February 28, 2008

Spybot Search & Destroy Malware Definitions Updated on February 27, 2008

If you arrived here by searching for the name of some malware that may be on your computer and you are not currently using Spybot Search and Destroy, you can download the latest version from the Spybot Search and Destroy Multi-Lingual Landing Page. Choose your language, then use the link in the left sidebar to go to the downloads page. Download the program from your closest mirror server, install it, update it (Updates button), then follow the instructions below to detect and remove any malware that is on your PC.

If you already are using "Spybot Search and Destroy" and haven't updated it this week, be aware that updates to the definition files were released on Wednesday, this week, as listed below. Spyware and other classes of malicious programs are altered constantly to avoid detection by anti-spyware programs. Since Spybot S&D updates are only released on a weekly schedule (on Wednesdays) it is imperative that you make it a point to check for and download updates every week, preferably on Wednesday evenings. After downloading all available updates (from the best responding download server in the list of server locations), immunize*, then scan for and remove any detected malware. If Spybot is unable to remove an active threat it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.

If you see a program listed in the detections below, by name, you should assume that it is malware (with the possible exception of the PUP group, which is up to user discretion). All of the programs listed with a + sign are additions, or updated detections, with multiple additions indicated by a number in parentheses or a double ++ in front of its name. These programs are dangerous to your computer, and/or personal security or privacy.

* After updating your Spybot S&D definitions, if they include new "immunization" definitions you need to click on the "Immunize" button, then, if the status line tells you that additional immunizations are possible, click on the Immunize link, near the top of the program. It has a green + sign in a button. If you don't do this the new immunizations against hostile ActiveX programs will not be applied. After immunizing with any new detections, run a scan for malware by clicking on the "Spybot Search & Destroy" button, on the left panel, then on the button with the magnifying glass icon, labeled: "Check For Problems."

Spybot Updates - published every Wednesday

Additions made on Feb 27, 2008 (and false positive removals):

Adware
+ Wintouch

Malware
+ AdwareAlert
+ AdwareBot
+ AntiSpyware2007
+ AntiSpyWare2007
+ AntiSpywareBOT
+ CoolWWWSearch.am
+ ErrorKiller
+ ErrorSmart
+ EvidenceEraser
+ Fake.SpywareRemover
+ MacroVirus
+ MalwareBOT
+ PrivacyControl
+ PWS.OnLineGames
+ RegClean
+ RegistryBot
+ RegistrySmart
+ RegRecall
+ Smitfraud-C.
+ Spyware-Secure
+ VirusHeat
+ Win32.Agent.bpb
+ Win32.BHO.je
+ Win32.Renos

Security
+ Microsoft.Windows.AppFirewallBypass

Spyware
+ PassStealer

Trojans
+ Hupigon
+ IE-Improver
+ Smitfraud-C.MSVPS
+ Win32.Banker.gen
+ Win32.Delf.dgb
+ Win32.Rungbu.a
+ Win32.Small.azl
+ Win32.Tibia.aj
+ Zlob.Downloader
+ Zlob.Downloader.anz
+ Zlob.Downloader.se
+ Zlob.Downloader.vdt
+ Zlob.VideoActiveXObject

Total: 542580 fingerprints in 119017 rules for 3652 products.

Spybot Search & Destroy version 1.5.2, the latest release, is compatible with Windows Vista and features a nicer interface and sports a separate updater window and application. If you are still using version 1.4 I recommend that you update to 1.5.x, using the company links below.

English Language Company Links:
Spybot Search and Destroy English Home Page
Spybot Search and Destroy (Multi-Lingual Landing Page. Choose your language).
Spybot Search and Destroy Download page - Program and definition updates. You can download the latest version of Spybot S&D plus definition and tool updates here for inclusion later on.
Full tutorial about using and setting up Spybot Search and Destroy
Spybot Search and Destroy Update History

See all security program update notices in this category

A consequence of acquiring many of the parasites, keyloggers, hijackers and downloaders is that their files and startup settings are usually saved to your hidden System Restore folder, from where they are automatically restored upon rebooting the computer. To completely remove these threats, and others, you should disable System Restore, then reboot, then clean all threats, then re-start System Restore, setting a new Restore Point on a clean machine. Many people overlook this and are constantly reinfected after removing threats. There are few, if any, security programs that can clean or remove infected files that are backed up in your protected System Restore directory.

To disable System Restore, go to My Computer and right-click on its icon. From the flyout options select Properties. In the "System Properties" dialog select the "System Restore" tab. There you will find a checkbox labeled "Turn off System Restore." Check it, then click Apply and wait while the System Restore files are deleted (this takes some time). After the deletions are finished, click OK to close the Properties box, then reboot.

When you have thoroughly removed all infections follow the same procedure as above, unchecking the box that turned off System Restore.

In the event that Spybot mistakenly removes a file(s) due to a faulty detection update (a.k.a False Positive), you can restore it from the program itself. Just click on the "Recovery" button, that looks like a first aid kit, with a red cross in it, then locate the item(s) you wish to restore. Click on the select box(es) on the left of the detection name(s), to place a check mark in it/them, then click on "Recover selected items." The files, and/or registry entries will be replaced, from where they were deleted. The Spybot forums have discussions about false positives here.

For those of you who have not yet used Spybot Search and Destroy, if you were wondering if it "plays nice" with other anti-spyware programs, it most certainly does! I have used Spybot S&D since its inception, along with various other free and commercial security programs, and it has never caused any problems on my, or my customers', computers.

Spybot Search and Destroy has a Malware Removal Forum where trained volunteers can help you with spyware removal problems.


February 24, 2008

My Spam analysis for February 18 - 24, 2008

This article is about current email spam categories and percentages, based on rule sets created for and reported by the anti spam tool - MailWasher Pro.

I use MailWasher Pro to screen all of my various incoming POP email accounts, and for which I write my own custom spam filter rules. I give each rule a unique name so I can track the different types of spam I am deleting and reporting. The program has an interesting incoming email statistics window, that includes a pie chart breakdown of the various types of spam that are recognized and dealt with by the software. I thought I would start sharing my spam pie chart results with you all. This is the first installment, which I will try to update during, or at the end of the week. I post a new report each week, running from Monday through Sunday.

My analysis of this week's spam shows that fraudulent pharmaceuticals, mostly Viagra and male enhancement pills, dominated all spam categories. Most of the spam emails for pharmaceuticals have links to websites hosted in China, where fake and counterfeit drugs are produced. Foremost among these are fake pharmacy websites, like the so-called "Canadian Pharmacy," which is not in Canada at all (it's in China and Indo-China), nor, despite the presence of fake accreditation logos, are they approved to sell pharmaceuticals in the US or Canada. Most of the fraudulent "Canadian Pharmacy" web pages are now hosted on compromised home or office PCs that are unknowingly members of various spam botnets. The only rational explanation for the continued existence of these fake pharmacies must be that there are enough gullible people in the world who will purchase enough drugs from links in spam emails to make it financially worthwhile for spammers to pay to rent botnets to send this crap. Considering the fact that most of these pharmaceuticals are fake, or contaminated, one has to wonder how many people get sick, or die, because they foolishly bought spamvertised, counterfeit medicine from fraudulent online pharmacies.

Due to my ongoing procedures I have merged some filters to simplify the reporting process, so the categories shown below may differ from the previous weeks' results. I have also created a special sender recognition filter that, when matched, assigns the status "BlackList" to those spam messages. Because my blacklist rule is processed first, a large share of spam never reaches the category filters at all. This saves the processing power that my custom filters would otherwise spend on those messages.

My current statistics show that spam is now 53% of all my incoming email, for the week of February 18 through 24, 2008. This is down 2% from last week. Without my custom MailWasher Pro filters identifying and automatically deleting most of this onslaught of spam, email would be essentially useless for me (if I had to sort out the spam manually). Thanks to those custom filters, which I work hard to keep updated, I only have to manually delete a handful of spam messages on a daily basis (which I then classify into filters). The machines sending this deluge of spam are all members of botnets, with spam relays and remote command and control software surreptitiously installed, mostly by the Storm Worm or related Trojans. I see many identical spam messages in my statistics (sorted by subject), but sent from different places in the world, all with forged sender names, confirming that this is a world-wide Spam-demic.

MailWasher Pro spam category breakdown for February 18 through 24, 2008.
MailWasher Pro by Firetrust
Blacklisted (by pattern matching): 24.69%
Male enhancement spam: 23.87%
Viagra and Viagra.com: 3.29%
Other Pharmaceutical spam: 14.82%
Other filters: 13.17%
Counterfeit Watches and Shoes: 8.64%
Casino spam: 5.76%
HTML Tricks: 2.47%
One word spam subjects: 2.47%
Spam sent to and from same email account: 3.70%
DNS Blacklists: 1.23%
Bayesian learning filter: 0.82%

These spam categories and their relative percentages shift a bit each week, as the BotMasters send new spam scripts to the zombie computers under their control. I will try to keep the percentages updated and merge miscellaneous categories as I am able to identify what they were spamvertising. Also, for over two months now, I have been blacklisting particular forged senders that match a pattern. The blacklisted category is quickly rising above all independent spam classifications, proving that my pattern matching is working. Many of the blacklisted spam messages are for counterfeit Viagra, illegal HGH, dubious male enhancement drugs, or pirated software.

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as a front-end screener to your POP email program (Outlook, Outlook Express, Microsoft Mail, Thunderbird, Eudora, etc).

Try Firetrust Mailwasher® Pro

I mentioned in this article that I use MailWasher Pro to screen and filter out spam before it is downloaded to Outlook Express (or your equivalent POP3 email client), and that it allows the use of special pattern matching of senders' addresses to blacklist them. I thought I would share the five main pattern matching blacklist filters with you. You can use them in MailWasher, if you have it, or on your web site's cPanel, in the account-wide email filters section, if you know how to use that feature. Here are the five "biggies" that typically block 26+% of all spam.

I set my blacklist to automatically delete, so I never see a message that is matched by these filters. If you choose to do the same you had better add all of your legitimate contacts to your Friends List, just in case.

My MailWasher Pro custom BlackList wildcard patterns for current forged senders of spam:

MailWasher BlackList code: _+@+.+
Regular Expression for mail server filter use: _.+@.+

MailWasher BlackList code: -+@+.+
Regular Expression for mail server filter use: -.+@.+

MailWasher BlackList code: dw+m@+.+
Regular Expression for mail server filter use: dw.+m@.+

MailWasher BlackList code: lin+met@+.de
Regular Expression for mail server filter use: lin.+met@.+\.de

MailWasher BlackList code: tequil*a+@+.com
Regular Expression for mail server filter use: tequil.*a.+@.+\.com

Here is my custom filter rule that matches senders with a forged domain name on both sides of the @ sign:

[enabled],[email protected],BlackList,0,AND,Delete,Automatic,EntireHeader,containsRE,"^Received: from.*@(([\w\d]*)\.\w{2,4}).*^From:.*<\w{2,}\2\w+?@\1"
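To see what the five sender patterns and the forged-domain header rule above actually catch, here is an added example in Python (not the author's code, and not MailWasher's own engine) that runs those exact regexes over constructed sample headers. It assumes that MailWasher's EntireHeader/containsRE test sees the whole header block as one string, which re.MULTILINE | re.DOTALL reproduces, and it also shows why the Friends List advice matters: a perfectly legitimate address like first_last@friend.test trips the underscore rule.

```python
import re

# The five "Regular Expression for mail server filter use" patterns quoted above.
SENDER_BLACKLIST = {
    "underscore": r"_.+@.+",
    "hyphen": r"-.+@.+",
    "dw..m": r"dw.+m@.+",
    "lin..met.de": r"lin.+met@.+\.de",
    "tequil*a.com": r"tequil.*a.+@.+\.com",
}

# The forged-domain rule quoted above. Group 2 is the domain label captured from
# the Received: line; it must reappear inside the From: local part, and the From:
# domain must begin with the full captured domain (group 1).
# Assumption: MailWasher evaluates containsRE against the whole header block, so
# MULTILINE (for the two ^ anchors) and DOTALL (so .* can cross line ends) are
# needed to reproduce that behaviour with Python's re module.
FORGED_DOMAIN_RE = re.compile(
    r"^Received: from.*@(([\w\d]*)\.\w{2,4}).*^From:.*<\w{2,}\2\w+?@\1",
    re.MULTILINE | re.DOTALL,
)

# Pulls the angle-bracketed address out of the From: header.
FROM_ADDRESS_RE = re.compile(r"^From:.*?<([^>]+)>", re.MULTILINE)


def matching_sender_rules(sender):
    """Names of the blacklist patterns that match one sender address."""
    return [name for name, pat in SENDER_BLACKLIST.items() if re.search(pat, sender)]


def is_forged_domain(header_block):
    """True when the header block trips the forged-domain rule."""
    return FORGED_DOMAIN_RE.search(header_block) is not None


def from_address(header_block):
    """Return the From: address, or '' when there is no angle-bracketed address."""
    m = FROM_ADDRESS_RE.search(header_block)
    return m.group(1) if m else ""


def classify(header_block):
    """Mirror the post's ordering: the BlackList rules run before everything else.
    Returns 'BlackList' on a hit, otherwise 'pass' (on to the other filters)."""
    if is_forged_domain(header_block) or matching_sender_rules(from_address(header_block)):
        return "BlackList"
    return "pass"


# Constructed sample headers; hosts and addresses are made up (reserved .test TLD).
# In FORGED the domain label "spamdom" from the Received: line is embedded in the
# From: local part "xyspamdomq", which is exactly what the rule looks for.
FORGED = (
    "Received: from unknown (HELO smtp.spamdom.test)"
    " (envelope-sender <owner@spamdom.test>) by mx.mine.test\n"
    'From: "Special Offer" <xyspamdomq@spamdom.test>\n'
    "Subject: your order\n"
)
LEGIT = (
    "Received: from mail.friend.test (mail.friend.test [192.0.2.20])"
    " by mx.mine.test for <me@mine.test>\n"
    'From: "Alice" <alice@friend.test>\n'
    "Subject: lunch?\n"
)

if __name__ == "__main__":
    for label, hdr in (("forged", FORGED), ("legit", LEGIT)):
        print(label, "->", classify(hdr), "| forged-domain rule:", is_forged_domain(hdr))
    # The underscore rule is broad: a real correspondent's address trips it too,
    # which is why the post tells you to add your contacts to the Friends List first.
    print("first_last@friend.test ->", matching_sender_rules("first_last@friend.test"))
```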

Learn more about MailWasher Pro, or Get MailWasher Pro here


February 23, 2008

Current Malware Threats In The Wild

Malware

Computer programs coded - or modified - to endanger your computer, or compromise its security, or make it part of a botnet, or display unwanted advertising pop-ups, or defraud you, or steal your log-in user names and passwords, or your identity.

Malware includes computer viruses, Trojans, backdoors, rootkits, spyware, adware, keyloggers, dialers and rogue (fake) anti-spyware and anti-virus programs.

All of the above mentioned malware types are threats to anybody running a Windows based operating system, especially when they are connected to the Internet. There are malware threats that are specifically targeted at other operating systems, like Macintosh and Linux, but they are less prevalent, mostly due to the smaller installed base of those operating systems. Some come to you over the wires, so to speak, via TCP/IP attacks against open "ports." A router between you and your external broadband modem can stop those attack vectors (unless you have poked holes in the router's firewall). However, no common router has the means of protecting you against malware threats that come in as you read email, or use your Internet browser. Unless you have an advanced router that receives regular updates to its malware detections, you will need to keep a software firewall running on your computer, to protect it against hostile incoming TCP threats.

Malware threats do not just come from the Internet. I got into computer troubleshooting before I was connected to the Internet, due to an infected floppy disk. Floppies are mostly gone nowadays, but there are still some CDs, DVDs and plug-in memory devices that are somehow infected before going to, or during, production. Then, you have certain music companies who knowingly put programs onto their CDs which install rootkits onto the computers of legitimate buyers, to prevent copying those CDs (DRM protection). This was done a couple of years ago by Sony-BMG. Those DRM rootkits were then exploited by cyber-criminals to install other, much more dangerous types of malware.

Every week or two there seems to be a new type of malware attack method discovered, as well as constant variations of existing methods of infection. This article will review the latest methods of delivering viruses, spyware, rootkits, backdoors, keyloggers and Trojans to your PC. All of the threats listed are already "in the wild." Most of them are being used to draft unprotected, or insufficiently secured, Windows PCs into botnets. Others are used to steal login information for website control panels, servers, banks, eBay, PayPal, or similar institutions. Then there are the pop-up ad windows that can render a computer unusable, and rogue anti-spyware programs that trick you into paying to remove the threats that the program itself invented, or installed. Your best defense against all of these threats is to keep a firewall running at all times, keep the most current version of anti-virus and anti-spyware programs working and updated, and keep fully current with Windows or Macintosh security patches and updates (yes, Apple releases security patches too).

The most prevalent malware threats, in the Wild, include the following (The Dirty Dozen):


  • Lunar eclipse video scam - link leads to Trojan and Botnetting if clicked

  • IRS rebates and refunds phishing scams - targets US citizens by mail or phone

  • Bank Of America phishing scam

  • Hillary Clinton video download scam - link downloads a Trojan if clicked

  • Britney Spears and Paris Hilton video scams - link downloads a Trojan if clicked

  • Storm Trojan numeric links in spam emails continue, but are reduced.

  • Thousands of compromised web servers are still allowing JavaScript redirection exploits to occur, leading to stealth download infection attacks on many visitors to the web sites hosted on those servers.

  • Compromised individual web sites have had hidden iframes installed, by criminal hackers, leading to instant infection of insufficiently secured PCs visiting those web sites.

  • Adobe Reader had a vulnerability that, if exploited, allowed complete computer takeover. Everybody using Adobe Reader or Acrobat should be sure they update to the latest, patched version. Use the program's Help menu to check for updates and install them.

  • Apple QuickTime exploits are in the wild. Make sure you update to the current version.

  • There are Java virtual machine exploits on compromised web pages. Make sure your computer has the latest version of Sun's Java.

  • Finally, rounding out the Dirty Dozen, certain brands of wired and wireless routers are being targeted with DNS redirect attacks. Simply opening a hostile spam email message sends code to the targeted router, which reprograms the router to send you to a phishing site imitating your bank, or other financial institution, when you try to log on to that institution. Router exploits that are in the wild were recently successful against millions of Mexican DSL routers, many of whose owners used the bank that the redirect was aimed at. All of these router attacks depended on the users not setting a personal Administrator password! Those with a password were not affected.


What you can do to protect your PC and your identity

If you have a Mac OS PC, make sure you check for updates at least once a month, or turn on automatic checking for security updates. Mac's "Finder" has a link to check for Apple Updates. If you have iTunes installed, it may need updates occasionally as well.

If you have a Windows PC, the quickest method you can use to check the security level is to visit the security website, Secunia.com, and run their online Secunia Software Inspector (requires Java). After you read the instructions and click on Start, a second page will load; click on Start on that page and it will scan your PC for vulnerable software in its database, and for missing Windows Updates. If the Software Inspector finds outdated versions of software it will highlight them with a red mark and expand their details to tell you what vulnerability exists. It will also provide a direct link to the applicable page where you can download the patched version. Sometimes, Secunia will locate an older version of Flash, or Java, that has been left behind after updating to the current version. It will show the locations of those still-vulnerable files, which you should manually delete, or uninstall (Control Panel > Add/Remove Programs).

To protect your router from code exploits, establish a unique Administrator password (do not use the word "password"), disable remote administration and turn off UPnP. If you have a wireless router, set up the best level of encryption your receiving computers can work with. Most broadband routers come with a firewall, with configurable rules and a means of "poking holes" in them. Make sure your router's firewall is turned on and do not allow any port holes unless they are necessary for your personal or business use (e.g. file sharing, VPN, remote desktop, FTP, etc.). Routers use "NAT" to hide your personal network computers from the public Internet. This makes them a less visible target for TCP/IP exploits.

Finally, if your PC shipped with a free trial version of a security program and it has expired, and you have not paid to renew it, you had better either pay for it, pay to upgrade it, or uninstall it and get a different security program. An expired anti-virus or anti-spyware program is totally useless and its only current effect is to eat up valuable system resources! There are many fine security programs available, both in retail stores and online. I have ads for several brands on this blog and on my other web pages, all of them reputable. However, I have my eye on one in particular that seems to be pulling ahead of the others, especially in the area of intercepting web site borne malware threats. That company is Trend Micro. They have a technology, included in Trend Micro Internet Security 2008 (also known as "PC-cillin"), that analyzes the content of web pages you visit, screening them for either known hostile code or potentially hostile embedded exploits, based on heuristics. If such code is discovered, Trend Micro's web threat protection will block the harmful content while allowing safe content to be delivered. Or, it can block the entire web site from downloading anything, if you prefer. This type of defense is invaluable when you consider that much of today's malware is being delivered through website exploits and hidden redirects.

The Trend Micro Security Suite 2008 also comes with a two-way firewall, anti-virus, anti-spyware and anti-phishing protection, with multiple daily automatic updates, all for a reasonable subscription price and allowing you to protect up to three PCs under one license. Get 10% Off a 1 year subscription to Trend Micro Internet Security 2008, using Coupon Code: TrendIS08.


February 21, 2008

Spybot Search & Destroy Malware Definitions Updated on February 20, 2008

If you arrived here by searching for the name of some malware that may be on your computer and you are not currently using Spybot Search and Destroy, you can download the latest version from the Spybot Search and Destroy Multi-Lingual Landing Page. Choose your language, then use the link in the left sidebar to go to the downloads page. Download the program from your closest mirror server, install it, update it (Updates button), then follow the instructions below to detect and remove any malware that is on your PC.

If you already are using "Spybot Search and Destroy" and haven't updated it this week, be aware that updates to the definition files were released on Wednesday, this week, as listed below. Spyware and other classes of malicious programs are altered constantly to avoid detection by anti-spyware programs. Since Spybot S&D updates are only released on a weekly schedule (on Wednesdays) it is imperative that you make it a point to check for and download updates every week, preferably on Wednesday evenings. After downloading all available updates (from the best responding download server in the list of server locations), immunize*, then scan for and remove any detected malware. If Spybot is unable to remove an active threat it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.

If you see a program listed in the detections below, by name, you should assume that it is malware (with the possible exception of the PUP group, which is up to user discretion). All of the programs listed with a + sign are additions, or updated detections, with multiple additions indicated by a number in parentheses or a double ++ in front of its name. These programs are dangerous to your computer, and/or personal security or privacy.

* After updating your Spybot S&D definitions, if they include new "immunization" definitions you need to click on the "Immunize" button, then, if the status line tells you that additional immunizations are possible, click on the Immunize link, near the top of the program. It has a green + sign in a button. If you don't do this the new immunizations against hostile ActiveX programs will not be applied. After immunizing with any new detections, run a scan for malware by clicking on the "Spybot Search & Destroy" button, on the left panel, then on the button with the magnifying glass icon, labeled: "Check For Problems."

Spybot Updates - published every Wednesday

Additions made on Feb 20, 2008 (and false positive removals):

Keyloggers (Keyloggers steal your logins and passwords)
+ Goldeneye
++ SolidKeylogger
++ WinKey.StealthKeylogger

Malware
+ PWS.OnLineGames
+ Win32.BHO.je
+ Win32.Renos

Trojans
+ Hupigon
+ IE-Improver
+ Smitfraud-C.MSVPS
+ Virtumonde.generic
++ Win32.Agent.dlo
+ Win32.Delf.s
+ Win32.PolyCrypt.d
+ Win32.VNC.a
+ Zlob.Downloader
+ Zlob.Downloader.se
+ Zlob.Downloader.vdt
+ Zlob.Downloader.xot

Total: 530848 fingerprints in 116890 rules for 3632 products.

Spybot Search & Destroy version 1.5.2, the latest release, is compatible with Windows Vista and features a nicer interface and sports a separate updater window and application. If you are still using version 1.4 I recommend that you update to 1.5.x, using the company links below.

English Language Company Links:
Spybot Search and Destroy English Home Page
Spybot Search and Destroy (Multi-Lingual Landing Page. Choose your language).
Spybot Search and Destroy Download page - Program and definition updates. You can download the latest version of Spybot S&D plus definition and tool updates here for inclusion later on.
Full tutorial about using and setting up Spybot Search and Destroy
Spybot Search and Destroy Update History

See all security program update notices in this category

A consequence of acquiring many of the parasites, keyloggers, hijackers and downloaders is that their files and startup settings are usually saved to your hidden System Restore folder, from where they are automatically restored upon rebooting the computer. To completely remove these threats, and others, you should disable System Restore, then reboot, then clean all threats, then re-start System Restore, setting a new Restore Point on a clean machine. Many people overlook this and are constantly reinfected after removing threats. There are few, if any, security programs that can clean or remove infected files that are backed up in your protected System Restore directory.

To disable System Restore, go to My Computer and right-click on its icon. From the flyout options select Properties. In the "System Properties" dialog select the "System Restore" tab. There you will find a checkbox labeled "Turn off System Restore." Check it, then click Apply and wait while the System Restore files are deleted (this takes some time). After the deletions are finished, click OK to close the Properties box, then reboot.

When you have thoroughly removed all infections follow the same procedure as above, unchecking the box that turned off System Restore.

In the event that Spybot mistakenly removes a file(s) due to a faulty detection update (a.k.a False Positive), you can restore it from the program itself. Just click on the "Recovery" button, that looks like a first aid kit, with a red cross in it, then locate the item(s) you wish to restore. Click on the select box(es) on the left of the detection name(s), to place a check mark in it/them, then click on "Recover selected items." The files, and/or registry entries will be replaced, from where they were deleted. The Spybot forums have discussions about false positives here.

For those of you who have not yet used Spybot Search and Destroy, if you were wondering if it "plays nice" with other anti-spyware programs, it most certainly does! I have used Spybot S&D since its inception, along with various other free and commercial security programs, and it has never caused any problems on my, or my customers', computers.

Spybot Search and Destroy has a Malware Removal Forum where trained volunteers can help you with spyware removal problems.


February 17, 2008

My Spam analysis for February 11 - 17, 2008

This article is about current email spam categories and percentages, based on rule sets created for and reported by the anti spam tool - MailWasher Pro.

I use MailWasher Pro to screen all of my various incoming POP email accounts, and for which I write my own custom spam filter rules. I give each rule a unique name so I can track the different types of spam I am deleting and reporting. The program has an interesting incoming email statistics window, that includes a pie chart breakdown of the various types of spam that are recognized and dealt with by the software. I thought I would start sharing my spam pie chart results with you all. This is the first installment, which I will try to update during, or at the end of the week. I post a new report each week, running from Monday through Sunday.

My analysis of this week's spam shows that fraudulent pharmaceuticals, mostly Viagra and male enhancement pills, dominated all spam categories. Most of the spam emails for pharmaceuticals have links to websites hosted in China, where fake and counterfeit drugs are produced. Foremost among these are fake pharmacy websites, like the so-called "Canadian Pharmacy," which is not in Canada at all (it's in China and Indo-China), nor, despite the presence of fake accreditation logos, are they approved to sell pharmaceuticals in the US or Canada. Most of the fraudulent "Canadian Pharmacy" web pages are now hosted on compromised home or office PCs that are unknowingly members of various spam botnets. The only rational explanation for the continued existence of these fake pharmacies must be that there are enough gullible people in the world who will purchase enough drugs from links in spam emails to make it financially worthwhile for spammers to pay to rent botnets to send this crap. Considering the fact that most of these pharmaceuticals are fake, or contaminated, one has to wonder how many people get sick, or die, because they foolishly bought spamvertised, counterfeit medicine from fraudulent online pharmacies.

Due to my ongoing procedures I have merged some filters to simplify the reporting process, so the categories shown below may differ from the previous weeks' results. I have also created a special sender recognition filter that, when matched, assigns the status "BlackList" to those spam messages. Because my blacklist rule is processed first, a large share of spam never reaches the category filters at all. This saves the processing power that my custom filters would otherwise spend on those messages.

My current statistics show that spam is now 55% of all my incoming email, for the week of February 11 through 17, 2008. This is up 1% from last week. Without my custom MailWasher Pro filters identifying and automatically deleting most of this onslaught of spam, email would be essentially useless for me (if I had to sort out the spam manually). Thanks to those custom filters, which I work hard to keep updated, I only have to manually delete a handful of spam messages on a daily basis (which I then classify into filters). The machines sending this deluge of spam are all members of botnets, with spam relays and remote command and control software surreptitiously installed, mostly by the Storm Worm or related Trojans. I see many identical spam messages in my statistics (sorted by subject), but sent from different places in the world, all with forged sender names, confirming that this is a world-wide Spam-demic.

MailWasher Pro spam category breakdown for February 11 through 17, 2008.
MailWasher Pro by Firetrust
Blacklisted (by pattern matching): 26.27%
Male enhancement spam: 16.10%
Viagra and Viagra.com: 19.48%
Other Pharmaceutical spam: 11.02%
Other filters: 13.56%
Counterfeit Watches and Shoes: 6.77%
X-Mailer: The Bat!: 6.36%
HTML Tricks: 0.42%

These spam categories and their relative percentages shift a bit each week, as the BotMasters send new spam scripts to the zombie computers under their control. I will try to keep the percentages updated and merge miscellaneous categories as I am able to identify what they were spamvertising. Also, for over two months now, I have been blacklisting particular forged senders that match a pattern. The blacklisted category is quickly rising above all independent spam classifications, proving that my pattern matching is working. Many of the blacklisted spam messages are for counterfeit Viagra, illegal HGH, dubious male enhancement drugs, or pirated software.

If you are reading this and wondering what you can do to reduce the huge volumes of spam that must be overwhelming your POP client inbox, I recommend MailWasher Pro (with my downloadable custom filters) as a front-end screener for your POP email program (Outlook, Outlook Express, Windows Mail, Thunderbird, Eudora, etc.).

Try Firetrust Mailwasher® Pro

February 15, 2008

Spybot Search & Destroy Malware Definitions Updated on February 13, 2008

Spybot Updates - published every Wednesday

Additions made on Feb 13, 2008 (and false positive removals):

Dialer
+ Maxadult

Keyloggers (Keyloggers steal your logins and passwords)
+ Ardamax
+ HellzLittleSpy
+ SpyLantern

Malware
+ Clickspring.Outerinfo
+ ErrorSweeper
+ Win32.Alphabet.ap


Spyware
+ SpyMail

Trojans
+ Hupigon
+ QQ-Pass
+ Smitfraud-C.MSVPS
+ Tibiabot.pk
+ Win32.Bifrose.LA
+ Win32.Delf.aoa
+ Win32.Delf.dch
+ Win32.Expiro
+ Win32.RJump.c
+ Win32.Small.azl
+ Win32.Sohanad.t
+ Zlob.Downloader.se

Total: 526414 fingerprints in 113946 rules for 3611 products.

Spybot Search & Destroy version 1.5.2, the latest release, is compatible with Windows Vista and features a nicer interface and sports a separate updater window and application. If you are still using version 1.4 I recommend that you update to 1.5.x, using the company links below.

English Language Company Links:
Spybot Search and Destroy English Home Page
Spybot Search and Destroy (Multi-Lingual Landing Page. Choose your language).
Spybot Search and Destroy Download page - Program and definition updates. You can download the latest version of Spybot S&D plus definition and tool updates here for inclusion later on.
Full tutorial about using and setting up Spybot Search and Destroy
Spybot Search and Destroy Update History

See all security program update notices in this category

A consequence of acquiring many of these parasites, keyloggers, hijackers and downloaders is that copies of their files and startup settings usually end up in the hidden System Restore folder (System Volume Information), which Windows protects from other programs. If you later roll back to a restore point taken while the machine was infected, the malware comes right back, and there are few, if any, security programs that can clean or remove infected files inside that protected folder. To completely remove these threats, disable System Restore (which purges all existing restore points), reboot, clean all threats, then turn System Restore back on and set a new restore point on the clean machine. Many people overlook this and get reinfected after removing threats.

To disable System Restore on Windows XP, right-click the My Computer icon and select Properties from the context menu. In the "System Properties" dialog select the "System Restore" tab, check the box labeled "Turn off System Restore," then click Apply and wait while the existing restore points are deleted (this takes some time). When the deletion has finished, click OK to close the dialog, then reboot. (On Windows Vista the equivalent setting is on the "System Protection" tab of the same dialog.)

When you have thoroughly removed all infections follow the same procedure as above, unchecking the box that turned off System Restore.

In the event that Spybot mistakenly removes a file due to a faulty detection update (a.k.a. a false positive), you can restore it from the program itself. Click the "Recovery" button, which looks like a first aid kit with a red cross on it, then locate the item(s) you wish to restore. Tick the select box to the left of each detection name, then click "Recover selected items." The files and/or registry entries will be put back where they were deleted from. The Spybot forums have discussions about false positives here.

For those of you who have not yet used Spybot Search and Destroy, if you were wondering whether it "plays nice" with other anti-spyware programs, it most certainly does! I have used Spybot S&D since its inception, along with various other free and commercial security programs, and it has never caused any problems on my, or my customers', computers.

Spybot Search and Destroy has a Malware Removal Forum where trained volunteers can help you with spyware removal problems.

February 10, 2008

My Spam analysis for February 4 - 10, 2008

This article is about current email spam categories and percentages, based on rule sets created for and reported by the anti spam tool - MailWasher Pro.

I use MailWasher Pro to screen all of my incoming POP email accounts, and I write my own custom spam filter rules for it. I give each rule a unique name so I can track the different types of spam I am deleting and reporting. The program has an interesting incoming email statistics window that includes a pie chart breakdown of the various types of spam recognized and dealt with by the software, and I am sharing my weekly pie chart results here. I post a new report each week, running from Monday through Sunday.

My analysis of this week's spam shows that various pharmaceuticals, including illicit prescription drugs, male and female enhancement pills and weight loss capsules, lead the pack again (no surprise here). All of them have links to websites hosted in China, where the counterfeit drugs are produced, or Korea. Foremost among these are fake pharmacy websites, like the so called "CanadianPharmacy," which is not in Canada at all (it is in China and Indo-China), and whose drugs are definitely not FDA approved. Most of the "CanadianPharmacy" web pages are now hosted on compromised home PCs that are unknowingly members of various spam botnets. One has to wonder how many people are dying, or ending up in emergency rooms every day, because they foolishly bought spamvertised, counterfeit, or contaminated medicine.

The Storm Botnet is actively spamming emails proclaiming love messages, getting an early start on the upcoming Valentine's Day greetings season. They all contain a short "love" message and (numeric) links to Storm Trojan infected computers. People who are tricked into clicking on those links will in all likelihood have their PCs drafted into the Storm Botnet. If past history tells us anything it is that the links will not always be numeric, for Storm Trojan spam messages. Just beware of any short email from unknown (or even known) senders, containing a brief (usually one line) message, with just a link that is either numeric, or has a word related to "love" or "Valentine" in the link.

As part of my ongoing filter maintenance I have merged some filters to simplify the reporting process, so the categories shown below may differ from previous weeks' results. I have also created a special filter rule that, when matched, assigns the status "BlackList" to the message. Because this blacklist rule is processed first, a lot of spam never reaches the category filters at all, which saves the processing power my custom filters would otherwise spend on it.

My current statistics show that spam is now 54% of all my incoming email, for the week of February 4 through 10, 2008. This is down 2% from last week. Without my MailWasher Pro filters identifying and automatically deleting most of this onslaught of spam, email would be essentially useless for me (if I had to sort out the spam manually). Thanks to those custom filters, which I work hard to keep updated, I only have to manually delete a handful of spam messages a day (which I then classify into filters). The machines sending this deluge of spam are all members of botnets, with spam relays and remote command and control software surreptitiously installed, mostly by the Storm Worm Trojan. I see many identical spam messages in my statistics (sorted by subject), but sent from different places in the world, all with forged sender names, confirming that this is a worldwide "spam-demic".

MailWasher Pro spam category breakdown for February 4 through 10, 2008.
MailWasher Pro by Firetrust
Blacklisted (by pattern matching): 25.54%
Male enhancement spam: 10.79%
Viagra and Viagra.com: 32.74%
Other Pharmaceutical spam: 3.96%
Other filters: 18.35%
Pirated software spam: 3.60%
Numeric links (to Storm Botnet hosts): 0% (5 hits)
Counterfeit Watches spam: 0%
HTML Tricks: 2.88%
Known Spam Subjects: 2.16%

These spam categories and their relative percentages will probably shift a bit each week, as the BotMasters send new spam scripts to the zombie computers under their control. I will try to keep the percentages updated and merge miscellaneous categories as I am able to identify what they were spamvertising. Also, for over a month now, I have been blacklisting particular forged senders that match a pattern. The blacklisted category is quickly rising above all independent spam classifications, proving that my pattern matching is working. Many of the blacklisted spam messages are for illicit Viagra, or male enhancement drugs.
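The blacklist-first ordering described above, and the category percentages in these weekly breakdowns, can be reproduced with a small first-match rule pipeline. The following is an added example written for this page; it is not MailWasher Pro's code or filter syntax, and the forged-sender pattern, the keyword lists and the sample messages are constructed assumptions.

```python
"""First-match spam rule pipeline with per-rule statistics.

Added example, not MailWasher Pro's code or its filter syntax. It assumes,
as the post describes, that filters are evaluated in order and a message is
counted under the first rule that matches, so a "BlackList" rule placed
first swallows spam that later rules would otherwise have categorized. The
sender pattern, keyword lists and sample messages are constructed.
"""
import re
from collections import Counter

# Assumed forged-sender pattern: a first name followed by several digits in
# the local part, e.g. ashley7381@... (not the post author's actual pattern).
BLACKLIST_SENDER = re.compile(r"<?[a-z]+\d{3,}@", re.I)
VIAGRA = re.compile(r"\bv[i1!|]+[a@]gra\b|viagra\.com", re.I)
MALE_ENHANCEMENT = re.compile(r"male enhancement|enlarge|penis|add inches", re.I)
PHARMA = re.compile(r"pharmacy|c[i1]alis|xanax|valium|\bhgh\b|prescription", re.I)
WATCHES = re.compile(r"rolex|replica|breitling", re.I)
# Invisible text, tiny fonts, or empty tags splitting a word (Vi<b></b>agra).
HTML_TRICKS = re.compile(
    r'display\s*:\s*none|font-size\s*:\s*0|<font[^>]*size="?[01]"?|\w<[^>]+></[^>]+>\w',
    re.I)


def _text(msg):
    return msg["subject"] + "\n" + msg["body"]


# Ordered rules: (category name, predicate). Order matters: first match wins.
RULES = [
    ("BlackList", lambda m: bool(BLACKLIST_SENDER.search(m["from"]))),
    ("Viagra and Viagra.com", lambda m: bool(VIAGRA.search(_text(m)))),
    ("Male enhancement spam", lambda m: bool(MALE_ENHANCEMENT.search(_text(m)))),
    ("Other Pharmaceutical spam", lambda m: bool(PHARMA.search(_text(m)))),
    ("Counterfeit Watches spam", lambda m: bool(WATCHES.search(_text(m)))),
    ("X-Mailer: The Bat!", lambda m: m["x_mailer"].startswith("The Bat!")),
    ("HTML Tricks", lambda m: bool(HTML_TRICKS.search(m["body"]))),
]


def classify(msg, rules=RULES):
    """Return the category of the first matching rule, or None if no rule
    fires (in MailWasher that remainder would fall through to the DNS
    blacklists and the learning filter)."""
    for name, matches in rules:
        if matches(msg):
            return name
    return None


def breakdown(messages, rules=RULES):
    """Spam as a percentage of all mail, and each rule's share of the spam."""
    verdicts = [classify(m, rules) for m in messages]
    spam = [v for v in verdicts if v is not None]
    if not spam:
        return 0.0, {}
    counts = Counter(spam)
    per_rule = {name: round(100.0 * counts[name] / len(spam), 2) for name, _ in rules}
    spam_percent = round(100.0 * len(spam) / len(messages), 1)
    return spam_percent, per_rule


# Constructed sample messages (not captured spam).
SAMPLE_MESSAGES = [
    # Hits the sender blacklist AND the Viagra rule; counted under BlackList.
    {"from": "Ashley <ashley7381@example.net>", "subject": "hi", "x_mailer": "",
     "body": "Genuine VIAGRA at 80% off http://pharm.example/"},
    {"from": "Ann <ann@example.org>", "subject": "Cheap V1agra and C1alis",
     "x_mailer": "", "body": "order now"},
    {"from": "Dr. Smith <smith@example.com>", "subject": "Natural male enhancement",
     "x_mailer": "", "body": "add inches in weeks"},
    {"from": "CanadianPharmacy <sales@example.biz>", "subject": "Your prescription",
     "x_mailer": "", "body": "Licensed Canadian pharmacy, no prescription needed"},
    {"from": "Rolex Deals <deals@example.biz>", "subject": "Replica Rolex watches",
     "x_mailer": "", "body": "swiss replica"},
    {"from": "Bob <bob@example.net>", "subject": "hello",
     "x_mailer": "The Bat! (v3.99.3) Professional", "body": "check this out"},
    {"from": "Eve <eve@example.org>", "subject": "news", "x_mailer": "",
     "body": 'Best <span style="display:none">xyz</span>offer, click now'},
    # Two legitimate messages.
    {"from": "Carol <carol@example.com>", "subject": "Lunch Friday?",
     "x_mailer": "Thunderbird 2.0.0.9", "body": "Are we still on for lunch?"},
    {"from": "Alice <alice@example.edu>", "subject": "Meeting minutes",
     "x_mailer": "", "body": "Attached are the minutes from Tuesday."},
]

if __name__ == "__main__":
    spam_percent, per_rule = breakdown(SAMPLE_MESSAGES)
    print(f"Spam: {spam_percent}% of all mail")
    for name, pct in sorted(per_rule.items(), key=lambda kv: -kv[1]):
        print(f"{name}: {pct:.2f}%")
    # With the BlackList rule disabled, the first message lands in Viagra.
    print(classify(SAMPLE_MESSAGES[0], RULES[1:]))
```

Run it and the first message is counted under BlackList even though it also mentions Viagra; pass RULES[1:] to classify() and the same message moves to the Viagra category. That is exactly why the blacklist share grows at the expense of the other categories as the sender pattern is tuned, and why the per-category numbers are only comparable week to week if the rule order stays the same.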

If you are reading this and wondering what you can do to reduce the huge volumes of spam that must be overwhelming your POP client inbox, I recommend MailWasher Pro (with my downloadable custom filters) as a front-end screener for your POP email program (Outlook, Outlook Express, Windows Mail, Thunderbird, Eudora, etc.).

Regarding my custom MailWasher Pro spam filters; due to my continuing work of refining these filter rules, their accuracy has increased to the point that less than 2% of the spam detections flew under my radar and were classified as DNS Blacklists, for this reporting period (ditto for the learning filter). All other spam was classified and dealt with by my custom filters.

Try Firetrust Mailwasher® Pro

February 8, 2008

Mozilla Releases Firefox Browser 2.0.0.12 Security Update

On February 7, 2008, Mozilla.org released the newest update to the renowned Firefox browser, version 2.0.0.12. This is primarily a security release, fixing ten major issues, nine of which deal with security vulnerabilities. If you allow Firefox to check for updates automatically you should get yours sometime on Feb 8, 2008, in a little pop-up notice. Otherwise, if you are in a hurry to upgrade now, open Firefox 2.x and click the menu item Help >> Check for Updates. A dialog appears, checks for updates, then displays a notice that a new version, 2.0.0.12, is available. You can download just the minimum required files and upgrade on the spot. After the files are downloaded to a temporary directory the installer asks for permission to restart Firefox, which should only take about 30 seconds or so. You can confirm that you have the new version via the menu item Help >> About Mozilla Firefox.

Firefox is also available for manual download and installation from the main Firefox product page. Just download it and install it over the previous version. It will keep all of your bookmarks and history, and your add-ons, if they are still compatible with the new release and its security fixes. Rest assured that most add-ons get updated shortly after their authors learn they have stopped working in a new security release or major build upgrade.

If you prefer to use a version of Firefox in a language other than English, there is a link in the lower right area of the Download page, where you can select your desired language. There are currently 44 different language versions of Firefox available. They are all available for Windows, Mac OSX and Linux operating systems.

What's New in Firefox 2.0.0.12?

Fixed in Firefox 2.0.0.12
MFSA 2008-11 - Web forgery overwrite with div overlay
MFSA 2008-10 - URL token stealing via stylesheet redirect
MFSA 2008-09 - Mishandling of locally-saved plain text files
MFSA 2008-08 - File action dialog tampering
MFSA 2008-06 - Web browsing history and forward navigation stealing
MFSA 2008-05 - Directory traversal via chrome: URI
MFSA 2008-04 - Stored password corruption
MFSA 2008-03 - Privilege escalation, XSS, Remote Code Execution
MFSA 2008-02 - Multiple file input focus stealing vulnerabilities
MFSA 2008-01 - Crashes with evidence of memory corruption (rv:1.8.1.12)

If you are not already using Firefox and wonder why you should switch, I'd say that security is reason number 1, as Firefox simply does not run or interpret any of the ActiveX Controls that are used in Internet Explorer. Most, but not all, hostile take-overs of Internet Explorer occur via ActiveX exploits. When a new security vulnerability is found in the Wild, for Firefox, the developers usually come out with a patched version in a matter of days. Internet Explorer users usually have to wait a month for patches, which come with your monthly Patch Tuesday Windows Updates. Which reminds me to remind you; Windows Updates are coming next Tuesday, February 12. There will be 12 security updates, including one for Internet Explorer.

Note: if you use a software firewall that monitors programs for changes, as ZoneAlarm does, you will need to re-approve the changed Firefox executable before it can access the Internet again. The same will apply to Internet Explorer next Tuesday. This happens because patching to a new version changes the executable's size and checksum (hash), which is how the firewall recognizes a program. Just tell your firewall that the change is allowed and have it remember your decision.

February 6, 2008

Spybot Search & Destroy Malware Definitions Updated on February 6, 2008

Spybot Updates - published every Wednesday

Additions made on Feb 6, 2008:

Keyloggers (Keyloggers steal your logins and passwords)
+ Ardamax
+ Elite Keylogger
+ Perfect Keylogger

Malware
+ AdvancedCleaner
+ Fraud.XPAntivirus
+ Smitfraud-C.
+ Win32.Agent.oh
+ Win32.Renos

Trojans (6 new Zlob variants)
+ CoolWWWSearch.SearchToolbar (They're baaack!)
+ Firehole
+ Hupigon
+ MalwareAlarm
+ Smitfraud-C.MSVPS
+ Zlob.Downloader.eaw
+ Zlob.Downloader.gen
+ Zlob.Downloader.oid
+ Zlob.Downloader.se
+ Zlob.Downloader.tnd
+ Zlob.Downloader.vdt
+ Win32.Agent.aga
+ Win32.Agent.bid
+ Win32.Agent.ea
+ Win32.Bandok.av
+ Win32.Delf.dsf
+ Win32.Delf.zq
+ Win32.Harnig.bn
+ Win32.Lineage.bus
+ Win32.Small.ih

Total: 525864 fingerprints in 113680 rules for 3602 products.

February 3, 2008

Storm Botnet Zombie computers now hosting spam web pages

I analyze the sources and destinations of the various types of spam I capture in my honeypot accounts, and I've begun seeing numeric IP links in spam for fake pharmacies. The numeric links point to Windows PCs that are zombie members of the Storm Trojan botnet, infected because they did not have all available patches installed or good, up-to-date security programs. Unknown to their owners, these compromised computers are hosting web pages advertising fake pharmacies, counterfeit drugs and male/female enhancement products.

As my regular readers already know, virtually all numeric links in spam messages are the IP addresses assigned to the modems of residential or business customers of DSL and cable Internet companies. The people who think they own these computers are not aware that a criminal botmaster now owns them, having herded millions of insecure PCs into his network, called a botnet. Most of the numeric links in spam messages are sent by computers in the "Storm" botnet, the world's largest at this time. Each of these computers acts like a "sleeper agent," behaving normally until the botmaster sends it a remote command: to send spam, to launch a denial of service attack, or to receive a web page and file that it will host, to infect curious web surfers enticed there by cleverly worded spam messages.
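The numeric-link indicator above, and the "short love note plus a link" Valentine bait described in the February 10 report, can be checked mechanically. The following added example is not the author's tooling and its sample bodies are constructed; it also goes a step further than the post by normalising the decimal, hex and octal single-integer spellings of an IPv4 address that browsers accept, since a filter that only looks for dotted quads misses those.

```python
"""Finding numeric-IP links in spam and normalising the address forms.

Added example, not the post author's tooling. It pulls the links out of a
message body, reports which ones point at a bare IP address instead of a
domain name, and applies the post's "short love note plus a link" heuristic.
Besides dotted-decimal hosts it also recognises the single-integer decimal,
hex (0x...) and octal (0...) spellings of an IPv4 address that browsers
accept. Sample bodies and the word threshold are constructed.
"""
import ipaddress
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"""(?:https?://|www\.)[^\s<>"']+""", re.I)
LOVE_WORDS = re.compile(r"love|valentine|kiss|heart|romance", re.I)
MAX_WORDS = 8  # assumed: Storm lures were one short line plus a link


def numeric_host(host):
    """If `host` is an IPv4 address written as a number in any browser-accepted
    form, return it in dotted-decimal form; otherwise return None."""
    try:
        return str(ipaddress.IPv4Address(host))  # plain dotted quad
    except ipaddress.AddressValueError:
        pass
    if re.fullmatch(r"0x[0-9a-f]+", host, re.I):
        value = int(host, 16)
    elif re.fullmatch(r"0[0-7]+", host):
        value = int(host, 8)
    elif host.isdigit():
        value = int(host)
    else:
        return None
    if value > 0xFFFFFFFF:  # too big for IPv4; not a usable address
        return None
    return str(ipaddress.IPv4Address(value))


def extract_links(body):
    """Return (url, host) pairs for every http(s):// or www. link in the text."""
    links = []
    for raw in URL_RE.findall(body):
        url = raw.rstrip(".,;:)")  # trailing punctuation is not part of the link
        if not url.lower().startswith(("http://", "https://")):
            url = "http://" + url
        links.append((url, urlsplit(url).hostname or ""))
    return links


def numeric_links(body):
    """Links whose host is an IP literal: (url, dotted address, is_global).
    A link into a private or reserved range cannot be a real spam host; a
    global address is the one to look up in whois or reverse DNS."""
    found = []
    for url, host in extract_links(body):
        ip = numeric_host(host)
        if ip is not None:
            found.append((url, ip, ipaddress.IPv4Address(ip).is_global))
    return found


def looks_like_storm_bait(body):
    """The pattern the post describes: a very short message whose only real
    content is a link, and the link is either a bare IP or 'love' bait."""
    links = extract_links(body)
    if not links:
        return False
    words = URL_RE.sub("", body).split()
    if len(words) > MAX_WORDS:
        return False
    return (any(numeric_host(host) is not None for _, host in links)
            or any(LOVE_WORDS.search(url) for url, _ in links))


# Constructed sample bodies; the address 85.24.132.17 is arbitrary and is
# spelled four ways below (dotted, decimal, hex, octal).
SAMPLE_BODIES = [
    "i love you http://85.24.132.17/",
    "can't wait to see you http://1427670033/",
    "for you http://0x55188411/",
    "http://012506102021/",
    "Click for a Valentine surprise www.valentine-cards.example/love.html",
    "Meeting notes are posted at http://intranet.example.com/notes/2008-02-03.html, "
    "please review them before Tuesday.",
]

if __name__ == "__main__":
    for body in SAMPLE_BODIES:
        print(looks_like_storm_bait(body), numeric_links(body), repr(body))
```

Whether an address belongs to a residential DSL or cable range, as the post says most of them do, is a whois or reverse-DNS question that this code deliberately leaves offline; the is_global flag only rules out private and reserved ranges, which no spam host can use.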

We are 11 days away from this year's Valentine's Day celebration, and the Storm Botnet is already busy generating love messages to sucker as many people as possible, into infecting their own computers by following links in spam messages sent from other Storm Botnet zombie computers. Now, you also have them using pharmaceuticals and male enhancement as bait. The authors of these messages, while being 100% criminals, are nonetheless brilliant at social engineering. They jump on major news stories to rewrite scripts that their zombie computers will use to send spam runs, with current topics in the subject or body, all linking to infected computers that attempt to spread this Trojan to every sucker that is sent to them. Don't be one of those suckers!

I discuss how the Storm Trojan uses hidden rootkit technology to hide its presence from the computer owners, in my extended comments.

If you are using a Windows computer with an administrator-level account, you are exposed to all manner of malware threats. Most malware needs administrator privileges to install its components properly into the operating system (system folders, services, drivers and machine-wide startup entries). Users who are smart about these matters have learned to operate as Limited, Standard or Power Users, as Windows Vista customers do by default. These less-privileged account types sometimes require extra steps even to install an update to some programs. I operate as a Power User and have to jump through hoops sometimes, but it is well worth the protection this offers me against drive-by downloads, or threats embedded in hijacked web pages or servers. Running with reduced privileges also protects against "rootkits," which need driver-loading rights to hook the kernel. One caveat: on Windows XP the Power Users group retains enough rights (for instance, writing to Program Files and to the machine-wide Run keys) that it is not a true least-privilege account; a Limited user is safer.

Rootkits are programs and services that hide their existence by hooking the operating system itself, filtering the file, registry and process listings the system returns so that their own components never show up. Some tricks can reveal them, such as trying to create a file or folder with a name the rootkit is hiding (if Windows reports that the name already exists, something is there), but that won't always work against the newest variants of these stealthy applications. Rooting out rootkits takes big guns.

The current version of the Storm Trojan hides its presence by employing rootkit technology. The criminal botmaster who planted it on your computer doesn't want you to know that it is there; he is making lots of money by exploiting your PC. This type of infection is difficult to detect by normal anti-virus methods and requires advanced anti-rootkit applications with special detection engines. Most of the top anti-virus and anti-spyware programs have recently been updated to ferret out rootkits, but they require constant online updates to know about the latest changes to those hidden applications. If you have a security program that is capable of detecting and removing rootkits but haven't updated it in a month, do that right now, then scan for any malware you may have inadvertently picked up. If your security program is more than six months old it may not be able to detect such a threat at all.

Here are some links to reputable companies that have security products capable of detecting rootkits.

My Spam analysis for January 28 - February 3, 2008

I use MailWasher Pro to screen all of my various incoming POP email accounts, and for which I write my own custom spam filter rules. I give each rule a unique name so I can track the different types of spam I am deleting and reporting. The program has an interesting incoming email statistics window, that includes a pie chart breakdown of the various types of spam that are recognized and dealt with by the software. I thought I would start sharing my spam pie chart results with you all. This is the first installment, which I will try to update during, or at the end of the week. I post a new report each week, running from Monday through Sunday.

My analysis of this week's spam shows that various pharmaceuticals, including illicit prescription drugs, male and female enhancement pills and weight loss capsules lead the pack, again (no surprise here). All of them have links to websites hosted in China, where the counterfeit drugs are produced, or Korea. One has to wonder how many people are dying, or ending up in emergency rooms every day, because they foolishly bought spamvertised, counterfeit, or contaminated medicine?

My current statistics show that spam is now 56% of all my incoming email, for the week of January 28 through February 3, 2008. This is down 4% from last week. Without my MailWasher Pro filters identifying and automatically deleting most of this onslaught of spam, email would be essentially useless for me (if I had to sort out the spam manually). Thanks to those custom filters, which I work hard to keep updated, I only have to manually delete a handful of spam messages a day (which I then classify into filters). The machines sending this deluge of spam are all members of botnets, with spam relays and remote command and control software surreptitiously installed, mostly by the Storm Worm Trojan. I see many identical spam messages in my statistics (sorted by subject), but sent from different places in the world, all with forged sender names, confirming that this is a worldwide "spam-demic".

MailWasher Pro spam category breakdown for January 28, through February 3, 2008.
MailWasher Pro by Firetrust
Blacklisted (by pattern matching): 23.77%
Male enhancement spam: 21.97%
Viagra and Viagra.com: 23.32%
Pharmaceutical spam: 10.76%
Other filters: 14.35%
Pirated software spam: 1.79%
Numeric links (to Storm Botnet hosts): 4.48% (3)
Counterfeit Watches spam: 0% (2 hits)
HTML Tricks: 5.83%
Known Spam Subjects: 1.79%

These spam categories and their relative percentages will probably shift a bit each week, as the BotMasters send new spam scripts to the zombie computers under their control. I will try to keep the percentages updated and merge miscellaneous categories as I am able to identify what they were spamvertising. Also, beginning this week, I have begun blacklisting particular forged senders that match a pattern. The blacklisted category is quickly rising above all independent spam classifications, proving that my pattern matching is working.
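As an added illustration (not the author's MailWasher Pro filters, whose rule syntax is not shown on this page), here is a small Python model of the pipeline described above: a forged-sender blacklist evaluated first so that matches skip the heavier category filters, a detector for the one-line numeric-or-love-link Storm lures, and a per-category percentage breakdown of the spam that was caught. All messages, sender patterns and category regexes are constructed samples.

```python
import re
from collections import Counter

# Constructed (sender, subject, body) samples modelled on the spam classes
# discussed in the post. None of these are real messages or real senders.
SAMPLES = [
    ("lover@example.net", "I love you", "http://192.0.2.45/"),
    ("amy@example.org", "Valentine", "Just for you: http://valentine-love.example/"),
    ("xkq4471@example.net", "Cheap Viagra", "Order at http://viagra.example/"),
    ("deals@example.com", "Cheap Viagra", "Order at http://viagra.example/"),
    ("sales@example.biz", "Rolex replicas", "Counterfeit watches at low prices"),
    ("friend@example.com", "Lunch tomorrow?", "Are we still on for noon?"),
    ("noreply@example.com", "Get big fast", "Male enhancement pills, discreet shipping"),
]

# Forged-sender patterns (constructed). Evaluated first: a hit short-circuits
# the category filters, which is the processing saving the post describes.
BLACKLIST = [re.compile(r"^[a-z]+\d{3,}@", re.I)]

# A bare-IP link, or a link whose text mentions love/Valentine.
NUMERIC_URL = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}\b")
LOVE_URL = re.compile(r"https?://\S*(?:love|valentine)\S*", re.I)

def is_storm_lure(_subject, body):
    """Short, single-line body whose payload is a numeric or love-themed link."""
    one_line = "\n" not in body and len(body) < 120
    return one_line and bool(NUMERIC_URL.search(body) or LOVE_URL.search(body))

# Category filters in priority order; the first predicate that matches wins.
CATEGORIES = [
    ("Numeric links (Storm)", is_storm_lure),
    ("Viagra", lambda s, b: re.search(r"viagra", s + " " + b, re.I) is not None),
    ("Male enhancement", lambda s, b: re.search(r"enhancement", s + " " + b, re.I) is not None),
    ("Counterfeit watches", lambda s, b: re.search(r"replica|counterfeit watch", s + " " + b, re.I) is not None),
]

def classify(sender, subject, body):
    """Return the category label for one message, or 'ham' if no rule fires."""
    if any(p.search(sender) for p in BLACKLIST):
        return "BlackList"
    for name, pred in CATEGORIES:
        if pred(subject, body):
            return name
    return "ham"

def breakdown(messages):
    """Return (spam_count, total_count, {category: percent of spam})."""
    counts = Counter(classify(*m) for m in messages)
    spam = sum(v for k, v in counts.items() if k != "ham")
    pct = {k: round(100 * v / spam, 2) for k, v in counts.items() if k != "ham"}
    return spam, len(messages), pct
```

Running `breakdown(SAMPLES)` shows the blacklisted Viagra message counted under "BlackList" rather than "Viagra", which is why the post's blacklist category grows at the expense of the individual classifications.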

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as a front-end screener to your POP email program (Outlook, Outlook Express, Microsoft Mail, Thunderbird, Eudora, etc).

Regarding my custom MailWasher Pro spam filters: thanks to my continuing work refining these filter rules, their accuracy has increased to the point that less than 3% of the spam detections flew under my radar and were classified only by DNS Blacklists for this reporting period (ditto for the learning filter). All other spam was classified and dealt with by my custom filters.

About the author
Wiz's Blog is written by Bob "Wiz" Feinberg, an experienced freelance computer consultant, troubleshooter and webmaster. Wiz's specialty is in computer and website security. Wizcrafts Computer Services was established in 1996.

Creative Commons License This weblog is licensed under a Creative Commons License.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.