{"id":75971,"date":"2016-04-12T12:24:15","date_gmt":"2016-04-12T19:24:15","guid":{"rendered":"https:\/\/cloudblogs.microsoft.com\/microsoftsecure\/?p=75971"},"modified":"2023-05-15T23:06:46","modified_gmt":"2023-05-16T06:06:46","slug":"msrt-april-release-features-bedep-detection","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2016\/04\/12\/msrt-april-release-features-bedep-detection\/","title":{"rendered":"MSRT April release features Bedep detection"},"content":{"rendered":"<p>As part of our ongoing effort to provide better malware protection, the <a href=\"https:\/\/www.microsoft.com\/en-us\/download\/malicious-software-removal-tool-details.aspx\" target=\"_blank\" rel=\"noopener\">Microsoft Malicious Software Removal Tool <\/a>(MSRT) release this April will include detections for:<\/p>\n<ul>\n<li><a href=\"https:\/\/www.microsoft.com\/security\/portal\/threat\/encyclopedia\/Entry.aspx?Name=Win32\/Bedep\" target=\"_blank\" rel=\"noopener\">Win32\/Bedep<\/a> \u2013 Trojan family<\/li>\n<li><a href=\"https:\/\/www.microsoft.com\/security\/portal\/threat\/encyclopedia\/Entry.aspx?Name=Win32\/Upatre\" target=\"_blank\" rel=\"noopener\">Win32\/Upatre<\/a> \u2013 Trojan family<\/li>\n<li><a href=\"https:\/\/www.microsoft.com\/security\/portal\/threat\/encyclopedia\/Entry.aspx?Name=Ransom:MSIL\/Samas\" target=\"_blank\" rel=\"noopener\">Ransom:MSIL\/Samas<\/a> \u2013 Ransomware family<\/li>\n<\/ul>\n<p>In this blog, we\u2019ll focus on the <a href=\"http:\/\/www.microsoft.com\/security\/portal\/threat\/encyclopedia\/Entry.aspx?Name=Win32\/Vonteera\" target=\"_blank\" rel=\"noopener\">Bedep<\/a> family of trojans.<\/p>\n<h2>The bothersome Bedep<\/h2>\n<p><a href=\"https:\/\/www.microsoft.com\/security\/portal\/threat\/encyclopedia\/Entry.aspx?Name=Win32\/Bedep\" target=\"_blank\" rel=\"noopener\">Win32\/Bedep<\/a> was first detected in November 25, 2014 as a malware family made up of DLLs which has been distributed by Angler Exploit Kit. Microsoft detects Angler as:<\/p>\n<ul>\n<li><a href=\"https:\/\/www.microsoft.com\/security\/portal\/threat\/encyclopedia\/Entry.aspx?Name=JS\/Axpergle\" target=\"_blank\" rel=\"noopener\">JS\/Axpergle<\/a><\/li>\n<li><a href=\"https:\/\/www.microsoft.com\/security\/portal\/threat\/encyclopedia\/Entry.aspx?Name=HTML\/Axpergle\" target=\"_blank\" rel=\"noopener\">HTML\/Axpergle<\/a><\/li>\n<\/ul>\n<p><a href=\"https:\/\/www.microsoft.com\/security\/portal\/threat\/encyclopedia\/Entry.aspx?Name=JS\/Axpergle\" target=\"_blank\" rel=\"noopener\">JS\/Axpergle<\/a> and <a href=\"https:\/\/www.microsoft.com\/security\/portal\/threat\/encyclopedia\/Entry.aspx?Name=HTML\/Axpergle\" target=\"_blank\" rel=\"noopener\">HTML\/Axpergle<\/a> have been known to carry and drop <a href=\"http:\/\/www.microsoft.com\/security\/portal\/threat\/encyclopedia\/Entry.aspx?Name=Win32\/Vonteera\" target=\"_blank\" rel=\"noopener\">Bedep<\/a> around by redirecting unsuspecting users to compromised websites.<\/p>\n<p><a href=\"http:\/\/www.microsoft.com\/security\/portal\/threat\/encyclopedia\/Entry.aspx?Name=Win32\/Vonteera\" target=\"_blank\" rel=\"noopener\">Bedep<\/a> is bothersome not only because it is carried around by an exploit kit, but because it also connects to a remote server to do the nasty:<\/p>\n<ul>\n<li>Download other malware, such as:\n<ul>\n<li><a href=\"https:\/\/www.microsoft.com\/security\/portal\/threat\/encyclopedia\/Entry.aspx?Name=MSIL\/Dofoil\" target=\"_blank\" rel=\"noopener\">Dofoil<\/a><\/li>\n<li><a href=\"https:\/\/www.microsoft.com\/security\/portal\/threat\/encyclopedia\/Entry.aspx?Name=Win32\/Ursnif\" target=\"_blank\" rel=\"noopener\">Ursnif<\/a><\/li>\n<li><a href=\"https:\/\/www.microsoft.com\/security\/portal\/threat\/encyclopedia\/Entry.aspx?Name=Win32\/Zemot\" target=\"_blank\" rel=\"noopener\">Zemot<\/a><\/li>\n<li><a href=\"https:\/\/www.microsoft.com\/security\/portal\/threat\/encyclopedia\/Entry.aspx?Name=Win32\/Fareit\" target=\"_blank\" rel=\"noopener\">Fareit<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p style=\"padding-left: 30px;\">All of the above malware families have these in common: they steal your personal information and send them to the hacker, watch what you do online, drops other malware onto your PC, and update them too.<\/p>\n<ul>\n<li>Collect information about your PC to send it off to the malware perpetrator<\/li>\n<li>Update the downloaded malware<\/li>\n<\/ul>\n<p>The good thing is, <a href=\"https:\/\/technet.microsoft.com\/en-us\/itpro\/windows\/keep-secure\/windows-defender-in-windows-10\" target=\"_blank\" rel=\"noopener\">Windows Defender<\/a> detects and removes <a href=\"http:\/\/www.microsoft.com\/security\/portal\/threat\/encyclopedia\/Entry.aspx?Name=Win32\/Vonteera\" target=\"_blank\" rel=\"noopener\">Bedep<\/a> and its variants.<\/p>\n<p>This threat has been prevalent in North America, and various parts of Latin America, Europe, and Southeast Asia.<\/p>\n<p>The exploit shellcode sometimes loads <a href=\"http:\/\/www.microsoft.com\/security\/portal\/threat\/encyclopedia\/Entry.aspx?Name=Win32\/Vonteera\" target=\"_blank\" rel=\"noopener\">Bedep<\/a> directly in the memory from the Angler Exploit Kit, without being written to disk. However, it gets written to disk at other times.<\/p>\n<p>It can either be installed as 32bit DLL (<a href=\"https:\/\/www.microsoft.com\/security\/portal\/threat\/encyclopedia\/Entry.aspx?Name=Backdoor:Win32\/Bedep.A\" target=\"_blank\" rel=\"noopener\">Backdoor:Win32\/Bedep.A<\/a>) or 64bit DLL (<a href=\"https:\/\/www.microsoft.com\/security\/portal\/threat\/encyclopedia\/Entry.aspx?Name=Backdoor:Win64\/Bedep.A\" target=\"_blank\" rel=\"noopener\">Backdoor:Win64\/Bedep.A<\/a>), depending on the affected Windows OS version.<\/p>\n<p><a href=\"http:\/\/www.microsoft.com\/security\/portal\/threat\/encyclopedia\/Entry.aspx?Name=Win32\/Vonteera\" target=\"_blank\" rel=\"noopener\">This<\/a> threat is initially loaded by shellcode running in an exploited browser process (for example, <em>iexplore.exe<\/em>). Then, the threat downloads a copy of itself and injects that into <em>explorer.exe.<\/em><\/p>\n<p>We have observed that the first exploit is not enough. The attacker needs more exploits to bypass the OS or browser&#8217;s layered defenses. As a precaution, you should always be careful on clicking the User Account Control (UAC) prompts.<\/p>\n<p>We&#8217;ve also seen that <a href=\"http:\/\/www.microsoft.com\/security\/portal\/threat\/encyclopedia\/Entry.aspx?Name=Win32\/Vonteera\" target=\"_blank\" rel=\"noopener\">Bedep<\/a> can drop itself as <a href=\"https:\/\/www.microsoft.com\/security\/portal\/mmpc\/shared\/variables.aspx#programdata\" target=\"_blank\" rel=\"noopener\"><em>%ProgramData%<\/em><\/a><em>\\&lt;{CLSID}&gt;\\&lt;filename&gt;.dll<\/em><\/p>\n<p>Example path and file names: <em>C:\\ProgramData\\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\\acledit.dll.<\/em><\/p>\n<p>It then creates the following registry entries:<\/p>\n<p style=\"padding-left: 30px;\">In subkey: <em>HKEY_CURRENT_USER\\CLSID\\%Random CLSID%\\InprocServer32<\/em><\/p>\n<p style=\"padding-left: 30px;\">Example: <em>HKEY_CURRENT_USER\\CLSID\\{F6BF8414-962C-40FE-90F1-B80A7E72DB9A}\\InprocServer32<\/em><\/p>\n<p style=\"padding-left: 30px;\">Sets value: &#8220;<em>ThreadingModel<\/em>&#8220;<\/p>\n<p style=\"padding-left: 30px;\">With data: &#8220;<em>Apartment<\/em>&#8220;<\/p>\n<p style=\"padding-left: 30px;\">Sets value: &#8220;&#8221;<\/p>\n<p style=\"padding-left: 30px;\">With data: <em>%Bedep Filename%<\/em><\/p>\n<p style=\"padding-left: 30px;\">Example: &#8220;<em>C:\\ProgramData\\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\\acledit.dll<\/em>&#8220;<\/p>\n<p style=\"padding-left: 30px;\">In subkey: <em>HKEY_CURRENT_USER\\Drive\\ShellEx\\FolderExtensions\\%Random CLSID%<\/em><\/p>\n<p style=\"padding-left: 30px;\">Example: <em>HKEY_CURRENT_USER\\Drive\\ShellEx\\FolderExtensions\\{F6BF8414-962C-40FE-90F1-B80A7E72DB9A}<\/em><\/p>\n<p style=\"padding-left: 30px;\">Sets value: &#8220;<em>DriveMask<\/em>&#8220;<\/p>\n<p style=\"padding-left: 30px;\">With data: <em>dword:ffffffff<\/em><\/p>\n<p>For details about various Bedep variants, see the following malware encyclopedia entries:<\/p>\n<ul>\n<li><a href=\"https:\/\/www.microsoft.com\/security\/portal\/threat\/encyclopedia\/Entry.aspx?Name=Win32\/Ursnif\" target=\"_blank\" rel=\"noopener\">Win32\/Bedep<\/a><\/li>\n<li><a href=\"https:\/\/www.microsoft.com\/security\/portal\/threat\/encyclopedia\/Entry.aspx?Name=MSIL\/Dofoil\" target=\"_blank\" rel=\"noopener\">Backdoor:Win32\/Bedep<\/a><\/li>\n<li><a href=\"https:\/\/www.microsoft.com\/security\/portal\/threat\/encyclopedia\/Entry.aspx?Name=Win32\/Zemot\" target=\"_blank\" rel=\"noopener\">Backdoor:Win32\/Bedep.A<\/a><\/li>\n<li><a href=\"https:\/\/www.microsoft.com\/security\/portal\/threat\/encyclopedia\/Entry.aspx?Name=Backdoor:Win64\/Bedep.A\" target=\"_blank\" rel=\"noopener\">Backdoor:Win64\/Bedep.A<\/a><\/li>\n<\/ul>\n<h2>Mitigation and prevention<\/h2>\n<p>To help stay protected from Bedep and other threats, use an <a href=\"http:\/\/www.microsoft.com\/security\/portal\/mmpc\/help\/updatesoftware.aspx\" target=\"_blank\" rel=\"noopener\">up-to-date<\/a> <a href=\"https:\/\/technet.microsoft.com\/en-us\/itpro\/windows\/keep-secure\/windows-defender-in-windows-10\" target=\"_blank\" rel=\"noopener\">Windows Defender<\/a> for Windows 10 as your antimalware scanner, and <a href=\"http:\/\/windows.microsoft.com\/en-us\/windows-8\/join-maps-community\" target=\"_blank\" rel=\"noopener\">ensure that MAPS has been enabled<\/a>.<\/p>\n<p>Though trojans have been a permanent fixture in the malware ecosystem, there\u2019s still something that you or your administrators can proactively do:<\/p>\n<ul>\n<li>Block the IP addresses of the corresponding compromised websites soon as the administrator identifies the list of sites that <a href=\"http:\/\/www.microsoft.com\/security\/portal\/threat\/encyclopedia\/Entry.aspx?Name=Win32\/Vonteera\" target=\"_blank\" rel=\"noopener\">Bedep<\/a> maliciously redirects into.<\/li>\n<li>Always be careful on clicking the User Account Control (UAC) prompts.<\/li>\n<li><a href=\"https:\/\/blogs.windows.com\/msedgedev\/2015\/12\/16\/smartscreen-drive-by-improvements\/\" target=\"_blank\" rel=\"noopener\">Use Microsoft Edge to get SmartScreen protection<\/a>. It will prevent you from browsing sites that are known to be hosting exploits, and protect you from socially-engineered attacks such as phishing and malware downloads.<\/li>\n<li><a href=\"https:\/\/blogs.technet.microsoft.com\/mmpc\/2016\/02\/24\/locky-malware-lucky-to-avoid-it\/\" target=\"_blank\" rel=\"noopener\">Disable the loading of macros in Office programs<\/a><\/li>\n<li><a href=\"https:\/\/technet.microsoft.com\/en-us\/library\/ee857085.aspx\" target=\"_blank\" rel=\"noopener\">Disable macro loading through the Group Policy settings<\/a>.<\/li>\n<li>Keep your software <a href=\"http:\/\/www.microsoft.com\/security\/portal\/definitions\/adl.aspx\" target=\"_blank\" rel=\"noopener\">up-to-date<\/a> to mitigate possible software exploits.<\/li>\n<li>Protect derived domain credentials with <a href=\"https:\/\/technet.microsoft.com\/en-us\/library\/mt483740%28v=vs.85%29.aspx\" target=\"_blank\" rel=\"noopener\">Credential Guard for Windows 10 Enterprise<\/a>.<\/li>\n<li>Secure your code integrity with <a href=\"https:\/\/technet.microsoft.com\/en-us\/library\/dn986865%28v=vs.85%29.aspx\" target=\"_blank\" rel=\"noopener\">Device Guard for Windows 10 Enterprise<\/a>.<\/li>\n<li><a href=\"http:\/\/download.microsoft.com\/download\/5\/1\/6\/516F59A7-91EE-4463-8612-C85FD3BEBDC7\/pop-securing-lateral-account-movement.pdf\" target=\"_blank\" rel=\"noopener\">Secure the lateral account movement in your enterprise<\/a>.<\/li>\n<li>Use two-factor authentication with <a href=\"https:\/\/blogs.windows.com\/buildingapps\/2016\/01\/26\/convenient-two-factor-authentication-with-microsoft-passport-and-windows-hello\/\" target=\"_blank\" rel=\"noopener\">Microsoft Passport and Windows Hello<\/a>.<\/li>\n<li>Ensure that a strong <a href=\"https:\/\/technet.microsoft.com\/en-us\/library\/cc770394%28v=ws.10%29.aspx\" target=\"_blank\" rel=\"noopener\">password policy<\/a> is implemented throughout the enterprise.<\/li>\n<\/ul>\n<p><em>Jonathan San Jose<\/em><\/p>\n<hr \/>\n<h4><strong>Talk to us<\/strong><\/h4>\n<p>Questions, concerns, or insights on this story? Join discussions at the <a href=\"https:\/\/answers.microsoft.com\/en-us\/protect\" target=\"_blank\" rel=\"noopener\">Microsoft community<\/a> and <a href=\"https:\/\/www.microsoft.com\/en-us\/wdsi\" target=\"_blank\" rel=\"noopener\">Windows Defender Security Intelligence<\/a>.<\/p>\n<p>Follow us on Twitter <a href=\"https:\/\/twitter.com\/WDSecurity\" target=\"_blank\" rel=\"noopener\">@WDSecurity.<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>As part of our ongoing effort to provide better malware protection, the Microsoft Malicious Software Removal Tool (MSRT) release this April will include detections for: Win32\/Bedep \u2013 Trojan family Win32\/Upatre \u2013 Trojan family Ransom:MSIL\/Samas \u2013 Ransomware family In this blog, we\u2019ll focus on the Bedep family of trojans. The bothersome Bedep Win32\/Bedep was first detected [&hellip;]<\/p>\n","protected":false},"author":61,"featured_media":76595,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"ms_queue_id":[],"ep_exclude_from_search":false,"_classifai_error":"","_classifai_text_to_speech_error":"","footnotes":""},"content-type":[3663],"topic":[3687],"products":[],"threat-intelligence":[3735],"tags":[],"coauthors":[1968],"class_list":["post-75971","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","content-type-research","topic-threat-intelligence","threat-intelligence-ransomware"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v24.7 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>MSRT April release features Bedep detection | Microsoft Security Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2016\/04\/12\/msrt-april-release-features-bedep-detection\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"MSRT April release features Bedep detection | Microsoft Security Blog\" \/>\n<meta property=\"og:description\" content=\"As part of our ongoing effort to provide better malware protection, the Microsoft Malicious Software Removal Tool (MSRT) release this April will include detections for: Win32\/Bedep \u2013 Trojan family Win32\/Upatre \u2013 Trojan family Ransom:MSIL\/Samas \u2013 Ransomware family In this blog, we\u2019ll focus on the Bedep family of trojans. The bothersome Bedep Win32\/Bedep was first detected [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2016\/04\/12\/msrt-april-release-features-bedep-detection\/\" \/>\n<meta property=\"og:site_name\" content=\"Microsoft Security Blog\" \/>\n<meta property=\"article:published_time\" content=\"2016-04-12T19:24:15+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2023-05-16T06:06:46+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/01\/BedepGeoDist3-1024x556.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1024\" \/>\n\t<meta property=\"og:image:height\" content=\"556\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Microsoft Defender Security Research Team\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Microsoft Defender Security Research Team\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2016\/04\/12\/msrt-april-release-features-bedep-detection\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2016\/04\/12\/msrt-april-release-features-bedep-detection\/\"},\"author\":[{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/author\/windows-defender-research\/\",\"@type\":\"Person\",\"@name\":\"Microsoft Defender Security Research Team\"}],\"headline\":\"MSRT April release features Bedep detection\",\"datePublished\":\"2016-04-12T19:24:15+00:00\",\"dateModified\":\"2023-05-16T06:06:46+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2016\/04\/12\/msrt-april-release-features-bedep-detection\/\"},\"wordCount\":736,\"publisher\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2016\/04\/12\/msrt-april-release-features-bedep-detection\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/01\/BedepGeoDist3-1024x556.png\",\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2016\/04\/12\/msrt-april-release-features-bedep-detection\/\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2016\/04\/12\/msrt-april-release-features-bedep-detection\/\",\"name\":\"MSRT April release features Bedep detection | Microsoft Security Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2016\/04\/12\/msrt-april-release-features-bedep-detection\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2016\/04\/12\/msrt-april-release-features-bedep-detection\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/01\/BedepGeoDist3-1024x556.png\",\"datePublished\":\"2016-04-12T19:24:15+00:00\",\"dateModified\":\"2023-05-16T06:06:46+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2016\/04\/12\/msrt-april-release-features-bedep-detection\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2016\/04\/12\/msrt-april-release-features-bedep-detection\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2016\/04\/12\/msrt-april-release-features-bedep-detection\/#primaryimage\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/01\/BedepGeoDist3-1024x556.png\",\"contentUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/01\/BedepGeoDist3-1024x556.png\",\"width\":1024,\"height\":556},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2016\/04\/12\/msrt-april-release-features-bedep-detection\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"MSRT April release features Bedep detection\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\",\"name\":\"Microsoft Security Blog\",\"description\":\"Expert coverage of cybersecurity topics\",\"publisher\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization\",\"name\":\"Microsoft Security Blog\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png\",\"contentUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png\",\"width\":512,\"height\":512,\"caption\":\"Microsoft Security Blog\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"MSRT April release features Bedep detection | Microsoft Security Blog","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2016\/04\/12\/msrt-april-release-features-bedep-detection\/","og_locale":"en_US","og_type":"article","og_title":"MSRT April release features Bedep detection | Microsoft Security Blog","og_description":"As part of our ongoing effort to provide better malware protection, the Microsoft Malicious Software Removal Tool (MSRT) release this April will include detections for: Win32\/Bedep \u2013 Trojan family Win32\/Upatre \u2013 Trojan family Ransom:MSIL\/Samas \u2013 Ransomware family In this blog, we\u2019ll focus on the Bedep family of trojans. The bothersome Bedep Win32\/Bedep was first detected [&hellip;]","og_url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2016\/04\/12\/msrt-april-release-features-bedep-detection\/","og_site_name":"Microsoft Security Blog","article_published_time":"2016-04-12T19:24:15+00:00","article_modified_time":"2023-05-16T06:06:46+00:00","og_image":[{"width":1024,"height":556,"url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/01\/BedepGeoDist3-1024x556.png","type":"image\/png"}],"author":"Microsoft Defender Security Research Team","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Microsoft Defender Security Research Team","Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2016\/04\/12\/msrt-april-release-features-bedep-detection\/#article","isPartOf":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2016\/04\/12\/msrt-april-release-features-bedep-detection\/"},"author":[{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/author\/windows-defender-research\/","@type":"Person","@name":"Microsoft Defender Security Research Team"}],"headline":"MSRT April release features Bedep detection","datePublished":"2016-04-12T19:24:15+00:00","dateModified":"2023-05-16T06:06:46+00:00","mainEntityOfPage":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2016\/04\/12\/msrt-april-release-features-bedep-detection\/"},"wordCount":736,"publisher":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization"},"image":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2016\/04\/12\/msrt-april-release-features-bedep-detection\/#primaryimage"},"thumbnailUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/01\/BedepGeoDist3-1024x556.png","inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2016\/04\/12\/msrt-april-release-features-bedep-detection\/","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2016\/04\/12\/msrt-april-release-features-bedep-detection\/","name":"MSRT April release features Bedep detection | Microsoft Security Blog","isPartOf":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2016\/04\/12\/msrt-april-release-features-bedep-detection\/#primaryimage"},"image":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2016\/04\/12\/msrt-april-release-features-bedep-detection\/#primaryimage"},"thumbnailUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/01\/BedepGeoDist3-1024x556.png","datePublished":"2016-04-12T19:24:15+00:00","dateModified":"2023-05-16T06:06:46+00:00","breadcrumb":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2016\/04\/12\/msrt-april-release-features-bedep-detection\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.microsoft.com\/en-us\/security\/blog\/2016\/04\/12\/msrt-april-release-features-bedep-detection\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2016\/04\/12\/msrt-april-release-features-bedep-detection\/#primaryimage","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/01\/BedepGeoDist3-1024x556.png","contentUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/01\/BedepGeoDist3-1024x556.png","width":1024,"height":556},{"@type":"BreadcrumbList","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2016\/04\/12\/msrt-april-release-features-bedep-detection\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/"},{"@type":"ListItem","position":2,"name":"MSRT April release features Bedep detection"}]},{"@type":"WebSite","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/","name":"Microsoft Security Blog","description":"Expert coverage of cybersecurity topics","publisher":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization","name":"Microsoft Security Blog","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png","contentUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png","width":512,"height":512,"caption":"Microsoft Security Blog"},"image":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/"}}]}},"msxcm_display_generated_audio":false,"distributor_meta":false,"distributor_terms":false,"distributor_media":false,"distributor_original_site_name":"Microsoft Security Blog","distributor_original_site_url":"https:\/\/www.microsoft.com\/en-us\/security\/blog","push-errors":false,"_links":{"self":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/posts\/75971","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/users\/61"}],"replies":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/comments?post=75971"}],"version-history":[{"count":0,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/posts\/75971\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/media\/76595"}],"wp:attachment":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/media?parent=75971"}],"wp:term":[{"taxonomy":"content-type","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/content-type?post=75971"},{"taxonomy":"topic","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/topic?post=75971"},{"taxonomy":"products","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/products?post=75971"},{"taxonomy":"threat-intelligence","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/threat-intelligence?post=75971"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/tags?post=75971"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/coauthors?post=75971"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}