New Internet Explorer vulnerability
Secunia Research has discovered a vulnerability in Microsoft Internet Explorer, which can be exploited by malicious people to compromise a user’s system.
The vulnerability is caused by an error in the processing of the "createTextRange()" method call when it is applied to a radio button control. This can be exploited, e.g. by a malicious web site, to corrupt memory in a way that allows program flow to be redirected to the heap.
Successful exploitation allows execution of arbitrary code.
The vulnerability has been confirmed on a fully patched system with Internet Explorer 6.0 and Microsoft Windows XP SP2. The vulnerability has also been confirmed in Internet Explorer 7 Beta 2 Preview (January edition). Other versions may also be affected.
Until a patch is available, exploitation can be blocked by disabling Active Scripting support in Internet Explorer.
March 23, 2006 on 9:25 am | In Exploits & Vulnerabilities | No Comments |
Top 10 spyware threats discovered in the last 24 hours
Here are the top 10 spyware threats by Sunbelt Software:
01. DesktopScam
02. Hotbar - How to remove Hotbar
03. WhenU.SaveNow
04. Looking-For.Home Search Assistant
05. CmdService
06. BraveSentry - How to remove BraveSentry
07. 180search Assistant
08. iSearch.DesktopSearch
09. Vcodec - How to remove Vcodec
10. SpyFalcon - How to remove SpyFalcon
If you can't uninstall or remove this spyware, tell us about your problem.
March 22, 2006 on 7:16 am | In Spyware protection and removal | 2 Comments |
Coolwebsearch.info - new site from the Coolwebsearch family
Sunbelt reports a new CWS site, Coolwebsearch.info.
The site is an affiliate of Coolwebsearch.com that installs a toolbar which hijacks the home page without any EULA.
Run by our Best Friend Ever, Vadim Praha
Whois Data:
Fedorov Vadim Praha CZ hali @ volny.cz
Fedorov Vadim Praha CZ sp @ prague-sex.com
Fedorov Vadim Prtaha 5 CZ sovsem @ nevest.net
Fedorov Vadim Praha CZ radmin @ radmin.kirov.ru
And he’s got lots more sites under the IP 194.187.96.195, which you are welcome to put into your blocklists.
100pantyhose.com
adult-friends-finder.net
adultdvdlist.com
analmaids.com
beesearch.info
best-porn.biz
boyknights.com
coolsearcher.info
coolwebsearch.info
coolwebsearch.org
domainname4you.com
fukingmachines.info
girls-porn-life.com
hogtied.info
jonnylinks.com
machinesboys.com
meninpain.biz
mirotino.com
nevest.net
onlyfuck.com
pansion.cz
pantyhose-bangs.com
pavlovbooks.com
peniscontent.com
pereulok.net
planet-high-heels.com
porn-sex-free.biz
pornfree.info
pornosaity.com
pornpic.org
prague-porn.biz
prague-sex.com
rape-cool-video.com
salabon.com
sebastacz.com
sex-prague.com
shopknights.com
spviphost.com
ultimatesurrender.biz
waterbondage.biz
zaseyan.com
If you don't know how to block these sites, see this how-to: How to use the HOSTS file to block sites
If you can't remove the CWS hijacker or toolbar, see: How to remove CWS Hijacker
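As an added example (not part of the post or of Sunbelt's material), the script below turns the domain list above into HOSTS-file lines. The raw list embedded in it is the list as it was pasted above, repeats and mixed case included; the script lower-cases, validates and de-duplicates the names, and adds the www. form of each one because the HOSTS file matches whole names only and has no wildcards. The 0.0.0.0 sinkhole address is a choice of this example rather than of the linked how-to, which uses the classic 127.0.0.1; both work.

```python
"""Turn a pasted domain blocklist into HOSTS-file entries.

Added example: the input string below is the CWS affiliate list from the
post, pasted as-is (two columns flattened, mixed case, repeated names).
Names are lower-cased, checked against hostname syntax and de-duplicated
before anything is emitted, and each bare domain also gets its www. form,
because the HOSTS file matches whole names only, never wildcards.
"""
import re
from typing import List

CWS_DOMAINS_RAW = """
Mirotino.com Domainname4you.com Shopknights.com Fukingmachines.info
Adult-friends-finder.net Girls-porn-life.com nevest.net Hogtied.info
Best-porn.biz Machinesboys.com Analmaids.com Meninpain.biz
Boyknights.com Mirotino.com Ultimatesurrender.biz pansion.cz
Mirotino.com Pereulok.net coolsearcher.info Pornfree.info
Coolwebsearch.info Pornosaity.com coolwebsearch.org Pornpic.org
Domainname4you.com Porn-sex-free.biz Fukingmachines.info Prague-porn.biz
Girls-porn-life.com prague-sex.com Hogtied.info rape-cool-video.com
Machinesboys.com Salabon.com Meninpain.biz Sebastacz.com
Onlyfuck.com Sex-prague.com pansion.cz Shopknights.com
Pavlovbooks.com Spviphost.com Peniscontent.com Ultimatesurrender.biz
Pereulok.net Waterbondage.biz Pornfree.info Zaseyan.com
Pornosaity.com Adultdvdlist.com Pornpic.org Analmaids.com
Prague-porn.biz Boyknights.com prague-sex.com nevest.net
rape-cool-video.com Onlyfuck.com Sebastacz.com Zaseyan.com
Waterbondage.biz Adult-friends-finder.net Zaseyan.com 100pantyhose.com
100pantyhose.com Pavlovbooks.com Best-porn.biz jonnylinks.com
coolsearcher.info beesearch.info Coolwebsearch.info Pantyhose-bangs.com
coolwebsearch.org planet-high-heels.com
"""

# One hostname label per RFC 1123: letters, digits and hyphens, 1-63 chars,
# no leading or trailing hyphen. The whole name must end in an alphabetic TLD.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
HOSTNAME_RE = re.compile(r"^(?:" + _LABEL + r"\.)+[a-z]{2,}$")


def normalize_domains(raw: str) -> List[str]:
    """Lower-case, validate and de-duplicate the pasted names; sorted output.

    Anything that is not a syntactically valid hostname is dropped rather than
    written out, since a malformed HOSTS line is at best silently ignored.
    """
    seen = set()
    for token in raw.split():
        name = token.lower().rstrip(".")
        if HOSTNAME_RE.match(name):
            seen.add(name)
    return sorted(seen)


def hosts_entries(domains, sink: str = "0.0.0.0", add_www: bool = True) -> List[str]:
    """One HOSTS line per name, plus its www. form unless it already has one.

    HOSTS matches complete names only, so an entry for coolwebsearch.info does
    not cover www.coolwebsearch.info. 0.0.0.0 is used instead of the classic
    127.0.0.1 so blocked requests are not handed to a local web server.
    """
    lines = []
    for name in domains:
        lines.append(f"{sink} {name}")
        if add_www and not name.startswith("www."):
            lines.append(f"{sink} www.{name}")
    return lines


if __name__ == "__main__":
    names = normalize_domains(CWS_DOMAINS_RAW)
    print(f"# CWS affiliate block list: {len(names)} unique domains")
    print("\n".join(hosts_entries(names)))
```

The pasted list collapses to 41 unique names, so the output is 82 lines. Append them to %SystemRoot%\System32\drivers\etc\hosts (the file is read on every lookup, no reboot needed); a HOSTS entry only stops name resolution, so a site that is also reachable by raw IP, like the 194.187.96.195 host above, still needs a firewall rule.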
March 21, 2006 on 10:33 am | In Browser Hijacking | No Comments |
New unpatched vulnerability in Internet Explorer (mshtml.dll) found
There is a new and unpatched vulnerability, with exploit code in the wild, that affects the latest version of IE. The exploit works by including an abnormally large number (a couple of thousand) of script action handlers inside a single HTML tag.
This vulnerability can be triggered by specifying more than a couple thousand script action handlers (such as onLoad, onMouseMove, etc.) for any single HTML tag. Due to a programming error, MSIE will then attempt to write to a memory array out of bounds, at an offset corresponding to the ID of the script action handler multiplied by 4 (due to 32-bit address clipping, the result is a small positive integer).
The list of IDs can be found on the Web, and is as follows (values in parentheses = resulting offsets):
onhelp = 0x8001177d (+0x45df4)
onclick = 0x80011778 (+0x45de0)
ondblclick = 0x80011779 (+0x45de4)
onkeyup = 0x80011776 (+0x45dd8)
onkeydown = 0x80011775 (+0x45dd4)
onkeypress = 0x80011777 (+0x45ddc)
onmouseup = 0x80011773 (+0x45dcc)
onmousedown = 0x80011772 (+0x45dc8)
onmousemove = 0x80011774 (+0x45dd0)
onmouseout = 0x80011771 (+0x45dc4)
onmouseover = 0x80011770 (+0x45dc0)
onreadystatechange = 0x80011789 (+0x45e24)
onafterupdate = 0x80011786 (+0x45e18)
onrowexit = 0x80011782 (+0x45e08)
onrowenter = 0x80011783 (+0x45e0c)
ondragstart = 0x80011793 (+0x45e4c)
onselectstart = 0x80011795 (+0x45e54)
This causes an out-of-bounds write to a memory array in Microsoft Internet Explorer (mshtml.dll) and, as a result, an immediate or eventual browser crash. Both McAfee and Symantec have released signatures to detect this exploit. While this is only a DoS vulnerability at the moment, there are ongoing attempts to use it as a vector for remote code execution.
Tested on MSIE 6.0.2900.2180.xpsp2.040806-1825 on Windows XP SP2. As far as I can tell, other browser makes (Firefox, Opera) are not susceptible to this attack.
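As an added check (not part of the advisory or of this post), the script below recomputes every offset in the table above from its handler ID using the 32-bit clipping the advisory describes, and reports whether the figures agree. It also shows what the product is without the clipping, which the advisory only states in words: the IDs are of the form 0x800117xx, so ID * 4 is a 34-bit value, and keeping the low 32 bits is what turns it into a small positive offset.

```python
"""Check the 'handler ID * 4, clipped to 32 bits' arithmetic in the advisory.

Added example. The IDs and quoted offsets are copied from the list above;
clipped_offset() reproduces the computation the advisory describes so the
table can be checked rather than taken on faith.
"""

# (handler name, ID, offset quoted in the advisory)
HANDLERS = [
    ("onhelp", 0x8001177D, 0x45DF4),
    ("onclick", 0x80011778, 0x45DE0),
    ("ondblclick", 0x80011779, 0x45DE4),
    ("onkeyup", 0x80011776, 0x45DD8),
    ("onkeydown", 0x80011775, 0x45DD4),
    ("onkeypress", 0x80011777, 0x45DDC),
    ("onmouseup", 0x80011773, 0x45DCC),
    ("onmousedown", 0x80011772, 0x45DC8),
    ("onmousemove", 0x80011774, 0x45DD0),
    ("onmouseout", 0x80011771, 0x45DC4),
    ("onmouseover", 0x80011770, 0x45DC0),
    ("onreadystatechange", 0x80011789, 0x45E24),
    ("onafterupdate", 0x80011786, 0x45E18),
    ("onrowexit", 0x80011782, 0x45E08),
    ("onrowenter", 0x80011783, 0x45E0C),
    ("ondragstart", 0x80011793, 0x45E4C),
    ("onselectstart", 0x80011795, 0x45E54),
]


def clipped_offset(handler_id: int, bits: int = 32) -> int:
    """Offset of the out-of-bounds write: ID * 4, keeping only `bits` bits.

    Each ID is 0x800117xx, so ID * 4 is a 34-bit value (0x2_0004_5dxx).
    A 32-bit pointer computation drops the top two bits, leaving 0x0004_5dxx:
    a small positive offset past the array, not a huge or negative one.
    """
    return (handler_id * 4) & ((1 << bits) - 1)


def offset_table() -> dict:
    """Name -> computed offset for every handler in the advisory's list."""
    return {name: clipped_offset(hid) for name, hid, _ in HANDLERS}


def mismatches() -> list:
    """Handlers whose computed offset differs from the figure quoted above."""
    return [name for name, hid, quoted in HANDLERS if clipped_offset(hid) != quoted]


def offset_span() -> tuple:
    """Lowest and highest offset: the window the write can land in."""
    offsets = offset_table().values()
    return min(offsets), max(offsets)


if __name__ == "__main__":
    for name, hid, quoted in HANDLERS:
        print(f"{name:<20} {hid:#010x} -> +{clipped_offset(hid):#07x}"
              f" (advisory: +{quoted:#07x}, unclipped: {clipped_offset(hid, 64):#x})")
    lo, hi = offset_span()
    print(f"write lands between +{lo:#x} and +{hi:#x}; mismatches: {mismatches()}")
```

All 17 figures agree, and the reachable offsets sit in a window of only 0x94 bytes (+0x45dc0 to +0x45e54), which is consistent with the advisory's view that the bug is a crash rather than a controllable write: the attacker picks which handler, and therefore which of these few slots, but not an arbitrary address.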
Thanks to SecurityFocus
March 17, 2006 on 11:57 pm | In Exploits & Vulnerabilities | No Comments |
Multiple vulnerabilities have been identified in various Macromedia products
Multiple vulnerabilities have been identified in various Macromedia products, which could be exploited by remote attackers to execute arbitrary commands. These flaws are due to unspecified errors when processing specially crafted SWF files.
Affected Products
Flash Player versions 8.0.22.0 and prior
Breeze Meeting Add-In Version 5.1 and prior
Shockwave Player version 10.1.0.11 and prior
Flash Debug Player version 7.0.14.0 and prior
Update your Macromedia programs now
March 15, 2006 on 9:51 am | In Exploits & Vulnerabilities | No Comments |
How to remove BraveSentry
BraveSentry is a rogue anti-spyware program that issues fake warnings on your computer in order to manipulate you into buying its full commercial version.
You may want to print out or make a copy of these instructions before starting, because you will not be able to connect to the internet during most of this fix.
Go to Start > Control Panel > Add or Remove Programs and remove the following program, if found: BraveSentry.
Download smitRem and save the file to your desktop.
Double click on the file to extract it to its own folder on the desktop.
Download HijackThis and save the file to your desktop.
Double click on the file to extract it to its own folder on the desktop.
Next, download, install, and update the free version of the Ewido security suite:
1. When installing, under “Additional Options” uncheck “Install background guard” and “Install scan via context menu”.
2. Run Ewido.
3. From the main ewido screen, click on update in the left menu, then click the Start update button.
4. Wait for the update to finish (the status bar at the bottom will display "Update successful").
5. Exit Ewido. DO NOT scan yet.
If you do not already have Ad-Aware SE installed, follow these download and setup instructions. Also check for updates.
Reboot your computer in Safe Mode by doing the following:
1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the first option, to run Windows in Safe Mode.
Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.
The tool will create a log named smitfiles.txt in the root of your system drive, e.g. Local Disk C:, the partition that holds your WINDOWS folder.
Now you need to run HijackThis and click “Do a system scan only.” Place a check next to the following entries (if they are still there):
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels8.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
Now close all browser and other windows except for HijackThis, and click “Fix Checked” to have HijackThis fix the entries you checked.
Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen. Your desktop and icons will disappear and then reappear again — this is normal.
Wait for the tool to complete and Disk Cleanup to finish — this may take a while; please be patient.
Next, run Ad-aware and perform a full scan. Remove everything found.
Using Windows Explorer, locate and delete the following folder:
C:\Program Files\Bravesentry
Next go to Start -> Control Panel, click Display -> Desktop -> Customize Desktop -> Web and uncheck "Security Info" if present (it may appear under a different name).
Finally, restart your computer.
Post to the Spyware Removal Forum if any problems persist.
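The HijackThis step above asks you to find three O4 entries by eye. As an added example (not part of this guide and not a HijackThis feature), the script below parses O4 lines from a HijackThis log and flags exactly those three autoruns, matching on the value name and the executable's base name rather than the full path so a different drive letter or casing still produces a hit. The log lines it scans are constructed for the example.

```python
"""Flag the BraveSentry autorun entries from the guide in a HijackThis log.

Added example, not part of the guide or of HijackThis. HijackThis writes a
Run-key autostart as
    O4 - <HIVE>\\..\\<Run key>: [<value name>] <command line>
The parser below pulls those pieces out of each O4 line and matches the
value name and executable (not the full path) against the three entries the
guide says to fix. Log lines are constructed for this example.
"""
import ntpath
import re
from typing import List, Optional, Tuple

O4_RE = re.compile(
    r"^O4 - (?P<hive>HK(?:LM|CU))\\\.\.\\(?P<key>Run\w*): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)

# (value name, executable) pairs from the HijackThis step above, lower-cased.
BRAVESENTRY_AUTORUNS = {
    ("kernelfaultcheck", "dumprep"),
    ("system", "kernels8.exe"),
    ("windows update loader", "xpupdate.exe"),
}

# Constructed sample log: the three entries from the guide plus lines that
# must not be flagged (a stock ctfmon autorun and a non-O4 line).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels8.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
"""


def exe_name(cmd: str) -> str:
    """Base name of the program in a Run-key command line, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        program = cmd[1:end] if end > 0 else cmd[1:]
    else:
        parts = cmd.split()
        program = parts[0] if parts else ""
    return ntpath.basename(program).lower()


def parse_o4(line: str) -> Optional[dict]:
    """Split an O4 line into hive, key, value name, command and exe; None if not O4."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["exe"] = exe_name(entry["cmd"])
    return entry


def find_bravesentry(log_text: str) -> List[Tuple[str, str, str]]:
    """(hive, value name, exe) for every autorun matching the guide's list."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_o4(line)
        if entry and (entry["name"].lower(), entry["exe"]) in BRAVESENTRY_AUTORUNS:
            hits.append((entry["hive"], entry["name"], entry["exe"]))
    return hits


if __name__ == "__main__":
    for hive, name, exe in find_bravesentry(SAMPLE_LOG):
        print(f"fix: {hive} Run [{name}] -> {exe}")
```

One caveat worth knowing before you tick boxes: the KernelFaultCheck/dumprep entry is a stock Windows XP error-reporting autorun that also appears on clean machines after a crash, so a hit on it alone is weaker evidence than kernels8.exe or xpupdate.exe, neither of which belongs to Windows.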
March 14, 2006 on 7:05 am | In Tutorials - HowTo | No Comments |
Fake Windows Sites + WMF Exploit + Keylogger = New Botnet
Adam Piggott of Proactive Computing received a message purporting to come from Microsoft. The email had a link to a supposed Windows update site, but in fact the link went to a site running the WMF exploit. On an unpatched Windows computer the exploit hits immediately. Social engineering is also at work, urging users to click a link at the site to get Windows updates. Either way, unpatched, or patched and clicking the link, the user gets hit with a trojan downloader; in this case the trojan file name is wusetup.exe.
The trojan downloader pulls more malware that turns the infected machine into a proxy server and makes it part of a botnet hosted on Russian servers. The trojan also downloads a keylogger, winldra.exe, also known as W32/Dumaru and Srv.SSA-KeyLogger. This keylogger writes the information stolen from infected machines to a log on a remote server.
For more details on this exploit and botnet, see the SunbeltBLOG post, which includes screenshots of the fake Windows update site and of the live botnet on the Russian server. Note: the trojan downloader file wusetup.exe is currently detected by less than half of the antivirus scanners at VirusTotal.
March 13, 2006 on 9:46 am | In Exploits & Vulnerabilities, Identity Theft, Worms | No Comments |
Trojan Horse keylogger steals end-user information for popular online games
Websense® Security Labs™ has received reports of a malicious website, which is hosting a Trojan Horse keylogger. This keylogger is designed to steal end-user information for popular online games. The malicious code’s filename is main_n80.scr and was discovered on a site, which appears to be a fraudulent version of the Nokia Taiwan website.
The site uses a cousin domain name and simply has an image screenshot of the real Nokia Taiwan website. It is hosted in Hong Kong and appears to have been registered with fraudulent information.
The main_80.scr file is a self-extracting (SFX) executable that contains four files:
* download.exe
* winlogin.exe
* server.exe
* error.jpg
When the main_80.scr file is executed, it uses download.exe to copy the extracted files to the system32 directory and runs its own copy of rundll32.exe. That rundll32.exe displays error.jpg; once the user closes the image, it executes the remaining extracted .exe files.
These executables modify the registry so that they are started again on reboot, and check for the presence of the online game Lineage.
Files modified or created in the system32 directory:
* Kerne0110.exe is a copy of winlogin.exe
* Rundll32.exe is a copy of download.exe
* gg.bat is created
* _2dll.dll is created
* microsoftie0110.dll is created
* msabc.dll is created
* pKerme123.dll is created
* RegistryInfo.dll is created
LdPinch again spammed via ICQ
Over the weekend, Kaspersky Lab intercepted Trojan-PSW.Win32.LdPinch.ahe - the latest variant of LdPinch.
This malicious program sends itself to everyone on the victim’s ICQ contact list. It sends a Russian message which says:
[translation] How to trick WebMoney!
To find out how, read the Help instructions!
The message includes a link to the malicious program file, which is called Help.chm.
March 13, 2006 on 9:13 am | In Identity Theft, Virus | No Comments |
BraveSentry - new rogue anti spyware
In the last few months we have reported on SpyAxe, SpywareStrike, PestTrap, AlfaCleaner, SpyFalcon …
Now Sunbelt has found a new one: BraveSentry.
Below is a screenshot of an infestation from Game4all(dot)biz that installed both BraveSentry and AlfaCleaner:
For more screenshots go here.
If your desktop has been hijacked by BraveSentry you will see this message:
Your computer is danger!
Windows Security Center has detected spyware/adware infection!
It is strongly recomended to use special antispyware tools to prevent data loss
Whois info for your blocklist (How to use the HOSTS file to block rogue sites):
bravesentry.com
Ocean Industries Daniel Ocean
Amsterdam NL
Email: ceo @ bravesentry.com
Other site on the same IP:
anosurfer.com
Pietro Miezani Privaweria Ltd
Gua EC
anosurfer @ anosurfer.com
Thanks to Sunbelt researchers Patrick Jordan and Adam Thomas.
If you can't uninstall or remove it, tell us about your problem.
Read some info about How to remove BraveSentry
March 9, 2006 on 10:05 am | In Rogue Anti Spyware | No Comments |
Exchange rate conversion tool loads Trojan.Downloader and Trojan.Muldrop
If you search for a "currency" or "exchange rate" conversion tool with one of the more popular search engines, you may find a link or site like this one.
The site presents the user with a lovely, extensive and complete list of currencies and exchange rates to convert from and to. All for free. The only catch: the user gets the "result" of the calculation as … an EXE download.
The download contains what some of the AV vendors refer to as Dropped:Trojan.Downloader and Trojan.Muldrop. If you are using any sort of URL filter, web-url.de and wechselkursrechner.de should maybe be part of your filter list if exe downloads make it past your perimeter otherwise.
Thanks to the SANS diary.
March 8, 2006 on 8:00 am | In Trojan | No Comments |
Running as Limited User - The Easy Way to keep a system free from malware
Malware has grown to epidemic proportions in the last few years. Despite applying layered security principles, including running antivirus, antispyware, and a firewall, even a careful user can fall victim to malware. Malware-infected downloads, drive-by exploits of Internet Explorer (IE) vulnerabilities, and a careless click on an Outlook attachment sent by a friend can render a system unusable and lead to several hours with the Windows setup CD and application installers.
One of the most effective ways to keep a system free from malware and to avoid reinstalls even if malware happens to sneak by, is to run as a limited user (a member of the Windows Users group). The vast majority of Windows users run as members of the Administrators group simply because so many operations, such as installing software and printers, changing power settings, and changing the time zone require administrator rights. Further, many applications fail when run in a limited-user account because they're poorly written and expect to have write access to directories such as \Program Files and \Windows or registry keys under HKLM\Software.
An alternative to running as limited user is to instead run only specific Internet-facing applications as a limited user that are at greater risk of compromise, such as IE and Outlook. Microsoft promises this capability in Windows Vista with Protected-Mode IE and User Account Control (UAC), but you can achieve a form of this today on Windows 2000 and higher with the new limited user execution features of Process Explorer and PsExec.
Read more here.
March 6, 2006 on 9:08 pm | In Spyware protection and removal | 1 Comment |
Nyxem/Kama Sutra/Blackworm return again
Today is the third day of the month, and “this destructive virus will delete files from a number of popular programs on February 3rd, and on the 3rd day of the month thereafter”.
More info about Nyxem/Kama Sutra/Blackworm
How to remove Nyxem/Kama Sutra/Blackworm
How to recover lost files (due to W32.Blackmal.E@mm - BlackWorm virus or other reasons)
Announcing the Launch of SiteAdvisor’s Public Trial Version
Today SiteAdvisor officially launched a trial version of their software.
SiteAdvisor is a browser addon for Firefox or Internet Explorer that tries to interpret the relative safety of clicking on Web search results. With SiteAdvisor installed, each listing is accompanied by a small color coded icon that indicates whether the software developers have received any reports of scammy, spammy or outright malicious activity emanating from the site.
They've come a long way since SiteAdvisor was established nearly one year ago. Their bots have analyzed Web sites representing 95% of Web traffic, downloaded and tested more than 475,000 pieces of software, and provided unique e-mail addresses on more than 1,300,000 registration forms. The SiteAdvisor Web site, which also launched today, adds a new look and many new features, including a robust user review system and a new support section.
The crucial work carried out by our dedicated 7,000 Preview Version testers over the last 3 months was instrumental in helping us improve our software and our Web site. Their feedback, suggestions, and constant input helped us tweak features, clarify messages, and put a lot of new ideas in the development pipeline. Thanks to the enthusiasm of our early users, SiteAdvisor’s software was downloaded more than 150,000 times while in its preview phase.
Link here.
March 2, 2006 on 10:08 am | In Spyware protection and removal | No Comments |
Ultimate Defender - Rogue/Suspect Anti-Spyware
Spyware Warrior reports a new rogue anti-spyware product, Ultimate Defender:
Uses a flawed, inadequate detection scheme.
Same app as 1stAntiVirus, KillSpy, SpyDeface, SpyContra, & XSRemover
Downloadable from udefender.com.
March 2, 2006 on 9:37 am | In Rogue Anti Spyware | No Comments |
How to remove HotBar
Hotbar Web Tools is a collection of browser and system enhancements. The primary application is the Hotbar toolbar, which is a "skinnable" browser toolbar for Internet Explorer.
When a user installs the Hotbar toolbar, other utilities are also installed including AccuWeather, a local weather program; WOWPapers, a desktop wallpaper utility; Outlook Tools, a collection of enhancements for Microsoft Outlook and Outlook Express email programs and ShopperReports, an Internet Explorer advertising program that pops out a sidesearch bar with competitive offers.
The Hotbar Web Tools package installs software that displays at least three types of advertising: contextual pop-up advertising on the desktop based on the user's web browsing, toolbar advertising and sidesearch bar advertising.
The Hotbar software may be installed from the vendor's web site by a traditional download process or by an ActiveX process, sometimes found in confusing circumstances such as banner ads and pop-ups at third-party web sites, including some kids' sites.
Problems with Hotbar:
- reconfiguration of the user's browser home page, search settings, or other user-selectable browser preferences.
- collection and transmission of data regarding the user's internet connection, viewing, and communication habits.
- difficulty in uninstallation due to badgering or tricking the user into not uninstalling the software.
Go to Start > Control Panel > Add or Remove Programs and remove Hotbar.
After removing the program through the Add/Remove section, you’ll want to run Regedit and remove the following keys in the registry.
HKEY_CURRENT_USER\Software\Hotbar
HKEY_LOCAL_MACHINE\Software\Hotbar
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\{B195B3B3-8A05-11D3-97A4-0004ACA6948E}
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform\Hotbar 3.0
Also delete the 'Hotbar 3.0' string value from
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent
March 2, 2006 on 6:54 am | In Tutorials - HowTo | 1 Comment |
Trojan Redbrowser.A steals money
Redbrowser.A is a J2ME-based Java MIDlet that sends SMS messages to a specific number.
Redbrowser pretends to be a WAP browser that offers free WAP browsing, using free SMS messages to send the WAP page contents. What Redbrowser actually does is send SMS messages to one specific number, which may cause financial losses to the user.
Redbrowser's claim to send free SMS messages as part of its normal operation is there to fool the user into granting the application permission to use the Java SMS capabilities, on phones that require the user's permission before an application can send SMS messages. This claim of a free service is a form of social engineering.
The social engineering texts used in Redbrowser.A are in Russian, which limits the trojan to Russian-speaking countries.
February 28, 2006 on 10:07 am | In Trojan | No Comments |
Crossover PC/Windows Mobile virus found
The Mobile Antivirus Researchers Association claims to have detected the first worm that can jump from a PC to a Windows Mobile-powered wireless device.
The ‘Crossover’ worm nests itself in a directory on a Windows PC where it will automatically activate once the user connects a Windows Mobile device using Microsoft ActiveSync.
The digital pest was sent to the association anonymously and is a proof-of-concept designed to show off its features but not cause any actual harm.
“This is proof-of-concept code for educational purposes only. This virus closes the gap between handhelds and desktops. Now it’s one big world open to all,” the worm creators said in a note attached to the virus.
Read more here.
February 28, 2006 on 10:00 am | In Virus | No Comments |
SpyBot 2006-02-24 Update Available
Hijacker
+ CoolWWWSearch.Feat2Installer + CoolWWWSearch.Service + CoolWWWSearch.Feat2DLL + CoolWWWSearch + MaxSearch ++ Hyperlinker ++ SecureServicePack.BadBHO
Malware
++ ADWareBazooka ++ HitVirus + Command Service ++ Smitfraud-C. (2) + Mailbot ++ SpyFalcon + MagicControl.Agent ++ Win32.Agent.acf ++ Win32.Agent.acr
PUPS
++ SpyiBlock
Spyware
+ Targetsaver ++ NiceSpy
Trojan
+ PestTrap ++ Teslaplus.com
Read more and download Free Anti Spyware - SpyBot.
February 24, 2006 on 9:55 am | In Updates | 2 Comments |
New worm with file-encrypting function found
Yesterday Kaspersky Lab came across a worm with a German (speaking) background, Email-Worm.Win32.Skowor.b.
Unlike programs such as GPCode, Skowor is able to replicate; it tries to spread via a share that it creates.
When installed, the worm displays a message telling the user that s/he has 5 PC reboots in which to obtain a password that can be used to uninstall the worm. If the user does not do this, the worm encrypts a number of important files and changes the Administrator and current user passwords.
The worm also changes the IE start page to the author’s website.
Link here.
February 24, 2006 on 9:30 am | In Worms | No Comments |
MY ANTI SPYWARE Powered by WordPress with Pool theme design by Borja Fernandez.