May 31, 2007

Firefox 2.0.0.4 Released on 5/30/2007 - Security and Compatibility Upgrade

Mozilla.org has released a security and compatibility upgrade of the popular Firefox browser, version 2.0.0.4, on May 30, 2007.

While this edition features fixes for several critical security vulnerabilities, it also contains compatibility fixes to make it work better under Windows Vista. Details are below.

Security Vulnerabilities Fixed in Firefox 2.0.0.4
MFSA 2007-17 XUL Popup Spoofing
MFSA 2007-16 XSS using addEventListener
MFSA 2007-14 Path Abuse in Cookies
MFSA 2007-13 Persistent Autocomplete Denial of Service
MFSA 2007-12 Crashes with evidence of memory corruption (rv:1.8.0.12/1.8.1.4)

Windows Vista Issues

* Clicking links in some applications (e.g. some instant messaging programs) might not open them in Firefox, even if you have set it as your default browser. To work around this problem, go to Start -> Default Programs -> Set default programs for this computer, expand custom, select the radio button next to the app you want to set as the system-wide default app (e.g. Firefox, etc.), and apply.
* A Windows Media Player (WMP) plugin is not provided with Windows Vista. As a workaround, in order to view Windows Media content, you can follow these instructions. Note that after installing you may have to get a security update and apply it before you can see the content in the browser.
* Vista Parental Controls are not completely honored. In particular, file downloads do not honor Vista's parental control settings. This will be addressed in an upcoming Firefox release.
* When migrating from Internet Explorer 7 to Firefox, cookies and saved form history are not imported.

Downloading Firefox 2
Mozilla provides Firefox 2 for Windows, Linux, and Mac OS X in a variety of languages. You can get the latest version of Firefox 2 here.

Installing Firefox 2
Please note that installing Firefox 2 will overwrite your existing installation of Firefox. You won't lose any of your bookmarks or browsing history, but some of your extensions and other add-ons might not work until updates for them are made available.

Some firewall software may silently block Firefox from running. Other software firewalls, like ZoneAlarm, will pop up a Program (changed) Alert that you must interact with (twice) to allow the updated Firefox browser to connect to the Internet. This often happens immediately after Firefox has been installed or updated from a previous version. There are configuration instructions available for most popular firewall programs to help you ensure that Firefox is allowed to connect to the Internet. In the case of ZoneAlarm, you know you just updated Firefox, so Allow it to connect to the Internet AND check the box to remember your decision. Firefox contains a component that automatically checks for updates while you are online and you may have to allow that (changed) component to connect after updating the browser.

The release notes and caveats about this version of Firefox are found here.

Removing Firefox 2
You can remove Firefox 2 through the Control Panel in the Start Menu on Windows, by removing the Firefox application on OS X, or by removing the firefox folder on Linux.

Removing Firefox 2 won't remove your bookmarks, web browsing history, extensions or other add-ons. This data is stored in your Firefox Profile folder.

Your personal bookmarks, history, extensions, preferences and cookies are stored in your Firefox Profile, located in the following places for various operating systems:

Windows Vista: Users\\AppData\Roaming\Mozilla\Firefox
Windows 2000, XP: Documents and Settings\\Application Data\Mozilla\Firefox
Windows NT: WINNT\Profiles\\Application Data\Mozilla\Firefox
Windows 98, ME: Windows\Application Data\Mozilla\Firefox
Mac OS X: ~/Library/Application Support/Firefox
Linux and Unix systems: ~/.mozilla/firefox

Spybot S&D Definitions Updated on May 30, 2007

World renowned anti-spyware program - Spybot Search and Destroy - was updated with new spyware definition files. If you use this program be sure to run manual updates as soon as possible.

If you see a program listed in these detections by name you should assume that it is malware. All of the programs listed with a + sign are additions, or updated detections, and are dangerous to your computer, and/or personal security. Update your Spybot Search and Destroy definitions, then scan for and fix any malware that is detected.

After updating your Spybot S&D definitions, if they include new Immunization definitions you need to click on the Immunize button, then, if the status line tells you that additional immunizations are possible, click on the Immunize link, near the top of the program. It has a green + sign in version 1.4. If you don't do this the new immunizations against hostile ActiveX programs will not be applied.

Updates - now published every Wednesday

2007-05-30

Keylogger
+ Ardamax
+ Perfect Keylogger
+ Tims-Keylogger
+ VisualShock.Keyloger

Malware
+ Flash.Auto.CN
+ Neospace-Internet-Security
+ SpyLocked
+ SpyLocked.FakeAlert
+ Spyware-Secure

Trojan
+ Adclicker
+ Crypt.PCMM
+ DLoader.CQTU
+ Fake.Gmer
+ IEReport
+ LdPinch.JVR
+ MExplorer
+ Nurech (4)
+ Smitfraud-C.Toolbar888
+ Torpig.gb
+ WarezP2P
+ Win32.Agent.amr
+ Win32.Agent.ady
+ Win32.Agent.qt
+ Win32.Iroffer.b
+ Win32.Ranky.gn
+ Zlob.DNSChanger
+ Zlob.VideoActiveXObject
+ Zlob.VideoAXObject

Total: 392640 fingerprints in 70184 rules for 2997 products.

Spybot Search & Destroy is now compatible with Windows Vista, but needs administrator rights to perform its security functions.

See links to and more information about using Spybot Search and Destroy in my extended comments.

English Language Company Links:
Spybot Search and Destroy English Home Page
Spybot Search and Destroy (Multi-Lingual Landing Page. Choose your language).
Spybot Search and Destroy Download page - Program and definition updates. You can download the latest version of Spybot S&D plus definition and tool updates here for inclusion later on.
Full tutorial about using and setting up Spybot Search and Destroy
Spybot Search and Destroy Update History

See all security program update notices in this category

A consequence of acquiring many of the parasites, keyloggers, hijackers and downloaders is that their files and startup settings are usually saved to your System Restore hidden folder, from whence they are automatically restored upon rebooting the computer. To completely remove these threats, and others, you should disable System Restore, then reboot, then clean all threats, then re-start System Restore, setting a new Restore Point, with a clean machine. Many people overlook this and are constantly reinfected after removing threats. There are few, if any security programs that can clean or remove infected files that are backed up in your protected System Restore directory.

To disable System Restore, go to My Computer and right-click on its icon. From the flyout options select Properties. From the "System Properties" select the "System Restore" tab. There you will find a checkbox labeled "Turn off System Restore." Check it, then click Apply and wait while the System Restore files are deleted (takes some time). After the deletions are finished, click OK to close the Properties box, then reboot.

When you have thoroughly removed all infections follow the same procedure as above, unchecking the box that turned off System Restore.

For those of you who have not yet used Spybot Search and Destroy, if you were wondering if it "plays nice" with other anti spyware programs, it most certainly does! I have used Spybot S&D since its inception, along with various other free and commercial security programs, and it has never caused any problems on my, or my customers' computers.

Spybot Search and Destroy has a Malware Removal Forum where trained volunteers can help you with spyware removal problems.

May 25, 2007

Dotster New Domain Registrations at Half Price, May 26 - 28, 2007

Attention website owners!

If you have been thinking about registering a few new domain names, but were waiting until the price was "right," your moment has just arrived! Dotster Domain Registrars just announced a half price sale on new domain registrations, this coming Memorial Day Weekend, from May 26 through 28, 2007. Domains regularly priced at $14.95 will only cost you $7.48 per year, using my coupon code below.

Note that this only applies to brand new domain names, not renewals or transfers.

Particulars

Dates - May 26th, 27th, 28th

Discounted Extensions - .com, .net, .org, .biz, .us

Coupon Code: MDAY50

Bonus coupon code offer

Dotster also provides all manner of web hosting packages, from low cost shared hosting to VPS semi-dedicated, at very reasonable prices.

5 Free Domains with Any Dotster Web Hosting Package! Enter Coupon Code "5FORFREE"

May 23, 2007

Spybot S&D Definitions Updated on May 23, 2007

World renowned anti-spyware program - Spybot Search and Destroy - was updated with new spyware definition files. If you use this program be sure to run manual updates as soon as possible.

If you see a program listed in these detections by name you should assume that it is malware. All of the programs listed with a + sign are additions, or updated detections, and are dangerous to your computer, and/or personal security. Update your Spybot Search and Destroy definitions, then scan for and fix any malware that is detected.

After updating your Spybot S&D definitions, if they include new Immunization definitions you need to click on the Immunize button, then, if the status line tells you that additional immunizations are possible, click on the Immunize link, near the top of the program. It has a green + sign in version 1.4. If you don't do this the new immunizations against hostile ActiveX programs will not be applied.

Updates - now published every Wednesday

2007-05-23

Adware
+ MaxFiles

Hijacker
+ Naupoint
+ ISearchTech.PowerScan

Keylogger
+ Ardamax
+ Perfect Keylogger

Malware
+ ExpertAntivirus
+ Free-Key-Logger
+ MalwareBOT
+ Smitfraud-C.
+ SpyVampire

Security
+ Microsoft.Windows.DisableCMD

Trojan
+ AdobeR.PassGenerator
+ Agobot.Backdoor
+ BioNet
+ BladeRunner
+ CWS.Svhost
+ FakeMSFirewallUpdate
+ IRC.Zapchast
+ LDPinch.csrss
+ LZIO.Small
+ Netsky.Z
+ Nurech.BG
+ PWS.LDPinchIE
+ Spy.Vb.Qg
+ TreloScript.HackTools
+ Wild Media
+ Win32.Agent.qt
+ Win32.KillAV
+ Win32.Renos.dk
+ Win32.Small.afk
+ WinIogon.Keylogger
+ Zlob.ImageActiveXObject
+ Zlob.ImageAXObject
+ Zlob.MovieBox

Total: 391117 fingerprints in 69825 rules for 2970 products.

Spybot Search & Destroy is now compatible with Windows Vista, but needs administrator rights to perform its security functions.

See links to and more information about using Spybot Search and Destroy in my extended comments.

English Language Company Links:
Spybot Search and Destroy English Home Page
Spybot Search and Destroy (Multi-Lingual Landing Page. Choose your language).
Spybot Search and Destroy Download page - Program and definition updates. You can download the latest version of Spybot S&D plus definition and tool updates here for inclusion later on.
Full tutorial about using and setting up Spybot Search and Destroy
Spybot Search and Destroy Update History

See all security program update notices in this category

A consequence of acquiring many of the parasites, keyloggers, hijackers and downloaders is that their files and startup settings are usually saved to your System Restore hidden folder, from whence they are automatically restored upon rebooting the computer. To completely remove these threats, and others, you should disable System Restore, then reboot, then clean all threats, then re-start System Restore, setting a new Restore Point, with a clean machine. Many people overlook this and are constantly reinfected after removing threats. There are few, if any security programs that can clean or remove infected files that are backed up in your protected System Restore directory.

To disable System Restore, go to My Computer and right-click on its icon. From the flyout options select Properties. From the "System Properties" select the "System Restore" tab. There you will find a checkbox labeled "Turn off System Restore." Check it, then click Apply and wait while the System Restore files are deleted (takes some time). After the deletions are finished, click OK to close the Properties box, then reboot.

When you have thoroughly removed all infections follow the same procedure as above, unchecking the box that turned off System Restore.

For those of you who have not yet used Spybot Search and Destroy, if you were wondering if it "plays nice" with other anti spyware programs, it most certainly does! I have used Spybot S&D since its inception, along with various other free and commercial security programs, and it has never caused any problems on my, or my customers' computers.

Spybot Search and Destroy has a Malware Removal Forum where trained volunteers can help you with spyware removal problems.

May 18, 2007

Ad-Aware SE Definitions Updated on 05/14/2007

Anti Spyware/Adware program Ad-Aware, by Lavasoft, has had its definition file updated. Users of the free version should check for and install the new definitions manually. The + sign (number) after a malware type indicates the number of new detections for that program that have been added with the new definition file. This reflects the fact that many types of common malware are released with multiple variants to try to slip past your anti-spyware programs. No + sign indicates a single detection update.

Ad-Aware Personal provides advanced protection from known data-mining, aggressive advertising, Trojans, dialers, malware, browser hijackers, and tracking components. This software is downloadable free of charge, or is available as a paid subscription, with automatic updates. By regularly checking for and applying updates you will have the best possible protection afforded by Ad-Aware, or any security program.

Current Definition File:
SE1R170 14.05.2007

New definitions:
====================
Adware.Baigoo 7
AntivirusPCSuite 10
SpywareSoftStop 4
SystemStable 3
Win32.Backdoor.Rizo
Win32.TrojanDownloader.Alphabet
Win32.Trojan-PSW.Delf 9
Win32.TrojanSpy.Peed

Updated definitions:
====================
Adintelligence.AproposToolbar 3
Adware.Agent 17
Adware.Baidu
Adware.BHO(generic) 5
Adware.CDN 22
Adware.DropSpam 4
Adware.FunWeb 2
Adware.LinkMaker
Adware.Maxifiles
Adware.MMSAssist 6
Adware.MyToolbar
Adware.NewWeb
Adware.WSearch 3
AntiSpyZone 2
AntiviralGolden 2
BroadCastPC
BrowserAid 2
CoolWebSearch
Dialer 6
FakeAlert
MalwareWipe 2
Marketscore(Netsetter)
MediaMotor
PerfectCleaner 3
PestCapture 2
PurityScan
Redirected hostfile entry 191
RedSwoosh
SideFind
SpyAway 2
SpyHeal 2
Surf 3
SurfSideKick 2
Tracking Cookie
Ultimate Defender 2
UltimateCleaner 2
WebHancer 2
Win32.Backdoor.Agent 12
Win32.Backdoor.Agobot 2
Win32.Backdoor.Bifrose 2
Win32.Backdoor.Hupigon 10
Win32.Backdoor.IRCZapchast
Win32.Backdoor.Poebot
Win32.Backdoor.Ranky 2
Win32.Backdoor.RBot 3
Win32.Backdoor.SDBot 5
Win32.Backdoor.VanBot
Win32.Backdoor.VB
Win32.Dialer.Trojan 20
Win32.Generic.PWS 4
Win32.Generic.Worm 2
Win32.SpamTool.Agent 7
Win32.Trojan.Agent 9
Win32.Trojan.Downloader 9
Win32.Trojan.Horst 2
Win32.Trojan.Keylogger
Win32.Trojan.Pakes 4
Win32.Trojan.Qhost 3
Win32.Trojan.Small 2
Win32.Trojan.Spambot 2
Win32.Trojan.Spy 9
Win32.TrojanClicker 12
Win32.TrojanDownloader.Adload 4
Win32.TrojanDownloader.Agent 19
Win32.TrojanDownloader.Banload
Win32.TrojanDownloader.ConHook
Win32.TrojanDownloader.Delf 4
Win32.TrojanDownloader.Nurech 2
Win32.TrojanDownloader.Obfuscated
Win32.TrojanDownloader.Small 13
Win32.TrojanDownloader.VB 3
Win32.Trojandownloader.Zlob 14
Win32.TrojanDropper 8
Win32.TrojanProxy.Dlena
Win32.TrojanProxy.Small
Win32.TrojanProxy.Xorpix 3
Win32.Trojan-PSW.Lineage 8
Win32.TrojanPWS.LdPinch
Win32.TrojanPWS.Lmir 2
Win32.TrojanPWS.Magania
Win32.TrojanPWS.OnlineGames 105
Win32.TrojanPWS.QQPass 18
Win32.TrojanPWS.WOW 3
Win32.TrojanSpy.Bancos
Win32.TrojanSpy.Banker 6
Win32.TrojanSpy.BZub 12
Win32.TrojanSpy.Goldun
Win32.TrojanSpy.Proagent
Win32.TrojanSpy.Small
Win32.Worm.MSNMaker
Win32.Worm.Warezov 7
Win32.Worm.Viking 5
Win32.Worm.Zhelatin
WinAD
WindUpdates
Virtumonde 10
Zango 2

MD5 checksum is ddd500b8c048d4e067fba8d4e107f588

You can use Webupdate to install the new reference file, or download it manually from: http://download.lavasoft.com/public/defs.zip

Download the current version of Ad-Aware here: http://www.download.com/3405-8022-5153545.html

A new improved version of Ad-Aware, "2007," is now in the final phase of beta testing, and is scheduled for public release on or about June 7, 2007.

See all security program update notices in this category

May 16, 2007

Spybot S&D Definitions Updated on May 16, 2007

World renowned anti-spyware program - Spybot Search and Destroy - was updated with new spyware definition files. If you use this program be sure to run manual updates as soon as possible.

If you see a program listed in these detections by name you should assume that it is malware. All of the programs listed with a + sign are additions, or updated detections, and are dangerous to your computer, and/or personal security. Update your Spybot Search and Destroy definitions, then scan for and fix any malware that is detected.

After updating your Spybot S&D definitions, if they include new Immunization definitions you need to click on the Immunize button, then, if the status line tells you that additional immunizations are possible, click on the Immunize link, near the top of the program. It has a green + sign in version 1.4. If you don't do this the new immunizations against hostile ActiveX programs will not be applied.

Updates - now published every Wednesday

2007-05-16

Keylogger
+ Ardamax
++ KingHomeLogger
++ Keylogger-Pro
++ Realplay.Keylogger
++ SC KeyLog Pro

Malware
++ AntiSpyWare2007
+ NetTechnology.Inc
+ Smitfraud-C.Toolbar888
+ Smitfraud-C.
+ Smitfraud-C.FakeAlert (2)
++ Win32.Small.is
++ Win32.Delf.zw
++ Worldsecurityonline.FakeAlert

PUPS (Potentially Unwanted Programs)
+ AntiverminsPro

Security
+ Microsoft.WindowsSecurityCenter.FirewallDisabled

Trojan
++ 22ndStreetComputers.PS3_fraud
+ Banker.PorSMTP
++ Banload.Terra.Scr
+ Bifrose.LA
++ Bifrost
++ DeepScan.Zet
++ IRC-Bot.troyan
+ Nurech
++ QQ-Pass
++ WinREG.LowZones
+ Win32.ConHook.ah
++ Win32.Kardphisher
++ Win32.Small.cyn
++ Win32.Small.ege
+ Zlob.MovieBox
++ Zlob.VideoAXObject

Total: 388125 fingerprints in 69021 rules for 2929 products.

See links to and more information about using Spybot Search and Destroy in my extended comments.

English Language Company Links:
Spybot Search and Destroy English Home Page
Spybot Search and Destroy (Multi-Lingual Landing Page. Choose your language).
Spybot Search and Destroy Download page - Program and definition updates. You can download the latest version of Spybot S&D plus definition and tool updates here for inclusion later on.
Full tutorial about using and setting up Spybot Search and Destroy
Spybot Search and Destroy Update History

See all security program update notices in this category

A consequence of acquiring many of the parasites, keyloggers, hijackers and downloaders is that their files and startup settings are usually saved to your System Restore hidden folder, from whence they are automatically restored upon rebooting the computer. To completely remove these threats, and others, you should disable System Restore, then reboot, then clean all threats, then re-start System Restore, setting a new Restore Point, with a clean machine. Many people overlook this and are constantly reinfected after removing threats. There are few, if any security programs that can clean or remove infected files that are backed up in your protected System Restore directory.

To disable System Restore, go to My Computer and right-click on its icon. From the flyout options select Properties. From the "System Properties" select the "System Restore" tab. There you will find a checkbox labeled "Turn off System Restore." Check it, then click Apply and wait while the System Restore files are deleted (takes some time). After the deletions are finished, click OK to close the Properties box, then reboot.

When you have thoroughly removed all infections follow the same procedure as above, unchecking the box that turned off System Restore.

For those of you who have not yet used Spybot Search and Destroy, if you were wondering if it "plays nice" with other anti spyware programs, it most certainly does! I have used Spybot S&D since its inception, along with various other free and commercial security programs, and it has never caused any problems on my, or my customers' computers.

Spybot Search and Destroy has a Malware Removal Forum where trained volunteers can help you with spyware removal problems.

May 12, 2007

Critical vulnerability found in multiple Norton products! Patch Available Now

A newly discovered critical vulnerability has been reported by Symantec, the makers of Norton security software products. A design error in an ActiveX control used by Norton AntiVirus could potentially be exploited by a malicious web site. A successful exploit could lead to remote code execution!

Norton has already issued an out-of-cycle patch that can be installed by running Live Update manually. Norton product users who normally run manual LiveUpdate should already have this update. However, to ensure all available updates have been properly installed, run manual LiveUpdate as follows:

Open any installed Norton product from either your Start Menu > Programs, or from the Windows System Tray icon;
Click LiveUpdate;
Run LiveUpdate until all available product updates are downloaded and installed;
A system reboot may be required, depending on the existing patch level of the affected product

The affected products include:
Norton AntiVirus 2005 and 2006
Norton Internet Security 2005 and 2006
Norton System Works 2005 and 2006

Note: The Norton 2007 product line and Symantec enterprise products, including Symantec Client Security and Symantec AntiVirus Corporate Edition are not affected by this issue.

Details of the Vulnerability
Symantec was notified by iDefense that a design error in NAVOPTS.DLL, an ActiveX control used by Norton AntiVirus, could potentially allow an attacker to crash the control if the end user visits a malicious web site. A successful exploit of NAVOPTS.DLL could then allow the attacker to access other Symantec ActiveX controls, even if they are not marked safe for scripting, possibly leading to remote arbitrary code execution in the context of the user's browser.

Symantec's enterprise products do not use NAVOPTS.DLL, and therefore they are not affected by this vulnerability.

People who operate their PCs with reduced user privileges are less at risk, if at all, than those running with full administrator privileges. For more information about this see my articles about user account privileges:
Limited User Privileges Protect Against Malware Infections
Limited User Privileges Protect PCs From Adware, Rootkits, Spyware and Viruses
User Account Privileges Explained

May 10, 2007

Spybot S&D Definitions Updated on May 9, 2007

World renowned anti-spyware program - Spybot Search and Destroy - was updated with new spyware definition files. If you use this program be sure to run manual updates as soon as possible.

If you see a program listed in these detections by name you should assume that it is malware. All of the programs listed with a + sign are additions, or updated detections, and are dangerous to your computer, and/or personal security. Update your Spybot Search and Destroy definitions, then scan for and fix any malware that is detected.

After updating your Spybot S&D definitions, if they include new Immunization definitions you need to click on the Immunize button, then, if the status line tells you that additional immunizations are possible, click on the Immunize link, near the top of the program. It has a green + sign in version 1.4. If you don't do this the new immunizations against hostile ActiveX programs will not be applied.

Updates - now published every Wednesday

2007-05-09

Adware
+ 2Search

Keylogger
+ Inside Keylogger
+ Invisible Keylogger Stealth
+ KeyloggerExpress
+ LocalKeyloggerPro

Malware
+ Krepper-G
+ Smitfraud-C.Toolbar888 (3)
+ Win32.Agent.avq
+ Win32.Banker.ceu
+ Win32.Delf.ww

PUPS (Potentially Unwanted Programs)
+ AdminSystem.AOSMTP
+ NetBus

Spyware
+ WebExplorer

Trojan
+ Banker.CN
+ Banker.PorSMTP (3)
+ Banload
+ Banload.ScrTaskList
+ Banload.Terra.Scr (3)
+ Banload.WLS
+ BAT.KillAV
+ BlackCore
+ FakeBill
+ Fraud.ProtectionBar
+ IRC.Zapchast
+ Nurech
+ Papinha (2)
+ Win32.Agent.ahk
+ Win32.Banker.abj
+ Win32.Banker.anv
+ Win32.Banload.bjh
+ Win32.Dadobra.ky
+ Win32.Delf.awi
+ Win32.Delf.nz
+ Win32.Obfuscated.gs
+ Win32.StartPage.ama
+ Zlob.MovieBox
+ Zlob.VideoActiveXObject
++ Zlob.VideoAXObject

Total: 383322 fingerprints in 67538 rules for 2901 products.

A lot of Trojan Horse programs were added today! See links to and more information about using Spybot Search and Destroy in my extended comments.

English Language Company Links:
Spybot Search and Destroy English Home Page
Spybot Search and Destroy (Multi-Lingual Landing Page. Choose your language).
Spybot Search and Destroy Download page - Program and definition updates. You can download the latest version of Spybot S&D plus definition and tool updates here for inclusion later on.
Full tutorial about using and setting up Spybot Search and Destroy
Spybot Search and Destroy Update History

See all security program update notices in this category

A consequence of acquiring many of the parasites, keyloggers, hijackers and downloaders is that their files and startup settings are usually saved to your System Restore hidden folder, from whence they are automatically restored upon rebooting the computer. To completely remove these threats, and others, you should disable System Restore, then reboot, then clean all threats, then re-start System Restore, setting a new Restore Point, with a clean machine. Many people overlook this and are constantly reinfected after removing threats. There are few, if any security programs that can clean or remove infected files that are backed up in your protected System Restore directory.

To disable System Restore, go to My Computer and right-click on its icon. From the flyout options select Properties. From the "System Properties" select the "System Restore" tab. There you will find a checkbox labeled "Turn off System Restore." Check it, then click Apply and wait while the System Restore files are deleted (takes some time). After the deletions are finished, click OK to close the Properties box, then reboot.

When you have thoroughly removed all infections follow the same procedure as above, unchecking the box that turned off System Restore.

For those of you who have not yet used Spybot Search and Destroy, if you were wondering if it "plays nice" with other anti spyware programs, it most certainly does! I have used Spybot S&D since its inception, along with various other free and commercial security programs, and it has never caused any problems on my, or my customers' computers.

Spybot Search and Destroy has a Malware Removal Forum where trained volunteers can help you with spyware removal problems.

May 7, 2007

Windows Updates Coming Tuesday, May 8, 2007

Attention Microsoft Windows 2000, XP, Vista and Server 2003 users! Patch Tuesday is coming on May 8, 2007. Here are the details about the patches being released through Windows Update Services.

On Tuesday 8 May 2007 Microsoft is planning to release:

Security Updates

* Two Microsoft Security Bulletins affecting Microsoft Windows. The highest Maximum Severity rating for these is Critical. These updates will require a restart. These updates will be detectable using the Microsoft Baseline Security Analyzer.

* Three Microsoft Security Bulletins affecting Microsoft Office. The highest Maximum Severity rating for these is Critical. These updates may require a restart. These updates will be detectable using the Microsoft Baseline Security Analyzer.

* One Microsoft Security Bulletin affecting Microsoft Exchange. The highest Maximum Severity rating for these is Critical. These updates will not require a restart. These updates will be detectable using the Microsoft Baseline Security Analyzer.

* One Microsoft Security Bulletin affecting CAPICOM and BizTalk. The highest Maximum Severity rating for these is Critical. These updates will not require a restart. These updates will be detectable using the Microsoft Baseline Security Analyzer and the Enterprise Scan Tool.

Microsoft Windows Malicious Software Removal Tool

* Microsoft will release an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services and the Download Center. Note that this tool will NOT be distributed using Software Update Services (SUS).

Non-security High Priority updates on MU, WU, WSUS and SUS

* Microsoft will release 1 NON-SECURITY High-Priority Update for Windows on Windows Update (WU) and Software Update Services (SUS).

* Microsoft will release 6 NON-SECURITY High-Priority Updates on Microsoft Update (MU) and Windows Server Update Services (WSUS).

If you have set your computer to download and install updates automatically they will do so. Otherwise, be sure you check manually throughout the afternoon of May 8, 2007.

Note for Mac computer users:
Apple released major patches and updates last week for numerous Apple programs, including QuickTime Player. It is extremely important that you apply these updates if your computer is on the Internet. Use the built-in Software Update utility to obtain these fixes.

As sometimes happens there may be software incompatibility problems that arise after these updates are released and applied. If I learn of any significant issues I will post about them here.

May 3, 2007

Limited User Privileges Protect Against Malware Infections

With viruses, spyware, adware, keyloggers, browser/search hijackers, rootkits, and remote control spam relays infecting or taking control of up to 75% (by some estimates) of the online Windows computers in the world, responsible, concerned people want to know how they can protect their computers from such rampant, recurring threats. Many folks I know have had spyware or viruses removed, only to have them reappear some time later, and they are confounded because they don't realize how these threats get installed in the first place.

Running anti-virus, anti-spyware and firewall applications is a must for Windows users, but they may not stop something malicious that slips past your defenses, hidden inside a program or file you intentionally downloaded and installed. The innocent application or utility you downloaded may have installed a backdoor program on your computer and that program may take over control and allow more malware to be sent to your computer. Many of the multiple infections that occur so often are piggybacked onto downloaders that get installed first, without your knowledge. They lower your security settings and sometimes hide from known security programs until it is too late. Some of them even terminate anti-virus, anti-spyware and firewall programs, leaving you totally unprotected.

These hidden threats inside supposedly useful programs are called Trojan Horses, named after the legendary huge wooden gift horse that the Greek invaders gave to the army of Troy, after a lengthy siege. It was supposed to be a symbol of submission from a defeated enemy (the Greek army) to the winners (the Trojans). Somehow the Trojans were fooled into accepting the gift horse, thinking that the Greek army had evacuated the area and given up the siege. They brought it into their gates and celebrated their alleged victory and when they were good and drunk the Greek soldiers who were hidden inside the hollow places in the wooden horse emerged, opened the gates to let in the rest of their hidden army, then slaughtered the Trojan soldiers and men and sold the women and children into slavery. So the legend goes and so go the modern day software soldiers who hide encoded inside seemingly useful programs, only to invade your system and wreak havoc.

Any infected code that you acquire and activate, or that is self-activating, will run with the same rights as the logged-on user, which in most cases means Administrator level rights (privileges).

All of the previously mentioned malware threats require computer administrator privileges to fully install themselves into the operating system, or to overwrite system files, or to write to the Local_Machine branch of the Windows Registry, or to hide as rootkits. Windows 2000 and XP users running with reduced privileges, as a Limited User, are protected against virtually all malware threats that need to install into the system to function. Windows 2000 or XP Professional Power Users have reduced, but not eliminated, vulnerability to these threats. I personally run as a Power User and have not acquired any drive-by, downloaded, or browser-exploited malware infections at all. I also use several anti-spyware programs, an anti-virus program, and both hardware and software firewalls. I browse with Firefox, not Internet Explorer, and keep everything up to date with patches and security fixes, as soon as I learn about their availability. Then I post notices on my blog to alert you all.

Some of my readers have problems running as Limited Users and I help them as much as possible to understand how things need to be done to work within and around those limitations. If you run with reduced user privileges your choice of updates will be more limited than if you apply them from an administrator level account. To get the full set, first apply the updates as a Limited or Power User, then Switch Users or log onto an Administrator account and re-apply the updates and immunizations. Many security programs will require you to switch to, or log into, an administrator level account to perform program updates (if not definition updates), then reboot. Others are more friendly to Limited Users after being installed by an Administrator.

I have posted more information about running with reduced user privileges, here and here.

Always assign a strong password to any Computer Administrator level accounts. Always try to run as a Limited User, or at most a Power User, under Windows 2000 or XP Professional. The Power User group is not available in XP Home, so don't bother looking for it.
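To check which rights your current logon session actually hands to anything it launches, and which local accounts hold Administrator or Power User rights, the following added example can be run; it is not from the original post. It assumes Windows PowerShell 5.1 or later, which is newer than the Windows 2000/XP systems discussed above, and its function names are hypothetical.

```powershell
# Added example (not from the original post). Requires Windows PowerShell 5.1+.
# Function names below are hypothetical, chosen for this illustration.

function Test-HklmWritable {
    # Ask for a writable handle to HKLM\SOFTWARE without changing anything.
    # A reduced-privilege session is refused; an administrator session is not.
    try {
        $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey('SOFTWARE', $true)
        if ($null -ne $key) { $key.Close(); return $true }
        return $false
    }
    catch [System.Security.SecurityException]  { return $false }
    catch [System.UnauthorizedAccessException] { return $false }
}

function Get-SessionPrivilege {
    # Rights of the current logon session: what any code it launches inherits.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $role      = [Security.Principal.WindowsBuiltInRole]
    [pscustomobject]@{
        User            = $identity.Name
        IsAdministrator = $principal.IsInRole($role::Administrator)
        IsPowerUser     = $principal.IsInRole($role::PowerUser)
        CanWriteHKLM    = Test-HklmWritable
    }
}

function Get-PrivilegedLocalAccount {
    # Well-known SIDs: S-1-5-32-544 = Administrators, S-1-5-32-547 = Power Users.
    foreach ($sid in 'S-1-5-32-544', 'S-1-5-32-547') {
        $group = Get-LocalGroup -SID $sid -ErrorAction SilentlyContinue
        if (-not $group) { continue }   # group not present on this edition
        Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue |
            Select-Object @{ n = 'Group'; e = { $group.Name } },
                          Name, ObjectClass, PrincipalSource
    }
}

# Report the session's rights, then every account that could be demoted
# to a Limited User for day-to-day work.
Get-SessionPrivilege | Format-List
Get-PrivilegedLocalAccount | Format-Table -AutoSize
```

A session that reports IsAdministrator and CanWriteHKLM as False is running with the reduced rights recommended above. On Windows Vista and later, an administrator account that has not elevated also reports False for both.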

Windows Vista begins a new era in user protection (out of the box) by running all accounts as Limited Users, with Power User-like rights and rights elevation prompts when you try to do something that requires full administrative privileges. I will blog about Vista's User Account Controls, and its rights elevation prompts, in a separate article, on a future date.

Spybot S&D Definitions Updated on May 2, 2007

The world-renowned anti-spyware program Spybot Search and Destroy was updated with new spyware definition files. If you use this program be sure to run manual updates as soon as possible.

If you see a program listed in these detections by name you should assume that it is malware. All of the programs listed with a + sign are additions, or updated detections, and are dangerous to your computer, and/or personal security. Update your Spybot Search and Destroy definitions, then scan for and fix any malware that is detected.

After updating your Spybot S&D definitions, if they include new Immunization definitions you need to click on the Immunize button, then, if the status line tells you that additional immunizations are possible, click on the Immunize link, near the top of the program. It has a green + sign in version 1.4. If you don't do this the new immunizations against hostile ActiveX programs will not be applied.

Updates - now published every Wednesday

2007-05-02

Hijacker
+180Solutions.SearchAssistant
+2020Search
+7FaSSt
+Hyperlinker
+Tasker

Keylogger
+FreeKeylogger.CN.a
+PaqTool
+Perfect Keylogger
+SmartKeystrokeRecorder

Malware
+ABetterInternet
+ErrorSafe
+IconDropper
+Smitfraud-C. (2)
+Smitfraud-C.FakeAlert
+Smitfraud-C.Toolbar888
+SpyDawn
+Vcodec.Intcodec
+Win32.Delf.amh
+Win32.Agent.aeu
+Win32.VanBot.ax
+Win32.Warezov.fb

PUPS (Potentially Unwanted Programs)
+EnterCasino
+NewDotNet

Spyware
+Fake.AviraBill
+ICQ-SpyMonitor
+SecondThought.STCLoader
+VX2.h.ABetterInternet

Trojan
+AdSpy.TTC (4)
+BraveSentry (2)
+DELF.Sysmd
+Downloader.Tsupdate.L
+FakeBill
+RC.Sdbot
+Nurech
+PurityScan
+Smitfraud-C.CoreService
+Smitfraud-C.KooWo
+Stration
+Stration.ICQ (2)
+SysOfferMgr
+WebBuyingAssistant
+Win32.Rbot.bms
+Win32.VB.zf
+ZenoSearch.Q
+Zlob.Command Service
+Zlob.ImageActiveXObject
+Zlob.VideoAccessActiveXObject
+Zlob.VideoActiveXObject
+ZQest.K8L
Total: 381546 fingerprints in 67046 rules for 2867 products.

See links to and more information about using Spybot Search and Destroy in my extended comments.

English Language Company Links:
Spybot Search and Destroy English Home Page
Spybot Search and Destroy (Multi-Lingual Landing Page. Choose your language).
Spybot Search and Destroy Download page - Program and definition updates. You can download the latest version of Spybot S&D plus definition and tool updates here for inclusion later on.
Full tutorial about using and setting up Spybot Search and Destroy
Spybot Search and Destroy Update History

See all security program update notices in this category

A consequence of acquiring many of the parasites, keyloggers, hijackers and downloaders is that their files and startup settings are usually saved to your System Restore hidden folder, from whence they are automatically restored upon rebooting the computer. To completely remove these threats, and others, you should disable System Restore, then reboot, then clean all threats, then re-start System Restore, setting a new Restore Point, with a clean machine. Many people overlook this and are constantly reinfected after removing threats. There are few, if any, security programs that can clean or remove infected files that are backed up in your protected System Restore directory.

To disable System Restore, go to My Computer and right-click on its icon. From the flyout options select Properties. From the "System Properties" select the "System Restore" tab. There you will find a checkbox labeled "Turn off System Restore." Check it, then click Apply and wait while the System Restore files are deleted (takes some time). After the deletions are finished, click OK to close the Properties box, then reboot.

When you have thoroughly removed all infections follow the same procedure as above, unchecking the box that turned off System Restore.

For those of you who have not yet used Spybot Search and Destroy, if you were wondering if it "plays nice" with other anti-spyware programs, it most certainly does! I have used Spybot S&D since its inception, along with various other free and commercial security programs, and it has never caused any problems on my, or my customers' computers.

May 2, 2007

Apple QuickTime updated to v7.1.6 to fix security holes

Apple today released QuickTime 7.1.6 for Mac and QuickTime 7.1.6 for Windows, which deliver numerous bug fixes, address a critical security issue with QuickTime for Java and include support for:

* Final Cut Studio 2
* Timecode and closed captioning display in QuickTime Player

This update is recommended for all QuickTime 7 users, including Firefox users. (Firefox uses the QuickTime Plug-in, which is vulnerable and needs updating.)

About the security content of QuickTime 7.1.6:

CVE-ID: CVE-2007-2175
Available for: Mac OS X v10.3.9, Mac OS X v10.4.9, Windows XP SP2, Windows 2000 SP4

Impact: Visiting a malicious website may lead to arbitrary code execution

Description: An implementation issue exists in QuickTime for Java, which may allow reading or writing out of the bounds of the allocated heap. By enticing a user to visit a web page containing a maliciously-crafted Java applet, an attacker can trigger the issue which may lead to arbitrary code execution. The code will run with the privileges of the target user.

QuickTime 7.1.6 is available via Software Update and also as standalone installers, using the following links:

QuickTime 7.1.6 for Mac (43.6MB)
http://www.apple.com/support/downloads/quicktime716formac.html

QuickTime 7.1.6 for Windows (19.1MB)
http://www.apple.com/support/downloads/quicktime716forwindows.html

The official Apple advisory is available at:
http://docs.info.apple.com/article.html?artnum=305446

May 1, 2007

SpywareBlaster Definitions Updated on 04/29/2007

SpywareBlaster is not like most anti-spyware programs, in that it does not "run" as such, as an active process in memory. It is more like a preventative shot that inoculates your computer against certain common avenues of attack, mostly ActiveX threats, in the following ways:

1: It prevents the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted software.
2: It blocks spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
3: It restricts the actions of potentially unwanted sites in Internet Explorer.

SpywareBlaster 3.5.1 Database Update

SpywareBlaster Latest Definitions: 4/29/2007

7,637 total items in the database, 187 new.
Update via the application.

Note that SpywareBlaster does not publish a list of programs that are blocked or added to their definition databases.

Be sure to enable protection for the newly added items once you update the definitions.

Note: If you use IE-SPYAD, Spybot Search & Destroy, SpywareGuide Blocklist, SpywareBlaster, a hosts file or any combination of those, please check all protections and re-enable as needed whenever any of the aforementioned is updated.

Download: Online Updater in the program interface * (see extended comments)

Learn more, or download the current version here: http://www.javacoolsoftware.com/spywareblaster.html

* SpywareBlaster is freeware for personal and educational use and offers two updating options:

1.) AutoUpdate - keep your protection up-to-date automatically!
2.) Check for Updates - manually check for and download the latest updates

The built-in (manual) Check for Updates function is completely free. To access Check for Updates, simply click on the "Updates" tab on the left side of the SpywareBlaster interface, and then press the "Check for Updates" button.

If you would like the convenience of the AutoUpdate feature, more information can be found in SpywareBlaster itself. (Click on the "Updates" tab, and then the "AutoUpdate" tab.)

A SpywareBlaster AutoUpdate subscription is $9.95 (US) per computer, per year, and is good on the computer from which it is purchased. Subscriptions do not automatically renew - you will be prompted to purchase a new subscription when your current subscription expires.

Ad-Aware SE Definitions Updated on 04/30/2007

The anti-spyware/adware program Ad-Aware, by Lavasoft, has had its definition file updated. Users of the free version should check for and install the new definitions manually. The + sign (number) after a malware type indicates the number of new detections for that program that have been added with the new definition file. This reflects the fact that many types of common malware are released with multiple variants to try to slip past your anti-spyware programs. No + sign indicates a single detection update.

Ad-Aware Personal provides advanced protection from known data-mining, aggressive advertising, Trojans, dialers, malware, browser hijackers, and tracking components. This software is downloadable free of charge, or is available as a paid subscription, with automatic updates. By regularly checking for and applying updates you will have the best possible protection afforded by Ad-Aware, or any security program.

Current Definition File:
SE1R168 30.04.2007

New definitions:
====================
Adware.CDN +25
Annoyware.Dizzy
MalwareStopper +6
Win32.Backdoor.PoisonIvy
Win32.Backdoor.Prosti
Win32.SpamTool.Agent +4
Win32.TrojanProxy.Dlena +7

Updated definitions:
====================
Adware.Agent +13
Adware.BHO(generic) +9
Adware.Mirar
Adware.NewWeb +4
Adware.Yazzle +2
AdwarePunisher
BraveSentry +2
Dialer +23
DriveCleaner +3
FakeAlert +2
PcTurboPro +4
PurityScan
Softomate Toolbar
Win32.Backdoor.Agent +14
Win32.Backdoor.Agobot +4
Win32.Backdoor.Bifrose +12
Win32.Backdoor.PcClient +6
Win32.Backdoor.Poebot
Win32.Backdoor.RBot
Win32.Backdoor.SDBot +3
Win32.Backdoor.VanBot +2
Win32.Backdoor.VB +6
Win32.Generic.PWS +11
Win32.Generic.Worm
Win32.Trojan.Agent +2
Win32.Trojan.Delf
win32.Trojan.Dnschanger
Win32.Trojan.Downloader +3
Win32.Trojan.Horst +5
Win32.Trojan.Spy +13
Win32.TrojanClicker +13
Win32.TrojanDownloader.Adload +2
Win32.TrojanDownloader.Agent +13
Win32.TrojanDownloader.Banload +6
Win32.TrojanDownloader.ConHook +2
Win32.TrojanDownloader.Nurech +2
Win32.TrojanDownloader.Small +3
Win32.TrojanDownloader.VB +2
Win32.Trojandownloader.Zlob +7
Win32.TrojanDropper +8
Win32.TrojanProxy.Agent.dl +10
Win32.TrojanProxy.Cimuz
Win32.TrojanProxy.Small +4
Win32.TrojanPWS.LdPinch
Win32.TrojanPWS.Lmir
Win32.TrojanPWS.Maran +3
Win32.TrojanPWS.OnlineGames +16
Win32.TrojanPWS.QQPass +3
Win32.TrojanPWS.WOW +2
Win32.TrojanSpy.Banker +9
Win32.TrojanSpy.BZub +2
Win32.TrojanSpy.BZub +8
Win32.Worm.MSNMaker
Win32.Worm.Zhelatin +16
WinAntispyware
WinAntiVirusPro +2
Virtumonde +28

MD5 checksum is 6fd3a3a3aaf9fa4049a4f220ef66dfa9

You can use Webupdate to install the new reference file, or download it manually from: http://download.lavasoft.com/public/defs.zip

Download the current version of Ad-Aware here: http://www.download.com/3405-8022-5153545.html

Watch my blog for news about a new version of Ad-Aware, "2007," now in beta 2 stage of development.

See all security program update notices in this category

About the author
Wiz's Blog is written by Bob "Wiz" Feinberg, an experienced freelance computer consultant, troubleshooter and webmaster. Wiz's specialty is in computer and website security. Wizcrafts Computer Services was established in 1996.

I produce this blog and website at my own expense. If you find this information valuable please consider making a donation via PayPal.


Creative Commons License This weblog is licensed under a Creative Commons License.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.