
New version Comodo Free Firewall

Comodo Firewall is one of the smartest firewalls you will ever see. When answering firewall prompts, users usually do not understand the complex questions, which involve connection details such as IP addresses, ports and application paths.

Continue reading New version Comodo Free Firewall…

October 2, 2006 on 5:45 pm | In Pop-Up Blockers and Firewalls, Free Software | 2 Comments |


New vulnerability found in Internet Explorer / how to protect

A new vulnerability has been found in Microsoft Windows which can be exploited by malicious people to compromise a user’s system.

The vulnerability is caused due to an error in the Windows Shell and is exposed via the “setSlice()” method in the WebViewFolderIcon ActiveX control (webvw.dll). This can e.g. be exploited via Internet Explorer by a malicious website to corrupt memory by passing specially crafted arguments to the “setSlice()” method.

Successful exploitation allows execution of arbitrary code.

To protect your PC, you can do the following:

You can disable attempts to instantiate this ActiveX control in Internet Explorer by setting the kill bit for the control in the registry.

To set the kill bit for a CLSID with a value of {e5df9d10-3b52-11d1-83e8-00a0c90dc849}, paste the following text in a text editor such as Notepad. Then, save the file by using the .reg file name extension.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{e5df9d10-3b52-11d1-83e8-00a0c90dc849}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{844F4806-E8A8-11d2-9652-00C04FC30871}]
"Compatibility Flags"=dword:00000400

You can apply this .reg file to individual systems by double-clicking it.
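To confirm that a .reg fragment like the one above really sets the kill bit (bit 0x400 of "Compatibility Flags") for every CLSID you care about, here is an added example of a small checker; it is not part of the advisory or of this post. The sample .reg text is constructed inline from the two entries above plus a hypothetical third CLSID whose flags lack the kill bit.

```python
import re

# Kill bit: bit 0x400 in "Compatibility Flags" tells Internet Explorer
# never to instantiate the control with that CLSID.
KILL_BIT = 0x400

KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\"
    r"ActiveX Compatibility\\(\{[0-9A-Fa-f-]{36}\})\]$"
)
FLAGS_RE = re.compile(r'^"Compatibility Flags"=dword:([0-9A-Fa-f]{8})$')


def parse_activex_compat(reg_text):
    """Return {clsid: flags} for every ActiveX Compatibility key in a .reg file.

    Keys that carry no "Compatibility Flags" value are reported with flags None.
    CLSIDs are lower-cased so that {844F...} and {844f...} compare equal.
    """
    result = {}
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        key = KEY_RE.match(line)
        if key:
            current = key.group(1).lower()
            result[current] = None
            continue
        if line.startswith("["):          # some unrelated registry key
            current = None
            continue
        flags = FLAGS_RE.match(line)
        if flags and current is not None:
            result[current] = int(flags.group(1), 16)
    return result


def kill_bit_set(flags):
    return flags is not None and (flags & KILL_BIT) == KILL_BIT


def unkilled_clsids(reg_text, expected):
    """CLSIDs from `expected` whose kill bit is NOT set in the .reg file."""
    found = parse_activex_compat(reg_text)
    return sorted(c.lower() for c in expected
                  if not kill_bit_set(found.get(c.lower())))


# Constructed sample: the two entries from the workaround above plus a third,
# hypothetical CLSID whose flags do not contain the kill bit.
SAMPLE_REG = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\ActiveX Compatibility\\{e5df9d10-3b52-11d1-83e8-00a0c90dc849}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\ActiveX Compatibility\\{844F4806-E8A8-11d2-9652-00C04FC30871}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\ActiveX Compatibility\\{00000000-0000-0000-0000-000000000001}]
"Compatibility Flags"=dword:00000000
"""

WEBVIEWFOLDERICON = ["{e5df9d10-3b52-11d1-83e8-00a0c90dc849}",
                     "{844F4806-E8A8-11d2-9652-00C04FC30871}"]

if __name__ == "__main__":
    for clsid, flags in parse_activex_compat(SAMPLE_REG).items():
        print(f"{clsid}: {'kill bit set' if kill_bit_set(flags) else 'NOT killed'}")
    print("missing kill bits:", unkilled_clsids(SAMPLE_REG, WEBVIEWFOLDERICON))
```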

You can help protect against this vulnerability by changing your Internet Explorer settings to prompt before running ActiveX controls. To do this, follow these steps:

1. In Internet Explorer, click Internet Options on the Tools menu.
2. Click the Security tab.
3. Click Internet, and then click Custom Level.
4. Under Settings, in the ActiveX controls and plug-ins section, under Run ActiveX controls and plug-ins, click Prompt or Disable, and then click OK.
5. Click Local intranet, and then click Custom Level.
6. Under Settings, in the ActiveX controls and plug-ins section, under Run ActiveX controls and plug-ins, click Prompt or Disable, and then click OK.
7. Click OK two times to return to Internet Explorer.

You can help protect against this vulnerability by changing your settings for the Internet security zone to prompt before running ActiveX controls. You can do this by setting your browser security to High. To raise the browsing security level in Microsoft Internet Explorer, follow these steps:

1. On the Internet Explorer Tools menu, click Internet Options.
2. In the Internet Options dialog box, click the Security tab, and then click the Internet icon.
3. Under Security level for this zone, move the slider to High. This sets the security level for all Web sites you visit to High.

Read more: Vulnerability in Windows Shell Could Allow Remote Code Execution, WebViewFolderIcon setSlice, Microsoft Windows Shell Code Execution Vulnerability

October 2, 2006 on 8:40 am | In Exploits & Vulnerabilities | No Comments |


MSN Worm Used to install Backdoor | How to remove

F-Secure has received reports from customers of suspicious pop-ups that were being spammed through MSN Messenger. Below is a sample message:

lol check :) http://peopleonline.pe.funpic.de/[REMOVED].pif

When the link in the message is clicked, it automatically downloads a file named photo942.PIF. This file is the backdoor component of Licat.C and is used to connect to go.cheap[Removed].info and go.links4[Removed].biz.

These websites point to a malicious IP address. Accessing this address in turn downloads other malware and adware from www.uglyphotos.net/[Removed] and executes it on the infected machine.

One of the downloaded files is responsible for the pop-up messages that are being spammed via MSN Messenger. It arrives on the system with the filename sprT.exe. This file is also detected as IM-Worm.Win32.Licat.c.

Licat.C, a variant of Licat, is a Trojan. Licat.C can send instant messages or contact certain websites to inform the malware authors about certain events, and it allows downloading files onto the infected computer. Licat.C tries to connect to certain websites on the Internet.

Licat.C also attempts to replace the original MSN Messenger application client, msnmsgr.exe, with its own copy. The original Messenger file is renamed and is started by the copy. Deleting the Licat.C copy and renaming the original file, msgs.exe, may repair the installation of Messenger.

The other downloaded files are adware related. One is a trojan that drops a variant of PurityScan adware onto the system – detected as Trojan-Dropper.Win32.PurityScan.ag. The other is a Softomate adware installer – detected as Softomate toolbar.
Continue reading MSN Worm Used to install Backdoor | How to remove…

October 1, 2006 on 7:49 am | In Adware, Worms | No Comments |


More fake codec sites

Sunbeltblog reported (1, 2) about two fresh fake codec sites.

Strcodec

MP Video Codec

Add both sites to your blocklist using the following info:

69.50.160.58 Mpcodec.com
85.255.118.194 strcodec.com

Related articles: How to remove malicious codecs.

September 20, 2006 on 5:34 pm | In Adware | No Comments |


How to block VML exploit

A few days ago a new zero-day exploit was found. The exploit uses a bug in VML in Internet Explorer to overflow a buffer and inject shellcode. It is currently on and off again at a number of sites.

Secunia reported:

The vulnerability is caused due to a boundary error in the Microsoft Vector Graphics Rendering (VML) library (vgx.dll) when processing certain content in Vector Markup Language (VML) documents. This can be exploited to cause a stack-based buffer overflow by e.g. tricking a user into viewing a malicious VML document containing an overly long “fill” method inside a “rect” tag with the Internet Explorer browser.

Successful exploitation allows execution of arbitrary code with the privileges of the application using the vulnerable functionality in the library.

To block the VML exploit, do the following:

1. Click Start, click Run, type regsvr32 -u "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll" (the inner quotation marks are required because the path contains spaces), and then click OK.
2. A dialog box appears to confirm that the un-registration process has succeeded. Click OK to close the dialog box.

Impact of workaround: applications that render VML will no longer do so once vgx.dll has been unregistered. To undo this change, re-register vgx.dll by following the above steps, replacing the command in step 1 with regsvr32 "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll".

Thanks to SunbeltBlog.

September 20, 2006 on 5:16 pm | In Exploits & Vulnerabilities, Tips, Tutorials - HowTo | No Comments |


New Internet Explorer vulnerability found

An Internet Explorer (daxctle.ocx) heap overflow vulnerability has been found.

When Internet Explorer handles the Spline method of the DirectAnimation.PathControl COM object (daxctle.ocx), setting the first parameter to 0xffffffff triggers an invalid memory write, which an attacker could use to cause a denial of service and possibly execute arbitrary code.

Affected Windows versions:
Windows 2000
Windows XP
Windows 2003

Windows users.. check out Firefox, Opera, and whatever other nice browsers you can throw out there.

August 31, 2006 on 9:11 pm | In Exploits & Vulnerabilities | No Comments |


Worm uses MS04-007, MS05-017, MS05-039, MS06-040 bugs

For the past several days, ISC has received all kinds of emails about the recent increase in scanning on port 139. One of our loyal readers out there on the ‘Information SuperHighway’, Alex Pettinger, wrote in and gave us some netstat and fport outputs from one of his machines that seemed to be affected by the worm (as well as a nice copy of it). It appears, in typical antivirus fashion, to be named several things: McAfee is calling it “W32/SDbot.worm!MS06-040”, Sophos is calling it “W32/Vanebot-A”, and Symantec is calling it “W32.Randex.GEL”. (Yes, it’s been out for a couple of days.)

Let’s take a look at this bad boy, shall we? How does it spread? Well, it uses MS04-007, MS05-017, MS05-039 and, of course, our favorite bug of the moment, MS06-040.

This one should be relatively easy to catch: look for machines pounding away over port 139 (from reader submissions it’s about 150 machines in just a few seconds, so it should be noisy), and look for connections via IRC to “forum.ednet.es” over port 4915 (until the next variant changes it, and we know it will). It has the ability to do a bunch of things, including spreading to network shares.

To protect your PC, block ports 139 and 445 at the router/firewall. NetBIOS traffic shouldn’t be allowed to exit or enter your network at egress points anyway.

Update your antivirus. At least daily. Patch your Windows.

Thanks ISC
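The two detection hints above (one host fanning out over port 139/445, and an IRC session on port 4915) can be checked mechanically against netstat output. The following is an added example, not code from ISC or from this post; it parses lines in the shape Windows `netstat -n` prints and runs over a constructed sample in which one host shows both symptoms. The threshold of 20 distinct targets is an assumption, far below the ~150 the reader submissions mention.

```python
import re
from collections import defaultdict

# Lines in the shape `netstat -n` prints on Windows:
#   TCP    192.168.1.10:1034    10.0.0.5:139    SYN_SENT
NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\d+)\s*(\S*)\s*$")

SMB_PORTS = {139, 445}   # NetBIOS/SMB ports the worm spreads over
IRC_CC_PORT = 4915       # IRC port named in the ISC write-up (variants change it)
SCAN_THRESHOLD = 20      # assumed: distinct SMB targets from one host before alerting


def parse_netstat(text):
    """Yield (proto, src_ip, src_port, dst_ip, dst_port, state) per valid line."""
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            proto, sip, sport, dip, dport, state = m.groups()
            yield proto, sip, int(sport), dip, int(dport), state


def find_scanners(text, threshold=SCAN_THRESHOLD):
    """Return {src_ip: distinct_targets} for hosts fanning out over 139/445."""
    targets = defaultdict(set)
    for _, sip, _, dip, dport, _ in parse_netstat(text):
        if dport in SMB_PORTS:
            targets[sip].add(dip)
    return {ip: len(t) for ip, t in targets.items() if len(t) >= threshold}


def find_irc_cc(text, port=IRC_CC_PORT):
    """Return sorted (src_ip, dst_ip) pairs talking to the suspected C&C port."""
    return sorted({(sip, dip) for _, sip, _, dip, dport, _ in parse_netstat(text)
                   if dport == port})


# Constructed sample: 192.168.1.10 hammers 25 neighbours on port 139 and holds
# an IRC session on 4915; 192.168.1.20 does ordinary web and file-share traffic.
SAMPLE_NETSTAT = "\n".join(
    [f"  TCP    192.168.1.10:{1100 + i}    192.168.1.{50 + i}:139    SYN_SENT"
     for i in range(25)]
    + ["  TCP    192.168.1.10:1099    203.0.113.7:4915    ESTABLISHED",
       "  TCP    192.168.1.20:2001    198.51.100.9:80     ESTABLISHED",
       "  TCP    192.168.1.20:2002    192.168.1.1:445     ESTABLISHED"]
)

if __name__ == "__main__":
    for ip, n in find_scanners(SAMPLE_NETSTAT).items():
        print(f"ALERT {ip}: {n} distinct targets on 139/445 (worm-like scanning)")
    for sip, dip in find_irc_cc(SAMPLE_NETSTAT):
        print(f"ALERT {sip} -> {dip}:{IRC_CC_PORT} (possible IRC C&C session)")
```

Feed it real `netstat -n` output from a suspect machine; the clean host in the sample shows that a single SMB connection to a file server does not trip the scanner rule.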

August 31, 2006 on 9:05 pm | In Tips, Worms | No Comments |


How to remove DriveCleaner (Uninstall instructions)

Drive Cleaner is a rogue privacy/security program that gives exaggerated reports of security and privacy risks on a computer. The program then prompts the user to purchase a registered version of the software in order to remove the reported risks.

During installation, DriveCleaner configures itself to run automatically every time you start your computer. Once running, it will scan your computer and report security and privacy risks that cannot be removed unless you first purchase the software. DriveCleaner may also drastically slow the performance of your computer. Use the instructions below to remove Drive Cleaner and any associated malware from your computer for free.
Continue reading How to remove DriveCleaner (Uninstall instructions)…

August 31, 2006 on 8:39 pm | In Tutorials - HowTo | No Comments |


Java extremely important update

Sun has released a fresh update for Java Runtime Environment. This is an extremely important update. JRE has long been used to install malware as it contains numerous vulnerabilities which allow remote code execution. Another important factor is that JRE works with all web browsers. This means that a vulnerability in JRE will affect all browsers.

The most serious issue in JRE has finally been fixed. The problem with previous JRE releases was that they didn’t prevent a Java applet from calling earlier JRE versions. As previous JRE versions aren’t uninstalled automatically, this creates a very dangerous situation: if machines have the latest version of JRE but older versions haven’t been manually uninstalled, the machines are still vulnerable.

So install the latest update ASAP. Read the article How to update Java.

There have been reports in the past that the updater in the Java Control Panel will say that the latest version is present, even though it’s not. So double check that you have the latest version!

P.S. If you uninstall all the older versions you’ll probably free up quite a lot of space on your hard disk.

August 30, 2006 on 12:47 am | In Updates | No Comments |


Don’t be a victim or how to make better choices

There are some current tools out there which may help users make better choices (or block their bad choices). I’m just going to talk about browser toolbars.

Continue reading Don’t be a victim or how to make better choices…

August 28, 2006 on 11:48 pm | In Best Programs, Free Software, Internet Browsers and Mail and News readers, Spyware protection and removal, Tips | No Comments |


Sophos Anti-Rootkit Eliminates hidden applications and processes

Free Sophos Anti-Rootkit finds and removes any rootkit that is hidden on your computer. Removing rootkits without compromising system integrity is particularly challenging and needs to be done with care.

Continue reading Sophos Anti-Rootkit Eliminates hidden applications and processes…

August 28, 2006 on 7:54 pm | In Free Software, Rootkit | No Comments |


Netcraft Toolbar

Netcraft has a really nice toolbar which can provide visual clues as well as speed bumps to doing something unsafe. It can actually block access to a site pending user verification (ok so we all know most users click OK on anything that pops up to get it out of the way).

Continue reading Netcraft Toolbar…

August 27, 2006 on 8:02 am | In Free Software, Phishing | No Comments |


SpoofStick

A spoofed website is typically made to look like a well known, branded site (like ebay.com or citibank.com) with a slightly different or confusing URL. The attacker then tries to trick people into going to the spoofed site by sending out fake email messages or posting links in public places – hoping that some percentage of users won’t notice the incorrect URL and give away important information. This practice is sometimes known as “phishing”. SpoofStick makes it easier to spot a spoofed website by prominently displaying only the most relevant domain information.

Download SpoofStick

August 26, 2006 on 8:40 am | In Free Software | No Comments |


NoScript: very nice toolbar for Firefox

Extra protection for your Firefox: NoScript allows JavaScript, Java and other executable content only for trusted domains of your choice, e.g. your home-banking web site.
This whitelist based preemptive blocking approach prevents exploitation of security vulnerabilities (known and even unknown!) with no loss of functionality…
Experts do agree: Firefox is really safer with NoScript ;-)

Download NoScript now.

August 26, 2006 on 8:37 am | In Free Software | No Comments |


HostsMan 3.0 beta for Windows was released

HostsMan is a freeware application that lets you manage your Hosts file with ease.

You can use a HOSTS file to block ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and even most hijackers. This is accomplished by blocking the Server that supplies these little gems.

Continue reading HostsMan 3.0 beta for Windows was released…

August 23, 2006 on 6:28 am | In Free Software | No Comments |


SmartBrowser has a smart EULA

Spywareguide reported about a site enticing an end-user to install something they think they need, only to pull the rug out from under them and reveal that, in actual fact, it was this program over here that they needed all along! The site is a typical free movies / webcam website. It displays numerous videos for you to watch, with the words “live now” next to a play button. Pressing the button does not launch a video (as one would reasonably assume!), but actually opens up a download prompt.

The name of the executable continues the baiting strategy – “open for instant access“. At this stage, the end-user still reasonably believes running this software is essential to viewing the videos on the frontpage. However, when you install it, IE opens automatically and you see a page of Zango videos, where you have to install various pieces of Adware from Zango in order to acquire the License to watch the video. However, these are not the “videos” mentioned on the frontpage – in fact, they don’t seem to exist. And as far as “watching the videos on the frontpage” goes, installing Smart Browser serves no purpose whatsoever.

The SmartBrowser is controlled by smart-browser.com. In our studies it changes the default home page. It opens pop-up pornographic advertising. Examples included extremelybabes.com and extremelyamateurs.com, and redirects attempted access of other pornographic sites to these sites instead. (Caution: these sites may attempt to load premium-rate dialers.)

EULA Analysis demonstrates some notable and alarming security risks:

- “YOU AGREE THAT UPON ENTERING ANY SITES UNDER THE CATEGORY THAT FEETS OUR PUBLISHERS CATEGORIES ,AN ADVERISEMENT MATCHING THAT CATEGORY WOULD POP UP, AND”

- “YOU AGREE THAT YOUR COMPUTER WILL BE USED TO CONNECT TO OUR SERVER FOR ANY UPDATES OR ADDINS. AND”

- “YOU KNOW AND AGREE THAT YOUR COMPUTER WILL BE USED TO SEND EMAILS (PUBLISHMENT & FILES) TO YOUR FRIENDS (USING YOUR LOCAL USER DATABASE) AND TO OUR LISTS .AND YOU ASSURE US THAT YOU WON’T CONSIDER THAT A VIOLATIONS OF YOUR PRIVACY OR ANY OTHER RIGHT. AND”

- “YOU KNOW AND AGREE THAT YOUR COMPUTER WILL BE USED TO CONNECT TO CHATS IRC, YAHOO ,MSN ,ETC IN ORDER TO PUBLISH OUR PRODUCTS.”

What we have here is a clear example of Bait and Switch – luring you in with one offer, only to be denied the desired item, but presented with a “substitute” at the last moment. The difference here, is that the webmaster also gets to install Smart Browser onto the PC in the process – I suppose you could call it a two for the price of one deal or a “bonus”. Even if the end-user doesn’t choose to download any Zango videos, they’ll still be receiving pop-ups (and possibly premium rate dialers) via Smart Browser.

July 27, 2006 on 9:51 am | In Adware | No Comments |


Exploits for new Microsoft vulnerabilities available

Internet Storm Center reported about available exploit code for MS06-034, MS06-035, and MS06-036.
If you haven’t already patched for these vulnerabilities you should take immediate action.

MS06-034 – unchecked IIS buffer vulnerability in ASP files processing

This patch fixes what seems to be a buffer overflow in IIS. This buffer overflow can be exploited when IIS is processing ASP files.

In other words, in order to exploit this vulnerability, an attacker has to somehow be able to upload ASP files on the target server, which is running IIS (versions 5.0, 5.1 and 6.0 are affected). Normally, you would require a user to authenticate before they can upload files to the server, so the vulnerability is rated moderate/important.

In case that you do allow people to upload ASP files on your IIS server, it would be wise to apply the patch as soon as possible, although we don’t know about any public exploits yet.

MS06-035 (CVE-2006-1314)

The vulnerability can be exploited remotely against the “Server” service. So this would definitely be something that could be used for widespread compromise with no user interaction, or a worm.

Looks like Windows 2000 SP4 is vulnerable by default. Windows XP SP2 and Server 2003 don’t appear to be vulnerable with a default installation unless services are listening on Mailslots. At this point, it is unclear exactly what software would enable Mailslots to create a vulnerable condition.

MS06-036 – unchecked buffer Vulnerability in DHCP Client Service Could Allow Remote Code Execution (914388)

MS has said systems “Primarily” at risk are Microsoft Windows 2000, Windows XP and Windows Server 2003.

“How could an attacker exploit the vulnerability?
An attacker could exploit the vulnerability by answering a client’s DHCP request on the local subnet with malformed packets.”

“Could the vulnerability be exploited over the Internet?
An attacker could try to exploit this vulnerability over the Internet.”

“Are Windows 98, Windows 98 Second Edition or Windows Millennium Edition critically affected by this vulnerability?
No. Although Windows 98, Windows 98 Second Edition, and Windows Millennium Edition do contain the affected component, the vulnerability is not critical.”

July 24, 2006 on 7:01 pm | In Critical patch, Exploits & Vulnerabilities | No Comments |


How to protect against the PowerPoint 0-day vulnerability?

A few days ago a 0-day vulnerability was found in Microsoft PowerPoint.

An unspecified vulnerability in mso.dll, as used by Microsoft PowerPoint 2000 through 2003, allows remote user-complicit attackers to execute arbitrary commands via a crafted PPT file, which causes a “memory corruption error”, as exploited by Trojan.PPDropper.B.

To protect your PC, follow these instructions:

  • Don’t use an account with administrator rights to browse the Internet and check mail, or use DropRights to achieve the same (see How to drop rights for safe surfing).
  • Don’t open or save unknown attachments; click Cancel.
  • Don’t visit unknown sites.
  • Use PowerPoint Viewer 2003 to open and view files. PowerPoint Viewer 2003 does not contain the vulnerable code and is not susceptible to this attack. You can download PowerPoint Viewer 2003 for free.
  • If you can, apply strict filtering of PPT files (or at least quarantine them, so they can be scanned and reviewed later). Users should be extra careful when opening PowerPoint files until Microsoft releases a patch (or some workaround is available).
  • It is a good idea to turn on memory-based security mechanisms (Data Execution Prevention).

July 18, 2006 on 8:31 am | In Tips, Tutorials - HowTo | No Comments |


Wanna free anti-spyware? Get adware.

Adware comes in all forms, and this time, it’s under the false pretense of being Webroot’s Spysweeper 5. To be specific, there is a torrent for SpySweeper 5 that comes with a “keygen” to bypass registration, but when executed it is actually adware —a 180solutions installer. It immediately connects to the net and then installs the Aquarium screensaver.

The link is here: www(dot)torrentspy(dot)com/torrent/793200/Spy_Sweeper_5_Final

As a result, check twice before downloading anything from torrent, eDonkey and similar networks.

Thanks SunbeltBlog.

July 18, 2006 on 8:10 am | In Tips | No Comments |


Browsezilla – next internet generation – Web browser that contains malware

PandaLabs has discovered that Browsezilla, a free web browser available on several web pages, infects computers with the adware PicsPlace, without users’ knowledge. This adware, which activates whenever a user starts up the infected PC, opens a series of adult web pages, although they are not visible to the user. This tactic is aimed at artificially increasing visits to these pages.

Browsezilla is an application similar in appearance to the widely-used Mozilla browser, and also uses a dinosaur as a logo, no doubt to encourage users to trust the application. Ironically, the creators claim that Browsezilla offers safer Internet use than other browsers, as it supposedly does not store the history of pages visited or favorites lists. To encourage users to install it, the official page offers an Internet search service. However, the search always results in a page advising that it is necessary to download the browser in order to obtain the requested information.

Browsezilla is detected as adware due to the following reasons:

  • It is automatically downloaded to the computer when carrying out a search using it, without asking for user permission.
  • It installs itself without the user’s explicit permission and knowledge.
  • It does not display an EULA (End User License Agreement) during its installation.
  • One of its components automatically downloads and runs a file without asking for user permission.
  • It offers links to adult content without clearly asking for user consent.

Browsezilla can be voluntarily downloaded when visiting certain websites for adults, and from the website belonging to the company that has developed it.

Note: although a former version of Browsezilla downloaded a copy of the adware PicsPlace to the affected computer, a newer version has been released, which does not carry out this action.

July 12, 2006 on 4:59 pm | In Adware | No Comments |




My Anti Spyware - Free antispyware programs and Spyware Removal Instructions.