Normal Service is Resumed…

As you may have noticed, we’ve been a little busy in the past few weeks, with major conferences and workshops in Estonia, Florida, and the Virus Bulletin conference in Ottawa. Unfortunately, we can’t tell you much about most of these: while some very important work on the mitigation of malware is done in and around these sessions, it can’t always be made public. Virus Bulletin is another matter: we were very strongly represented there, presentation-wise, and some papers will be going up on the white papers page very shortly.  In fact, there’s been something of a queue of white papers building up while other issues were resolved, but I’ve been sneaking in a little editing time so that we can get some of them going through the publication process.

[Talking of Virus Bulletin, Graham Cluley and Carole Theriault of Sophos put together a video for the conference that might have amused you, but Sophos have removed the video (though not the blog). Of course, my real agenda here was to draw your attention to all those people from other companies on camera with the ESET logo on their conference ID. I wonder if there’s a connection? ;) – DH, 2017]

Meanwhile, out in the great wide world, malware continues to flourish.

We are seeing a spike in detections of the WMA/TrojanDownloader.GetCodec.Gen malware family.  The GetCodec malware family modifies media files to include information on a fake codec that needs to be downloaded and installed if a user wants to view or listen to the infected media file.  If files are shared with other users, they run the risk of being infected.

Fake antivirus software is also on the rise.  This type of malware sends false information to users, reporting that their computer is infected with various threats.  The fake antivirus then prompts for payment before “cleaning” the false infection.

In our Threat Trends report for September [dead link removed – DH 2017], we also noted that the rise in detections of gaming password stealers continues to escalate dramatically, and that malware that attempts to exploit the Autorun facility continues to feature strongly in the “top ten”. In his presentation on “Defense in Depth”, Ken Bechtel, my long-time friend and colleague in Team Antivirus and AVIEN, remarked that there are actually no less than seven registry keys that need to be fixed before Autorun is fully disabled in Windows. :( I think we may revisit that issue on this page shortly.

David Harley & Pierre-Marc Bureau
Malware Intelligence Team

Author David Harley, ESET

  • Johnson

    Goldun and Autorun from spams are very popular .Now I find Pachat which fakes pdf is also very popular,it seems that they’re autogenerated.

    David,have you met Andrew Lee at Virus Bulletin conference?

  • Interesting: thanks. Malware that exploits Autorun is still number 2 in our “top ten”, though there’s been a significant increase in gaming password stealers that put them well ahead of the pack.

    Yes, I saw Andrew: we wrote a paper together for the conference.

  • Glad you guys at ESET enjoyed the video as much as we enjoyed making it! And yes, good idea of yours to sponsor the delegate badges as it made it look as though everyone worked for you!

    Graham, Sophos

  • > BTW, it’s Carole rather than Caroline Theriault.

    Oops. Sorry, Carole. Corrected in main text. You didn’t really think I was going to let you slip a link to the Sophos press office into our blog, did, you Graham? ;-) (Graham’s blog is highly recommended, though!)

  • bong

    hi just want to ask if you can solve my problem with MYMP3.VBS
    can’t remove it

  • > hi just want to ask if you can solve my problem with
    > MYMP3.VBS can’t remove it


    It’s not usually practical to answer support queries through the blog pages, I’m afraid: we’re not part of the support team. There are a number of ways you can get help listed at If you’re not an ESET customer, you could try the free online scanner at

    Hope this helps.

Follow us

Copyright © 2017 ESET, All Rights Reserved.