Panda Software publishes a free tool to eliminate the Nabload.U and Banker.BSX Trojans

The explosive propagation of the Nabload.U and Banker.BSX Trojans has left thousands of computers around the world infected. Panda Software has therefore made its PQRemove utility available to all users to detect and remove these Trojans from any infected computer. This utility can be downloaded from http://www.pandasoftware.com/download/utilities/. Currently, Banker.BSX and Nabload.U hold first and second place in the list of viruses most frequently detected by the Panda ActiveScan online antivirus solution.

Nabload.U and Banker.BSX launch a combined attack in order to install themselves on computers. The infection process is as follows: users receive, through MSN Messenger, a message with the text “ve esa vaina” (look at this), and displaying an Internet address. In order to trick users, the message appears to have come from one of the users’ contacts stored in the application.

If the user visits the link that they have received, the Nabload.U Trojan is downloaded onto their system. At the same time, this downloads the Banker.BSX Trojan.

Banker.BSX is designed to steal access details to various online banking services in Spanish-speaking countries. It does this by monitoring the addresses visited and waiting for the user to access one of these services. When this happens, the Trojan captures the information and sends it to an email address where the creator of the malicious code can collect the data which could then be used fraudulently. Finally, Banker.BSX sends new malicious messages to all MSN Messenger contacts.

December 30, 2005 on 10:43 pm | In Free Software, Trojan | No Comments |


Top tips to keep that new computer spyware free

Suzi Turner posted good tips; I have also added some…
New machine is booted up the first time and ready to go. It’s on the net. In this order, here’s what to do.
1. Update Windows immediately. In the Windows Security Center in the Control Panel turn on automatic download and installation for updates. Unless the computer came with a third party security suite or firewall, turn on the Windows XP firewall.
2. Update the pre-installed antivirus definitions and other security apps. Set them to auto update.
3. Download and install an alternative browser like Firefox or Opera.
4. Lockdown Internet Explorer. Yes, do it even if you use a different browser.
5. Install at least two anti-spyware apps. My top two recommended free apps are Ad-Aware and Microsoft AntiSpyware. Update definitions for both and turn on active protection in Microsoft AntiSpyware.
6. Install some free protective programs like SpywareBlaster and SpywareGuard from Javacool Software.
7. Install IE-SPYAD, which puts nearly 20,000 known dangerous domains in IE’s restricted site zone.
8. Install a HOSTS file from here or here.
9. Watch what you download!
10. Use EULAlyzer to check an “end user license agreement” (EULA) before you install software to check for amazing provisions like it’s ok to spy on you.
11. Surf safe and practice safe hex.

December 30, 2005 on 11:08 am | In Tips | No Comments |


Trojan targets Spanish-speaking bank customers

Utilising a new fusion of spyware and phishing techniques, a recently discovered Trojan is threatening Spanish-speaking bank customers. Nabload.U, which distributes using MSN Messenger, has made a target of online bank users in traditionally Spanish-speaking countries. Both technical and social engineering techniques have been used to get PC users to download the Trojan.
Once it infects a computer, Nabload.U downloads another trojan, Banker.bsx, which captures a user’s password and emails the information back to its author.
PandaLabs said the trojan is unusual because it captures passwords without the use of a traditional keylogger, thus leaving the user unaware of the breach. Banks that use virtual keyboards have not been immune from the virus.

December 30, 2005 on 10:26 am | In Trojan | No Comments |


More info about WMF Exploit

The exploit is currently being used to distribute the following threats:
Trojan-Downloader.Win32.Agent.abs
Trojan-Dropper.Win32.Small.zp
Trojan.Win32.Small.ga
Trojan.Win32.Small.ev.

Some of these install rogue anti-malware programs.

You might want to block these sites while waiting for a Microsoft patch:

Microsoft and CERT.ORG have issued bulletins on the Windows Metafile vulnerability:
http://www.microsoft.com/technet/security/advisory/912840.mspx
http://www.kb.cert.org/vuls/id/181038

Microsoft’s bulletin confirms that this vulnerability applies to all the main versions of Windows: Windows ME, Windows 2000, Windows XP and Windows 2003.

December 29, 2005 on 10:12 am | In Exploits & Vulnerabilities | No Comments |


How to block WMF exploit

For this WMF exploit: until Microsoft patches this thing or your AV provider has updated defs, here are some tips.

1. Unregister SHIMGVW.DLL.

This is your best workaround for the time being (realizing that nothing is perfect).
From the command prompt, type REGSVR32 /U SHIMGVW.DLL. A reboot is recommended. (It works post reboot as well. It is a permanent workaround).
You can also do this by going to Start, Run and then pasting in the above command.
This effectively disables your ability to view images using the Windows picture and fax viewer via IE.
However, it is not the most elegant fix. You’re probably going to have all kinds of problems viewing images.
But, no biggie: Once the exploit is patched, you can simply type “REGSVR32 SHIMGVW.DLL” to bring back the functionality.
And, it is a preventative measure. If you are already infected, it will not help.
Works for IE, should work fine for Firefox users as well.

2. Change file associations for WMF files.

Note that if a WMF file was spoofed to look like it was a different type of file (like GIF), this fix wouldn’t do anything. So it’s a pretty weak workaround. At any rate, here it is:
a) Go to My documents, Tools, Folder Options, File Types.
b) Change WMF Image to notepad and select Always Open with this.
Your WMF files will open in Notepad. Ugly and not as effective as unregistering SHIMGVW.DLL.

3. Run IESPYAD.

IESpyad is a free tool that puts block lists into IE’s restricted sites zone. It’s managed by Eric Howes, who works as a consultant for Sunbelt. Sunbelt regularly updates him with the latest URLs. Click here to read more.

thanks to sunbeltblog

December 29, 2005 on 4:15 am | In Exploits & Vulnerabilities, Tips, Tutorials - HowTo | No Comments |


New exploit blows by fully patched Windows XP systems

SecurityFocus just posted a bulletin on it.

Microsoft Windows WMF graphics rendering engine is affected by a remote code execution vulnerability.
The problem presents itself when a user views a malicious WMF formatted file, triggering the vulnerability when the engine attempts to parse the file.
The issue may be exploited remotely or by a local attacker. Any code execution that occurs will be with SYSTEM privileges due to the nature of the affected engine.
Microsoft Windows XP is considered to be vulnerable at the moment. It is likely that other Windows operating systems are affected as well.

Any application that automatically displays a WMF image will cause the user’s machine to get infected. This includes older versions of Firefox, current versions of Opera, Outlook and all current versions of Internet Explorer on all versions of Windows.

This is a really bad exploit.

December 28, 2005 on 2:57 am | In Exploits & Vulnerabilities, Trojan | No Comments |


Fake MS Messenger 8 beta

F-Secure is warning about ads for a “leaked version” of Windows Messenger 8 beta. There is no public beta of this and it is a virus.
If you download and run BETA8WEBINSTALL.EXE, you won’t get a new chat client. Instead, your existing MSN Messenger will start to send download links to everyone in your contact list. It also connects your machine to a botnet server.

The download link always contains the recipient’s email address. For example, if you had a friend with the email address huuhaa@foobar.com, he would get a download link like msgrbeta8.com/im.php?msn=huuhaa@foobar.com.
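Because the link carries the recipient's address, web proxy logs show who followed it. The triage script below is an added example, not from F-Secure or the original post. The log layout (client address first, URL somewhere in the line) and the sample lines are constructed assumptions; only the host and the `msn` parameter come from the link quoted above.

```python
import re
from urllib.parse import urlsplit, parse_qs

LURE_HOST = "msgrbeta8.com"  # host quoted in the post
URL = re.compile(r"(?:https?://)?[\w.-]+\.[a-z]{2,}/\S*", re.I)
EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def lure_recipients(lines):
    """Map each recipient address in a lure link to the clients that requested it."""
    found = {}
    for line in lines:
        fields = line.split()
        client = fields[0] if fields else "?"
        for raw in URL.findall(line):
            url = urlsplit(raw if "://" in raw else "http://" + raw)
            host = (url.hostname or "").lower()
            # Exact host or a subdomain only; look-alike hosts are ignored.
            if host != LURE_HOST and not host.endswith("." + LURE_HOST):
                continue
            # parse_qs also decodes %40, so encoded addresses are caught.
            for addr in parse_qs(url.query).get("msn", []):
                if EMAIL.match(addr):
                    found.setdefault(addr.lower(), []).append(client)
    return found

# Constructed sample proxy log lines (assumed format, not real traffic).
SAMPLE_LOG = [
    "10.0.0.12 GET http://msgrbeta8.com/im.php?msn=huuhaa@foobar.com 200",
    "10.0.0.31 GET http://www.msgrbeta8.com/im.php?msn=huuhaa%40foobar.com 200",
    "10.0.0.31 GET http://example.org/im.php?msn=someone@example.org 200",
    "10.0.0.44 GET http://msgrbeta8.com/index.html 200",
]

if __name__ == "__main__":
    for addr, clients in lure_recipients(SAMPLE_LOG).items():
        print(addr, "requested by", ", ".join(clients))
```

Each client listed followed the link and should be checked for BETA8WEBINSTALL.EXE; the recipient address identifies which Messenger contact was targeted.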

December 28, 2005 on 2:48 am | In Virus | No Comments |


EULAlyzer – Analyze license agreements for interesting words and phrases.

Do not buy or download any anti-spyware software without checking this list first. Rogue/Suspect Anti-Spyware Products & Web Sites — About 241 programs are listed as of December 2005. At best, these rogue programs are useless; at worst, they install spyware instead of removing it! Use EULAlyzer to check an “end user license agreement” (EULA) before you install software to check for amazing provisions like it’s ok to spy on you.

EULAlyzer can analyze license agreements in seconds, and provide a detailed listing of potentially interesting words and phrases. Discover if the software you’re about to install displays pop-up ads, transmits personally identifiable information, uses unique identifiers to track you, or much much more.

* Discover potentially hidden behavior about the software you’re going to install
* Pick up on things you missed when reading license agreements
* Keep a saved database of the license agreements you view
* Instant results – super-fast analysis in just a second

And with additional features like the EULA Research Center, which optionally allows users to anonymously submit license agreements they scan to help us to further improve the program, everyone can be a part of the effort to make something that used to be so tedious, so easy.

When installing software, never just click past the license agreement. Pop it into EULAlyzer, and EULAlyze it!
Download now.

December 27, 2005 on 8:37 am | In Free Software, Tips | 1 Comment |


How to remove Winhound

Winhound is an anti-spyware/antivirus program that is known to issue fake alerts on your computer in order to manipulate you into buying its full commercial version. If you are infected with this program you may receive virus alerts in your task bar that appear to be from Microsoft Security Center stating that you are infected with spyware and to run its special anti-spyware tool. This tool turns out to be the commercial version of Winhound. These alerts are fake and are a goad to have you buy the commercial version of this software. It will also hijack your desktop to show the following fake message: Warning Spyware Detected on Your System: Install an antivirus or spyware software to clean your computer.

1. Print out these instructions before starting, because you will not be able to connect to the internet during most of this fix.
2. Download smitRem.exe and save it to your desktop. Double-click it to extract it to its own folder on the desktop.
3. Download and install Ad-Aware SE. If you have a previous version of Ad-Aware installed, you will be prompted during the installation of the new version to uninstall the older version – be sure to uninstall the previous version.
Run Ad-Aware. Click on the world icon at the top right of the Ad-Aware window and let AdAware update the reference list for the adware and malware. Close Ad-Aware.
4. Download and install Ewido Security Suite. When installing, under “Additional Options” uncheck:
- “Install background guard”
- “Install scan via context menu”
Launch Ewido: there should be an icon on your desktop; double-click it. You will need to update Ewido to the latest definition files. On the left-hand side of the main screen click update. Then click on Start Update. The update will start and a progress bar will show the updates being installed.

That is all of the programs you need.

Next, please reboot your computer in Safe Mode by doing the following:

1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the first option, to run Windows in Safe Mode.

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen. Your desktop and icons will disappear and then reappear again — this is normal.
Wait for the tool to complete and Disk Cleanup to finish — this may take a while; please be patient.

Open Ad-aware and do a full scan. Remove all it finds.

Run Ewido: Click on scanner. Click on Complete System Scan and the scan will begin. NOTE: During some scans, Ewido reports false positives.
- You will need to step through the process of cleaning files one-by-one.
- If ewido detects a file you KNOW to be legitimate, select none as the action.
- DO NOT select “Perform action on all infections”
- If you are unsure of any entry found select none for now.
- When the scan is finished, click the Save report button at the bottom of the screen.

Close Ewido

Next go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck “Security Info” if present.

Restart your computer in normal mode.

Run the Panda online virus scan.

- Once you are on the Panda site click the Scan your PC button
- A new window will open…click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.

Finally, restart your computer.

December 26, 2005 on 9:38 am | In Malware removal, Rogue Anti Spyware, Tips, Tutorials - HowTo | No Comments |


The Adblock project

Adblock is a content filtering plug-in for the Mozilla and Firebird browsers. It is both more robust and more precise than the built-in image blocker.
Adblock allows the user to specify filters, which remove unwanted content based on the source-address. If this sounds complicated, don’t worry: it’s not.
Just add a few filters. Every time a webpage loads, Adblock will intercept and disable the elements matching your filters. See? Nothing to it.
Great! …but how do I add filters?
After you install / restart, an Adblock-item will be present in the tools-menu. This will launch Adblock’s prefs.
A selected filter can be edited by double-clicking or pressing ‘enter’. To remove it, press ‘delete’. New filters can also be added here or directly in the web-page: just right-click an ad and choose the Adblock option. For plugins, an Adblock-tab will appear atop or below the media: just click the “Adblock” text.
[Note: if you encounter a plugin, but don't see the Adblock-tab, don't worry -- the plugin is just cropped. Adblock has this covered. Choose "Overlay Flash" from the tools-menu, or type its shortcut. Now, you can directly click the overlay.]
Adblock supports two types of filters: simple, and Regular Expression.
A simple-filter is just a string of text with one or more wildcards (*). Regular expressions are much more complex, allowing precise control over filtering. In Adblock, as in all javascript, regular expressions must begin and end with the forward-slash: ‘/’.

More info about AdBlock here.

December 23, 2005 on 7:11 am | In Internet Browsers and Mail and News readers, Tips | No Comments |



My Anti Spyware - Free antispyware programs and Spyware Removal Instructions.