Monday, 28 February 2011

Valentine's spam on the increase

It’s February, and that means Valentine’s Day-related spam. Lots of it! There are already loads of adverts offering expensive alcohol and chocolates, jewellery and leather goods, romantic trips for two etc.

Other goods that are traditionally advertised in spam, such as fake designer watches and Viagra, have also exploited the Valentine’s Day theme to grab the attention of email recipients. The spammers appear convinced that there’s no better time than 14th February to increase your libido or buy cheap replicas of designer watches:

So far, this year’s Valentine’s Day spam has been mostly harmless, but we would like to warn our readers once again that the first half of February usually sees a surge in malicious links appearing in emails that appear to be for virtual greeting cards. So, be careful if you receive an e-card - make sure it has come from a genuine source before clicking any links.

Kaspersky Lab will be following developments closely in the run-up to Valentine’s Day.


Believe it or not? (Fake AV and Fake IME)

It is ironic when malware that drops and installs a Chinese IME into the victim's system pretends to be a regular AV component. It was first discovered on a popular Chinese website infected by the "Aurora" exploit. Executing this exploit causes the malware file qi.exe...


The Streets of San Francisco

February 14 is right around the corner and that can mean only one thing: it's time for the RSA conference in San Francisco. This year, Scott Charney, Corporate Vice President of Trustworthy Computing, will present a keynote on Tuesday morning at 9am on Collective Defense: Collaborating to Create a Safer Internet. Scott's talk will highlight a number of computing trends and the evolution of online threats while sharing Microsoft's vision of how we can work together to improve safety for everyone on the Internet.

Also, our General Manager, Vinny Gullotto will be presenting on Monday for those new to RSA and security in a terrific full day session featuring industry luminaries from RSA, Cigital, AT&T Labs Research, Qualys and People Security.

A number of us will also be around throughout the week so don't be shy about reaching out if there's something you want to discuss.

-Jeff Williams
Principal Group Program Manager


Re: Norton DNS 1.5 beta now has web filtering

Is it possible to use the new features just by setting the DNS address in my router :)?


"Worst trip ever" email scam


Definition file update for Ad-Aware.


149.611 is now available, new definition file for Ad-Aware 8.2.

150.296 is now available, new definition file for Ad-Aware 9.x, 8.3.

New definitions:
====================
Win32.FraudTool.SafePrivate
Win32.Trojan.Sisn


Updated definitions:
====================


MD5 checksum for Ad-Aware core.aawdef is 2cba28f9255bd56c21c23df22f6afac1


Another day, another PS3 security story


FakeSysdef: We can defragment that for you wholesale! / Diary of a scamware

Initially it was "System Defragmenter", then "Scan Disk" and now it's called "Check Disk". While the name will most certainly change again, the main goal of Trojan:Win32/FakeSysdef will surely remain the same: to trick you into buying a piece of software that does nothing except scare you with fake warnings, critical "errors" and other "problems".

As the name suggests, this malware imitates a hard disk defragmenter. It pretends to scan your computer for problems: it "checks" whether your hard disk is working correctly, "defragments" it, and even checks the health status of your RAM and GPU (Graphics Processing Unit). Of course, once you start checking for problems using this 'program' it is going to "find" a bucketful of them:

  • Bad sectors
  • RAM fragmentation
  • Registry errors
  • Very high CPU/GPU temperature
  • RAM failures

Image 1 - "System Defragmenter" iteration of FakeSysdef

Apparently all those problems can be resolved by just running the "defragmentation" function on your hard drive; unfortunately that component is not "enabled", and to enable it you need to buy the full version of the product. You kind of expected that, right?

If you choose not to buy the product, it will just stay in your status bar and will remind you every few minutes that your computer has problems that should be fixed.

Even though this malware is relatively new (only appeared 2 months ago) it has already passed through various iterations.

We encountered the first sample on the 6th of October 2010; it came disguised as a fake Windows update which required the user to enter his user name and password in order to apply the security patches. The author even went to the point of translating the fake update messages into French, German, Spanish, and Italian in an attempt to appear as authentic as possible when running on a computer not running an English version of Windows. Once given the information, it installed the fake defragmenter program and errors started pouring in.

At this point the installer malware came in an unprotected form: no steps were taken to evade antivirus detection, and no code obfuscation was applied to make analysis more difficult. This makes us think it was a trial run, made just to test the waters and see how it fared once in the wild.

Image 2 - "Windows Update" installer for FakeSysdef

We spotted a new variant on the 10th of October 2010; it had the same icon as Windows Update but no Windows Update message was shown. The malicious code was installed silently and ran in the background until the user tried launching an application at which point a "system error" occurred. The approach evolved at this point:

Image 3 - "System Error!" message displayed by FakeSysdef

  1. The authors decided to be less obvious: since an advanced user would get suspicious if a new application suddenly started scanning for problems, the malware now waits for user interaction before doing so.
  2. The Defragmenter is hidden under multiple layers generated by 2 executable protectors/packers ("Stealth PE" and a custom packer encountered in other malware) to make detection and analysis more difficult. Fortunately we easily bypass this technique in our products.
  3. The malware now deletes its original binary, showing the intent of the authors to hide their tracks.

On the 27th of October we saw another version. It was distributed standalone and used stolen file information and the icon from the file utilman.exe, which is present in Windows XP. This seems to be a major update in which they tried to improve resistance to analysis tools and AV products:

  1. The file won't run in a virtualised environment; and
  2. The file is protected only with a custom-made packer, which employs anti-emulation code to stop AV products from analysing the file.

On 15 November a minor update was released. The software used the name "Scan Disk", probably due to the attention it had slowly started getting. Again they invested heavily in code to fight AV detection. They reverted to the original defragmenter icon and to the original behaviour of showing the interface scanning for errors.

Image 4 - "Scan Disk" iteration of FakeSysdef

On 21 November a new version was released. This time the move was to switch the name to "Check Disk", which sounds like the name of the legitimate Windows tool "chkdsk.exe" (a tool that is legitimately used to identify and correct various problems on hard drives). This was a move clearly directed at fooling inexperienced users. The code was also updated to evade antivirus detection. Fortunately our products, such as Microsoft Security Essentials, can detect all these versions.

Image 5 - "Check Disk" iteration of FakeSysdef

We are sure we'll be seeing more changes from Trojan:Win32/Fakesysdef in the future, changes that we will closely monitor and detect to protect our users.


Below are example SHA1 hashes for the malware discussed in this blog:

cadacb248411c287822b2b09d6fff301a0f294a8
5a69f5fa043d2f5141226d10cb67d6d2a2d59f4a
d7195878d15c0e294101c5385b402b75885216f8

While writing this blog, a new version of the malware was encountered, "Win HDD", with the following SHA1:

1905DE84FBA23A9152317A7F7C0BE7D1B3F07D70


Daniel Radu & Marian Radu
MMPC Dublin


Definition file update for Ad-Aware.


149.610 is now available, new definition file for Ad-Aware 8.2.

150.295 is now available, new definition file for Ad-Aware 9.x, 8.3.

New definitions:
====================


Updated definitions:
====================


MD5 checksum for Ad-Aware core.aawdef is 12e7e4be51962884c9e3477c0846a6f6


We Come in Peace, Too - Impressions from CCC's 27C3 / Berlin

Since Monday, my colleagues and I have been attending the annual Chaos Communication Congress 27C3 in Berlin. For the past 27 years, the Chaos Computer Club has organised this four day conference for hackers from all over the world.

The sold-out event at Berlin's bcc covers a wide range of topics, separated into six different tracks: Community, Culture, Hacking, Making, Science and Society. Take a look at what's known as the Fahrplan or schedule.

All the talks are streamed and recorded. Check out the conference wiki.

Yesterday also marked the start of a new, CCC independent side event called BerlinSides, which focuses on infosec and is organised by Aluc.TV and SecurityBsides.com. This free event takes place at one of the oldest hackerspaces in the world, Berlin's famous c-base.


A ShmooCon Preview

It’s always tough to get a ticket for Washington D.C.’s ShmooCon hacker conference. Just over 1,200 tickets were available in three rounds of ticket sales for the January 28-30 event. It’s a sign of the conference’s popularity that each round sold out in under 10 seconds. At about a third of the size of a larger conference like Read more...


Re: Norton DNS 1.5 beta now has web filtering

Moved to Norton 360 Board for better exposure.


Sunday, 27 February 2011

FakeXPA raises a few brows

When rogue security software uses multiple different names for itself, it's not especially noteworthy. In the past we have seen rogues that changed their names almost every day, and even a single rogue executable that could use one of 33 different names for itself.
After several months of calling themselves "Antivirus 8", recent variants of Rogue:Win32/FakeXPA have begun going by the name of "AVG Antivirus 2011." 

This is not to be confused with the legitimate antivirus product from AVG – we’ve reached out to AVG, and they are aware the rogue is using their brand. FakeXPA's developers are hoping you will confuse it with the real AVG though, as they've even gone to the extent of borrowing AVG's logo for their own user interface.
The change of name and user interface caused us to examine this variant’s behavior in more detail, and update the description in our malware encyclopedia accordingly. While this behavior was common to most FakeXPA variants over quite a long time, it did come up with a method of interfering with the user's web browsing that I hadn't seen before. I'll talk about this more later.


As usual, the rogue bombards the user with a bewildering assortment of dialogs, popups, and balloons, such as those shown below. You can see more examples in the AVG Antivirus 2011 description.

Of course, the desired outcome of all this is to intimidate, socially engineer, or simply wear down the user into paying money to make all these problems go away.

Rogues often attempt to hijack users' web browsing experience. This has the dual effect of both helping convince users that their systems are infected, and preventing them from accessing resources that might help them clean up their rogue problem. SmartScreen, available for IE8 and IE9, can often block the initial infection vector by blocking the compromised site. In the past, other rogues, including earlier variants of FakeXPA, have generally used DLLs, such as Browser Helper Objects or Netscape plugins, to interact with users' browsers. These new FakeXPA variants attempt to bypass the user's choice of browser altogether.


When it is first installed, FakeXPA places a copy of itself named iesafemode.exe into the system directory.


It then creates a registry entry to set iesafemode.exe as the debugger for a number of common web browsers, including Internet Explorer, Firefox, Opera, Chrome, and Safari. This registry entry is normally used by software debuggers. Its effect is that when a user attempts to run the program in question, a copy of the debugger will be launched instead, with the name of the program to be run passed to the debugger as a command line parameter. This allows the debugger to launch the program in question and begin debugging it.


However, in this case the registry entry does not point to a software debugger, but instead to the copy of the malware. So when a user attempts to launch any of these browsers, a copy of the malware will be run instead. Renaming the browser’s executable and running this instead allows it to be launched without interference from the malware.
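The debugger redirection described above is the Windows Image File Execution Options (IFEO) "Debugger" value, and a defender can audit it from a plain registry export. The following script is an added example, not code from the MMPC post: it parses a constructed `reg export` of the IFEO key (the `iesafemode.exe` path and the other entries are made-up sample data, with only the filename taken from the write-up) and reports any browser whose Debugger points at something other than a known debugger.

```python
r"""Audit Image File Execution Options (IFEO) 'Debugger' values for browser hijacks.

Windows honours a 'Debugger' value under
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<image.exe>:
when <image.exe> is started, the named debugger is launched instead, with the
original command line appended. FakeXPA sets this value for common browsers so
that its own copy (iesafemode.exe) runs in their place. On a live machine the key
is exported with
    reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg
and the file is passed to find_browser_hijacks(); the sample below is constructed.
"""
import re

IFEO_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
            r"\Image File Execution Options")

# Browsers named in the write-up, keyed by the executable name IFEO matches on.
BROWSERS = {"iexplore.exe", "firefox.exe", "opera.exe", "chrome.exe", "safari.exe"}

# Debuggers that legitimately appear in IFEO on developer machines. Any other
# image set as a browser's Debugger is reported. Compared by filename only.
KNOWN_DEBUGGERS = {"windbg.exe", "vsjitdebugger.exe", "ntsd.exe", "cdb.exe"}

# Constructed sample of a .reg export from an infected machine (hypothetical
# paths; iesafemode.exe is the filename the write-up gives for the malware copy).
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe]
"Debugger"="C:\\Windows\\System32\\iesafemode.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe]
"Debugger"="C:\\Windows\\System32\\iesafemode.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="\"C:\\Program Files\\Debugging Tools\\windbg.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe]
"GlobalFlag"=dword:00000100
"""

_SECTION_RE = re.compile(r"^\[(.+)\]\s*$")
_VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def unescape_reg_string(raw: str) -> str:
    """Turn a quoted .reg REG_SZ literal into its real value; other types pass through."""
    raw = raw.strip()
    if not (raw.startswith('"') and raw.endswith('"')):
        return raw
    return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")


def parse_ifeo_export(text: str) -> dict:
    """Map <image.exe> (lower-case) to its Debugger value for every IFEO subkey that sets one."""
    prefix = (IFEO_KEY + "\\").lower()
    debuggers = {}
    current_exe = None
    for line in text.splitlines():
        section = _SECTION_RE.match(line)
        if section:
            key = section.group(1)
            # Only direct children of the IFEO key are per-image entries.
            if key.lower().startswith(prefix):
                current_exe = key[len(prefix):].split("\\")[0].lower()
            else:
                current_exe = None
            continue
        value = _VALUE_RE.match(line)
        if value and current_exe and value.group(1).lower() == "debugger":
            debuggers[current_exe] = unescape_reg_string(value.group(2))
    return debuggers


def debugger_image_name(value: str) -> str:
    """Bare filename of the debugger image in a Debugger value (handles quoting and arguments)."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        path = value[1:end] if end > 0 else value[1:]
    else:
        path = value.split(" ", 1)[0]
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_browser_hijacks(text: str) -> list:
    """(browser, Debugger value) for each browser whose Debugger is not a known debugger."""
    findings = []
    for exe, dbg in sorted(parse_ifeo_export(text).items()):
        if exe in BROWSERS and debugger_image_name(dbg) not in KNOWN_DEBUGGERS:
            findings.append((exe, dbg))
    return findings


if __name__ == "__main__":
    for exe, dbg in find_browser_hijacks(SAMPLE_REG_EXPORT):
        print(f"IFEO hijack: starting {exe} will run {dbg} instead")
```

A Debugger value on any browser deserves a look even when it names a known debugger; the allowlist only keeps developer workstations from flooding the report.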


When the malware is launched in this manner, it does not attempt to run the browser executable in question. Instead it displays its own version of a web browser.
It displays the following interface when it is first launched, where it pretends to be in "Emergency Mode" (note, there is no such thing as ‘Internet Explorer Emergency Mode’):

When the user visits a web page using this interface, it may be downloaded and rendered using the Internet Explorer libraries. But if the user attempts to visit a site that has been blacklisted by FakeXPA, such as a security-related site, it will display the following instead:

Notice how it changes the content of the address bar in an attempt to mislead the user into believing that the site had been blacklisted by Microsoft.


If you're in doubt about whether your antivirus solution is legitimate software or a fake, you can find links to the websites of many reputable antivirus vendors at http://www.microsoft.com/windows/antivirus-partners/. Microsoft Security Essentials detects and removes this threat – you can get it from http://www.microsoft.com/security_essentials. It offers comprehensive malware protection, it's free for genuine Windows users, and it won't bug you all the time.


SHA1: d20d50d2eff0d6d30e204aefd2309433408a92fe


--David Wood, MMPC


Researcher at RSA: 80 percent of browsers need a patch


Definition file update for Ad-Aware.


149.613 is now available, new definition file for Ad-Aware 8.2.

150.298 is now available, new definition file for Ad-Aware 9.x, 8.3.

New definitions:
====================
Win32.Backdoor.Vortexdoor


Updated definitions:
====================
Win32.Backdoor.Torr
Win32.Backdoor.Turkojan
Win32.Backdoor.Udr
Win32.Backdoor.Ulrbot
Win32.Backdoor.UltimateDefender
Win32.Backdoor.VB
Win32.Backdoor.VBbot
Win32.Backdoor.VanBot
Win32.Backdoor.Whimoo
Win32.Backdoor.WinUoj
Win32.Backdoor.Wuca
Win32.Backdoor.Xyligan
Win32.Backdoor.Yobdam
Win32.Backdoor.Yoddos
Win32.Backdoor.Zzslash
Win32.BadJoke.BadJoke
Win32.Dialer.Small
Win32.Dialer.Trojan
Win32.EmailFlooder.Agent
Win32.FraudTool.AdwareRemover
Win32.FraudTool.AntiMalwarePRO
Win32.FraudTool.ErrorDoctor
Win32.Hoax.Agent
Win32.Hoax.ArchSMS
Win32.Hoax.Badjoke
Win32.Hoax.Getpin
Win32.Hoax.Kornelia
Win32.IMWorm.Sramota
Win32.Monitor.ActiveKeyLogger
Win32.Monitor.Agent
Win32.Monitor.Ardamax
Win32.Monitor.Hooker
Win32.Monitor.KeyLogger
Win32.Monitor.LanAgent
Win32.Monitor.MiniKeyLog
Win32.Monitor.NeoSpy
Win32.Monitor.Orvell
Win32.Monitor.Perflogger
Win32.Monitor.PowerSpy
Win32.Monitor.RealSpy
Win32.Monitor.RemoteDesktopSpy
Win32.Monitor.SCKeyLog
Win32.Monitor.SpectorPro
Win32.Monitor.WinSpy
Win32.P2PWorm.BlackControl
Win32.P2PWorm.Palevo
Win32.P2PWorm.Polip
Win32.P2PWorm.Silly
Win32.P2PWorm.VB
Win32.Rootkit.Agent
Win32.Rootkit.AntiAV
Win32.Rootkit.Bubnix
Win32.Rootkit.Small
Win32.Rootkit.TDSS
Win32.Rootkit.Tent
Win32.Trojan.Agent
Win32.Trojan.Agent2
Win32.Trojan.Antavmu
Win32.Trojan.AntiAV
Win32.Trojan.AutoIT
Win32.Trojan.BHO
Win32.Trojan.Buzus
Win32.Trojan.C4dlmedia
Win32.Trojan.Cariez
Win32.Trojan.Chifrax
Win32.Trojan.Chydo
Win32.Trojan.Clicker
Win32.Trojan.Cosmu
Win32.Trojan.Cosne
Win32.Trojan.Cospet
Win32.Trojan.Cossta
Win32.Trojan.DelFiles
Win32.Trojan.Delf
Win32.Trojan.Delfinject
Win32.Trojan.Dialer
Win32.Trojan.DieMast
Win32.Trojan.Diple
Win32.Trojan.Direr
Win32.Trojan.Ertfor
Win32.Trojan.Exedot
Win32.Trojan.FakeAV
Win32.Trojan.Fakedefrag
Win32.Trojan.Fakems
Win32.Trojan.FlyStudio
Win32.Trojan.FormatC
Win32.Trojan.FraudSC
Win32.Trojan.FraudST
Win32.Trojan.Fraudpack
Win32.Trojan.Gabba
Win32.Trojan.Genome
Win32.Trojan.Gibi
Win32.Trojan.Gofy
Win32.Trojan.Hider
Win32.Trojan.Hrup
Win32.Trojan.Inject
Win32.Trojan.Jeloge
Win32.Trojan.Jkfg
Win32.Trojan.Jorik
Win32.Trojan.KillAV
Win32.Trojan.KillFiles
Win32.Trojan.Kreeper
Win32.Trojan.Lexip
Win32.Trojan.Llac
Win32.Trojan.Loader
Win32.Trojan.MMM
Win32.Trojan.Mahato
Win32.Trojan.Menti
Win32.Trojan.Mepaow
Win32.Trojan.Microfake
Win32.Trojan.Midgare
Win32.Trojan.Migotrup
Win32.Trojan.Miser
Win32.Trojan.Monder
Win32.Trojan.Oficla
Win32.Trojan.Oner
Win32.Trojan.Pakes
Win32.Trojan.Pakun
Win32.Trojan.Pasta
Win32.Trojan.Phak
Win32.Trojan.Pincav
Win32.Trojan.Pirminay
Win32.Trojan.Possador
Win32.Trojan.Powp
Win32.Trojan.Qhost
Win32.Trojan.Redosdru
Win32.Trojan.Refroso
Win32.Trojan.Regrun
Win32.Trojan.Rettesser
Win32.Trojan.Sadenav
Win32.Trojan.Sasfis
Win32.Trojan.Scar
Win32.Trojan.Searches
Win32.Trojan.Sefnit
Win32.Trojan.ShipUp
Win32.Trojan.Shutdowner
Win32.Trojan.Siscos
Win32.Trojan.Skillis
Win32.Trojan.Slefdel
Win32.Trojan.Small
Win32.Trojan.Smardf
Win32.Trojan.Srizbi
Win32.Trojan.Starfield
Win32.Trojan.StartPage
Win32.Trojan.Starter
Win32.Trojan.Stuh
Win32.Trojan.SubSys
Win32.Trojan.Swisyn
Win32.Trojan.Tdss
Win32.Trojan.VB
Win32.Trojan.Vaklik
Win32.Trojan.Vapsup
Win32.Trojan.Vbkrypt
Win32.Trojan.Vilsel
Win32.Trojan.Vkhost
Win32.Trojan.Webprefix
Win32.Trojan.Zapchast
Win32.Trojan.Zmunik
Win32.TrojanClicker.Adclicer
Win32.TrojanClicker.Agent
Win32.TrojanClicker.AutoIT
Win32.TrojanClicker.Delf
Win32.TrojanClicker.VB
Win32.TrojanDDoS.Agent
Win32.TrojanDownloader.Adload
Win32.TrojanDownloader.Agent
Win32.TrojanDownloader.Autoit
Win32.TrojanDownloader.Banload
Win32.TrojanDownloader.BaoFa
Win32.TrojanDownloader.Boltolog
Win32.TrojanDownloader.Bulilit
Win32.TrojanDownloader.Calac
Win32.TrojanDownloader.Calper
Win32.TrojanDownloader.CodecPack
Win32.TrojanDownloader.DNSKrab
Win32.TrojanDownloader.Dadobra
Win32.TrojanDownloader.Delf
Win32.TrojanDownloader.Doldow
Win32.TrojanDownloader.Duder
Win32.TrojanDownloader.Fosniw
Win32.TrojanDownloader.Fraudload
Win32.TrojanDownloader.Gamup
Win32.TrojanDownloader.Genome
Win32.TrojanDownloader.Geral
Win32.TrojanDownloader.Homa
Win32.TrojanDownloader.ISTBar
Win32.TrojanDownloader.Imgdrop
Win32.TrojanDownloader.Injecter
Win32.TrojanDownloader.Knigsfot
Win32.TrojanDownloader.Lipler
Win32.TrojanDownloader.Mabu
Win32.TrojanDownloader.Mufanom
Win32.TrojanDownloader.Murlo
Win32.TrojanDownloader.Myxa
Win32.TrojanDownloader.NSIS
Win32.TrojanDownloader.Nekill
Win32.TrojanDownloader.Netmen
Win32.TrojanDownloader.Onestage
Win32.TrojanDownloader.Ovosh
Win32.TrojanDownloader.PepperPaper
Win32.TrojanDownloader.Pher
Win32.TrojanDownloader.Piker
Win32.TrojanDownloader.Qhost
Win32.TrojanDownloader.Refroso
Win32.TrojanDownloader.SMW
Win32.TrojanDownloader.Small
Win32.TrojanDownloader.Suurch
Win32.TrojanDownloader.Tiny
Win32.TrojanDownloader.VB
Win32.TrojanDownloader.Zlob
Win32.TrojanDropper.Agent
Win32.TrojanDropper.BHO
Win32.TrojanDropper.Binder
Win32.TrojanDropper.Cadro
Win32.TrojanDropper.Chek
Win32.TrojanDropper.Clons
Win32.TrojanDropper.Decay
Win32.TrojanDropper.Delf
Win32.TrojanDropper.Drooptroop
Win32.TrojanDropper.Drostuh
Win32.TrojanDropper.EESbinder
Win32.TrojanDropper.ExeBinder
Win32.TrojanDropper.Fraudrop
Win32.TrojanDropper.Haul
Win32.TrojanDropper.Hexzone
Win32.TrojanDropper.Javdrop
Win32.TrojanDropper.Joiner
Win32.TrojanDropper.KGen
Win32.TrojanDropper.Microjoin
Win32.TrojanDropper.Monya
Win32.TrojanDropper.MuDrop
Win32.TrojanDropper.NSIS
Win32.TrojanDropper.Pendr
Win32.TrojanDropper.Pincher
Win32.TrojanDropper.Popupkiller
Win32.TrojanDropper.Renum
Win32.TrojanDropper.Scheduler
Win32.TrojanDropper.Small
Win32.TrojanDropper.Stabs
Win32.TrojanDropper.Startpage
Win32.TrojanDropper.Steps
Win32.TrojanDropper.TDSS
Win32.TrojanDropper.Typic
Win32.TrojanDropper.VB
Win32.TrojanDropper.Vedio
Win32.TrojanDropper.Vidro
Win32.TrojanDropper.Wormdrop
Win32.TrojanDropper.taob
Win32.TrojanMailfinder.Blen
Win32.TrojanPWS.Agent
Win32.TrojanPWS.Alipay
Win32.TrojanPWS.Autoit
Win32.TrojanPWS.Batist
Win32.TrojanPWS.Bjlog
Win32.TrojanPWS.Delf
Win32.TrojanPWS.Delf2
Win32.TrojanPWS.Dybalom
Win32.TrojanPWS.Dytka
Win32.TrojanPWS.Firethief
Win32.TrojanPWS.Frethoq
Win32.TrojanPWS.Gamec
Win32.TrojanPWS.ICQ
Win32.TrojanPWS.Kates
Win32.TrojanPWS.Kykymber
Win32.TrojanPWS.LdPinch
Win32.TrojanPWS.Lmir
Win32.TrojanPWS.Magania
Win32.TrojanPWS.MailRu
Win32.TrojanPWS.Nilage
Win32.TrojanPWS.OnlineGames
Win32.TrojanPWS.Papras
Win32.TrojanPWS.PdPinch
Win32.TrojanPWS.QQPass
Win32.TrojanPWS.QQSender
Win32.TrojanPWS.Qbot
Win32.TrojanPWS.Ruftar
Win32.TrojanPWS.Stealer
Win32.TrojanPWS.Tibia
Win32.TrojanPWS.VB
Win32.TrojanPWS.Vkont
Win32.TrojanPWS.WOW
Win32.TrojanPWS.YahooPass
Win32.TrojanProxy.Agent
Win32.TrojanProxy.Coco
Win32.TrojanProxy.Glukelira
Win32.TrojanProxy.Slaper
Win32.TrojanRansom.BrowHost
Win32.TrojanRansom.Fakeinstaller
Win32.TrojanRansom.FullScreen
Win32.TrojanRansom.Gimemo
Win32.TrojanRansom.Hexzone
Win32.TrojanRansom.HmBlocker
Win32.TrojanRansom.Kerlofost
Win32.TrojanRansom.Losya
Win32.TrojanRansom.Notter
Win32.TrojanRansom.PornoBlocker
Win32.TrojanRansom.Rector
Win32.TrojanRansom.Seftad
Win32.TrojanRansom.Xorist
Win32.TrojanSpy.Agent
Win32.TrojanSpy.AutoIt
Win32.TrojanSpy.BHO
Win32.TrojanSpy.BZub
Win32.TrojanSpy.Banbra
Win32.TrojanSpy.Bancos
Win32.TrojanSpy.Banker
Win32.TrojanSpy.Banker2
Win32.TrojanSpy.Banz
Win32.TrojanSpy.Brospa
Win32.TrojanSpy.Burda
Win32.TrojanSpy.Delf
Win32.TrojanSpy.Dibik
Win32.TrojanSpy.Flystudio
Win32.TrojanSpy.Goldun
Win32.TrojanSpy.Keylogger
Win32.TrojanSpy.Lpxenur
Win32.TrojanSpy.Lydra
Win32.TrojanSpy.MultiBanker
Win32.TrojanSpy.Polyatroj
Win32.TrojanSpy.Pophot
Win32.TrojanSpy.Sincom
Win32.TrojanSpy.Small
Win32.TrojanSpy.SpyEyes
Win32.TrojanSpy.VB
Win32.TrojanSpy.Wemon
Win32.TrojanSpy.Winspooll
Win32.TrojanSpy.Zbot
Win32.TrojanSpy.carberp
Win32.Worm.Agent
Win32.Worm.Allaple
Win32.Worm.AutoIt
Win32.Worm.AutoTsifiri
Win32.Worm.Autorun
Win32.Worm.Bagle
Win32.Worm.Brontok
Win32.Worm.Bybz
Win32.Worm.Carrier
Win32.Worm.FlyStudio
Win32.Worm.Iksmas
Win32.Worm.Joleee
Win32.Worm.Kelvir
Win32.Worm.Kido
Win32.Worm.Kolab
Win32.Worm.Kolabc
Win32.Worm.Koobface
Win32.Worm.Logus
Win32.Worm.Mabezat
Win32.Worm.Mydoom
Win32.Worm.Padobot
Win32.Worm.Pinit
Win32.Worm.Qimiral
Win32.Worm.Rokut
Win32.Worm.Runfer
Win32.Worm.Sohanad
Win32.Worm.VB
Win32.Worm.Vbna
Win32.Worm.Viking
Win32.Worm.Wangy
Win32.Worm.Windaus
Win32.Worm.Yahos
Win32.Worm.Zeroll


MD5 checksum for Ad-Aware core.aawdef is 245b6f35a6aa450d0e8652c851fb0177


A keygen with a twist

Programs for cracking commercial software are, sadly, not unpopular. They have also caught the attention of malware writers, who prepared a couple of surprises for those who don’t mind a free ride every now and then.

A short time ago, we detected a Trojan dropper which passes itself off as a key generator for Kaspersky Lab products. The file’s name is kaspersky.exe.

Once launched, the file displays a key generator window prompting the user to select a product. After one of the options is selected, the program proceeds to generate a key.

Keygen window

While the freebie lover is waiting for the result, two pieces of malware that were stealthily installed and launched by the dropper make themselves at home on the PC.

One of these is detected by Kaspersky Lab as Trojan.MSIL.Agent.aor. It steals registration data for other programs, as well as passwords, mostly for online games. It rather considerately stores all the stolen data in one file. A fragment of the file is shown on the screenshot below.


“Checking” Deceptive Malware Behaviors

One common technique used by malware researchers is to analyze a sample in a virtual machine. In recent years, malware developers have added “checks” for such environments and for common malware-analysis tools. If the malware detects a security application, it will not execute, or will execute a deceptive function instead. I recently came across some common checks for: Read more...


How to remove Windows Processes Organizer rogue anti-spyware


The dark side of the new Android Market

A new version of the Android Market has just been launched, making it possible for every device owner to look for applications, buy or even remotely install apps to an Android device directly from the browser on a desktop computer. Wait, remotely install? Have we misheard something?

No, it’s an official feature of the brand new market. If you use an Android device, it means that you have a GMail account associated with your device, and now you can remotely install any application from the Android store. You just need to:

  • log in to the market with the GMail account associated with your smartphone;
  • choose any application you would like to install;
  • click the ‘Install’ link;
  • carefully read all the permissions required by the application;


Explore the CVE-2010-3654 matryoshka

We recently discovered a sample that is trying to exploit the 0-day Adobe vulnerability tracked by CVE-2010-3654. This sample is being distributed as a PDF file, and it has a lot of complicated steps before the final payload is executed. Analyzing this sample is like working your way through a matryoshka doll.

The analysis of this malware can be broken down into four steps:
  1. The PDF
  2. The shellcode
  3. More shellcode, and
  4. The Portable Executable file

1. The PDF
The PDF file contains four malicious components:

  • A malformed SWF (Shockwave Flash) file to trigger the CVE-2010-3654 vulnerability
  • Shellcode
  • JavaScript which does the heap spray
  • An encrypted PE (Portable Executable) file
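Each of the four components leaves an indicator a defender can look for without opening the file in a reader. The script below is an added example, not code from the MMPC post and not run against the real sample: it scans a constructed PDF-like byte string for JavaScript objects, a heap-spray pattern inside that JavaScript (a run of `%uXXXX` escapes plus a loop that grows a string), an embedded SWF (either a `/RichMedia` dictionary or `FWS`/`CWS`/`ZWS` magic at the start of a stream, after inflating FlateDecode streams), and large high-entropy streams of the kind an encrypted PE produces. The sample bytes, the heuristics and the 7.5 bits-per-byte entropy threshold are all assumptions made for the example.

```python
import math
import re
import zlib
from collections import Counter

# Constructed sample, not the real file from the post: a minimal PDF-like byte
# string containing one object of each kind the analysis above lists.
_SWF_STREAM = zlib.compress(b"CWS\x0a" + b"\x00" * 24)  # FlateDecode'd SWF header
_OPAQUE_STREAM = bytes(range(256))  # stands in for an encrypted PE (maximal entropy)
SAMPLE_PDF = (
    b"%PDF-1.6\n"
    b"1 0 obj << /Type /Catalog /OpenAction 4 0 R >> endobj\n"
    b"3 0 obj << /Type /EmbeddedFile /Filter /FlateDecode /Length "
    + str(len(_SWF_STREAM)).encode() + b" >>\nstream\n" + _SWF_STREAM
    + b"\nendstream endobj\n"
    b"4 0 obj << /S /JavaScript /JS (var s = unescape(\"%u9090%u9090%u9090%u9090\"); "
    b"while (s.length < 0x40000) s += s; var a = []; "
    b"for (i = 0; i < 200; i++) a[i] = s;) >> endobj\n"
    b"5 0 obj << /Type /RichMedia /Subtype /Flash >> endobj\n"
    b"6 0 obj << /Length 256 >>\nstream\n" + _OPAQUE_STREAM + b"\nendstream endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
JS_RE = re.compile(rb"/JS\s*\((.*?)\)\s*>>", re.DOTALL)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 means every byte value occurs equally often."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def extract_streams(pdf: bytes) -> list:
    """Return stream bodies, inflating FlateDecode streams where that succeeds."""
    out = []
    for m in STREAM_RE.finditer(pdf):
        raw = m.group(1)
        try:
            out.append(zlib.decompress(raw))
        except zlib.error:
            out.append(raw)  # not compressed (or not zlib): keep the raw bytes
    return out


def looks_like_heap_spray(js: bytes) -> bool:
    """Heuristic: several %uXXXX escapes plus a loop that grows a string by .length."""
    escapes = re.findall(rb"%u[0-9a-fA-F]{4}", js)
    return len(escapes) >= 4 and re.search(rb"\.length\s*<", js) is not None


def triage(pdf: bytes, entropy_threshold: float = 7.5) -> dict:
    """Static indicators for the four components: JS, heap spray, SWF, opaque payload."""
    findings = {
        "javascript": re.search(rb"/JS\b|/JavaScript\b", pdf) is not None,
        "heap_spray": any(looks_like_heap_spray(js) for js in JS_RE.findall(pdf)),
        "embedded_swf": re.search(rb"/RichMedia\b|/Subtype\s*/Flash\b", pdf) is not None,
        "opaque_streams": 0,
    }
    for data in extract_streams(pdf):
        if data[:3] in (b"FWS", b"CWS", b"ZWS"):  # uncompressed/zlib/LZMA SWF magic
            findings["embedded_swf"] = True
        elif len(data) >= 256 and shannon_entropy(data) >= entropy_threshold:
            findings["opaque_streams"] += 1  # large, random-looking: candidate encrypted PE
    return findings


def verdict(findings: dict) -> str:
    """Three or more of the four indicators together is what this sample looks like."""
    score = sum([findings["javascript"], findings["heap_spray"],
                 findings["embedded_swf"], findings["opaque_streams"] > 0])
    return "suspicious" if score >= 3 else ("review" if score else "clean")


if __name__ == "__main__":
    result = triage(SAMPLE_PDF)
    print(result, verdict(result))
```

None of these indicators is proof on its own (legitimate PDFs carry JavaScript and Flash), which is why the verdict only fires when several co-occur; a real triage pipeline would also handle object streams and other filters that this regex-based sketch ignores.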

2. The shellcode
The shellcode reads data from the PDF stream, decrypts it into a PE file on disk and then executes it (as shown in Figure 1).

Hexadecimal view of the PDF stream

Figure 1:  Decrypting the PE file

3. The shellcode, again
When the decrypted PE file is executed, it runs shellcode contained in its resource section. That shellcode decrypts a DLL file to disk and loads it. The DLL in turn runs shellcode from a resource section; this time the shellcode decrypts another PE image and loads it into memory (this PE image is never written to disk; it exists only in memory).
 
4. The final PE
Dumping the decrypted PE image from memory, the ending to this attacker's story becomes clear: it is the installation of Win32/Hupigon (aka "Grey Pigeon" and "Graybird"), the notorious remote-control backdoor that is a prevalent threat in China.

Stay safe with protection for this exploit and the threats leveraging it, and don't forget to apply the update released today by Adobe (APSB10-28 - http://www.adobe.com/support/security/bulletins/apsb10-28.html).

 
matryoshka
 
 
- Chun Feng, MMPC


New P2P Botnet Arising

A new year has broken - a new peer-to-peer botnet is on the rise. It shares some commonalities with the infamous Waledac bot that was taken down in an exemplary effort by Microsoft early last year. Although this new bot has a different code base, it uses the same spreading strategy and also seems to maintain a multi-relay (or peer-to-peer) infrastructure just like its predecessor. Our friends over at ShadowServer have posted an excellent blog entry about this new threat and how it relates to earlier bots.

We are currently analyzing the new family and can confirm peer-to-peer-like behavior. When started, the bot loads a list of 20 hard-coded peers. Each entry contains a unique ID, the peer's IP address and the TCP port it is listening on:

971e116b-1c78-4619-abb2-3467427b8861 69.96.23.0:80
d9d04244-2f07-464c-b5c9-ad78e6319546 69.204.140.0:80
89787e02-6de4-4385-ae5f-5eaca64a3fe0 112.204.169.0:80
...
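A list in this shape is exactly what an analyst wants to turn into network indicators. The following Python is an added example (not code from the post or from ShadowServer): it parses entries in the `<GUID> <IPv4>:<port>` format shown above, rejects malformed lines instead of silently accepting them, and derives the unique endpoints and /24 networks a firewall or IDS rule could be built from. The input is constructed from the three entries quoted in the post plus two deliberately broken lines; the real list holds 20 peers.

```python
import ipaddress
import re
import uuid

# Constructed input: the three entries quoted in the post, plus two malformed
# lines added here to exercise the validation. The real bot list holds 20 peers.
PEER_LIST = """\
971e116b-1c78-4619-abb2-3467427b8861 69.96.23.0:80
d9d04244-2f07-464c-b5c9-ad78e6319546 69.204.140.0:80
89787e02-6de4-4385-ae5f-5eaca64a3fe0 112.204.169.0:80
not-a-guid 198.51.100.5:80
971e116b-1c78-4619-abb2-3467427b8861 69.96.23.0:99999
"""

# <id> <dotted quad>:<port>; the id and address are validated separately below.
ENTRY_RE = re.compile(r"^(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")


def parse_peer_list(text: str):
    """Return (peers, rejected): validated peer dicts and the raw lines that failed."""
    peers, rejected = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if not m:
            rejected.append(line)
            continue
        guid, ip, port = m.groups()
        try:
            peer_id = str(uuid.UUID(guid))          # rejects ids that are not GUIDs
            addr = ipaddress.IPv4Address(ip)        # rejects octets above 255
        except ValueError:
            rejected.append(line)
            continue
        port = int(port)
        if not 1 <= port <= 65535:
            rejected.append(line)
            continue
        peers.append({"id": peer_id, "ip": str(addr), "port": port})
    return peers, rejected


def network_indicators(peers):
    """Indicators for blocklists/IDS: unique ip:port endpoints and the /24s they sit in."""
    endpoints = sorted({f"{p['ip']}:{p['port']}" for p in peers})
    networks = sorted({str(ipaddress.ip_network(f"{p['ip']}/24", strict=False))
                       for p in peers})
    return endpoints, networks


if __name__ == "__main__":
    peers, rejected = parse_peer_list(PEER_LIST)
    print(f"{len(peers)} peers parsed, {len(rejected)} lines rejected")
    for item in network_indicators(peers):
        print(item)
```

Keeping the rejected lines rather than dropping them matters when the list comes out of a memory dump, where a truncated or overwritten entry is itself worth a look.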


A ShmooCon Preview

It’s always tough to get a ticket for Washington D.C.’s ShmooCon hacker conference. Just over 1,200 tickets were available in three rounds of ticket sales for the January 28-30 event. It’s a sign of the conference’s popularity that each round sold out in under 10 seconds. At about a third of the size of a larger conference like Read more...


Another day, another PS3 security story


Saturday, 26 February 2011

MSRT January '11: Win32/Lethic

Win32/Lethic is a trojan that communicates with a remote server to distribute spam. Variants of Lethic install executable files with varied file names such as "shelldm.exe" or "xcllsx.exe". The malware loads as a process when Windows starts.

The trojan establishes a connection to remote servers using varied TCP ports, such as 1430, 8900, 8090 and so on. It communicates with servers with names such as "dqglobex.com", "verywellhere.cn" and "iamnothere.cn", among others. Once connected, the trojan allows unauthorized use of the affected computer, including distributing spam.

Forefront Online Protection for Exchange (FOPE) consists of layered technologies to actively help protect businesses' inbound and outbound e-mail from spam, viruses, phishing scams, and e-mail policy violations.

Forefront Online Protection for Exchange diagram

Image 1 - Forefront Online Protection for Exchange diagram

According to FOPE spam statistics, Win32/Lethic produces a high volume of spam and thus has been selected for addition this month to the Malicious Software Removal Tool (MSRT). Win32/Lethic is not the biggest botnet in terms of IP addresses; however, it is known for sending many messages in a single envelope.

Below, you can see the difference in spam distribution models between two malware families, Win32/Rustock and Win32/Lethic. Notice that Rustock sends spam at a 1:1 ratio, whereas Lethic is 1:many.
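The 1:1 versus 1:many distinction is something a mail gateway can measure from its own logs. The Python below is an added example, not FOPE code and not the statistics the post refers to: it reads constructed per-envelope log lines (one line per SMTP envelope, with the sending host and its RCPT TO count), profiles each source by recipients per envelope, and sorts sources into the two models the post contrasts. The log format, the threshold of 10 recipients per envelope and the minimum sample of two envelopes are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed gateway log (not FOPE output): one line per SMTP envelope with the
# sending host and the number of RCPT TO recipients the envelope carried.
SAMPLE_LOG = """\
2011-01-11T10:00:01Z src=198.51.100.7 env=q1 rcpt=1
2011-01-11T10:00:02Z src=198.51.100.7 env=q2 rcpt=1
2011-01-11T10:00:03Z src=198.51.100.7 env=q3 rcpt=1
2011-01-11T10:00:04Z src=198.51.100.7 env=q4 rcpt=1
2011-01-11T10:00:05Z src=203.0.113.9 env=r1 rcpt=48
2011-01-11T10:00:09Z src=203.0.113.9 env=r2 rcpt=52
2011-01-11T10:00:10Z src=192.0.2.20 env=s1 rcpt=2
malformed line that must be skipped, not crash the parser
"""

LINE_RE = re.compile(r"src=(?P<src>\S+)\s+env=(?P<env>\S+)\s+rcpt=(?P<rcpt>\d+)")


def envelope_profile(log: str) -> dict:
    """Per source host: envelopes seen, recipients addressed, recipients per envelope."""
    stats = defaultdict(lambda: {"envelopes": 0, "recipients": 0})
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # unparseable lines are skipped, not fatal
        s = stats[m["src"]]
        s["envelopes"] += 1
        s["recipients"] += int(m["rcpt"])
    for s in stats.values():
        s["rcpt_per_envelope"] = s["recipients"] / s["envelopes"]
    return dict(stats)


def classify_senders(profile: dict, many_threshold: float = 10.0,
                     min_envelopes: int = 2) -> dict:
    """Split sources into the 1:1 and 1:many models described in the post.

    The threshold and the minimum sample size are assumptions for this example;
    sources with too few envelopes are left unclassified rather than guessed at.
    """
    out = {"one_to_one": [], "one_to_many": []}
    for src, s in profile.items():
        if s["envelopes"] < min_envelopes:
            continue
        bucket = "one_to_many" if s["rcpt_per_envelope"] >= many_threshold else "one_to_one"
        out[bucket].append(src)
    return out


if __name__ == "__main__":
    profile = envelope_profile(SAMPLE_LOG)
    for src, s in profile.items():
        print(f"{src}: {s['envelopes']} envelopes, {s['rcpt_per_envelope']:.1f} rcpt/envelope")
    print(classify_senders(profile))
```

Recipients per envelope is a cheap complement to raw message volume: a 1:many sender generates few connections and few envelopes, so it hides from volume-based thresholds that a 1:1 sender like Rustock would trip.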

 

Win32/Rustock spam distribution model

Image 2 - Win32/Rustock spam distribution model

 

 

Win32/Lethic spam distribution model

Image 3 - Win32/Lethic spam distribution model

 

You can do more to protect your Internet experience by running a full AV solution, such as Microsoft Security Essentials, for real-time protection. Download and install Microsoft Security Essentials from http://www.microsoft.com/security_essentials/.

 

Patrick Nolan, MMPC


The Fake Defragmenter Invasion

Since it first became popular at the end of October 2010, a rogue defragmenter has continued to haunt users; by the end of 2010 it had reached 20 variants, and the number may continue to rise. The author has never stopped producing new variants. As is typical of rogue applications, this rogue defragmenter [...]


A malicious addition to a Facebook link

In the last few days we have discovered that spam messages with malicious links are being sent via instant messenger services. It turns out that the mailings were carried out by the Zeroll IM worm. A bot generated various messages depending on the language of the recipient. Here are a few of them:

“Wie findest du das Foto?”
“seen this?? :D %s”
“This is the funniest photo ever!”
“bekijk deze foto :D”
“uita-te la aceasta fotografie :D”

Like lots of other similar incidents, the cybercriminals have made use of social engineering, asking users to look at pictures with alluring names. At the end of the message there is a link such as http://www.facebook.com/l.php?u=********.org/Jenny.jpg. As well as the link to the Jenny.jpg file the messages included similar links to Sexy.jpg.

The page that the http://www.facebook.com/l.php?u= link leads to is not actually malicious - it contains a warning from Facebook telling the user they are leaving the site.

Facebook warning

If you add a link to any random site after ‘l.php?u=’, then a window opens with a warning from Facebook. However, after the user clicks the ‘Continue’ button the link will direct the user to the corresponding site. This mechanism was used by the cybercriminals to make the link to the malicious site look more legitimate.

When the browser redirects to the page ********.org/Jenny.jpg it leads to the file PIC1274214241-JPG-www.facebook.com.exe which is then launched by unsuspecting users. Hereafter, the terms jenny.jpg and sexy.jpg refer to this executable file.
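The two tricks described so far, wrapping the real destination in a Facebook `l.php?u=` link and serving an executable whose name imitates an image, can both be checked mechanically before anyone clicks. The Python below is an added example (not Kaspersky Lab's code): it pulls URLs out of IM messages, unwraps the redirector to expose the true target, flags targets that promise an image, and flags a served file name whose executable extension is dressed up with an image token or a domain name. The messages are constructed in the style quoted above, with `example.org` standing in for the domain the post redacts; the served file name is the one the post reports; the redirector host/path and the `u` parameter are taken from the post, the extension lists are assumptions.

```python
import os
import re
from urllib.parse import parse_qs, unquote, urlparse

# Constructed IM messages in the style quoted in the post. "example.org" stands
# in for the redacted domain; the served file name is the one the post reports.
SAMPLE_MESSAGES = [
    "seen this?? :D http://www.facebook.com/l.php?u=example.org/Jenny.jpg",
    "bekijk deze foto :D http://www.facebook.com/l.php?u=example.org/Sexy.jpg",
    "here is the agenda http://www.facebook.com/l.php?u=example.com/agenda.pdf",
    "no link here :D",
]
SERVED_FILENAME = "PIC1274214241-JPG-www.facebook.com.exe"

URL_RE = re.compile(r"https?://\S+")
# Assumption: the redirector is identified by host + path and carries its target in 'u'.
REDIRECTORS = {("www.facebook.com", "/l.php"), ("facebook.com", "/l.php")}
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif"}
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}


def unwrap_redirect(url: str) -> str:
    """Return the real destination behind a known redirector, or the URL unchanged."""
    p = urlparse(url)
    if (p.netloc.lower(), p.path) not in REDIRECTORS:
        return url
    target = parse_qs(p.query).get("u", [""])[0]
    if not target:
        return url
    target = unquote(target)
    # The post's links omit the scheme after u=; normalise so urlparse sees a host.
    return target if "://" in target else "http://" + target


def deceptive_filename(name: str) -> bool:
    """Executable extension whose base name carries an image token or a domain name."""
    root, ext = os.path.splitext(name.lower())
    return ext in EXEC_EXTS and re.search(r"jpe?g|png|gif|www\.|\.com\b", root) is not None


def assess_message(text: str, served_filename: str = None) -> dict:
    """Summarise what a message's links really point at, plus the served file's name."""
    out = {"wrapped_links": [], "image_lures": [], "masquerading_exe": False}
    for link in URL_RE.findall(text):
        target = unwrap_redirect(link)
        if target != link:
            out["wrapped_links"].append(target)
        if os.path.splitext(urlparse(target).path)[1].lower() in IMAGE_EXTS:
            out["image_lures"].append(target)
    if served_filename and deceptive_filename(served_filename):
        out["masquerading_exe"] = True
    return out


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(msg)
        print("  ->", assess_message(msg, SERVED_FILENAME))
```

The useful signal is the combination: a redirector-wrapped link, a promised picture, and a delivered file that is an executable pretending to be that picture. Checking the served name as well as the link matters because the link itself (`Jenny.jpg`) looks entirely benign.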

After analyzing jenny.jpg and sexy.jpg it turned out that they were typical downloaders, protected by packers and written in Visual Basic.

Fragment of the downloader code after the jenny.jpg file is unpacked in full

The downloaders’ job is typical for these types of program - download another malicious program to the infected computer. In this case, it’s the file srce.exe. So that the user doesn’t suspect anything, the downloaders also open the picture that was promised in the original spam message. The picture is downloaded from the Internet (the link can be seen in the screenshot).

So what is srce.exe? It’s a dropper + downloader whose outer shell is also written in Visual Basic. It downloads IM-Worm.Win32.XorBot.a which uses Yahoo Messenger to send out messages to users.

So what we have here is a link to a page on Facebook being used in instant messaging spam instead of a direct link to a malicious object. You could say that Facebook is being used as a service along the lines of bit.ly: it allows links to be modified so that they are directed via the Facebook domain.

Zeroll is still actively sending out spam. The messages contain links to different files, but with similar names such as Girls.jpg and Marisella.jpg. And even though people already know they shouldn’t just click any old links, even if it was sent by someone on their contact list, it’s worth reminding everyone again. If nothing else, cybercriminals are creative, and the Zeroll spam once again confirms this.


Friday, 25 February 2011


MSRT December: If it quacks like a bot, it's probably Qakbot.

This month, the MSRT team has added the Win32/Qakbot family of backdoors to its detections.  Qakbot is composed of several components, including a keylogger, a password stealer and a user-mode rootkit.  Qakbot is commonly distributed as the payload of what appear to be attacks, mainly targeted at enterprise installations.
 
Qakbot starts as a highly obfuscated JavaScript that downloads and runs an installer and user-mode rootkit.  At this point, Qakbot is hidden from the user while it downloads the rest of the Qakbot package.
 
Qakbot next gathers information and steals anything that it can find.  This includes login and password, banking information, user keystrokes and information about the local infection.  All of the gathered information is then encrypted into a custom log file, and uploaded to a remote server via FTP.
 
In addition to all of these capabilities, the Qakbot family also has the ability to update itself to make sure that it's running a recent version of the malware.
 
The Qakbot family has been getting a decent amount of press for its use in several high profile attacks.  We've been keeping close tabs on the malware, and we're happy to be adding it to MSRT this month.
 
You can do more to protect your Internet experience by running a full AV solution, such as Microsoft Security Essentials for real time protection. Download and install Microsoft Security Essentials from http://www.microsoft.com/security_essentials/.
 
Dan Kurc and Aaron Putnam


When we should learn from history

Happy new year from Prevx Research Labs!

2010 is behind us and we have already started this exciting new year strongly focused on Prevx4 development. However, today we're going to write again about the Microsoft Patch Day, which was scheduled for Tuesday 11 January.

We ended last year with two public 0day exploits already freely available on the web, two exploits that Microsoft did not fix on the December patch day. In a previous blog post I showed how these two exploits, if used together, could potentially be more dangerous than expected.

During the first days of this month another 0day exploit was published on the web - again in the Metasploit framework. This time the flaw is located inside the shimgvw.dll library: a stack overflow when the library tries to parse malformed thumbnail bitmaps containing a negative "biClrUsed" value.
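The root cause named here, a palette count that goes negative when a DWORD is read as a signed integer, is worth seeing in a header parser. The Python below is an added example (not Prevx code and not the shimgvw.dll logic): it packs two constructed 40-byte BITMAPINFOHEADER structures, shows how a signed read turns a biClrUsed of 0xFFFFFFF0 into -16, and then parses the header the safe way, reading the field as the unsigned value it is and rejecting any count larger than the palette the colour depth allows. The 256-entry cap used for depths above 8 bits is an assumption of this example.

```python
import struct

# Field order of the 40-byte Windows BITMAPINFOHEADER, little-endian:
# biSize, biWidth, biHeight, biPlanes, biBitCount, biCompression, biSizeImage,
# biXPelsPerMeter, biYPelsPerMeter, biClrUsed, biClrImportant
BITMAPINFOHEADER = struct.Struct("<IiiHHIIiiII")
CLR_USED_OFFSET = 32  # byte offset of biClrUsed inside the structure


def make_header(width: int, height: int, bitcount: int, clr_used: int) -> bytes:
    """Build a constructed test header; clr_used is packed as the unsigned DWORD it is."""
    return BITMAPINFOHEADER.pack(40, width, height, 1, bitcount, 0, 0, 2835, 2835, clr_used, 0)


# Constructed inputs, not taken from the exploit: a sane 8-bit header and one
# whose palette count has the high bit set.
GOOD_HEADER = make_header(16, 16, 8, 16)
BAD_HEADER = make_header(16, 16, 8, 0xFFFFFFF0)


def clr_used_as_signed(header: bytes) -> int:
    """How a parser that loads biClrUsed into a signed int sees the field."""
    return struct.unpack_from("<i", header, CLR_USED_OFFSET)[0]


def parse_bitmapinfoheader(header: bytes) -> dict:
    """Parse the header and bound the palette before anything is sized from it."""
    if len(header) < BITMAPINFOHEADER.size:
        raise ValueError("truncated BITMAPINFOHEADER")
    (size, width, height, planes, bitcount, _compression, _size_image,
     _xppm, _yppm, clr_used, _clr_important) = BITMAPINFOHEADER.unpack_from(header)
    if size != BITMAPINFOHEADER.size:
        raise ValueError(f"unexpected biSize {size}")
    if planes != 1 or bitcount not in (1, 4, 8, 16, 24, 32):
        raise ValueError(f"bad biPlanes/biBitCount {planes}/{bitcount}")
    # Indexed formats have at most 2**biBitCount palette entries. For deeper
    # formats the optional colour table is capped at 256 entries here (assumption).
    max_entries = (1 << bitcount) if bitcount <= 8 else 256
    # Because clr_used was read unsigned, every value that a signed read would
    # make negative is larger than any legal palette and is rejected here.
    if clr_used > max_entries:
        raise ValueError(f"biClrUsed {clr_used} exceeds palette maximum {max_entries}")
    # Zero means "full palette" for indexed formats and "no table" otherwise.
    entries = clr_used if clr_used else (max_entries if bitcount <= 8 else 0)
    return {"width": width, "height": height, "bitcount": bitcount,
            "palette_entries": entries, "palette_bytes": entries * 4}


def header_is_safe(header: bytes) -> bool:
    """True when the header parses and its palette bound is respected."""
    try:
        parse_bitmapinfoheader(header)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print("good:", parse_bitmapinfoheader(GOOD_HEADER))
    print("bad header, biClrUsed as signed int:", clr_used_as_signed(BAD_HEADER))
    print("bad header accepted?", header_is_safe(BAD_HEADER))
```

The defensive pattern is general: a count taken from a file must be read with its declared signedness and compared against the maximum the format permits before it drives a copy length or an index, otherwise a single bit flip in the header decides where a loop stops.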

With this last exploit we have a total of three 0day exploits, already documented and with their source code publicly available on the net: two remote code execution exploits and an Elevation of Privilege exploit. The Internet Explorer mshtml.dll exploit has the id CVE-2010-3971 and Microsoft Security Advisory 2488013. The Microsoft Graphics Rendering Engine flaw has the id CVE-2010-3970 and Microsoft Security Advisory 2490606. The win32k.sys Elevation of Privilege exploit has the id CVE-2010-4398 and still no Microsoft Security Advisory - remember that we reported the flaw on 24th November 2010.

We were expecting Microsoft to patch them on the first patch day of the year, which was scheduled for yesterday. Unfortunately, Microsoft decided not to patch any of them.

In my opinion Microsoft's choice not to patch these open flaws is questionable. While I must say that Microsoft has posted some workarounds to mitigate the two remote code execution exploits, I think this is not a good way to handle the problem, as it widens the gap between the disclosed flaw and the released patch. Publishing workarounds is good as a temporary measure to mitigate a flaw. It should no longer be acceptable once the flaw has been known and documented on the web for more than a month. Moreover, we're assuming that every user is able to apply the workaround by themselves, and we're already quite optimistic when we assume the user is even aware that there is a workaround to apply. Most users just run Windows Update and automatically download the needed patches.

The Elevation of Privilege flaw we talked about in November 2010 has been publicly available on the internet for more than 40 days. And the flaw doesn't even have a security advisory from Microsoft yet. Someone could object that there aren't any reports showing the vulnerability being used in the wild. Well, we should have a closer look at what history teaches us.

This situation should ring a bell: when Stuxnet was discovered, we found it was using four 0day exploits. Or maybe we should say it was using just three real 0day exploits?

Actually, one of the 0day exploits had already been known since April 2009, when the security magazine Hakin9 released details of the flaw that was later identified in Stuxnet and tagged by Microsoft as MS10-061. Microsoft fixed the flaw in September 2010, 17 months later.

Perhaps the flaw had not been used widely in the wild, but it turned out it was used in the most sophisticated targeted attack ever seen. So, the question is: is it a good strategy to delay releasing patches just because there isn't any evidence that the flaw is being used in the wild?

At the moment - even with the operating system fully patched - if malicious code manages to get into your PC (e.g. through a removable device or some specific exploit) and is able to run as a medium integrity level process, then it can easily gain administrative privileges, no matter whether you are running it in a limited account or in an Admin Approval Mode account.

If you want to be protected from the elevation of privilege exploit, you can install Prevx for free, which will prevent the flaw from being exploited, and it will give you another layer of protection alongside your existing security solution.


This malware will block your Facebook. Beware!

Malware continues to attack Facebook users. This time, the malware is able to spread through Facebook chat messages by sending a message with a malicious link to the user's friends. The message looks like this: hahahh Foto :D hxxp://apps.facebook.com/glombotke/photo.php?=1012323960 The link leads to a malicious Facebook application page. With the social engineering techniques, [...]


Can Google weed out the content farms?


SMS Mobile Malware Feelin' the Love

Thinking of sending an MMS message to a loved one?  Think twice before downloading mobile applications that promise just that. With all the hoopla that this love month already has going on, obviously malware authors are joining in on the bandwagon. Instead of making someone’s day, you might have unknowingly been victimized by an SMS Trojan that poses as an MMS application.  

We came across a downloadable file named ‘love_mms.rar’ (c0974da6494118324b1eb2ba4ae47a96a8e3b6c1) that contains a JAR installer named ‘jimm2010.jar’ (40175bc9057fb8a0ce4fa09b6daa491bfa6051db, which we detect as Trojan:Java/Jifake.A) and several pictures with Russian file names related to Valentine’s Day. This file is available for download from certain websites and may be targeting subscribers of a Russian mobile network. Examples of the image files included in the archive are:

Figure 1, 2, and 3: The teddy bear says “I miss you”, and the hedgehog says “My heart is yours”.

If the user runs the installer, then while the user is busy sending these images, the code in the installer sends SMS messages to a Russian premium-rate SMS short code, which can charge the user without his or her knowledge. Note that the JAR installer runs on any mobile platform that supports Java, such as the Symbian and Windows CE operating systems.

So before you send in those love greetings, be aware that malware authors are also doing their best to cash in on unsuspecting mobile users.  Just be sure that you get those pictures from reliable resources and not bundled with some shady application to enjoy a worry free Heart’s Day!

Marianne Mallen
MMPC Dublin Lab

 



Surveys and free VPNs: an odd combination


Here You Have - An analysis

In the security and malware research space, every now and then there comes something which suddenly becomes widespread and raises eyebrows all around. The latest "Here You Have" related worm is one such incident, and we thought to share with end-users our findings and also make them aware of its capabilities and technicalities. Emsisoft Anti-Malware [...]


CCM - Our Threat Indices in the Security Intelligence Report

At the recent Virus Bulletin 2010 Conference in Vancouver, BC, I made a presentation highlighting infection data collected from the Malicious Software Removal Tool and data collected from Microsoft Security Essentials in its first year. The presentation (coincidentally on the Security Essentials one year anniversary), entitled "Observations and lessons learned from comparing point-in-time cleaning against real-time protection", showed the MSRT as a baseline removal tool to keep the ecosystem clean and called on end users to run a full AV solution as a further step to proactively protect themselves from malware attacks. One of the indices we use as we examine the results of our removal and protection tools is the CCM (Computers Cleaned per Mille [Thousand] MSRT Executions) Index.

In that presentation, I also showed that the MSRT and other Microsoft security updates have a much lower install ratio in China than elsewhere worldwide. This is partially attributed to some prominent security software vendors in China who turn off automatic updating or attempt to disable Windows Update so they can offer their own update services. The update services provided through these security vendors may not consistently apply all security updates for Windows or other Microsoft software, and we have observed that most of these security vendors do not actively encourage users to install the MSRT: it is either listed as a low-priority update or not offered at all. We are working with these vendors to build a stronger security practice, and to build their security solutions on top of the protections offered by Microsoft rather than attempting to replace them. It is worth mentioning that the MSRT, like all Windows security updates, is available to all Windows systems regardless of license state; the MSRT removes the prevalent threats to help improve the security of the Internet for all users. Because of the broad reach of the MSRT, we are able to draw on its detection data, in combination with other security datasets from Microsoft products and services, to produce the semi-annual Security Intelligence Reports.

We have now released volume 9 of the Security Intelligence Report (SIR), which covers the threat landscape, observations and analysis for 1H10. In the SIR, a commonly used concept originating from the MSRT data sources is the CCM. The CCM index presents the infection rate of the ecosystem, and it can be broken down by geographic location, by operating system, or by threat family. Because the MSRT targets the subset of the most prevalent malware, this index shows how the different countries or platforms are impacted by these active threats, and allows end users, IT professionals and other readers to take action in building their security fence. For example, this figure shows that Windows 7 is less botted (infected by bots or zombies and recruited into a botnet) than older platforms, and that server platforms are less likely to be infected.

Figure: Computers cleaned (CCM) by platform

And this heatmap shows how different countries are likely to be infected by bots.

Figure: Heatmap per country, 2Q10

In addition, the CCM provided important data points to help track Waledac activity during the Waledac takedown event. The CCM concept is now widely adopted in the SIR and is used to interpret other datasets such as phishing and malicious site indices. We expect to expand CCM indices to describe other datasets in future SIR releases.

Figure: Heatmap - infection 2

Figure: Phishing heatmap
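To make the index concrete, here is an added worked example (not Microsoft's SIR code or data) that computes CCM over a handful of constructed MSRT execution records and breaks it down by country, by platform and by threat family, the three breakdowns the post names. The record layout, the sample values and the rule that a computer counts as cleaned once per execution regardless of how many families were removed are assumptions made for the illustration.

```python
"""Worked CCM (Computers Cleaned per Mille MSRT executions) computation.

Added illustration over constructed data; it is not Microsoft's SIR code
and the numbers below are invented for the example.
"""
from collections import defaultdict

# Constructed sample: one MSRT execution per record as
# (machine_id, country, platform, families_removed).
# An empty tuple means the run found nothing to remove.
SAMPLE_RUNS = [
    ("m1", "US", "Windows 7", ()),
    ("m2", "US", "Windows XP", ("Win32/Lethic",)),
    ("m3", "US", "Windows XP", ("Win32/Rustock", "Win32/Lethic")),
    ("m4", "US", "Windows 7", ()),
    ("m5", "BR", "Windows XP", ("Win32/Rustock",)),
    ("m6", "BR", "Windows 7", ()),
    ("m7", "BR", "Windows Server 2008", ()),
    ("m8", "BR", "Windows XP", ()),
]


def ccm(cleaned: int, executions: int) -> float:
    """Computers cleaned per 1,000 MSRT executions.

    The index is undefined when nothing ran, so that case is an error
    rather than a silent zero (a zero would read as 'no infections').
    """
    if executions <= 0:
        raise ValueError("CCM needs at least one MSRT execution")
    return round(cleaned / executions * 1000, 2)


def ccm_by(runs, field: str) -> dict:
    """Break CCM down by 'country' or 'platform'.

    A computer counts as cleaned once per execution, however many
    families were removed in that run (assumption for this example).
    """
    idx = {"country": 1, "platform": 2}[field]
    executions, cleaned = defaultdict(int), defaultdict(int)
    for rec in runs:
        key = rec[idx]
        executions[key] += 1
        if rec[3]:
            cleaned[key] += 1
    return {k: ccm(cleaned[k], executions[k]) for k in executions}


def ccm_by_family(runs) -> dict:
    """Per-family CCM: executions that removed the family, per 1,000
    executions overall. A run that removed two families contributes to
    both, so family rows are not mutually exclusive and do not sum to
    the overall CCM."""
    total = len(runs)
    cleaned = defaultdict(int)
    for rec in runs:
        for family in set(rec[3]):
            cleaned[family] += 1
    return {family: ccm(n, total) for family, n in cleaned.items()}


if __name__ == "__main__":
    for field in ("country", "platform"):
        print(field, ccm_by(SAMPLE_RUNS, field))
    print("family", ccm_by_family(SAMPLE_RUNS))
```

With this sample, Windows XP machines come out at 750 cleaned per mille against 0 for Windows 7 and the server platform, which is the shape of comparison the figure above draws; the per-family breakdown shows why family rows should never simply be added up.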

The full report is available at http://www.microsoft.com/sir.

--Scott Wu


How to remove Windows User Satellite rogue anti-spyware


MSRT January '11: Win32/Lethic

Win32/Lethic is a trojan that communicates with a remote server to distribute spam. Variants of Lethic install executable files with varied file names such as "shelldm.exe" or "xcllsx.exe". The malware loads as a process when Windows starts.

The trojan establishes a connection to remote servers using varied TCP ports, such as 1430, 8900, 8090 and so on. It communicates with servers with names such as "dqglobex.com", "verywellhere.cn" and "iamnothere.cn", among others. Once connected, the trojan allows unauthorized use of the affected computer, including distributing spam.
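The file names, C2 host names and ports above are the kind of indicators a defender would match against endpoint telemetry. The following added example (not MMPC's or Microsoft's code) does that over a few constructed log lines; the key=value log format and the sample events are assumptions. Because the post says the ports vary between variants, a port match on its own is treated as corroboration only, never as an alert by itself.

```python
"""Match constructed endpoint telemetry against the Win32/Lethic
indicators named in the post (file names, C2 host names, TCP ports).

Added example; the log format and sample events are invented for it.
"""
import re

LETHIC_FILE_NAMES = {"shelldm.exe", "xcllsx.exe"}
LETHIC_C2_HOSTS = {"dqglobex.com", "verywellhere.cn", "iamnothere.cn"}
LETHIC_PORTS = {1430, 8900, 8090}

# Constructed sample telemetry (not real logs). One event per line,
# space-separated key=value fields; ws22 is a benign host that happens
# to use one of the ports, to show that a port alone does not alert.
SAMPLE_TELEMETRY = r"""
2011-01-11T09:12:03 host=ws17 event=process_start image=C:\Windows\shelldm.exe
2011-01-11T09:12:05 host=ws17 event=net_connect image=C:\Windows\shelldm.exe dst=verywellhere.cn:8900
2011-01-11T09:13:00 host=ws22 event=net_connect image=C:\Program Files\Browser\browser.exe dst=www.example.com:443
2011-01-11T09:13:30 host=ws22 event=net_connect image=C:\Program Files\Browser\browser.exe dst=www.example.org:8090
2011-01-11T09:14:10 host=ws09 event=net_connect image=C:\Temp\xcllsx.exe dst=iamnothere.cn:1430
"""

# A value runs until the next " key=" or end of line, so paths with
# spaces (C:\Program Files\...) survive the split.
FIELD_RE = re.compile(r"(\w+)=(.+?)(?= \w+=|$)")


def indicators_for(line: str):
    """Return (host, set_of_indicator_hits) for one telemetry line."""
    fields = dict(FIELD_RE.findall(line))
    hits = set()
    image = fields.get("image", "")
    name = image.rsplit("\\", 1)[-1].lower()
    if name in LETHIC_FILE_NAMES:
        hits.add("filename:" + name)
    dst = fields.get("dst", "")
    if dst:
        host, _, port = dst.rpartition(":")
        if host.lower() in LETHIC_C2_HOSTS:
            hits.add("c2_host:" + host.lower())
        if port.isdigit() and int(port) in LETHIC_PORTS:
            hits.add("port:" + port)
    return fields.get("host"), hits


def scan(log_text: str) -> dict:
    """Hosts worth alerting on, mapped to the sorted indicators seen.

    A line contributes only if it matched something stronger than a
    port, since Lethic's ports vary and many benign services share them.
    """
    per_host = {}
    for line in log_text.splitlines():
        host, hits = indicators_for(line)
        if host is None or not hits:
            continue
        if all(h.startswith("port:") for h in hits):
            continue
        per_host.setdefault(host, set()).update(hits)
    return {h: sorted(v) for h, v in per_host.items()}


if __name__ == "__main__":
    for host, hits in scan(SAMPLE_TELEMETRY).items():
        print(host, hits)
```

Running it flags ws17 and ws09 (file name plus C2 host, with the port as a corroborating third indicator) and stays silent on ws22, whose only overlap with the list is port 8090.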

Forefront Online Protection for Exchange (FOPE) consists of layered technologies to actively help protect businesses' inbound and outbound e-mail from spam, viruses, phishing scams, and e-mail policy violations.

Image 1 - Forefront Online Protection for Exchange diagram

According to FOPE spam statistics, Win32/Lethic produces a high volume of spam and has therefore been selected for addition this month to the Microsoft Malware Removal Tool (MSRT). Win32/Lethic is not the biggest botnet in terms of IP addresses; however, it is known for sending many messages in a single envelope.

Below, you can see the difference in spam distribution models between two malware families, Win32/Rustock and Win32/Lethic. Notice that Rustock's model is a 1:1 ratio of message to envelope, whereas Lethic's is 1:many.

Image 2 - Win32/Rustock spam distribution model

Image 3 - Win32/Lethic spam distribution model
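The 1:1 versus 1:many distinction is visible on a mail gateway as the number of recipients per accepted envelope from each sending IP. The following added example (not FOPE's or Microsoft's code) computes that ratio over constructed MTA log lines and labels each source; the log format, the sample lines and the threshold of 50 recipients per envelope are assumptions for the illustration, not values from the post.

```python
"""Recipients-per-envelope profiling of sending IPs, as a way to tell
a 1:1 spam model (Rustock-style) from a 1:many one (Lethic-style).

Added example over constructed log lines; not FOPE's or Microsoft's code.
"""
import re
from collections import defaultdict

# Constructed MTA log (not real logs): one accepted envelope per line
# with the connecting client IP and the recipient count of that envelope.
SAMPLE_MTA_LOG = """\
2011-01-11T10:00:01 client=203.0.113.10 msgid=<a1@example.net> nrcpt=1
2011-01-11T10:00:02 client=203.0.113.10 msgid=<a2@example.net> nrcpt=1
2011-01-11T10:00:03 client=203.0.113.10 msgid=<a3@example.net> nrcpt=1
2011-01-11T10:00:04 client=198.51.100.7 msgid=<b1@example.org> nrcpt=250
2011-01-11T10:00:05 client=198.51.100.7 msgid=<b2@example.org> nrcpt=180
2011-01-11T10:00:06 client=192.0.2.44 msgid=<c1@example.com> nrcpt=2
"""

LINE_RE = re.compile(
    r"client=(?P<ip>[\d.]+) msgid=<(?P<msgid>[^>]+)> nrcpt=(?P<n>\d+)"
)


def envelope_stats(log_text: str) -> dict:
    """Per client IP: number of envelopes and total recipients."""
    stats = defaultdict(lambda: {"envelopes": 0, "recipients": 0})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # unrelated log line; ignore rather than fail
        entry = stats[m["ip"]]
        entry["envelopes"] += 1
        entry["recipients"] += int(m["n"])
    return dict(stats)


def classify(stats: dict, many_threshold: float = 50.0) -> dict:
    """Label each IP 'one-to-many' when its mean recipients per envelope
    reaches the threshold, else 'one-to-one'. The threshold is an
    assumption for this example; tune it to the legitimate list traffic
    your gateway sees, since newsletters are also one-to-many."""
    labels = {}
    for ip, s in stats.items():
        ratio = s["recipients"] / s["envelopes"]
        labels[ip] = "one-to-many" if ratio >= many_threshold else "one-to-one"
    return labels


if __name__ == "__main__":
    stats = envelope_stats(SAMPLE_MTA_LOG)
    for ip, label in classify(stats).items():
        print(ip, stats[ip], label)
```

A single 1:many source with a few envelopes can account for more recipients than many 1:1 sources combined, which is why per-IP message counts understate a botnet like Lethic and the post measures spam volume instead.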


You can do more to protect your Internet experience by running a full AV solution, such as Microsoft Security Essentials, for real-time protection. Download and install Microsoft Security Essentials from http://www.microsoft.com/security_essentials/.


Patrick Nolan, MMPC


Thursday, 24 February 2011


How to remove Windows Express Settings rogue anti-spyware


Your personal data in the wrong hands

What happens when all of your personal data is readily available for use by a cybercriminal?

Last November we published a blog talking about Brazilian phishing attacks that displayed the victims’ CPF numbers - the Natural Persons Register, the equivalent of a Social Security Number used by the Brazilian government to identify each citizen. A CPF is the most important document a Brazilian citizen possesses. It’s a prerequisite for a series of tasks like opening bank accounts, getting or renewing a driver’s license, buying or selling real estate, receiving loans, applying for jobs (especially public ones), getting a passport or credit cards, etc.

But this incident was just the tip of the iceberg.

Through our constant monitoring of malicious activities, we found some bad guys offering access to a complete database of all Brazilian citizens who have a CPF: all you need to do is contact a number and the system will return the complete personal data of a potential victim. The database is complete and contains data about every Brazilian, including myself.

The search results display your full name, date of birth, address, parentage (parents' names), city, zip code, etc., all easily available to a cybercriminal.

We found 3 mirrors of this website offering this kind of 'service' to Brazilian bad guys; it is a service that we call C2C (cybercriminals to cybercriminals).

Using such data, it is possible for a cybercriminal to impersonate a victim and steal their identity in order to access resources or obtain credit and other benefits in that person's name. Another example of malicious use involves Internet banking access: if you are performing an online operation, your bank will probably ask for some personal information to confirm your identity. Having access to this information gives cybercriminals the first step towards a targeted attack using your data.

You are probably wondering how the cybercriminals obtained this kind of information. Basically, it occurred through incidents of data leakage, not only from government departments, but also via e-commerce and other corporate entities that have had their databases attacked and their data stolen.

Nowadays, we see that the problem of protecting private information is not just confined to users, but applies equally to governments and corporations alike. Brazil isn’t the only country in the world facing such problems either. Over the course of time, governmental and corporate databases in many other nations have reported similar instances of sensitive information about citizens or employees being leaked.

The Brazilian authorities are currently investigating this incident.
