August 31, 2008

My Spam analysis for Aug 25 - 31, 2008

This is the latest entry in a series about classifications of spam, according to my custom filter rules used by the anti-spam tool, MailWasher Pro.

MailWasher Pro is a spam screening program that goes between your email servers and your desktop email client (application). It uses a variety of techniques to recognize what is and isn't spam, including a learning filter and user created custom filter rules. I personally write and use MailWasher Pro custom filters to detect and delete most incoming spam email. I have created and published a large assortment of spam filters which "plug-in" to MailWasher Pro, to flag or delete known spam. You can read about them, or download and use them in your own registered copy of MailWasher Pro.

MailWasher Pro has a "Statistics" display page that breaks down the types of spam it has deleted, listed by categories. Each program and user-created filter has a name and when a measurable percentage of spam is matched by a particular filter it shows up in the Statistics, with its percentage shown next to it. The percentages for various categories of spam listed below are taken from my MailWasher Pro "Statistics" page.

The category "Other Filters" combines several of my custom filters which did not receive enough spam to rate a measurable percentage, thus were all grouped into the one category called "Other Filters." Since I have a lot of custom filters and spam types do vary every week, the Other Filters category is always quite large, percentage-wise.

When it comes to major spam runs, sent entirely through zombie computers which are unwittingly members of Botnets, certain types of spam rise to the top of the threat list, every week or two. The most common type of spam this week is male enhancement products and drugs. The most common spam subject was "Solution for your sexual problems."

The runner up was spam for loans or debt reduction. These are mostly scams. No legitimate company ever uses spam sent through botnets to advertise its financial services! Never, ever, ever buy anything that is "spamvertised!"

MailWasher Pro spam category breakdown for August 25 - 31, 2008. Spam amounted to 53% of incoming email this week.
Male enhancement spam (subject or body): 35.29%
Other filters: (See my MWP Filters page) 18.63%
Loans/Bankruptcy/Insurance Scams: 13.24%
Video Exploit links to Trojan download: 8.33%
Known Spam Subjects: 4.90%
Pharmaceutical spam (inc. Viagra, Cialis, Levitra & misc. pills & herbals): 4.42%
Counterfeit Watches: 2.94%
Blacklisted Domains/Senders: (by pattern matching wildcard rules) 2.94%
DNS Blacklists: 2.94%
Digits or Consonants forged sender: 2.45%
"Opera Mail" Spam: 1.96%
X-Mailer: The Bat: 1.96%

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as an incoming email screener for your POP email program (Microsoft Outlook, Microsoft Outlook Express, Microsoft Live Mail, Eudora, Mozilla and other stand-alone email programs).


August 28, 2008

Spybot Search and Destroy Definitions Updated on 8/27/2008

If you are using "Spybot Search and Destroy" to protect your PC against spyware infections and haven't updated it this week, be aware that updates to the definition files were released on schedule, on Wednesday this week, as listed below. Spyware and other classes of malicious programs are altered constantly to avoid detection by anti-spyware programs. Since Spybot S&D updates are only released on a weekly schedule (on Wednesdays) it is imperative that you make it a point to check for and download updates every week, preferably on Wednesday evenings. After downloading all available updates (from the best responding download server in the list of server locations), immunize*, then scan for and remove any detected malware. If Spybot is unable to remove an active threat it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.

If you arrived here by searching for the name of some malware that may be on your computer and you are not currently using Spybot Search and Destroy, you can download the latest version from the Spybot Search and Destroy Multi-Lingual Landing Page. Choose your language, then use the link in the left sidebar to go to the downloads page. Download the program from your closest mirror server, install it, update it (Updates button), then follow the instructions below to detect and remove any malware that is on your PC.

If you see a program listed in the detections below, by name, you should assume that it is malware (with the possible exception of the PUP group, which is up to user discretion). All of the programs listed with a single + sign are updated detections, while a double ++ in front of its name indicates a brand new detection. A number in parentheses, following a malware name, indicates the number of variants included in that detection. These programs are dangerous to your computer, and/or personal security or privacy.

* After updating your Spybot S&D definitions, if they include new "immunization" definitions you need to click on the "Immunize" button, then, if the status line tells you that additional immunizations are possible, click on the Immunize link, near the top of the program. It has a green + sign in a button. If you don't do this the new immunizations against hostile ActiveX programs will not be applied. After immunizing with any new detections, run a scan for malware by clicking on the "Spybot Search & Destroy" button, on the left panel, then on the button with the magnifying glass icon, labeled: "Check For Problems."

Spybot Updates - published every Wednesday

News Flash!
Spybot Search and Destroy 1.6 was released on July 8, 2008. Upgrade now! Read more about it in my extended comments.

Additions made on August 27, 2008:

Adware
++ BannerStyles.Optimizer
++ RXToolbar
+ SmartShopper
+ Zango
+ Zango.ShoppingReport
++ MorpheusToolbar

Hijackers
++ CoolWWWSearch.Aff.Madfinder

Keyloggers (Keyloggers steal your typed logins and passwords)
+ Ardamax

Malware (Includes rogue or fake anti-virus and anti-spyware programs and fake registry cleaners and fake security alerts, plus other nasty programs)
++ Fakealert.gen
+ Fraud.XPAntivirus
+ Fraud.Antivirus2008
+ IEDefender
+ MalwareProtector2008
++ WinDefender
+ WinSpywareProtect
++ XPSecurityCenter

PUPS (Possibly Unpopular Software or Unwanted Programs)
++ Joke.FakeFormat
++ WildTangent

Security
+ Microsoft.Windows.AppFirewallBypass

Spyware
+ ShopAtHome

Trojans (Trojans come to you disguised as something useful, or as a missing codec required to view a spammed video, but, like the Trojan Horse of antiquity, they hold dangerous contents that cause great harm!)
++ CSR.tr
++ Fraud.AntiSpyware2008XP
++ Fraud.Installer.as
+ Hupigon13
+ Smitfraud-C.MSVPS
+ Virtumonde.dll
+ Virtumonde.prx
+ Virtumonde.sci
+ Virtumonde.sdn
+ Win32.Agent.bm
++ Win32.Agent.cui
++ Win32.Agent.dj.rtk
++ Win32.Agent.rso
++ Win32.Agent.uzf
++ Win32.AutoRun.bck
+ Win32.BHO.je
++ Win32.Brontok.q
++ Win32.Bzub.fh
++ Win32.Delf.vb
++ Win32.Disabler.i
+ Win32.Exchanger.ch
++ Win32.Injecter.adv
++ Win32.Mutant.yf
+ Win32.Poison.k
++ Win32.ShowPass
++ Win32.Small.aafc
++ Win32.VB.el
++ Wukill.B
+ Zlob.Downloader.Gen
++ Zlob.Downloader.mot
++ Zlob.rtk

Worms
+ Win32.Socks.T (1471)

Total: 1188431 fingerprints in 286605 rules for 4213 products.

If you are still using Spybot S&D 1.3, or 1.4, update support is about to end and your computer will be at greater risk because of having outdated definitions.

If you are using any version older than 1.6 please upgrade to the current version of Spybot S&D, which is now 1.6.0.30, as soon as possible. New definitions for malware like the Virtumonde family of Trojans need the newer processing technologies introduced in version 6.0.

If your computer gets stuck in a logon/logoff loop, after updating and scanning with the older versions of Spybot, visit this forum page for a solution, from Team Spybot.


August 24, 2008

My Spam analysis for Aug 18 - 24, 2008

This is the latest entry in a series about classifications of spam, according to my custom filter rules used by the anti-spam tool, MailWasher Pro.

MailWasher Pro is a spam screening program that goes between your email servers and your desktop email client (application). It uses a variety of techniques to recognize what is and isn't spam, including a learning filter and user created custom filter rules. I personally write and use MailWasher Pro custom filters to detect and delete most incoming spam email. I have created and published a large assortment of spam filters which "plug-in" to MailWasher Pro, to flag or delete known spam. You can read about them, or download and use them in your own registered copy of MailWasher Pro.

MailWasher Pro has a "Statistics" display page that breaks down the types of spam it has deleted, listed by categories. Each program and user-created filter has a name and when a measurable percentage of spam is matched by a particular filter it shows up in the Statistics, with its percentage shown next to it. The percentages for various categories of spam listed below are taken from my MailWasher Pro "Statistics" page.

The category "Other Filters" combines several of my custom filters which did not receive enough spam to rate a measurable percentage, thus were all grouped into the one category called "Other Filters." Since I have a lot of custom filters and spam types do vary every week, the Other Filters category is always quite large, percentage-wise.

When it comes to major spam runs, sent entirely through zombie computers which are unwittingly members of Botnets, certain types of spam rise to the top of the threat list, every week or two. The most common email threat this week is male enhancement products. Previously, it was Trojan Video exploit links. These messages either have fake news headlines, or use the names of famous actresses in the subject, with ludicrous or nasty claims about their activities. The message body may contain links to read more, view or play a video, or even have a pornographic image of the actress whose name is used in the subject. All either have links to exploit web pages, or to directly download a Trojan file.

If you have clicked on one of these Trojan download links you may have either knowingly, or unknowingly allowed a hostile file to be installed, and are probably in need of the services of an up-to-date anti-spyware program to disinfect your PC. I recommend Spyware Doctor, from PC Tools, because it specializes in spyware detection and removal, and is updated very frequently. As Spyware tools go, Spyware Doctor is one of the top rated in the industry. Symantec also thinks that PC Tools makes great security programs and just bought the company. However, PC Tools will continue to market Spyware Doctor on its own, so you are assured of continuing updates and support.

MailWasher Pro spam category breakdown for August 18 - 24, 2008. Spam amounted to 47% of incoming email this week.
Male enhancement spam (subject or body): 27.62%
Video Exploit links to Trojan download: 20.95%
Other filters: (See my MWP Filters page) 15.69%
Loans/Bankruptcy/Insurance Scams: 14.29%
Pharmaceutical spam (inc. Viagra, Cialis, Levitra & misc. pills & herbals): 6.68%
Counterfeit Watches: 4.29%
Known Spam Subjects: 3.81%
Blacklisted Domains/Senders: (by pattern matching wildcard rules) 2.86%
Digits or Consonants forged sender: 2.38%
DNS Blacklists: 1.43%

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as an incoming email screener for your POP email program (Microsoft Outlook, Microsoft Outlook Express, Microsoft Live Mail, Eudora, Mozilla and other stand-alone email programs).


August 22, 2008

Botnets ramping up efforts using news headlines and video links

The authors of the Storm, Srizbi, Pushdo and Rustock botnets (and others) are ramping up their individual efforts to assemble the largest collective botnet the World has ever seen, using fake news headlines in the subject and body of spammed emails. The latest fake news about the Olympics is sent from the Storm Botnet. Almost all of the BotMasters are purported to be based in Russia and are members, or former members of the notorious Russian Business Network. The purpose of this rush to acquire more and more zombie computers in a short time is undisclosed right now, but may be in preparation for a cyber war, in which the zombie computers will be used in denial of service attacks against other governments, anti-Russian websites, universities, or military installations.

Or, the purpose may just be to have more power to send gazillions of spam messages hawking male enhancement pills, fake pharmaceuticals, shady loans, or counterfeit watches and shoes, but I think they already have enough zombie computers to do that work.

I don't want any of my readers to fall into these traps and have their PCs drafted into these hostile robotic armies. Therefore, you need to know that the authors of the tens of millions of spam messages that are spewing out of hundreds of thousands of zombie computers, some at the rate of up to 10,000 spam emails per day - per PC, are using every social engineering trick they can come up with to fool you into clicking on a link in just one of these scam messages.

The fake news alerts I referred to earlier usually have sensational subjects and short descriptions in the body, some of which match the subject, but some of which are totally unrelated. There may or may not be links to a real news website, but there is always one or more to a compromised computer or website, or directly to a hostile file. These hostile links may have the text "Read More," or "Watch Video," or "Play," etc. If you mouse over the links you will see the real destination in the status bar of your browser, for browser-based email, or your email client. They will not lead to CNN, or the news agency they claim to represent, but to a strange web site, or numeric IP, where you will be attacked by all manner of exploit codes.

If these automatic exploits fail to infect your computer you will be offered a manual link to do it to yourself. This is usually in the form of a pop-up about your needing to download a new version of ActiveX Object, or Flash Player, or Video Codec. Some of the most recent spam messages I have seen this week have direct links to download Trojan files. They are disguised by words like Play, Movie, Watch(it), Video, etc, to make you think you are going to see a movie clip about the news in the spam message. Instead, you will become instantly infected with whatever Trojan is being hosted on the destination web server, or zombie PC.

If you want to read the news online just go to cnn.com, or abc.com, etc, and read it. If you subscribe to breaking news alerts you could be fooled into opening a scam message that uses a subject and body text and images stolen from CNN, MSNBC, Reuters, or the BBC. Because of these scams being in the wild right now, and being so hard to authenticate, you are best to download a news widget from the organization to which you wish to subscribe. CNN has a breaking news widget that sits in the Windows System Tray until a news alert comes through. Then, it opens a balloon message above the System Tray with the headline displayed. If you click on the story it will open in your default browser. Other news organizations may offer a similar widget. Just be sure you go directly to the news website to look for it. Do not click on links in unsolicited email messages.

The volume of these messages is increasing, not decreasing, and the subjects, body text and link anchor text are morphing on a daily, or bi-daily basis. Learn to spot these scams and delete them from your inboxes. If you have a real email client that allows you to create filter rules, just add the subjects to your blacklist. If you use MailWasher Pro to screen your incoming email for spam or link threats you can download and install my custom MailWasher Pro filters, which are updated frequently to detect these ever changing scams. Since the Trojan video link spams began pumping out a couple of weeks ago I have sometimes been updating my published MailWasher filters on a daily basis. Contact me if you wish to consult with me about anti spam solutions.

MailWasher Pro also lets you read the full headers with one mouse click on a button. This is useful when you want to verify who the sender really is, if you know how to interpret the information in the headers. Most of the fake news alerts spammed out in the last few weeks have forged sender domains that do not match the organization they claim to come from. Here is what you can look for, when reading the headers.

With the Headers displayed in the Preview Pane, look at the "Received: from" lines to see if it contains the domain belonging to the news organization listed. CNN will always send email alerts from its own email servers (e.g. mail.cnn.com). Ditto for every other reputable source of news. Also, look at the "From:" line to see the domain of the sender, not just the name that displays in the "From" column in MailWasher or your email reader. While this field is always forged in spam messages, the most recent CNN and MSNBC scams had sender domains after the @ sign that did not end with cnn.com, or msnbc.com. This is a dead giveaway that they did not come from a real news organization.

If you want to install my Wizcrafts' Custom MailWasher Pro Filters there are three versions to choose from. Filters.txt contains a lot of older filters dating back over 8 years, plus my newest filters. All are set to notify only by checking the Delete box, in the Delete column. You must manually click the Process Spam button to actually delete them from the mail server.

Filters2.txt contains my current filters and some from the last year or so and is considerably faster than filters.txt. It also flags spam for manual deletion.

Filters3.txt is the one I use, minus my personal identity filter rules. It automatically deletes most spam that is matched by its filter rules and even adds some senders to the blacklist, for automatic deletion of subsequent spam messages. Some is still marked for manual deletion when I can't be certain that a rule will not match a legitimate email message. Better safe than sorry! However, MailWasher Pro has a Recycle Bin, just in case you delete a wanted email message. As long as you set the scanning depth to at least 275 or 300 lines you should be able to recover most accidentally deleted messages. That scan level will slow down your email processing, because my rules use a lot of complex regular expressions, but this also makes them more accurate.

MailWasher Pro can simultaneously check for incoming POP3 email on numerous accounts and different mail servers, on assignable standard or SSL ports. You can download a 30 day trial, or purchase MailWasher® Pro here. The current price is only $39.95, for a lifetime license, which includes free upgrades for as long as you or the maker continues to grace this planet. You can install MailWasher Pro on multiple computers or transfer it to new computers once you purchase the license key and paste it into the Registration field. Just save the email that contains your registration key. They even offer a 6 month money back guarantee, so you really can't lose anything but about 95% of your spam!


August 21, 2008

Spybot Search and Destroy Definitions Updated on 8/20/2008

If you arrived here by searching for the name of some malware that may be on your computer and you are not currently using Spybot Search and Destroy, you can download the latest version from the Spybot Search and Destroy Multi-Lingual Landing Page. Choose your language, then use the link in the left sidebar to go to the downloads page. Download the program from your closest mirror server, install it, update it (Updates button), then follow the instructions below to detect and remove any malware that is on your PC.

If you already are using "Spybot Search and Destroy" and haven't updated it this week, be aware that updates to the definition files were released on schedule, on Wednesday this week, as listed below. Spyware and other classes of malicious programs are altered constantly to avoid detection by anti-spyware programs. Since Spybot S&D updates are only released on a weekly schedule (on Wednesdays) it is imperative that you make it a point to check for and download updates every week, preferably on Wednesday evenings. After downloading all available updates (from the best responding download server in the list of server locations), immunize*, then scan for and remove any detected malware. If Spybot is unable to remove an active threat it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.

If you see a program listed in the detections below, by name, you should assume that it is malware (with the possible exception of the PUP group, which is up to user discretion). All of the programs listed with a single + sign are updated detections, while a double ++ in front of its name indicates a brand new detection. A number in parentheses, following a malware name, indicates the number of variants included in that detection. These programs are dangerous to your computer, and/or personal security or privacy.

* After updating your Spybot S&D definitions, if they include new "immunization" definitions you need to click on the "Immunize" button, then, if the status line tells you that additional immunizations are possible, click on the Immunize link, near the top of the program. It has a green + sign in a button. If you don't do this the new immunizations against hostile ActiveX programs will not be applied. After immunizing with any new detections, run a scan for malware by clicking on the "Spybot Search & Destroy" button, on the left panel, then on the button with the magnifying glass icon, labeled: "Check For Problems."

Spybot Updates - published every Wednesday

News Flash!
Spybot Search and Destroy 1.6 was released on July 8, 2008. Upgrade now! Read more about it in my extended comments.

Additions made on August 20, 2008:

Adware
+ Zango.ShoppingReport

Hijackers
++ FM.Toolbar (2800)
++ SearchPixieBar
++ Win32.Control.pg

Malware (Includes rogue or fake anti-virus and anti-spyware programs and fake registry cleaners and fake security alerts, plus other nasty programs)
++ AdvancedXPFixer
+ AntiSpyCheck
+ BrowserAid
+ Fraud.Antivirus2008
+ Fraud.XPAntivirus
++ Power-Antivirus-2009
+ RegistrySmart
+ Smitfraud-C.
+ SpyShredder
++ UltimateAntivirus2008
+ VistaAntivirus2008
+ Win32.Agent.pz
+ Win32.BHO.je
++ Win32.FraudLoad
+ Win32.Renos
++ Win32.Stud.a
+ Win32.VB.ck

PUPS (Possibly Unpopular Software or Unwanted Programs)
+ CasinoRoyal.PT

Security
+ Microsoft.Windows.AppFirewallBypass

Spyware
++ Win32.FirefoxPSW.k

Trojans (Trojans come to you disguised as something useful, or as a missing codec required to view a spammed video, but, like the Trojan Horse of antiquity, they hold dangerous contents that cause great harm!)
++ AntiLamerBackDoor
++ Fake.AntiSpywareCheck
++ Pigeon
+ Smitfraud-C.MSVPS
++ TargetedBanner.Optimizer
+ Virtumonde.dll
+ Virtumonde.prx
+ Virtumonde.sci
+ Virtumonde.sdn
++ Win32.Archivarius.a
++ Win32.Autoit.E
++ Win32.Beastdoor
++ Win32.Delf.ajx
++ Win32.LdPinch.r
++ Win32.Poison.aem
++ Win32.ScarMorph
++ Win32.Tibia.cn
++ Win32.VB.afa
++ Win32.VB.drc
++ Zlob.Downloader.apl
+ Zlob.Downloader.vdt

Worms
++ Win32.Socks.T (7559)

Total: 1172617 fingerprints in 283863 rules for 4186 products.

False positive detections reported or fixed this week:

Confirmed False Positive:

For reasons unknown, tinyurl.com is inserted into the hosts file and redirected to 127.0.0.1 and bookmarks to the website are labeled as malware. This is a false positive that will be rectified next week, but you should disregard this detection if you use the TinyUrl toolbar, or have links to the tinyurl.com website.

If you are still using Spybot S&D 1.3, or 1.4, please read this!

I have read several false positive reports regarding CoolWWWSearch.hjg and HellzLittleSpy from people still using the old versions 1.3 and 1.4 of Spybot Search and Destroy. I must stress that you cannot trust these versions to be 100% accurate when updated with current definitions. In fact, the opposite appears to be true; they are producing false positive detections with recent updates.

These are false positives that occur because Spybot 1.3 is outdated and does not understand the more complex rules made for 1.6 and newer.

Apply the main update that shows up within the internal updater to upgrade to 1.6.x.

If your computer gets stuck in a logon/logoff loop, after updating and scanning with these older versions of Spybot, visit this forum page for a solution, from Team Spybot.

If you are using any version older than 1.6 please upgrade to the current version of Spybot S&D, which is now 1.6.0.30. New definitions for malware like the Virtumonde family of Trojans need the newer processing technologies introduced in version 6.0.

If you get an alert about that detection for a file you think is legitimate you should submit it to Team Spybot for analysis.

Spybot S&D News

Since version 6 was released there have been some major updates to the scanning engine and the "TeaTimer" module (monitors for and alerts about system or browser setting changes). Apparently, the new TeaTimer has balloon style pop-up notices about changes it monitors in real time and this is aggravating lots of users. If you want to turn off these balloon messages from TeaTimer, in the System Tray, the tray icon allows you to disable any future balloons from its right-click context menu. Team Spybot will be making some code changes in the TeaTimer component next week, so updates to it and the main program are disabled this week. This upcoming update will quiet or disable the balloon pop-ups by default, but allow them to be enabled if you so desire.

Spybot Search & Destroy version 1.6.0, the latest release, is compatible with Windows Vista and features a nicer interface and sports a separate updater window and application. It scans for threats much faster than 1.5.2 does. If you are still using version 1.3 or 1.4, I strongly recommend that you update to 1.6.x, using the company links below. These older versions are giving more frequent false positives than ever before.

Spybot S&D is compatible with all versions of Windows from Windows 95 upward. Note that, starting with Windows NT onward, installing, un-installing and immunizing the program will require administrator privileges. From Windows 2000 onward this can be done by less privileged users via the right-click "Run As" command. Vista requires Administrator rights to run the program, so elevate your privileges to update and immunize.

Spybot S&D can run in Linux if you have Wine installed.

There is no support for Mac OS at this time.

Some users are having problems with Spybot S&D updates when running as less privileged users (Limited or Power Users). First off, less privileged users can no longer apply most immunization rules from within their accounts, unless they use the "Run as" command to run the program as an administrator. Your solution is to first run the Spybot Updater, from your Start menu > Programs > "Spybot - Search & Destroy" > "Update Spybot-S&D." The updater is now a separate application. To avoid possible account corruption from the rootkit detections, run the Spybot Updater before you open the actual Spybot S&D program. Download all available updates from the best server location (I prefer the Safer Networking servers). Exit the updater after all definitions have been installed and green checkmarks are displayed for all updates.

After the updater has exited you can right-click on the shortcut to Spybot S&D and "Run As" an administrator, with your administrator account password (only if you login as a Limited or Power User). When the program opens you should immediately use the Immunize button to apply the level of protection you desire to the selectable applications. These typically include major browsers, domains, cookies, and the Windows HOSTS file. If you are an advertiser or publisher in an affiliate network be sure you exclude cookies for your affiliate programs that are in the detections list, or you'll have problems logging into your affiliate accounts. I have to exclude Commission Junction and Linkshare detections in both cookies, domains and HOSTS immunizations. Apparently, the authors of Spybot are down on advertising cookies and domains. Oh well (sigh).

Another problem being reported is when you run some versions of Spybot S&D it stops with a warning about problems including the file C:\Program Files\Spybot-Search_Destroy\Includes\TrojansC.sbi. The current errors with the Trojans.sbi and TrojansC.sbi files are caused by new detection rules that are incompatible with versions of Spybot prior to 1.5.2. These new detection rules use the new Anti-Rootkit plugins #1, #2 and #3 that have only been offered as updates to Spybot 1.5.2. If you upgrade to Spybot 1.5.2 you will not only eliminate the error messages but will also be performing rootkit searches while doing a Spybot "Check for problems".

English Language Company Links:
Spybot Search and Destroy English Home Page
Spybot Search and Destroy (Multi-Lingual Landing Page. Choose your language).
Spybot Search and Destroy Download page - Program and definition updates. You can download the latest version of Spybot S&D plus definition and tool updates here for inclusion later on.
Full tutorial about using and setting up Spybot Search and Destroy
Spybot Search and Destroy Update History

See all security program update notices in this category

A consequence of acquiring many of the parasites, keyloggers, hijackers and downloaders is that their files and startup settings are usually saved to your System Restore hidden folder, from whence they are automatically restored upon rebooting the computer. To completely remove these threats, and others, you should disable System Restore, then reboot, then clean all threats, then re-start System Restore, setting a new Restore Point, with a clean machine. Many people overlook this and are constantly reinfected after removing threats. There are few, if any security programs that can clean or remove infected files that are backed up in your protected System Restore directory.

To disable System Restore, go to My Computer and right-click on its icon. From the flyout options select Properties. From the "System Properties" select the "System Restore" tab. There you will find a checkbox labeled "Turn off System Restore." Check it, then click Apply and wait while the System Restore files are deleted (takes some time). After the deletions are finished, click OK to close the Properties box, then reboot.

When you have thoroughly removed all infections follow the same procedure as above, unchecking the box that turned off System Restore.

In the event that Spybot mistakenly removes a file(s) due to a faulty detection update (a.k.a False Positive), you can restore it from the program itself. Just click on the "Recovery" button, that looks like a first aid kit, with a red cross in it, then locate the item(s) you wish to restore. Click on the select box(es) on the left of the detection name(s), to place a check mark in it/them, then click on "Recover selected items." The files, and/or registry entries will be replaced, from where they were deleted. The Spybot forums have discussions about false positives here.

For those of you who have not yet used Spybot Search and Destroy, if you were wondering if it "plays nice" with other anti spyware programs, it most certainly does! I have used Spybot S&D since its inception, along with various other free and commercial security programs, and it has never caused any problems on my, or my customers' computers.

Spybot Search and Destroy has a Malware Removal Forum where trained volunteers can help you with spyware removal problems.

Finally, as individuals who benefit from the free software that is produced and updated by the good folks who run Spybot Search and Destroy, at their own expense, it won't hurt us to send occasional donations to them, to help them financially in their efforts. There is a donate button on most pages of the Spybot S & D website. Think seriously about using it. Send what you can.


August 17, 2008

My Spam analysis for Aug 11 - 17, 2008

This is the latest entry in a series about classifications of spam, according to my custom filter rules used by the anti-spam tool, MailWasher Pro.

MailWasher Pro is a spam screening program that goes between your email servers and your desktop email client (application). It uses a variety of techniques to recognize what is and isn't spam, including a learning filter and user created custom filter rules. I personally write and use MailWasher Pro custom filters to detect and delete most incoming spam email. I have created and published a large assortment of spam filters which "plug-in" to MailWasher Pro, to flag or delete known spam. You can read about them, or download and use them in your own registered copy of MailWasher Pro.

MailWasher Pro has a "Statistics" display page that breaks down the types of spam it has deleted, listed by categories. Each program and user-created filter has a name and when a measurable percentage of spam is matched by a particular filter it shows up in the Statistics, with its percentage shown next to it. The percentages for various categories of spam listed below are taken from my MailWasher Pro "Statistics" page.

The category "Other Filters" combines several of my custom filters which did not receive enough spam to rate a measurable percentage, thus were all grouped into the one category, "Other."

The most prevalent social engineering email threat continues to be a video exploit link scam that has a subject and sender containing the words "Breaking Alert" or "Breaking News." This threat is sent from a humongous botnet, and has transformed from claiming to be a CNN "My Custom Alert," to an "msnbc.com Breaking News," to the current just "Breaking News." All of these contain lines about fake breaking news stories, and all contain disguised links to a compromised web site hosting a payload named "get_flash(_update).exe" - or a variation thereof. This is not the real Adobe Flash Player, but a fake Video Codec, containing malware that has been identified as being either a "Tibs," "Zlob," or "Storm/Nuwar" Trojan variant. If you are lured to a web page containing such a link (mouse-over links to see their destination in your browser's status bar, on the bottom), and you survive the automatic attempts to exploit browser vulnerabilities, do not click on the download links offered to you! There may be a pop-up message claiming you require a video codec, or ActiveX Object to view a news story, but it is a trick to fool you into self-installing the Trojan.

If you have clicked on one of these Trojan download links and allowed the file to be installed, you are probably in need of the services of an up-to-date anti-spyware program. I recommend Spyware Doctor, from PC Tools, because it specializes in spyware detection and removal, and is updated very frequently. As Spyware tools go, Spyware Doctor is one of the top rated in the industry. It gets the job done where others fail.

MailWasher Pro spam category breakdown for August 11 - 17, 2008. Spam amounted to 47% of incoming email this week.

Video Exploit links to Trojan download: 21.47%
Male enhancement spam (subject or body): 15.95%
Other filters: (See my MWP Filters page) 15.34%
Pharmaceutical spam (inc. Viagra, Cialis, Levitra & misc. pills & herbals): 14.10%
Loans/Bankruptcy/Insurance Scams: 13.50%
Blacklisted Domains/Senders: (by pattern matching wildcard rules) 6.75%
Known Spam Subjects: 4.91%
Counterfeit Watches: 3.68%
Image Spam: 2.45%
DNS Blacklists: 1.23%
Bayesian learning filter: 0.62%

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as an incoming email screener for your POP email program (Microsoft Outlook, Microsoft Outlook Express, Microsoft Live Mail, Eudora, Mozilla and other stand-alone email programs).

Update on 8/18/2008

On Monday, August 18, 2008, the video news exploit scams changed again. This time the spam email subject is "Weekly top news" and the sender's name is set to "Top News Agency." The disguised link from this spam run points to a file on a compromised computer or server, ending with the file name "index1.html," with the anchor text: "Read All (two numbers) breaking news."

This combination is likely to change in a day or two, so stay on heightened alert for any unexpected email mentioning "News" in the subject or body and referring to alleged breaking news stories around the world.

Anybody foolish enough to click on the link in these scam emails will be fast-forwarded to a compromised web site where they will be subjected to attempted drive-by downloads, followed by manual encouragement to download a file ("install.exe"), which carries this social trickery text:

"You must download Video ActiveX Object to play this video file."

The file offered to you is not a "Video ActiveX Object," nor Adobe's Flash Player, nor a "Missing Video Codec." It is a very hostile Trojan file that will recruit your computer into a huge Botnet, for use in illegal activities such as spamming or distributed denial of service attacks against pro-Western governments in the former Soviet Union, security organizations or popular websites that annoy the mostly Russian bot herders.


August 13, 2008

Spybot Search and Destroy Definitions Updated on 8/13/2008

If you arrived here by searching for the name of some malware that may be on your computer and you are not currently using Spybot Search and Destroy, you can download the latest version from the Spybot Search and Destroy Multi-Lingual Landing Page. Choose your language, then use the link in the left sidebar to go to the downloads page. Download the program from your closest mirror server, install it, update it (Updates button), then follow the instructions below to detect and remove any malware that is on your PC.

If you already are using "Spybot Search and Destroy" and haven't updated it this week, be aware that updates to the definition files were released on schedule, on Wednesday this week, as listed below. Spyware and other classes of malicious programs are altered constantly to avoid detection by anti-spyware programs. Since Spybot S&D updates are only released on a weekly schedule (on Wednesdays) it is imperative that you make it a point to check for and download updates every week, preferably on Wednesday evenings. After downloading all available updates (from the best responding download server in the list of server locations), immunize*, then scan for and remove any detected malware. If Spybot is unable to remove an active threat it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.

If you see a program listed in the detections below, by name, you should assume that it is malware (with the possible exception of the PUP group, which is up to user discretion). All of the programs listed with a single + sign are updated detections, while a double ++ in front of its name indicates a brand new detection. A number in parentheses, following a malware name, indicates the number of variants included in that detection. These programs are dangerous to your computer, and/or personal security or privacy.

* After updating your Spybot S&D definitions, if they include new "immunization" definitions you need to click on the "Immunize" button, then, if the status line tells you that additional immunizations are possible, click on the Immunize link, near the top of the program. It has a green + sign in a button. If you don't do this the new immunizations against hostile ActiveX programs will not be applied. After immunizing with any new detections, run a scan for malware by clicking on the "Spybot Search & Destroy" button, on the left panel, then on the button with the magnifying glass icon, labeled: "Check For Problems."

Spybot Updates - published every Wednesday

News Flash!
Spybot Search and Destroy 1.6 was released on July 8, 2008. Upgrade now! Read more about it in my extended comments.

Additions made on August 13, 2008:

Adware
+ 2Search
++ Eroca
+ Zango

Hijackers
+ LoudMarketing.WinFavorites

Keyloggers (Keyloggers steal your typed logins and passwords)
+ Goldeneye
+ SC KeyLog Pro
+ SCKeylogger

Malware (Includes rogue or fake anti-virus and anti-spyware programs and fake registry cleaners and fake security alerts, plus other nasty programs)
+ Krepper-G
+ PPCHook
+ SpyAxe
+ SyperCrypt.Overwriter
+ Win32.Agent.pz
+ Win32.VanBot.ax
+ WinFixer2005
+ Smitfraud-C.
+ AntiSpyCheck
+ Win32.BHO.je
++ Softland.Antivirus2008XP
++ Power-Antivirus-2009

PUPS (Possibly Unpopular Software or Unwanted Programs)
+ DriveCleaner 2006

Security
+ Microsoft.Windows.AppFirewallBypass

Trojans
+ AdSpy.TTC
+ BackOrifice2k
+ Banker.PorSMTP
+ Crypt.Spambot.qk
++ CTFmona
+ Dropper.Mondo
+ HotKeysHook
+ Irc.Agobot
+ KBui32.SMTP
++ Nurech
++ PSCMain
+ Psyme
+ Smitfraud-C.MSVPS
++ TargetBanner
+ Virtumonde
+ Virtumonde.dll
+ Virtumonde.prx
+ Virtumonde.sci
+ Virtumonde.sdn
++ Win32.Agent.abv
+ Win32.Agent.ac
++ Win32.Agent.agb
++ Win32.Agent.JH
++ Win32.Agent.o
+ Win32.Autoit
++ Win32.AutoRun.acs
+ Win32.ConHook.ah
+ Win32.IRCBOT.cmn
+ Win32.mIRC
+ Win32.Rbot.aeu
+ Win32.SdBot.bkx
++ Win32.SDBot.iuf
++ Win32.VB.v
++ Win32.VB.vw
+ Zlob.Downloader.ol
++ Zlob.Downloader.apl
+ Zlob.Downloader.tfr
+ Zlob.Downloader.vdt
+ Zlob.ImageActiveXAccess
+ Zlob.VideoActiveXAccess
+ Zlob.VideoAXObject

Worms
++ Win32.Bnuff (7296)
+ Win32.Socks.T

Total: 1162519 fingerprints in 282447 rules for 4157 products.
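The list format above is regular enough to parse by machine: a single "+" marks an updated detection, "++" a brand new one, a trailing "(N)" gives the number of variants, and the closing "Total:" line carries the database size. Here is an added Python example (my own code, not part of the blog post or of Spybot S&D) that reads an excerpt copied from this week's list into categorized records, so you can check a name from a scan log against it or count what changed. The function and field names are my own.

```python
"""
Added example (not from the blog or from Spybot S&D): a parser for the
weekly "Additions" list format, where "+" means an updated detection,
"++" a brand-new one, and a trailing "(N)" is the variant count.
The sample text is an excerpt copied from the August 13, 2008 list.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Excerpt of the post's list: three categories plus the Total line.
SAMPLE_ADDITIONS = """\
Adware
+ 2Search
++ Eroca
+ Zango

Keyloggers (Keyloggers steal your typed logins and passwords)
+ Goldeneye
+ SC KeyLog Pro
+ SCKeylogger

Worms
++ Win32.Bnuff (7296)
+ Win32.Socks.T

Total: 1162519 fingerprints in 282447 rules for 4157 products.
"""

# "+ Name", "++ Name", optionally followed by " (N)" variants.
ENTRY_RE = re.compile(r"^(\+{1,2})\s+(.*?)(?:\s+\((\d+)\))?\s*$")
TOTAL_RE = re.compile(r"^Total:\s+(\d+) fingerprints in (\d+) rules for (\d+) products")


@dataclass
class Detection:
    name: str
    category: str
    status: str               # "new" for "++", "updated" for "+"
    variants: Optional[int]   # count from "(N)", None when not given


def parse_additions(text: str) -> Dict[str, List[Detection]]:
    """Group detections by category, keeping the order of the list."""
    result: Dict[str, List[Detection]] = {}
    category = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or TOTAL_RE.match(line):
            continue
        m = ENTRY_RE.match(line)
        if m is None:
            # A category header; drop the parenthetical description, if any.
            category = line.split("(", 1)[0].strip()
            result.setdefault(category, [])
            continue
        if category is None:
            raise ValueError("detection listed before any category: " + line)
        marker, name, count = m.groups()
        result[category].append(Detection(
            name=name,
            category=category,
            status="new" if marker == "++" else "updated",
            variants=int(count) if count else None,
        ))
    return result


def parse_total(text: str) -> Optional[Tuple[int, int, int]]:
    """Return (fingerprints, rules, products) from the Total line, if present."""
    for line in text.splitlines():
        m = TOTAL_RE.match(line.strip())
        if m:
            return tuple(int(x) for x in m.groups())
    return None


def summarize(parsed: Dict[str, List[Detection]]) -> Dict[str, int]:
    """Count new/updated entries; a detection without "(N)" counts as one variant."""
    entries = [d for group in parsed.values() for d in group]
    return {
        "new": sum(1 for d in entries if d.status == "new"),
        "updated": sum(1 for d in entries if d.status == "updated"),
        "categories": len(parsed),
        "variants": sum(d.variants or 1 for d in entries),
    }


def lookup(parsed: Dict[str, List[Detection]], name: str) -> Optional[Detection]:
    """Case-insensitive search for a detection name, e.g. one seen in a scan log."""
    wanted = name.lower()
    for group in parsed.values():
        for d in group:
            if d.name.lower() == wanted:
                return d
    return None


if __name__ == "__main__":
    parsed = parse_additions(SAMPLE_ADDITIONS)
    print(summarize(parsed))
    print(parse_total(SAMPLE_ADDITIONS))
    print(lookup(parsed, "eroca"))
```

Feed the full list into `parse_additions` and `summarize` tells you at a glance how many brand new detections arrived this week versus refreshed ones; `lookup` answers the question most visitors arrive with, namely whether the name they saw in a scan is on this week's list and in which category.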

False positive detections reported or fixed this week:

Confirmed False Positive:

CoolWWWSearch.Aff.Madfinder: [SBI $5C09119C] Executable (File, nothing done)
C:\WINDOWS\system32\svc.exe.

This file belongs to SrvStart, a program to run command or programs as a service. SVC.EXE is a simple Windows NT command-line program to manage NT services.

An "Alexa Related" false positive in Google searches was fixed in this week's updates.

If you are still using Spybot S&D 1.3, or 1.4, please read this!

I have read several false positive reports regarding CoolWWWSearch.hjg and HellzLittleSpy from people still using the old versions 1.3 and 1.4 of Spybot Search and Destroy. I must stress that you cannot trust these versions to be 100% accurate when updated with current definitions. In fact, the opposite appears to be true; they are producing false positive detections with recent updates.

These false positives occur because Spybot 1.3 is outdated and does not understand the more complex rules made for 1.6 and newer.

Apply the main update that shows up within the internal updater to upgrade to 1.6.x.

If your computer gets stuck in a logon/logoff loop, after updating and scanning with these older versions of Spybot, visit this forum page for a solution, from Team Spybot.

If you are using any version older than 1.6 please upgrade to the current version of Spybot S&D, which is now 1.6.0.30. New definitions for malware like the Virtumonde family of Trojans need the newer processing technologies introduced in version 6.0.

If you get an alert about that detection for a file you think is legitimate you should submit it to Team Spybot for analysis.

Spybot S&D News

Since version 6 was released there have been some major updates to the scanning engine and the "TeaTimer" module (monitors for and alerts about system or browser setting changes). Apparently, the new TeaTimer has balloon style pop-up notices about changes it monitors in real time and this is aggravating lots of users. If you want to turn off these balloon messages from TeaTimer, the tray icon in the System Tray lets you disable any future balloons from its right-click context menu. Team Spybot will be making some code changes in the TeaTimer component next week, so updates to it and the main program are disabled this week. This upcoming update will quiet or disable the balloon pop-ups by default, but allow them to be enabled if you so desire.

Spybot Search & Destroy version 1.6.0, the latest release, is compatible with Windows Vista and features a nicer interface and sports a separate updater window and application. It scans for threats much faster than 1.5.2 does. If you are still using version 1.3 or 1.4, I strongly recommend that you update to 1.6.x, using the company links below. These older versions are giving more frequent false positives than ever before.

Spybot S&D is compatible with all versions of Windows from Windows 95 upward. Note that, starting with Windows NT onward, installing, un-installing and immunizing the program will require administrator privileges. From Windows 2000 onward this can be done by less privileged users via the right-click "Run As" command. Vista requires Administrator rights to run the program, so elevate your privileges to update and immunize.

Spybot S&D can run in Linux if you have Wine installed.

There is no support for Mac OS at this time.

Some users are having problems with Spybot S&D updates when running as less privileged users (Limited or Power Users). First off, less privileged users can no longer apply most immunization rules from within their accounts, unless they use the "Run as" command to run the program as an administrator. Your solution is to first run the Spybot Updater, from your Start menu > Programs > "Spybot - Search & Destroy" > "Update Spybot-S&D." The updater is now a separate application. To avoid possible account corruption from the rootkit detections, run the Spybot Updater before you open the actual Spybot S&D program. Download all available updates from the best server location (I prefer the Safer Networking servers). Exit the updater after all definitions have been installed and green checkmarks are displayed for all updates.

After the updater has exited you can right-click on the shortcut to Spybot S&D and "Run As" an administrator, with your administrator account password (only if you login as a Limited or Power User). When the program opens you should immediately use the Immunize button to apply the level of protection you desire to the selectable applications. These typically include major browsers, domains, cookies, and the Windows HOSTS file. If you are an advertiser or publisher in an affiliate network be sure you exclude cookies for your affiliate programs that are in the detections list, or you'll have problems logging into your affiliate accounts. I have to exclude Commission Junction and Linkshare detections in both cookies, domains and HOSTS immunizations. Apparently, the authors of Spybot are down on advertising cookies and domains. Oh well (sigh).

Another problem being reported is that when you run some versions of Spybot S&D it stops with a warning about problems including the file C:\Program Files\Spybot-Search_Destroy\Includes\TrojansC.sbi. The current errors with the Trojans.sbi and TrojansC.sbi files are caused by new detection rules that are incompatible with versions of Spybot prior to 1.5.2. These new detection rules use the new Anti-Rootkit plugins #1, #2 and #3 that have only been offered as updates to Spybot 1.5.2. If you upgrade to Spybot 1.5.2 you will not only eliminate the error messages but will also be performing rootkit searches while doing a Spybot "Check for problems".

English Language Company Links:
Spybot Search and Destroy English Home Page
Spybot Search and Destroy (Multi-Lingual Landing Page. Choose your language).
Spybot Search and Destroy Download page - Program and definition updates. You can download the latest version of Spybot S&D plus definition and tool updates here for inclusion later on.
Full tutorial about using and setting up Spybot Search and Destroy
Spybot Search and Destroy Update History


August 10, 2008

My Spam analysis for Aug 4 - 10, 2008


The most recent social engineering email threat is a video exploit link spam that has a subject and sender containing the words "CNN Alerts: Custom Alert," which contains a link to a web page hosting a payload named "get_flash(_update).exe" - or a variation thereof. This is serious malware that has been identified as being either a "Tibs," "Zlob," or "Storm/Nuwar" Trojan variant. If you are lured to a web page containing such a link (mouse-over links to see their destination in your browser's status bar, on the bottom), and you survive the automatic attempts to exploit browser vulnerabilities, do not click on the download links offered to you! There may be a pop-up message claiming you require a video codec, or ActiveX Object to view a news story, but it is a trick to fool you into self-installing the Trojan.
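The indicators in this post (the "CNN Alerts: Custom Alert" lure and the "get_flash(_update).exe" payload link) and in the August 17 post above ("Breaking News," "Weekly top news," a "Top News Agency" sender, links ending in "index1.html" or "install.exe") are exactly the kind of thing a custom filter rule keys on. Here is an added Python example (my own code, not code from the blog or from MailWasher Pro) that parses raw messages and reports which of those indicators matched, including a wildcard sender blacklist of the "pattern matching wildcard rules" kind mentioned in the statistics. The lure phrases and payload file names are taken from the two posts; the wildcard rules, the `.example` domains and the three sample messages are constructed for the demonstration.

```python
"""
Added example (my own code, not from the blog or from MailWasher Pro):
a defender-side email screener built from the indicators in the
August 10 and August 17 posts. Lure phrases and payload file names are
from the posts; the blacklist rules, domains and sample messages are
constructed for the demo (.example is a reserved TLD).
"""
import email
import re
from email import policy
from fnmatch import fnmatch
from typing import Dict, List

# Subject/From phrases used by the fake-news lure, per the posts.
LURE_PHRASES = (
    "cnn alerts: custom alert", "my custom alert", "breaking news",
    "breaking alert", "weekly top news", "top news agency",
)

# File names at the end of the disguised links the posts describe.
PAYLOAD_FILE_RE = re.compile(
    r"(?:get_flash(?:_update)?\.exe|install\.exe|index1\.html)$", re.I)

# Constructed wildcard sender rules (the blog's own rule set is not shown).
BLACKLISTED_SENDERS = ("*@*.spamvertised.example", "newsdesk*@*")

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)


def extract_urls(msg) -> List[str]:
    """Collect every http(s) URL from the text parts of a parsed message."""
    urls: List[str] = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            urls.extend(URL_RE.findall(part.get_content()))
    return urls


def sender_address(from_header: str) -> str:
    """Reduce '"Display Name" <user@host>' to user@host, lower-cased."""
    return from_header.split("<")[-1].rstrip(">").strip().lower()


def screen(raw: str) -> List[str]:
    """Return the reasons a message matches the news-lure indicators.
    An empty list means nothing matched."""
    msg = email.message_from_string(raw, policy=policy.default)
    subject = str(msg["Subject"] or "").lower()
    sender = str(msg["From"] or "").lower()
    reasons: List[str] = []
    if any(p in subject or p in sender for p in LURE_PHRASES):
        reasons.append("fake-news lure in Subject/From")
    for url in extract_urls(msg):
        # Compare only the path: strip any query string or fragment first.
        path = url.split("?", 1)[0].split("#", 1)[0]
        if PAYLOAD_FILE_RE.search(path):
            reasons.append("link ends in a known payload file name: " + url)
    if any(fnmatch(sender_address(sender), pat) for pat in BLACKLISTED_SENDERS):
        reasons.append("sender matches a wildcard blacklist rule")
    return reasons


# Constructed sample messages; senders and links are invented for the demo.
SAMPLE_MESSAGES: Dict[str, str] = {
    "lure": (
        'From: "Top News Agency" <newsdesk@news-feed.example>\n'
        "Subject: Weekly top news\n"
        "\n"
        "Read All 12 breaking news\n"
        "http://compromised-host.example/news/index1.html\n"
    ),
    "codec": (
        "From: alerts@video-alerts.spamvertised.example\n"
        "Subject: Breaking News\n"
        "\n"
        "Watch the video: http://compromised-host.example/get_flash_update.exe\n"
    ),
    "legit": (
        "From: alice@corp.example\n"
        "Subject: Meeting notes\n"
        "\n"
        "Notes are at http://intranet.corp.example/docs/index.html\n"
    ),
}


def screen_all(messages: Dict[str, str]) -> Dict[str, List[str]]:
    """Screen every sample and map its name to the list of matched reasons."""
    return {name: screen(raw) for name, raw in messages.items()}


if __name__ == "__main__":
    for name, reasons in screen_all(SAMPLE_MESSAGES).items():
        print(name, "->", reasons or ["clean"])
```

The point of reporting reasons rather than a yes/no is the same one the post makes about mousing over links: the link's file name is a stronger signal than the subject, because the subject line changes every few days while the payload names have stayed recognizable. Each matched reason maps naturally onto one of the Statistics categories (subject lure, exploit link, blacklisted sender).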

MailWasher Pro spam category breakdown for August 4 - 10, 2008. Spam amounted to 45% of incoming email this week.

Loans/Bankruptcy/Insurance Scams: 25.00%
Male enhancement spam (subject or body): 16.41%
Exploit link to Trojan download: 15.63%
Blacklisted Domains/Senders: (by pattern matching wildcard rules) 10.94%
Other filters: (See my MWP Filters page) 9.38%
Known Spam Subjects: 5.47%
Pharmaceutical spam (inc. Viagra, Cialis, Levitra & misc. pills & herbals): 5.47%
Known Spam Domains: 2.34%
Counterfeit Watches: 2.34%
Casino Spam: 2.34%
Diploma Spam: 2.34%
DNS Blacklists: 2.34%


August 7, 2008

Spybot Search and Destroy Definitions Updated on 8/6/2008


Spybot Updates - published every Wednesday

News Flash!
Spybot Search and Destroy 1.6 was released on July 8, 2008. Upgrade now! Read more about it in my extended comments.

Additions made on August 6, 2008:

Adware
++ Downloader.Trymedia (55397)

Dialer (Dialers silently try to use your modem to call pay per minute numbers in foreign countries)
+ CarpeDiem Vars (177988)

Keyloggers (Keyloggers steal your typed logins and passwords)
++ DigitalKeylogger

Malware (Includes rogue or fake anti-virus and anti-spyware programs and fake registry cleaners and fake security alerts)
+ BannerRotator
+ Fraud.Antivirus2008 (2)
++ Fraud.PC-Antispy
++ PrivacyGuarantor
+ Win32.BHO.je

Security
+ Microsoft.Windows.AppFirewallBypass

Spyware
++ AlexaToolbar

Trojans
++ Gooochi.BHO
+ PWS.Small.bs
+ Smitfraud-C.MSVPS
+ Virtumonde.dll
+ Virtumonde.sci
+ Virtumonde.sdn
++ VirusExterminator
++ Win32.Agent.alo
+ Win32.Agent.ark
+ Win32.Bancos.zm
++ Win32.Crackpai.A
++ Win32.Delf.arv
++ Win32.JunkPoly
++ Win32.Klone.ao
++ Win32.OnLineGames.anyz
++ Win32.QQPass.aom
+ Win32.Sohanad.as
++ Win32.VB.sp
+ Zlob.Downloader.rid
+ Zlob.Downloader.tfr
+ Zlob.Downloader.wet
++ Zlob.ur

Total: 1147318 fingerprints in 280413 rules for 4112 products.

False positive detections reported or fixed this week:

False positive registry entry detections of "TacOnlyOne" and "WinSpywareProtect" that have been reported were fixed in this week's F/P updates.

"Alexa related" may be a false positive detection for a Google toolbar search function.

Zlib.dll, in GuardianMonitor, detected when scanning manually, under the Heuristic section only, is a false positive.

If you are still using Spybot S&D 1.3, or 1.4, please read this!

I have read several false positive reports regarding CoolWWWSearch.hjg and HellzLittleSpy from people still using the old versions 1.3 and 1.4 of Spybot Search and Destroy. I must stress that you cannot trust these versions to be 100% accurate when updated with current definitions. In fact, the opposite appears to be true; they are producing false positive detections with recent updates.

These are false positive which occur because Spybot 1.3 is outdated and does not understand the more complex rules made for 1.6 and newer.

Apply the main update that shows up within the internal updater to upgrade to (1.6.x).

If your computer gets stuck in a logon/logoff loop, after updating and scanning with these older versions of Spybot, visit this forum page for a solution, from Team Spybot.

If you are using any version older than 1.6 please upgrade to the current version of Spybot S&D, which is now 1.6.0.30. New definitions for malware like the Virtumonde family of Trojans need the newer processing technologies introduced in version 6.0.

If you get an alert about that detection for a file you think is legitimate you should submit it to Team Spybot for analysis.

Spybot Search & Destroy version 1.6.0, the latest release, is compatible with Windows Vista and features a nicer interface and sports a separate updater window and application. It scans for threats much faster than 1.5.2 does. If you are still using version 1.3 or 1.4, I strongly recommend that you update to 1.6.x, using the company links below. These older versions are giving more frequent false positives than ever before.

Spybot S&D is compatible with all versions of Windows from Windows 95 upward. Note that, starting with Windows NT onward, installing, un-installing and immunizing the program will require administrator privileges. From Windows 2000 onward this can be done by less privileges users via the right-click "Run As" command. Vista requires Administrator rights to run the program, so elevate your privileges to update and immunize.

Spybot S&D can run in Linux if you have Wine installed.

There is no support for Mac OS at this time.

Some users are having problems with Spybot S&D updates when running as less privileged users (Limited or Power Users). First off, less privileged users can no longer apply most immunization rules from within their accounts, unless they use the "Run as" command to run the program as an administrator. Your solution is to first run the Spybot Updater, from your Start menu > Programs > "Spybot - Search & Destroy" > "Update Spybot-S&D." The updater is now a separate application. To avoid possible account corruption from the rootkit detections, run the Spybot Updater before you open the actual Spybot S&D program. Download all available updates from the best server location (I prefer the Safer Networking servers). Exit the updater after all definitions have been installed and green checkmarks are displayed for all updates.

After the updater has exited you can right-click on the shortcut to Spybot S&D and "Run As" an administrator, with your administrator account password (only if you login as a Limited or Power User). When the program opens you should immediately use the Immunize button to apply the level of protection you desire to the selectable applications. These typically include major browsers, domains, cookies, and the Windows HOSTS file. If you are an advertiser or publisher in an affiliate network be sure you exclude cookies for your affiliate programs that are in the detections list, or you'll have problems logging into your affiliate accounts. I have to exclude Commission Junction and Linkshare detections in both cookies, domains and HOSTS immunizations. Apparently, the authors of Spybot are down on advertising cookies and domains. Oh well (sigh).

Another problem being reported is when you run some versions of Spybot S&D it stops with a warning about problems including the file C:\Program Files\Spybot-Search_Destroy\Includes\TrojansC.sbi. The current errors with the Trojans.sbi and TrojansC.sbi files are caused by new detection rules that are incompatible with versions of Spybot prior to 1.5.2. These new detection rules use the new Anti-Rootkit plugins #1, #2 and #3 that only have been offered as updates to Spybot 1.5.2. If you upgrade to Spybot 1.5.2 you will not only eliminate the error messages but in also will be performing rootkit searches while doing a Spybot "Check for problems".

English Language Company Links:
Spybot Search and Destroy English Home Page
Spybot Search and Destroy (Multi-Lingual Landing Page. Choose your language).
Spybot Search and Destroy Download page - Program and definition updates. You can download the latest version of Spybot S&D plus definition and tool updates here for inclusion later on.
Full tutorial about using and setting up Spybot Search and Destroy
Spybot Search and Destroy Update History

See all security program update notices in this category

A consequence of acquiring many of the parasites, keyloggers, hijackers and downloaders is that their files and startup settings are usually saved to your System Restore hidden folder, from whence they are automatically restored upon rebooting the computer. To completely remove these threats, and others, you should disable System Restore, then reboot, then clean all threats, then re-start System Restore, setting a new Restore Point on a clean machine. Many people overlook this and are constantly reinfected after removing threats. There are few, if any, security programs that can clean or remove infected files that are backed up in your protected System Restore directory.

To disable System Restore, go to My Computer and right-click on its icon. From the flyout options select Properties. In the "System Properties" dialog select the "System Restore" tab. There you will find a checkbox labeled "Turn off System Restore." Check it, then click Apply and wait while the System Restore files are deleted (this takes some time). After the deletions are finished, click OK to close the Properties box, then reboot.

When you have thoroughly removed all infections follow the same procedure as above, unchecking the box that turned off System Restore.

In the event that Spybot mistakenly removes one or more files due to a faulty detection update (a.k.a. a False Positive), you can restore them from the program itself. Just click on the "Recovery" button, which looks like a first aid kit with a red cross in it, then locate the item(s) you wish to restore. Click on the select box(es) to the left of the detection name(s) to place a check mark in them, then click on "Recover selected items." The files and/or registry entries will be put back where they were deleted from. The Spybot forums have discussions about false positives here.

For those of you who have not yet used Spybot Search and Destroy, if you were wondering whether it "plays nice" with other anti-spyware programs, it most certainly does! I have used Spybot S&D since its inception, along with various other free and commercial security programs, and it has never caused any problems on my, or my customers', computers.

Spybot Search and Destroy has a Malware Removal Forum where trained volunteers can help you with spyware removal problems.

Finally, as individuals who benefit from the free software that is produced and updated by the good folks who run Spybot Search and Destroy, at their own expense, it won't hurt us to send occasional donations to them, to help them financially in their efforts. There is a donate button on most pages of the Spybot S & D website. Think seriously about using it. Send what you can.


August 5, 2008

My Spam analysis for July 28 - Aug 4, 2008

I'm writing this two days late, due to other commitments over the weekend.

This is the latest entry in a series about classifications of spam, according to my custom filter rules used by the anti-spam tool, MailWasher Pro.

MailWasher Pro is a spam screening program that goes between your email servers and your desktop email client (application). It uses a variety of techniques to recognize what is and isn't spam, including a learning filter and user created custom filter rules. I personally write and use MailWasher Pro custom filters to detect and delete most incoming spam email. I have created and published a large assortment of spam filters which "plug-in" to MailWasher Pro, to flag or delete known spam. You can read about them, or download and use them in your own registered copy of MailWasher Pro.

MailWasher Pro has a "Statistics" display page that breaks down the types of spam it has deleted, listed by categories. Each program and user-created filter has a name and when a measurable percentage of spam is matched by a particular filter it shows up in the Statistics, with its percentage shown next to it. The percentages for various categories of spam listed below are taken from my MailWasher Pro "Statistics" page.

The category "Other Filters" combines several of my custom filters which did not receive enough spam to rate a measurable percentage, thus were all grouped into the one category, "Other."

For the last couple of weeks most of the spam/scam email I saw or auto-deleted was in the form of ludicrous news headlines in the subject and body and a single link to a website where your computer is bombarded with multiple exploits. Should your computer be too well protected to fall for the automatic exploits, there is one trick left that is netting as many victims as the auto-exploits do. The web page presents you with a fake PornTube or YouTube player containing a notice that you must click to download a missing video codec to play the movie. Of course, the only thing downloaded when one clicks on the image is a copy of a Trojan installer file, and your computer instantly becomes a Zombie member of a Botnet.

The most recent spate of video exploit link spam has a subject and sender containing the words "Daily Top 10" and has multiple stacked lines of "news" links, all leading to a single web page with a payload named "get_flash_update.exe" - or a variation thereof. This is malware that has been identified as being either a "Zlob" or "Storm/Nuwar" Trojan variant. If you are lured to a web page containing such a link (mouse-over links to see their destination in your browser's status bar, on the bottom), and you survive the automatic attempts to exploit browser vulnerabilities, do not click on those executable links!

MailWasher Pro spam category breakdown for July 28 - August 4, 2008 (one extra day). Spam amounted to 42% of incoming email this week.

Other filters: (See my MWP Filters page) 21.33%
Exploit link to Trojan download: 21.33%
Blacklisted Domains/Senders: (by pattern matching wildcard rules) 11.33%
Loans/Bankruptcy/Insurance Scams: 9.33%
Known Spam Subjects: 6.00%
"Opera Mail" Spam: 4.67%
"Apple Mail" Spam: 4.67%
Angelina Jolie Video Exploits: 4.67%
Counterfeit Watches: 4.00%
Male enhancement spam (subject or body): 3.33%
Pharmaceutical spam (inc. Viagra, Cialis, Levitra & misc. pills & herbals): 3.33%
Digits or Consonants forged sender: 2.67%
DNS Blacklists: 2.67%
Bayesian learning filter: 1.33%
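To make the custom-filter-plus-statistics idea concrete, here is a small added example in Python (not MailWasher Pro's own filter syntax or code): three rules modelled on the categories above are applied in order to constructed sample messages, and the breakdown is computed the way the Statistics page reports it. The rule names are the page's categories; the sample addresses, the regular expressions and the first-match-wins ordering are my assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample mail (invalid domains, not real messages) for the demo.
SAMPLE_MAIL = [
    "From: Daily Top 10 <news@example.invalid>\nSubject: Daily Top 10\n\n"
    "Read more: http://example.invalid/get_flash_update.exe\n",
    "From: 48213907@example.invalid\nSubject: Hello\n\nhi there\n",
    "From: qwrtp@example.invalid\nSubject: Re: invoice\n\nsee attached\n",
    "From: shop@example.invalid\nSubject: Replica Rolex watches\n\nbuy now\n",
    "From: Alice <alice@example.invalid>\nSubject: Lunch?\n\nNoon at the usual place?\n",
]

def exploit_link(msg, body):
    """Sender or subject carrying 'Daily Top 10', or a link whose target is an .exe file."""
    hdrs = f"{msg['From']} {msg['Subject']}".lower()
    return "daily top 10" in hdrs or re.search(r"https?://\S+\.exe\b", body, re.I) is not None

def forged_sender(msg, body):
    """Sender local part made only of digits or only of consonants (machine-generated)."""
    local = parseaddr(msg["From"] or "")[1].split("@")[0]
    return re.fullmatch(r"\d+|[b-df-hj-np-tv-z]+", local, re.I) is not None

def counterfeit_watches(msg, body):
    return re.search(r"\b(replica|rolex)\b", msg["Subject"] or "", re.I) is not None

# Ordered like custom filters: the first rule that matches names the category.
RULES = [
    ("Exploit link to Trojan download", exploit_link),
    ("Digits or Consonants forged sender", forged_sender),
    ("Counterfeit Watches", counterfeit_watches),
]

def classify(raw):
    """Return the matching category name, or None when no rule flags the message."""
    msg = message_from_string(raw)
    body = msg.get_payload() if not msg.is_multipart() else ""
    for name, rule in RULES:
        if rule(msg, body):
            return name
    return None

def breakdown(raws):
    """Spam share of all mail, plus each category's share of the spam, as percentages."""
    hits = [c for c in map(classify, raws) if c is not None]
    cats = {n: round(100 * hits.count(n) / len(hits), 2) for n, _ in RULES if n in hits}
    return round(100 * len(hits) / len(raws), 2), cats
```

Run over the five constructed messages, four are flagged (80% spam), split 25% / 50% / 25% across the three rules; in a real deployment the rule order matters, since a message is counted only under the first filter that matches it.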

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as an incoming email screener for your POP email program (Microsoft Outlook, Microsoft Outlook Express, Microsoft Live Mail, Eudora, Mozilla and other stand-alone email programs).


About the author
Wiz FeinbergWiz's Blog is written by Bob "Wiz" Feinberg, an experienced freelance computer consultant, troubleshooter and webmaster. Wiz's specialty is in computer and website security. Wizcrafts Computer Services was established in 1996.
Creative Commons License This weblog is licensed under a Creative Commons License.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.
Powered by Movable Type