and final e-mail to this e-mail address once it makes a final determination concerning this specific submission.

Initial analysis summary:
=================

Total Files: 2
Clean: 0
Malware: 0
Malware Related: 0
Malware Container: 0
Potentially Unwanted Software: 0
Potentially Unwanted Software Container: 0
Postponed: 0
Not Yet Analyzed: 2
=================


Per-file summary:
=================

20070710_092249051_0_ryud.zip Not Yet Analyzed
ryud.exe Not Yet Analyzed
=================


Thank you for contacting the Microsoft Malware Protection Center.


They were really quick. I had submitted it at 8:26 PM yesterday & they replied to me at 4:56 AM today.

Hello. The Microsoft Malware Protection Center (MMPC) has finished analyzing submission ID 11539663 and the results are listed below. If the files were determined to be malware or potentially unwanted software, the results will identify the threat for each file submitted.

This is the last e-mail the MMPC will send to this e-mail address concerning this submission ID.

Analyst comments:
=================

=================

Analysis summary:
=================

Total Files: 2
Clean: 0
Malware: 0
Malware Related: 1
Malware Container: 1
Potentially Unwanted Software: 0
Potentially Unwanted Software Container: 0
Postponed: 0
Not Yet Analyzed: 0
=================


Per-file summary:
=================

20070710_092249051_0_ryud.zip Malware Container
ryud.exe Threat Related
=================
Thank you for contacting the Microsoft Malware Protection Center.

So ryud.exe was indeed malware. So this means... I have discovered a new malware!! :-D

Kaspersky would have certainly detected it if I hadn't turned off the "Proactive Defense." In this mode, KIS constantly analyses the activity of processes & determines whether it's harmful. But I had to turn it off since it's a massive CPU & memory hog...

& they've already updated their definitions....

Comments
Yashvin said...

lol, a new malware was born :P
