Putin’s death can kill your computer
Viruslist reported a new spam message:
Subject: ATTENTION !!! President of Russia has dead.
Attention!!! Vladimir Putin has dead. Visit immediately to http://news.bbc.co.uk/go/click/rss/1.0/-/8/hi/russia/********.stm
BBC, BBC World and their respective logos are trade marks of the British Broadcasting Corporation, Logos © 1996
The link in this ‘sensational’ message appears to lead to the BBC site, an organization with a worldwide reputation. But if the user clicks on the link, s/he is sent to a Russian site which has nothing at all to do with the BBC. This is made possible by the use of HTML in the message: the text the user sees is one URL, but the link’s real target (its href attribute) is a totally different site.
And what’s the point? After all, the message isn’t selling anything. Well, according to Viruslist’s virus analysts, when you visit this site, Exploit.JS.ADODB.Stream.o (a script exploit for the ADODB.Stream ActiveX object) is used to download a Trojan-Downloader (Trojan-Downloader.Win32.Agent.uj) onto your machine. And once a Trojan-Downloader is on your machine, it will probably start downloading other malicious programs…
In other words, curiosity can kill your computer. And put your personal data at risk.
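The trick described above is mechanical enough to check for automatically: in an HTML message, compare the hostname a reader sees in the link text with the hostname the href actually points at. The following is an added example, not code from the original post or from Viruslist; the sample message is constructed to mirror the spam, and attacker.example is a placeholder for the real destination, which the post does not name.

```python
"""Added example: flag HTML links whose visible text names one host while
the href points somewhere else, the trick used by the 'Putin has died' spam."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Matches a bare or scheme-prefixed hostname inside the link's visible text.
_TEXT_HOST_RE = re.compile(
    r"(?:https?://)?([a-z0-9](?:[a-z0-9.-]*[a-z0-9])?\.[a-z]{2,})", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host_in_text(text):
    """Hostname the reader believes they are clicking, or None for a plain label."""
    m = _TEXT_HOST_RE.search(text)
    return m.group(1).lower() if m else None


def _same_site(shown, actual):
    """True if the real target is the shown host or a subdomain of it."""
    return actual == shown or actual.endswith("." + shown)


def find_deceptive_links(html):
    """Return (shown_host, actual_host) pairs where the link text lies about its destination."""
    collector = _LinkCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for href, text in collector.links:
        shown = _host_in_text(text)
        actual = (urlparse(href).hostname or "").lower()
        if shown and actual and not _same_site(shown, actual):
            findings.append((shown, actual))
    return findings


# Constructed sample modelled on the spam above; attacker.example is a placeholder host.
SAMPLE_MESSAGE = """
<p>Vladimir Putin has dead. Visit immediately to
<a href="http://attacker.example/putin.html">http://news.bbc.co.uk/go/click/rss/1.0/-/8/hi/russia/</a></p>
<p>A genuine link: <a href="http://news.bbc.co.uk/">http://news.bbc.co.uk/</a></p>
<p>Plain label, cannot be judged by text alone: <a href="http://example.org/">Read more</a></p>
"""

if __name__ == "__main__":
    for shown, actual in find_deceptive_links(SAMPLE_MESSAGE):
        print(f"link shows {shown!r} but really goes to {actual!r}")
```

A link whose text is a plain label such as "Read more" is not flagged, because there is nothing visible to contradict; the check only catches text that itself claims to be a URL or hostname. A lookalike such as news.bbc.co.uk.evil.example is still flagged, since a suffix match is only accepted in the other direction (real target being a subdomain of the shown host).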
October 26, 2006, 8:07 am | In Trojan
More fake codec sites, or the story continues…
The story continues… a few days ago Sunbeltblog reported fresh fake codec sites.
The “codec” is actually a trojan downloader/installer. It changes your home page to one of the current security-scam sites, such as iupdate.com, and produces unwanted pop-ups that push rogue security software or open porn pages such as adultfriendfinders[dot]com.
The codecs also install one of the current rogue anti-spyware products, SpywareQuake or VirusBurst. These give false positives along with alert bubbles to scare users into buying the software; the same gang owns the online billing sites, so you would be handing your credit card number to the people who infected you.
These sites:
vccodec(dot)com - IP: 85.255.118.195
hqcodec(dot)com - IP: 69.50.188.109
powercodec(dot)com - IP: 69.50.188.109
medcodec(dot)com - IP: 69.50.188.109
ptproject(dot)com - IP: 216.255.183.202 (currently offline)
All of these sites, except ptproject(dot)com, have installers confirmed on them, even if the main page is not loading.
October 26, 2006, 7:59 am | In Adware
SpamThru Trojan - malware that detects and removes other malware
Like many viruses and trojans, SpamThru tries to prevent installed anti-virus software from downloading updates by adding entries to the %sysdir%\drivers\etc\hosts file that point the AV update sites to the localhost address. In the past we’ve also seen malware which tries to uproot competing malware on an infected system by killing its processes, removing its registry keys, or setting up mutexes which fool the other malware into thinking it is already running so that it exits at start.
SpamThru takes the game to a new level, actually using an antivirus engine against potential rivals. At startup, SpamThru requests and loads a DLL from the control server. This DLL in turn downloads a pirated copy of Kaspersky AntiVirus for WinGate from the control server into a concealed directory on the infected system. It patches the license signature check in-memory in the Kaspersky DLL so that Kaspersky does not refuse to run because of an invalid or expired license. Ten minutes after the DLL is downloaded, it begins scanning the system for malware, skipping files which it detects are part of its own installation. Any other malware found on the system is then set up to be deleted by Windows at the next reboot.
Read more about SpamThru Trojan : SpamThru Trojan Analysis
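The hosts-file trick at the start of this post is cheap to detect: a stock hosts file maps only localhost-style names to the loopback address, so any other name pointed at 127.0.0.1, 0.0.0.0 or ::1 deserves a look. The following is an added example (not from the original post or from the SpamThru analysis): it parses hosts-file text, flags sinkholed names, and optionally flags any entry for hostnames on a caller-supplied watchlist such as an AV vendor’s update servers. The sample file and the av-vendor.example names are constructed; substitute your own vendor’s real update hosts in the watchlist.

```python
"""Added example: detect hosts-file entries that sinkhole update servers,
the technique SpamThru uses to blind installed anti-virus software."""

# Addresses a trojan uses to make a name resolve to nowhere useful.
SINKHOLE_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}

# Names that legitimately map to loopback in a stock hosts file.
EXPECTED_LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
                        "ip6-localhost", "ip6-loopback"}


def parse_hosts(text):
    """Yield (line_number, address, name) for every mapping, ignoring comments and blanks."""
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()    # drop trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue                            # malformed line; nothing resolves
        address, names = fields[0], fields[1:]
        for name in names:
            yield lineno, address, name.lower()


def find_sinkholed_names(text, watchlist=()):
    """Return (name, address, line_number) for suspicious entries.

    An entry is suspicious if a non-local name is pointed at a sinkhole
    address, or if a name on the caller's watchlist (e.g. the AV vendor's
    update hosts) is mapped to any address at all: those should be resolved
    by DNS, never by a local override."""
    watch = {w.lower() for w in watchlist}
    hits = []
    for lineno, address, name in parse_hosts(text):
        sinkholed = address in SINKHOLE_ADDRESSES and name not in EXPECTED_LOCAL_NAMES
        if sinkholed or name in watch:
            hits.append((name, address, lineno))
    return hits


# Constructed sample; the av-vendor.example names are hypothetical stand-ins
# for a real vendor's update servers.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
127.0.0.1       updates.av-vendor.example        # appended by the trojan
127.0.0.1       downloads.av-vendor.example
0.0.0.0         liveupdate.av-vendor.example
10.0.0.5        intranet.corp.example            # ordinary admin entry, not flagged
203.0.113.7     signatures.av-vendor.example     # redirected to an attacker box
"""

if __name__ == "__main__":
    # On Windows read %SystemRoot%\System32\drivers\etc\hosts and pass its text here.
    for name, address, lineno in find_sinkholed_names(
            SAMPLE_HOSTS, watchlist=["signatures.av-vendor.example"]):
        print(f"line {lineno}: {name} -> {address}")
```

The watchlist matters because a redirect to an attacker-controlled address (the last sample line) is not a sinkhole and would pass the loopback test; only knowing which names must never appear in the file catches it.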
New rogue antispyware found - PestCapture / how to remove it
Sunbelt blog reported a new rogue antispyware, PestCapture.

PestCapture uses the same DLLs as another rogue antispyware, SpySheriff.
To protect your PC, add these sites to your blocklist:
pesttrap(dot)com
Innovagest2000(dot)com
1stantivirus(dot)com
Anti-virus-pro(dot)com
Spycontra(dot)com
Spydeface(dot)com
Virushammer(dot)com
To remove PestCapture from your computer, follow these steps:
Download CCleaner. Double-click the file to install it.
Download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.
Go to Start > Control Panel > Add or Remove Programs and remove the following programs, if found: PestCapture
Next, please reboot your computer in Safe Mode by doing the following:
1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the first option, to run Windows in Safe Mode.
Open the SmitfraudFix folder and double-click smitfraudfix.cmd. Press 2 on your keyboard and then Enter to choose the option Clean (safe mode recommended).
You will be prompted: “Registry cleaning - Do you want to clean the registry?”; answer Yes by typing Y and pressing Enter to remove the desktop background and clean the registry keys associated with the infection. The tool will then check whether wininet.dll is infected. You may be prompted to replace the infected file (if found); answer Yes by typing Y and pressing Enter.
Reboot your PC.
Run CCleaner.
Click the Analyze button. After it has scanned your system, click Run Cleaner.
Your computer should now be free of the PestCapture infection.
If you are still having problems with spyware after completing these instructions, please follow the steps outlined in the topic linked below: Spyware removal - Read Before Posting
New version of Comodo Free Firewall
What’s New?
Application Component Authentication - validates all the components of an application before allowing it internet access.
Application Behavior Analysis - analyzes each application behavior and detects any suspicious activity before allowing internet access.
Defense against Trojan Protocols - advanced protocol driver level protection
Smart Alerts - Every alert includes a Security Consideration section with advice to users.
Comodo Firewall is one of the smartest firewalls you will ever see. When answering firewall questions, users usually do not understand the complex connection details involved, such as IP addresses, ports and application paths.
Comodo Firewall helps you understand what is going on by analyzing each alert and providing an intuitive, easily understandable Security Considerations section with each question it asks.
With its built-in application database, Comodo Firewall classifies more than 10,000 applications according to their risk level, such as SAFE, SPYWARE, ADWARE etc. It is the only firewall which has such a big application database and which uses such a database to analyze the security risks.
Comodo Firewall is a complete, easy to manage and effective barrier that keeps hackers out and personal information in.
October 2, 2006, 5:45 pm | In Pop-Up Blockers and Firewalls, Free Software
New vulnerability found in Internet Explorer / how to protect yourself
A new vulnerability has been found in Microsoft Windows which can be exploited by malicious people to compromise a user’s system.
The vulnerability is caused due to an error in the Windows Shell and is exposed via the “setSlice()” method in the WebViewFolderIcon ActiveX control (webvw.dll). This can e.g. be exploited via Internet Explorer by a malicious website to corrupt memory by passing specially crafted arguments to the “setSlice()” method.
Successful exploitation allows execution of arbitrary code.
To protect your PC you can do the following:
You can disable attempts to instantiate this ActiveX control in Internet Explorer by setting the kill bit for the control in the registry.
To set the kill bit for the CLSIDs listed below (the value 0x400 in “Compatibility Flags” is the kill bit), paste the following text into a text editor such as Notepad, then save the file with the .reg file name extension:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{e5df9d10-3b52-11d1-83e8-00a0c90dc849}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{844F4806-E8A8-11d2-9652-00C04FC30871}]
"Compatibility Flags"=dword:00000400

You can apply this .reg file to individual systems by double-clicking it. Note that regedit requires straight double quotes around the value name; typographic quotes pasted from a web page will make the import fail.
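Because Compatibility Flags is a bit field, a control is only kill-bitted if bit 0x400 is set in the value, not merely if a key for its CLSID exists. The following added example (not from the original post or from Microsoft) parses the text of a .reg export of the ActiveX Compatibility key and reports the kill-bit state per CLSID, so you can confirm the fix landed after importing the file above. The two WebViewFolderIcon CLSIDs are taken from the .reg text above; the third key in the sample is constructed to show a control whose flags are present but do not include the kill bit.

```python
"""Added example: parse a .reg export and report whether the ActiveX kill bit
(0x400 in 'Compatibility Flags') is set for each CLSID it lists."""
import re

KILL_BIT = 0x00000400   # FLAG_KILL_BIT: IE refuses to instantiate the control

_KEY_RE = re.compile(
    r"^\[HKEY_[^\]]*\\ActiveX Compatibility\\"
    r"(\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\})\]$")
_FLAGS_RE = re.compile(r'^"Compatibility Flags"=dword:([0-9A-Fa-f]{1,8})$')


def killbit_status(reg_text):
    """Map each CLSID under 'ActiveX Compatibility' to True if its kill bit is set.

    A CLSID whose key appears without a Compatibility Flags value, or whose
    flags lack bit 0x400, is reported as False: the key alone blocks nothing."""
    status = {}
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            key = _KEY_RE.match(line)
            current = key.group(1).lower() if key else None
            if current:
                status.setdefault(current, False)
            continue
        flags = _FLAGS_RE.match(line)
        if flags and current:
            status[current] = bool(int(flags.group(1), 16) & KILL_BIT)
    return status


def unprotected(reg_text, required_clsids):
    """CLSIDs from required_clsids that the export does not show as kill-bitted."""
    status = killbit_status(reg_text)
    return [c for c in required_clsids if not status.get(c.lower(), False)]


# The first two keys mirror the .reg file above; the third is constructed to
# show flags that are set but do not include the kill bit.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{e5df9d10-3b52-11d1-83e8-00a0c90dc849}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{844F4806-E8A8-11d2-9652-00C04FC30871}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000001}]
"Compatibility Flags"=dword:00000001
"""

WEBVIEWFOLDERICON_CLSIDS = [
    "{e5df9d10-3b52-11d1-83e8-00a0c90dc849}",
    "{844F4806-E8A8-11d2-9652-00C04FC30871}",
]

if __name__ == "__main__":
    # regedit writes exports as UTF-16LE; open a real export with encoding="utf-16".
    for clsid, is_set in killbit_status(SAMPLE_REG).items():
        print(clsid, "kill bit set" if is_set else "NOT kill-bitted")
    print("still unprotected:", unprotected(SAMPLE_REG, WEBVIEWFOLDERICON_CLSIDS))
```

To check a live machine, export HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility with regedit and feed the file’s text to unprotected() with the two CLSIDs; an empty list means both controls are blocked.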
You can help protect against this vulnerability by changing your Internet Explorer settings to prompt before running ActiveX controls. To do this, follow these steps:
1. In Internet Explorer, click Internet Options on the Tools menu.
2. Click the Security tab.
3. Click Internet, and then click Custom Level.
4. Under Settings, in the ActiveX controls and plug-ins section, under Run ActiveX controls and plug-ins, click Prompt or Disable, and then click OK.
5. Click Local intranet, and then click Custom Level.
6. Under Settings, in the ActiveX controls and plug-ins section, under Run ActiveX controls and plug-ins, click Prompt or Disable, and then click OK.
7. Click OK two times to return to Internet Explorer.
You can help protect against this vulnerability by changing your settings for the Internet security zone to prompt before running ActiveX controls. You can do this by setting your browser security to High. To raise the browsing security level in Microsoft Internet Explorer, follow these steps:
1. On the Internet Explorer Tools menu, click Internet Options.
2. In the Internet Options dialog box, click the Security tab, and then click the Internet icon.
3. Under Security level for this zone, move the slider to High. This sets the security level for all Web sites you visit to High.
Read more: Vulnerability in Windows Shell Could Allow Remote Code Execution, WebViewFolderIcon setSlice, Microsoft Windows Shell Code Execution Vulnerability
October 2, 2006, 8:40 am | In Exploits & Vulnerabilities
MSN Worm Used to install Backdoor
F-Secure has received reports from customers of suspicious pop-ups being spammed through MSN Messenger. Below is a sample message:
lol check
http://peopleonline.pe.funpic.de/[REMOVED].pif
When the link in the message is clicked, it downloads a file named photo942.PIF. This file is the backdoor component of Licat.C and is used to connect to go.cheap[Removed].info and go.links4[Removed].biz.
These websites contain a malicious IP address. Accessing this address in turn downloads other malware and adware from www.uglyphotos.net/[Removed] and executes it on the infected machine.
One of the downloaded files is responsible for the pop-up messages being spammed via MSN Messenger. It arrives on the system with the filename sprT.exe. This file is also detected as IM-Worm.Win32.Licat.c.
Licat.C, a variant of Licat, is a Trojan. Licat.C can send instant messages or contact certain websites to inform the malware authors about certain events, and allows files to be downloaded onto the infected computer. Licat.C tries to connect to certain websites on the Internet.
Licat.C also attempts to replace the original MSN Messenger application client, msnmsgr.exe, with its own copy. The original Messenger file is renamed and is started by the copy. Deleting the Licat.C copy and renaming the original file, msgs.exe, may repair the installation of Messenger.
The other downloaded files are adware related. One is a trojan that drops a variant of PurityScan adware onto the system - detected as Trojan-Dropper.Win32.PurityScan.ag. The other is a Softomate adware installer - detected as Softomate toolbar.
October 1, 2006, 7:49 am | In Adware, Worms