We’re hearing more reports of AV-killing bots being spammed in Europe again. Back in September, we posted an analysis of a driver that modifies the file system stack. In human terms, that means the driver disables most real-time anti-virus scanner functionality (the part of the anti-virus software that scans a file the moment you copy it to your drive and immediately flags it as malicious). Luckily, this time around, eighteen of the thirty-two scanners maintained on VirusTotal detect the downloader portion of this critter, which is the piece that is emailed to users (when we first saw the file, detection rates were almost non-existent):
The email message carrying the AVKill/rootkit attachment is getting through spam filters this time around. The best advice, if you receive an email with an enticing subject line like “Free Hot Game” or “Free Sports Tracker” and the body of the message is nonsense, is to delete it immediately.