September 30, 2007

My Spam analysis for 4th week of September 2007

This article is about current email spam categories and percentages, based on rule sets created for and reported by the anti-spam tool MailWasher Pro.

I use MailWasher Pro to screen all of my various incoming POP email accounts, and I write my own custom spam filter rules for it. I give each rule a unique name so I can track the different types of spam I am deleting and reporting. The program has an interesting incoming email statistics window that includes a pie chart breakdown of the various types of spam that are recognized and dealt with by the software. I thought I would start sharing my spam pie chart results with you all. This is the first installment, which I will try to update during, or at the end of, the week. I'll post a new report each week, running from Monday through Sunday.

My analysis of this week's spam shows that various pharmaceuticals, including illicit prescription drugs, male and female enhancement pills and weight loss capsules, lead the pack again, accounting for well over 70% of all incoming spam. All of them have links to websites hosted in China, where the counterfeit drugs are produced. One has to wonder how many people are dying, or ending up in emergency rooms every day, because they foolishly bought spamvertised, counterfeit medicine.

Noticeably reduced this week were numeric links to Storm Trojan infected computers. However, counterfeit watches and Pump-And-Dump stocks are back in the countable statistics, along with a strong surge in pirated software.

My current statistics show that spam is now 82% of all my incoming email, for the week of September 24 through 30, 2007. This is a 14% increase from the week before, which topped out at 68%. Without my MailWasher Pro filters identifying and automatically deleting most of this onslaught of spam, email would be essentially useless for me (if I had to sort out the spam manually). Thanks to those custom filters, which I work hard to keep updated, I only have to manually delete a handful of spam messages on a daily basis (which I then classify into filters). The machines sending this deluge of spam are all members of BotNets, with spam relays and remote command and control software surreptitiously installed, mostly by the Storm Worm Trojan. I see many identical spam messages in my statistics (sorted by subject), but sent from different places in the world, all with forged sender names, confirming that this is a worldwide "Spam-demic" (Wow, I think I just coined a new word!).

MailWasher Pro spam category breakdown for Sept 24 through 30, 2007.
Pharmaceutical spam: 36.31%
Male enhancement spam: 22.42%
RX Spam: 0%
Counterfeit Watches spam: 3.97%
Casino spam: 3.97%
Numeric IP scams: 0%
Pirated software spam: 4.96%
Pump & dump stocks: 0.20%
Breast enlargement: 0.10%
Weight loss pills: 3.37%
Free NFL Tracker Trojan: 0%
"DW" Spammer: (detected by other filters)
One word subjects: 4.00%
New Known Spam Subjects: 2.98%
X-Mailer: The Bat!: 2.78%
Viagra.com: 2.58%
Other filters: 11.96%
DNS Blacklists: 0.20%
Blacklisted: 0%
Bayesian learning filter: 0.20%

These spam categories and their relative percentages will probably shift a bit each week, as the BotMasters send new spam scripts to the zombie computers under their control. I will try to keep the percentages updated and merge miscellaneous categories as I am able to identify what they were spamvertising.

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as a front-end screener to your POP email program (Outlook, Outlook Express, Microsoft Mail, Thunderbird, Eudora, etc).

Regarding my custom MailWasher Pro spam filters: due to my continuing work of refining these filter rules, their accuracy has increased to the point that less than 1/4% of the spam detections flew under my radar and were classified as DNS Blacklists for this reporting period (ditto for the learning filter). All other spam was classified and dealt with by my custom filters.

Try Firetrust Mailwasher® Pro

September 29, 2007

Spybot Search & Destroy Malware Definitions Updated on September 26, 2007

If you use the famed freeware anti-spyware program "Spybot Search and Destroy" and haven't updated it this week, be aware that updates to the definition files were released today, as listed below. Spyware and other classes of malicious programs are altered constantly to avoid detection by anti-spyware programs. Since Spybot S&D updates are only released on a weekly schedule (on Wednesdays), it is imperative that you make it a point to check for and download updates every week, preferably on Wednesday evenings. After downloading all available updates (from the best responding download server in the list of server locations), immunize*, then scan for and remove any detected malware. If Spybot is unable to remove an active threat it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.

If you see a program listed in the detections below, by name, you should assume that it is malware (with the possible exception of the PUP group, which is up to user discretion). All of the programs listed with a + sign are additions or updated detections, with multiple additions indicated by a number in parentheses or a double ++ in front of the name. These programs are dangerous to your computer, and/or personal security or privacy.

* After updating your Spybot S&D definitions, if they include new "immunization" definitions you need to click on the "Immunize" button, then, if the status line tells you that additional immunizations are possible, click on the Immunize link near the top of the program. It has a green + sign in a button. If you don't do this, the new immunizations against hostile ActiveX programs will not be applied.

Updates - now published every Wednesday

2007-09-26

Hijacker
+ TNS-Search

Keylogger
+ Ardamax
+ SpyAgent

Malware
+ AntiSpyWare2007
+ AntiVirGear
+ FlashDollars.AntiVirusProtection
+ Nous-Tech.UCleaner
+ Performance Optimizer
+ Smitfraud-C.
+ SurfSideKick
+ Win32.Renos

PUPS (Potentially Unwanted Programs)
+ DriveCleaner 2006

Trojan
+ 1und1_Haxdoor
+ Bifrose.LA
+ Cassava
+ Haxdoor-H
+ MailSkinner.rtk
+ MessengerSkinner.rtk
+ Win32.BHO.df
+ Win32.LoadAdv.h
+ Win32.Murlo.ff
+ Win32.Poison.k
+ Zlob.ImageActiveXAccess
+ Zlob.VideoActiveXAccess
+ Zlob.XXXPlugin

Total: 449837 fingerprints in 87792 rules for 3296 products.

English Language Company Links:
Spybot Search and Destroy English Home Page
Spybot Search and Destroy (Multi-Lingual Landing Page. Choose your language).
Spybot Search and Destroy Download page - Program and definition updates. You can download the latest version of Spybot S&D plus definition and tool updates here for inclusion later on.
Full tutorial about using and setting up Spybot Search and Destroy
Spybot Search and Destroy Update History

See all security program update notices in this category

A consequence of acquiring many of the parasites, keyloggers, hijackers and downloaders is that their files and startup settings are usually saved to your hidden System Restore folder, from which they are automatically restored upon rebooting the computer. To completely remove these threats, and others, you should disable System Restore, then reboot, then clean all threats, then re-start System Restore, setting a new Restore Point with a clean machine. Many people overlook this and are constantly reinfected after removing threats. There are few, if any, security programs that can clean or remove infected files that are backed up in your protected System Restore directory.

To disable System Restore, go to My Computer and right-click on its icon. From the flyout options select Properties. In the "System Properties" dialog select the "System Restore" tab. There you will find a checkbox labeled "Turn off System Restore." Check it, then click Apply and wait while the System Restore files are deleted (this takes some time). After the deletions are finished, click OK to close the Properties box, then reboot.

When you have thoroughly removed all infections follow the same procedure as above, unchecking the box that turned off System Restore.

For those of you who have not yet used Spybot Search and Destroy, if you were wondering if it "plays nice" with other anti-spyware programs, it most certainly does! I have used Spybot S&D since its inception, along with various other free and commercial security programs, and it has never caused any problems on my, or my customers', computers.

Spybot Search and Destroy has a Malware Removal Forum where trained volunteers can help you with spyware removal problems.

If you haven't already upgraded to the new version, Spybot S&D version 1.5 is now available on the downloads page.

As you can see from the long list of new detections this has grown into a major piece of work for the author and he could sure use some financial assistance to cover the huge amount of time it takes to update these definitions. There is a donation button on this page and I know he will appreciate your contributions!


September 21, 2007

My Spam analysis for 3rd week of September 2007

This article is about current email spam categories and percentages, based on rule sets created for and reported by the anti-spam tool MailWasher Pro.

I use MailWasher Pro to screen all of my various incoming POP email accounts, and I write my own custom spam filter rules for it. I give each rule a unique name so I can track the different types of spam I am deleting and reporting. The program has an interesting incoming email statistics window that includes a pie chart breakdown of the various types of spam that are recognized and dealt with by the software. I thought I would start sharing my spam pie chart results with you all. This is the first installment, which I will try to update during, or at the end of, the week. I'll post a new report each week, running from Monday through Sunday.

My analysis of this week's spam shows that various pharmaceuticals, including illicit prescription drugs, male and female enhancement pills and weight loss capsules, lead the pack, totaling a whopping 87% of all incoming spam. All of them have links to Chinese web hosts who are friends, or partners in crime, with the spammers. The senders are all BotNetted computers with spam relays installed, and probably infected with the Storm Trojan.

Noticeably reduced this week were counterfeit watches and the Pump-And-Dump stocks scammer, but I see from the last few messages that the Pump and Dump spammer is about to unleash a new spam run, promoting a new penny stock scam.

My current statistics show that spam is 68% of all my incoming email, for the week of September 17 through 23, 2007. This is an 8% increase from the week before, which topped out at 60%.

MailWasher Pro spam category breakdown for Sept 17 through 23, 2007.
Pharmaceutical spam: 43.43%
Male enhancement spam: 30.00%
RX Spam: 9.71%
Counterfeit Watches spam: 0%
Casino spam: 0.86%
Numeric IP scams: 0.10%
Pirated software spam: 1.71%
Pump & dump stocks: 0.10%
Breast enlargement: 0.60%
Weight loss pills: 1.43%
Free NFL Tracker Trojan: 0.10%
"DW" Spammer: 0.10%
One word subjects: 3.42%
RIPE filter: 0.10%
Other filters: 7.76%
DNS Blacklists: 0.29%
Blacklisted: 0.29%
Bayesian learning filter: 0%

These spam categories and their relative percentages will probably shift a bit each week, as the BotMasters send new spam scripts to the zombie computers under their control. I will try to keep the percentages updated and merge miscellaneous categories as I am able to identify what they were spamvertising.

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as a front-end screener to your POP email program (Outlook, Outlook Express, Microsoft Mail, Thunderbird, Eudora, etc).

Regarding my custom MailWasher Pro spam filters: due to my continuing work of refining these filter rules, their accuracy has increased to the point that only a tad over 1% of the spam detections flew under my radar and were classified as DNS Blacklists for this reporting period. All other spam was classified and dealt with by my filters.

Try Firetrust Mailwasher® Pro

September 19, 2007

Spybot Search & Destroy Anti Spyware Definitions Updated on September 19, 2007

If you use the famed freeware anti-spyware program "Spybot Search and Destroy" and haven't updated it this week, be aware that updates to the definition files were released today, as listed below. Spyware and other classes of malicious programs are altered constantly to avoid detection by anti-spyware programs. Since Spybot S&D updates are only released on a weekly schedule (on Wednesdays), it is imperative that you make it a point to check for and download updates every week, preferably on Wednesday evenings. After downloading all available updates (from the best responding download server in the list of server locations), immunize*, then scan for and remove any detected malware. If Spybot is unable to remove an active threat it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.

If you see a program listed in the detections below, by name, you should assume that it is malware (with the possible exception of the PUP group, which is up to user discretion). All of the programs listed with a + sign are additions or updated detections, with multiple additions indicated by a number in parentheses or a double ++ in front of the name. These programs are dangerous to your computer, and/or personal security or privacy.

* After updating your Spybot S&D definitions, if they include new "immunization" definitions you need to click on the "Immunize" button, then, if the status line tells you that additional immunizations are possible, click on the Immunize link near the top of the program. It has a green + sign in versions 1.4 and 1.5. If you don't do this, the new immunizations against hostile ActiveX programs will not be applied.

Updates - now published every Wednesday

2007-09-19

Hijacker
+ ISearchToolBar

Malware
+ AzeSearch
+ eAcceleration
+ ErrorSafe
+ MicroBillingSystem
+ Nous-Tech.UCleaner
+ SecCenter
+ SpywareDetector
+ Swizzor (248)
+ SyperCrypt.Overwriter
+ VirusProtectPro

Security
+ Microsoft.Windows.AppFirewallBypass

Spyware
+ FamilyCyberAlert
+ CC2Bank

Trojan
+ Banker.FAT
+ DioCleaner
+ PremiumSearch
+ Smitfraud-C.
+ Virtumonde
+ Virtumonde.generic
+ Win32.Agent.AVK
+ Win32.Banker.fn
+ Win32.BHO.df
+ Win32.ConHook.ah
+ Win32.Small.ah
+ Zlob.HQCodec
+ Zlob.VideoActiveXAccess
+ Zlob.XPasswordManager
+ Zlob.ZipCodec

Total: 448187 fingerprints in 87214 rules for 3280 products.

English Language Company Links:
Spybot Search and Destroy English Home Page
Spybot Search and Destroy (Multi-Lingual Landing Page. Choose your language).
Spybot Search and Destroy Download page - Program and definition updates. You can download the latest version of Spybot S&D plus definition and tool updates here for inclusion later on.
Full tutorial about using and setting up Spybot Search and Destroy
Spybot Search and Destroy Update History

See all security program update notices in this category

A consequence of acquiring many of the parasites, keyloggers, hijackers and downloaders is that their files and startup settings are usually saved to your hidden System Restore folder, from which they are automatically restored upon rebooting the computer. To completely remove these threats, and others, you should disable System Restore, then reboot, then clean all threats, then re-start System Restore, setting a new Restore Point with a clean machine. Many people overlook this and are constantly reinfected after removing threats. There are few, if any, security programs that can clean or remove infected files that are backed up in your protected System Restore directory.

To disable System Restore, go to My Computer and right-click on its icon. From the flyout options select Properties. In the "System Properties" dialog select the "System Restore" tab. There you will find a checkbox labeled "Turn off System Restore." Check it, then click Apply and wait while the System Restore files are deleted (this takes some time). After the deletions are finished, click OK to close the Properties box, then reboot.

When you have thoroughly removed all infections follow the same procedure as above, unchecking the box that turned off System Restore.

For those of you who have not yet used Spybot Search and Destroy, if you were wondering if it "plays nice" with other anti-spyware programs, it most certainly does! I have used Spybot S&D since its inception, along with various other free and commercial security programs, and it has never caused any problems on my, or my customers', computers.

Spybot Search and Destroy has a Malware Removal Forum where trained volunteers can help you with spyware removal problems.

As you can see from the long list of new detections this has grown into a major piece of work for the author and he could sure use some financial assistance to cover the huge amount of time it takes to update these definitions. There is a donation button on this page and I know he will appreciate your contributions!


Mozilla Releases Firefox Browser 2.0.0.7 Security Update

Mozilla, the owners of the Firefox browser, have released a security update on September 18, 2007, labeled version 2.0.0.7. This update fixes just one critical vulnerability, which could be exploited by a QuickTime media file running a command against the Firefox "chrome." Successful exploitation could lead to complete browser and/or system takeover, depending on the privileges of the logged-in user. Yesterday's update ends, entirely, the ability of third-party software to run command lines in Firefox.

Firefox can be updated from within the program interface by clicking on Help > Check for Updates. If you see that a new version is available allow it to download and install it. Your browser will close for a minute, then re-open as a new version. If you use a software firewall, like ZoneAlarm, it will pop-up a challenge because the MD5 checksum of Firefox has changed. Allow the change and allow it to access the Internet.

All of the extensions that worked in version 2.0.0.6 continued to work after upgrading to 2.0.0.7. If you don't already have Firefox you can download the current version here.

Despite Firefox releasing a patched version, the actual vulnerable program is and remains the Apple QuickTime plug-in. Expect a patched version to be available soon. I will blog about it when it becomes available.


September 16, 2007

My Spam analysis for 2nd week of September 2007

This article is about current email spam categories and percentages, based on rule sets created for and reported by the anti-spam tool MailWasher Pro.

I use MailWasher Pro to screen all of my various incoming POP email accounts, and I write my own custom spam filter rules for it. I give each rule a unique name so I can track the different types of spam I am deleting and reporting. The program has an interesting incoming email statistics window that includes a pie chart breakdown of the various types of spam that are recognized and dealt with by the software. I thought I would start sharing my spam pie chart results with you all. This is the first installment, which I will try to update during, or at the end of, the week. I'll post a new report each week, running from Monday through Sunday.

My analysis of this week's spam shows that various pharmaceuticals, including illicit prescription drugs, male and female enhancement pills and weight loss capsules, lead the pack, totaling a whopping 72.29% of all incoming spam. Most, but not all, are sent from Korea, Turkey and Poland, and all of them have links to Chinese web hosts who are friends, or partners in crime, with the spammers. The senders are usually BotNetted computers with spam relays. Noticeably absent this week was the Pump-And-Dump stocks scammer.

My current statistics show that spam is 60% of all my incoming email, for the week of September 10 through 16, 2007. This is a big increase from the week before, which topped out at 47%. These numbers may change by Sunday night and I will update this report to show the final figures.

MailWasher Pro spam category breakdown for Sept 10 through 16, 2007.
Pharmaceutical spam: 29.19%
Male enhancement spam: 19.80%
RX Spam: 18.46%
Counterfeit Watches spam: 7.72%
Casino spam: 5.37%
Numeric IP scams: 3.69%
Pirated software spam: 3.69%
Pump & dump stocks: 0%
Breast enlargement: 2.01%
Weight loss pills: 2.68%
Free NFL Tracker Trojan: 1.00%
Other filters: 3.70%
DNS Blacklists: 2.35%
Bayesian learning filter: 0.34%

These spam categories and their relative percentages will probably shift a bit each week, as the BotMasters send new spam scripts to the zombie computers under their control. I will try to keep the percentages updated and merge miscellaneous categories as I am able to identify what they were spamvertising.

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as a front-end screener to your POP email program (Outlook, Outlook Express, Microsoft Mail, Thunderbird, Eudora, etc).

Regarding my custom MailWasher Pro spam filters: due to my continuing work of refining these filter rules, their accuracy has increased to the point that only a tad over 1% of the spam detections flew under my radar and were classified as DNS Blacklists for this reporting period. All other spam was classified and dealt with by my filters.

Try Firetrust Mailwasher® Pro

September 13, 2007

Storm Trojan now using real domain links in NFL Tracker scams

The so-called Storm (Worm) Trojan has been continuously changing the subject and body text used to trick victims into clicking on links which cause their computers to become part of the "Storm" Botnet. Previously, all Storm scam messages came in with numeric links to compromised Windows computers on broadband connections, which were a clear giveaway to even the most casual recipient that something was not right. Then, at the beginning of September, I began to see Storm scams that had the numeric IP destinations wrapped inside a fake domain name. The true, numeric destination was revealed by mousing over the link, so it was still relatively easy to detect that the message was most likely a scam.

It is extremely unusual for hyperlinks to be numeric, but not totally unseen. Most websites use a "friendly name" for the domain, like example.com. On very rare occasions a website may not use a friendly name, usually when it is in transit from one server to another and DNS changes need time to propagate throughout the name server system. In the case of the web pages hosted on Storm Trojan infected computers, the URLs had to be numeric. This was because the zombie computers did not have registered domain names. Instead, they have a small web server, called nginx, installed by the Storm Trojan, and are almost always connected to broadband cable or DSL Internet services with infrequently changing IP addresses. Since the IP addresses of these zombie computers do occasionally change, due to rebooting the modem or forced IP renewals by their ISP, the authors of the Storm Trojan had to come up with a new way to keep them reachable through changes in IP addresses, and they have done just that.

In a new twist on the previous numeric IP scam, the authors of the new scam are using free DNS services to point their parked domain names to always-on cable Internet computers that are part of the BotNet. Thus, if the intended victim mouses over the link it still displays the friendly domain name (e.g. example.com). If they are fooled by the scam pitch into clicking on that link, they will arrive at what looks like a standard, large web page all about the subject of the scam message. There will be lots of links on that page, just like you would find on a real web page. But, in this instance, what you don't know can and will hurt you!

See my extended comments for a more technical description about this new NFL Tracker threat.

Your best defense against the Storm (Worm) Trojan, in all of its incarnations, is to use common sense and not click on links in unexpected emails, featuring dubious text sales pitches. If you use anti-spam software you should train it to recognize what you recognize as spam, or scams.

I use MailWasher Pro to screen all of my incoming email. It uses a variety of methods to identify and deal with known or suspected spam email, including custom filter rules that define the kinds of spam that are most common. I happen to write and publish three sets of custom filters for MailWasher. They are in direct response to the daily variations in email spam and scam threats that I see as I check my numerous accounts at 12-minute intervals. While my filters admittedly slow down the processing of your incoming messages, they provide a defined warning in the Status field, indicating what types of spam filters have been matched. The first two sets of filters only flag spam that is matched by my rules, leaving you to decide if they are truly spam or legitimate (false positives).

filters.txt is the largest set with rules going back several years, including the most current rules.

filters2.txt is a reduced set of the most current filters; I use a more potent version of these myself.

filters3.txt is what I call my Judge Dredd rules, because they, like my personal filters, are set to automatically hide and/or delete anything that is identified as spam. I describe them as my "Murder-Death-Kill rules," as borrowed from the movie "Judge Dredd." In the rare instances where a legitimate email is automatically deleted by a filter, I can review and restore that message from the MailWasher Pro Recycle Bin.

To recap, the authors of the Storm Trojan are constantly changing the subject and body text, in an effort to deceive more and more people and to accumulate the largest BotNet in the history of distributed computing. As of this week, it is estimated that the Storm BotNet has more computer and CPU power than the world's top five supercomputers put together. The damage that this BotNet has done, is doing and may yet do is beyond anything seen on the Internet until now. If all of these machines are used in DDoS attacks there is very little that would be able to stand up to them. That includes websites, governments, even entire countries (the country of Estonia was effectively taken offline by a huge DDoS attack earlier this year).

I strongly urge every reader of my blog to install the best anti-virus and anti-spyware software that you can afford, keep it completely updated and scan for threats every night.

About the destination web pages on Storm Trojan Zombie computers

The web page at the redirected location is typically about 32 KB in size (this varies) and contains all manner of links supposedly allowing the victim to "track" the performance of their favorite NFL football teams or players, using a program called a "Tracker," or "NFL Tracker." What isn't obvious, unless you read the source code (as I do), is that every link on that page goes to the same local executable file. There is even an image that is a clickable image map, which also leads to the very same Trojan Horse file. In this football scam the file name will contain the word "tracker."

Visiting these Storm Trojan websites is extremely dangerous, as some have JavaScript exploits installed in the HEAD section. Even if they don't use JavaScript redirects, anybody clicking on the links will already be deceived into thinking they are installing a program to track a sports team (probably to place bets) and will not even be aware that they are infecting their own computers. Instead, they will cause their computer to become a Zombie in the Storm BotNet, to be used for who knows what criminal purpose.
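The three tell-tales described above (a bare numeric-IP destination, link text that shows a friendly domain while the href goes elsewhere, and a landing page on which every link, image map included, leads to one local executable) can be checked mechanically before anyone clicks. The following is an added Python example, not code from the original post, from MailWasher or from Spybot; the lure e-mail and landing page it analyses are constructed samples using documentation-reserved addresses and names.

```python
"""Heuristic triage of hyperlinks in an HTML e-mail body or landing page for
Storm-style lure tell-tales.  Added example; the sample HTML is constructed
(RFC 5737 TEST-NET address, invented example domain, invented file name).
"""
import ipaddress
import re
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for <a> tags and the href of <area> image maps."""

    def __init__(self):
        super().__init__()
        self.links = []      # each entry: [href, visible text]
        self._open = None    # index of the <a> whose text is being read

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag in ("a", "area") and href:
            self.links.append([href, ""])
            if tag == "a":
                self._open = len(self.links) - 1

    def handle_data(self, data):
        if self._open is not None:
            self.links[self._open][1] += data

    def handle_endtag(self, tag):
        if tag == "a":
            self._open = None


def extract_links(html):
    parser = _LinkCollector()
    parser.feed(html)
    return [(href.strip(), " ".join(text.split())) for href, text in parser.links]


def host_of(url):
    """Lower-cased hostname of a URL with a leading 'www.' dropped ('' if absent)."""
    host = (urlsplit(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def is_bare_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


# Visible link text that itself looks like a URL, e.g. "http://www.example.com"
_URLISH = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.I)


def triage(html, min_links=3):
    """Return findings for one HTML body.

    bare_ip            -> hrefs whose host is a literal IP address
    text_host_mismatch -> (visible text, href) where the text names a different host
    single_target_exe  -> the target if >= min_links links all point at one .exe
    """
    links = extract_links(html)
    findings = {"bare_ip": [], "text_host_mismatch": [], "single_target_exe": None}
    targets = Counter()

    for href, text in links:
        host = host_of(href)
        if is_bare_ip(host):
            findings["bare_ip"].append(href)

        shown = _URLISH.search(text)
        if shown:
            shown_url = shown.group(0)
            if not shown_url.lower().startswith("http"):
                shown_url = "http://" + shown_url
            shown_host = host_of(shown_url)
            # A subdomain of the displayed host is fine; anything else is a mismatch.
            if shown_host and host != shown_host and not host.endswith("." + shown_host):
                findings["text_host_mismatch"].append((text, href))

        targets[href.split("#", 1)[0].lower()] += 1   # ignore fragments, case

    if len(links) >= min_links and len(targets) == 1:
        target = next(iter(targets))
        if target.endswith(".exe"):
            findings["single_target_exe"] = target

    return findings


# Constructed lure e-mail: the text shows a friendly domain, the href is a bare IP.
LURE_EMAIL = """<p>Get your free NFL Tracker now!</p>
<a href="http://192.0.2.45/">http://www.example-nfl-tracker.com</a>"""

# Constructed landing page: every link and the image map hit one local executable.
LANDING_PAGE = """<a href="tracker.exe">Team stats</a>
<a href="tracker.exe">Player stats</a>
<map name="m"><area href="tracker.exe#map" shape="rect" coords="0,0,10,10"></map>
<a href="TRACKER.EXE">Download NFL Tracker</a>"""


if __name__ == "__main__":
    for name, body in (("lure e-mail", LURE_EMAIL), ("landing page", LANDING_PAGE)):
        print(name, triage(body))
```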


September 12, 2007

Spybot Search & Destroy 1.5 Finally released!

Today, after looking at the updates to the Spybot Search and Destroy malware definitions, I clicked over to the News page and discovered that, lo and behold, Spybot Search & Destroy version 1.5 has finally been released for public downloading! This is the first new release since May 31, 2005. I peeked at the download page and saw that the actual version available today is 1.5.1, which indicates that incremental program updates can be expected along the way.

What's new in Spybot Search & Destroy 1.5:

This new version features a lot of improved detection mechanisms (which in parts were already made available through the regular 1.4 updates in the past months), improved Operating System support (Windows Vista integration, restored support for Windows 95, more compatibility with Wine, support for bootable Windows CDs), improved browser support (e.g. for immunization) and much more - you can find an overview of noticeable changes and some screenshots here.

You can download various versions of Spybot Search and Destroy at the Spybot.info Downloads page.

I have been using Spybot S&D since 2002 and I will be testing the new version very soon. I will report my impressions of the new release on my blog. In my case that will be on a Windows XP Professional computer. I will be checking on whether the new program can be installed on top of the old version, or if it needs to be installed separately, or if an uninstall of version 1.4 is necessary before 1.5 can be installed.

You can subscribe to my blog feed, or use the Change Detection button and sign up for notices whenever I add new articles, to keep up with news about this and other security issues.


Spybot Search & Destroy Anti Spyware Definitions Updated on September 12, 2007

If you use the famed freeware anti-spyware program "Spybot Search and Destroy" and haven't updated it this week, be aware that updates to the definition files were released today, as listed below. Spyware and other classes of malicious programs are altered constantly to avoid detection by anti-spyware programs. Since Spybot S&D updates are only released on a weekly schedule (on Wednesdays), it is imperative that you make it a point to check for and download updates every week, preferably on Wednesday evenings. After downloading all available updates (from the best responding download server in the list of server locations), immunize*, then scan for and remove any detected malware. If Spybot is unable to remove an active threat it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.

If you see a program listed in the detections below, by name, you should assume that it is malware (with the possible exception of the PUP group, which is up to user discretion). All of the programs listed with a + sign are additions, or updated detections, with multiple additions indicated by a number in parentheses or a double ++ in front of its name. These programs are dangerous to your computer, and/or personal security or privacy.

* After updating your Spybot S&D definitions, if they include new "immunization" definitions you need to click on the "Immunize" button, then, if the status line tells you that additional immunizations are possible, click on the Immunize link, near the top of the program. It has a green + sign in version 1.4. If you don't do this the new immunizations against hostile ActiveX programs will not be applied.

Updates - now published every Wednesday

2007-09-12

Adware
+ Zango.WeatherDPA
+ Zango.AntiSpamBar

Malware
++ SafetyBar
++ SpyDefender
+ SpyShredder
+ Swizzor
+ VirusLocker
++ Win32.Kwod.a
+ Smitfraud-C.
+ MalwareBurn
+ DeepDive

PUPS
+ Spionfrei

Security
+ Microsoft.WindowsSecurityCenter.TaskManager
+ Microsoft.WindowsSecurityCenter.RegistryTools
+ Microsoft.Windows.AppFirewallBypass

Spyware
+ Spybanker
+ StealthWebsiteLogger

Trojan
+ 3wPlayer
++ Click.Agent.np
++ Crypt.Spambot.qk
++ Fake.Sys-Browser
+ Fraud.ProtectionBar
+ IEReport
++ Kolweb-N
+ Smitfraud-C.
++ Smitfraud-C.MSVPS
+ Vanbot
+ Virtumonde.rtk
++ Win32.Agent.afy
+ Win32.Peed
+ Win32.SdBot.aad
++ Win32.SdBot.bfl
++ Win32.SdBot.crt
+ Winsoftware.WinAntiVirusPro2007
+ Zlob.Downloader
+ Zlob.Downloader.ixt
+ Zlob.ImageActiveXAccess

Total: 438100 fingerprints in 81643 rules for 3268 products.

English Language Company Links:
Spybot Search and Destroy English Home Page
Spybot Search and Destroy (Multi-Lingual Landing Page. Choose your language).
Spybot Search and Destroy Download page - Program and definition updates. You can download the latest version of Spybot S&D plus definition and tool updates here for inclusion later on.
Full tutorial about using and setting up Spybot Search and Destroy
Spybot Search and Destroy Update History

See all security program update notices in this category

A consequence of acquiring many of the parasites, keyloggers, hijackers and downloaders is that their files and startup settings are usually saved to your System Restore hidden folder, from whence they are automatically restored upon rebooting the computer. To completely remove these threats, and others, you should disable System Restore, then reboot, then clean all threats, then re-start System Restore, setting a new Restore Point, with a clean machine. Many people overlook this and are constantly reinfected after removing threats. There are few, if any security programs that can clean or remove infected files that are backed up in your protected System Restore directory.

To disable System Restore, go to My Computer and right-click on its icon. From the flyout options select Properties. In the "System Properties" window select the "System Restore" tab. There you will find a checkbox labeled "Turn off System Restore." Check it, then click Apply and wait while the System Restore files are deleted (this takes some time). After the deletions are finished, click OK to close the Properties box, then reboot.

When you have thoroughly removed all infections follow the same procedure as above, unchecking the box that turned off System Restore.

For those of you who have not yet used Spybot Search and Destroy, if you were wondering if it "plays nice" with other anti spyware programs, it most certainly does! I have used Spybot S&D since its inception, along with various other free and commercial security programs, and it has never caused any problems on my, or my customers' computers.

Spybot Search and Destroy has a Malware Removal Forum where trained volunteers can help you with spyware removal problems.

As you can see from the long list of new detections this has grown into a major piece of work for the author and he could sure use some financial assistance to cover the huge amount of time it takes to update these definitions. There is a donation button on this page and I know he will appreciate your contributions!

September 9, 2007

New Storm Trojan tactic uses football game tracker as bait

The authors and promulgators of the Storm Trojan are very devious and criminally clever people. Every month they seem to completely change the nature of the scams used in the spam emails sent from already infected computers. Each new scam uses a different type of social engineering to deceive spam recipients into clicking on the (numeric) link embedded in those messages. Usually the links are shown as numeric, but lately some are concealing the destination until you hold the mouse over the link, at which time you will see a numeric URL. An example of a numeric URL would be: http://127.0.0.1/. The same link wrapped inside a friendly name cover might resemble this: devious words, which leads to the same numeric destination, when you mouse-over the link. The destinations in my examples go to your own computer, at 127.0.0.1 (local machine), for safety's sake.

Earlier this summer the trick most widely used was the postcard scam. Now they are kicking it up a notch and appealing to sports fans' curiosity to fool them into infecting themselves. With the US professional football season kicking off this month (pun intended), the criminal minds authoring the Storm Trojan email scams have unleashed a series of new messages all aimed at enticing football fans into downloading a so-called "game tracker." As with all of the previous Storm Trojan payloads, this one resides inside infected computers onto which a web server has been installed. If you click on the link in the scam email you will see a real web page containing all kinds of descriptions and links to features and information. There is even an image map that is one huge link. Every single one of the links on these pages goes to one and only one place: "tracker.exe." Click on that and what you thought was a game tracker program will in reality turn your computer into another zombie member of the Storm Trojan BotNet.
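The mouse-over check described above can be done mechanically: pull every link out of an HTML message body, show its real destination, and flag links whose host is a bare IP address or whose visible text names a different host than the one it actually points to. This is an added example written for this post, not MailWasher Pro's own code; the sample message body is constructed and, as in the post, uses 127.0.0.1 in place of a real numeric destination.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect [href, visible text] for every <a> element in an HTML message body."""

    def __init__(self):
        super().__init__()
        self.links = []     # each entry is [href, visible_text]
        self._open = None   # entry currently being filled while inside an <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._open = [dict(attrs).get("href", ""), ""]
            self.links.append(self._open)

    def handle_data(self, data):
        if self._open is not None:
            self._open[1] += data

    def handle_endtag(self, tag):
        if tag == "a":
            self._open = None


def host_of(url):
    """Lower-cased host part of a URL, or '' when the URL has none."""
    return (urlparse(url).hostname or "").lower()


def is_numeric_host(host):
    """True when the host is a bare IP address rather than a domain name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def inspect_links(html):
    """One finding per anchor: the real destination plus the reasons it looks suspicious."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        text = text.strip()
        reasons = []
        real_host = host_of(href)
        if is_numeric_host(real_host):
            reasons.append("numeric IP destination")
        # Visible text that itself looks like a URL or host name, but leads somewhere else
        looks_like_url = "." in text and " " not in text
        shown_host = host_of(text if "://" in text else "http://" + text) if looks_like_url else ""
        if shown_host and shown_host != real_host:
            reasons.append("displayed host %s differs from real host %s" % (shown_host, real_host))
        findings.append({"text": text, "href": href, "reasons": reasons})
    return findings


# Constructed sample body in the style of the game-tracker lure (not a captured message).
SAMPLE_HTML = """<p>Track every game live!</p>
<a href="http://127.0.0.1/">http://127.0.0.1/</a><br>
<a href="http://127.0.0.1/tracker.exe">devious words</a><br>
<a href="http://127.0.0.1/">www.example.com</a><br>
<a href="http://www.example.org/">our home page</a>"""
```

Running `inspect_links(SAMPLE_HTML)` flags the first three links and leaves the fourth, whose text is not URL-like and whose host is a domain name, unflagged.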

Another trick being employed by the Storm Trojan is a link supposedly to a program that prevents the RIAA from tracking files shared illegally over peer to peer networks. Again, this is the Storm Trojan at the other end of those links.

If you use MailWasher Pro to screen your incoming email and are not already using my custom spam filters, what are you waiting for? They are free for you to use! They are my gift to the World. I hate spam and want to help others detect and delete it, before threats like the Storm Trojan can fool them into becoming unwitting victims. You can even discuss my filters in my own topic labeled: Wizcrafts Custom MailWasher Pro Filters discussed here, on the Firetrust.com forums.

Please use caution with any links arriving in email messages from senders you don't know, or even those you do know. Do not click blindly on links in emails, especially if they are numeric! Those IP addresses are infected home or office computers, on DSL or Cable Internet services.

The Storm Trojan keeps changing its tactics to entice as many people as possible into becoming members of its BotNet. Once your computer has joined it, it will be used to host web pages containing extremely dangerous files, and will have a spam email relay and other malware installed. Your computer may even be used in criminal acts such as denial of service attacks. Be sure you keep your Windows computers fully patched with Windows Updates and have anti-spyware and anti-virus programs and a firewall installed, updated and running. Scan for acquired threats often. There are plenty of legitimate anti-malware programs available for you to use to protect your computers from threats like this and some of them are advertisers on this blog. They are Spy Sweeper, Spyware Doctor, Norton Internet Security, Spybot Search and Destroy and others.

Read my blog articles about running as a Limited or Power User to protect Windows XP and 2000 PCs from most malware threats. If you use Windows Vista do not turn off the user account control security alerts! Do not run as a computer administrator for your daily browsing. Use the Administrator account to do maintenance or to install drivers, but not to surf the Internet.

September 5, 2007

My Spam analysis for 1st week of September 2007

This article is about current email spam categories and percentages, based on rule sets created for and reported by the anti spam tool - MailWasher Pro.

Anybody who receives email that is not cleared by a challenge-response email provider is probably receiving more spam now than at almost any time before. I know that I am, and I am reporting it to SpamCop and using the data I collect to create or update my MailWasher Pro custom spam filters. It is my belief that this huge upswing in the volume of spam over the last two weeks is because it is being sent from computers that are infected with the Storm Worm Trojan and are all members of the same BotNet, but belonging to different peer-to-peer spam relay cells. All summer long this BotNet spewed out tens of millions of spam emails pretending to be ecards, greeting cards, or postcards, with numeric links that led to infected computers that spread the Storm Trojan to the computers that were lured to them. Suddenly, the postcard scams have halted, only to be replaced by huge amounts of spam messages for male enhancement drugs, pump and dump stocks, counterfeit watches, pirated software and loans.

I use MailWasher Pro to screen all of my various incoming POP email accounts, and for which I write my own custom spam filter rules. I give each rule a unique name so I can track the different types of spam I am deleting and reporting. The program has an interesting incoming email statistics window, that includes a pie chart breakdown of the various types of spam that are recognized and dealt with by the software. I thought I would start sharing my spam pie chart results with you all. This is the first installment, which I will try to update during, or at the end of the week. I'll post a new report each week, running from Monday through Sunday.

My current statistics show that spam is 47% of all my incoming email, for the week of September 3 through 9, 2007.

MailWasher Pro spam category breakdown for Sept 3 through 9, 2007.
Male enhancement spam: 24%
Pharmaceutical spam: 20%
Counterfeit Watches spam: 18.5%
Pirated software spam: 13%
Casino spam: 9%
Pump & dump stocks: 2.5%
One word subjects: 1%
Numeric IP scams: 5%
Miscellaneous spam: 6%
Bayesian learning filter: 0%
DNS Blacklists: 1%

These spam categories and their relative percentages will probably shift a bit each week, as the BotMasters send new spam scripts to the zombie computers under their control. I will try to keep the percentages updated and merge miscellaneous categories as I am able to identify what they were spamvertising.

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as a front-end screener to your POP email program (Outlook, Outlook Express, Microsoft Mail, Thunderbird, Eudora, etc).

Regarding my custom MailWasher Pro spam filters: thanks to my continuing work refining these filter rules, their accuracy has increased to the point that only a tad over 1% of the spam detections flew under my radar and were classified as DNS Blacklists for this reporting period. All other spam was classified and dealt with by my filters.
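The way a pie chart like the one above comes about can be shown in a few lines: each named rule is tried in order, the first one that fires labels the message, anything no custom rule catches but a blacklist does is counted under "DNS Blacklists", and the tallies are turned into the spam share of all mail and the per-category share of the spam. This is an added example for this post, not MailWasher Pro's rule syntax or code; the rule patterns and the week of ten messages are constructed.

```python
import re
from collections import Counter


def kw(*words):
    """Rule that fires when any listed word appears in the subject or body (constructed patterns)."""
    pat = re.compile(r"\b(" + "|".join(words) + r")\b", re.I)
    return lambda subject, body: bool(pat.search(subject + " " + body))


# A link whose host is a dotted-quad IP address rather than a domain name
NUMERIC_LINK = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}(?=[/\s]|$)")

# Named rules in the order they are checked; the first match decides the category.
RULES = [
    ("Numeric IP scams",         lambda s, b: bool(NUMERIC_LINK.search(b))),
    ("Male enhancement spam",    kw("enlarge", "enhancement")),
    ("Pharmaceutical spam",      kw("pharmacy", "pills", "prescription")),
    ("Counterfeit Watches spam", kw("replica", "watches")),
    ("Pirated software spam",    kw("oem", "software")),
    ("Pump & dump stocks",       kw("stock", "ticker")),
    ("One word subjects",        lambda s, b: len(s.split()) == 1),
]


def classify(msg):
    """Name of the first rule that fires, or None when no custom rule catches the message."""
    for name, fires in RULES:
        if fires(msg["subject"], msg["body"]):
            return name
    return None


def weekly_stats(messages):
    """Spam share of all mail, plus each category's share of the spam, as the pie chart shows them."""
    counts = Counter()
    for msg in messages:
        cat = classify(msg)
        if cat is None and msg.get("on_dnsbl"):
            cat = "DNS Blacklists"   # caught only by the blacklist: it got past the custom rules
        if cat is not None:
            counts[cat] += 1
    spam = sum(counts.values())
    return {
        "spam_share": round(100.0 * spam / len(messages), 1),
        "categories": {c: round(100.0 * n / spam, 1) for c, n in counts.items()},
    }


# Constructed week of ten messages: eight spam, two legitimate.
SAMPLE_WEEK = [
    {"subject": "Your football game tracker", "body": "Download it at http://127.0.0.1/tracker.exe"},
    {"subject": "Enlarge it now", "body": "safe and natural"},
    {"subject": "Cheap pills online", "body": "no prescription needed"},
    {"subject": "Replica watches", "body": "look like the real thing"},
    {"subject": "OEM software 80% off", "body": "download instantly"},
    {"subject": "Stock alert", "body": "this ticker is about to explode"},
    {"subject": "Hello", "body": "hi"},
    {"subject": "Re: your account", "body": "Please confirm your details", "on_dnsbl": True},
    {"subject": "Meeting notes from Monday", "body": "Attached as promised."},
    {"subject": "Lunch on Friday?", "body": "Same place as last time?"},
]
```

`weekly_stats(SAMPLE_WEEK)` reports spam at 80% of the week's mail, with each of the eight categories at 12.5% of the spam; note that the "One word subjects" rule is the kind that needs watching, since a one-word subject from a friend would fire it too.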

Migrate your programs and settings from your old computer to a new computer

Back in the days of Windows 95 I bought a program called PowerQuest Drive Image. Drive Image allowed me to take snapshots of my entire hard drive and save them to other hard drives, to be used to recover a failed master hard disk. Drive Image contained a fabulous utility named Magic Mover, which allowed me to move entire programs, with all of their settings and distributed system files, from one PC, or partition, to another. Unfortunately, Powerquest is no more, along with Magic Mover.

While answering questions on a computers section of a specialty forum, where I act as moderator, a member asked questions about moving programs, settings and preferences from his XP computer to his new Vista computer. Another member pointed him to the Windows Vista "Easy Transfer" utility, which can "move" a number of programs, which it knows about, from an XP computer to the Vista computer, over a cable or network connection.

Unfortunately, the original poster had programs he wanted moved that are not listed in the Easy Transfer database. That's when another member mentioned a program by LapLink, called PCMover. This program can indeed move any or all of your programs, files, settings, or desktops, between two computers running Windows 95, 98, NT, Me, 2000, Media Center, XP, or Vista. Instead of taking one or more days to migrate all of your programs and settings, you can do this with PCMover in a few hours, or less.

PCmover can migrate your PC across a network, Laplink USB cable, Laplink parallel cable, Windows Easy Transfer Cable, or any type of removable media that can be read by both PCs. If your computer has multiple users, PCmover gives you the option to migrate some or all of the users at once. The security information about file ownership and access control is preserved for each user. You can even use PCmover to migrate your PC to an Intel-based Mac!

A single license of PCmover ($49.95) allows you to migrate from a single old (source) PC to a single new (destination) PC. Additional migrations require the purchase of additional licenses. For most end users this is not a problem, since they rarely have to perform such major transfers of programs. There is significant discount pricing available from LapLink, for people or businesses requiring multiple computer migrations, in 5 or 10 packs of migration licenses. Upon payment of a migration fee, the software transfers files and settings from your old computer to your new computer.

You can read more about PCMover - here.

About the author
Wiz's Blog is written by Bob "Wiz" Feinberg, an experienced freelance computer consultant, troubleshooter and webmaster. Wiz's specialty is in computer and website security. Wizcrafts Computer Services was established in 1996.

This weblog is licensed under a Creative Commons License.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.