SpamThru, a horribly ingenious new piece of malware, downloads and installs its own anti-virus software, which it then uses to detect and remove competing malicious software installed by other hackers on the same system:
At start-up, the Trojan requests and loads a DLL from the author's command-and-control server.
This then downloads a pirated copy of Kaspersky AntiVirus for WinGate into a concealed directory on the infected system.
It patches the license signature check in-memory in the Kaspersky DLL to avoid having Kaspersky refuse to run due to an invalid or expired license, Stewart said.
Ten minutes after the download of the DLL, it begins to scan the system for malware, skipping files which it detects are part of its own installation.
"Any other malware found on the system is then set up to be deleted by Windows at the next reboot," he added.
(via Deep Links)
