Wiz's Computer and Website Security Blog

If you are reading this you have a computer. If you have a computer you also probably have at least one email address. Unless you live on another planet, or your email provider only allows whitelisted email through, you, like me, get a lot of junk mail, a.k.a. "spam" messages.While spam is an annoyance to most people, it is combat for me. I publish custom spam filters to block spam email for people who use the MailWasher Pro anti-spam email client.

This is the latest entry in a weekly series about classifications of spam, according to my custom filter rules used by the anti-spam tool, MailWasher Pro.

MailWasher Pro is a spam screening POP3 email program that goes between your email servers and your desktop email client (application). With this program you can actually read all of your incoming email in plain text, and click on links, if you are so inclined. MailWasher Pro uses a variety of techniques to recognize and designate what is and isn't spam, including a learning filter and user created custom filter rules. I personally write and use MailWasher Pro custom filters to detect and delete most incoming spam email. I have created and published a large assortment of spam filters which "plug-in" to MailWasher Pro, to flag or delete known spam. You can read about them, or download and use them in your own registered copy of MailWasher Pro.

MailWasher Pro has a "Statistics" display page that breaks down the types of spam it has deleted, listed by categories. Each program and user-created filter has a name and when a measurable percentage of spam is matched by a particular filter it shows up in the Statistics, with its percentage shown next to it. The percentages for various categories of spam listed below are taken from my MailWasher Pro "Statistics" page.

The category "Other Filters" combines several of my custom filters which did not receive enough spam to rate a measurable percentage, thus were all grouped into the one category called "Other Filters." Since I have a lot of custom filters and spam types do vary every week, the Other Filters category is always quite large, percentage-wise.

When it comes to major spam runs, sent entirely through zombie computers which are unwittingly members of Botnets, certain types of spam rise to the top of the threat list, every week or two. The most common type of spam this week (again) is pharmaceuticals, including male enhancement pills, Viagra, Cialis and other sex oriented drugs. The most common spam subject and message body text included or started with the words "Canadian Pharmacy."

For those who don't know, "Canadian Pharmacy" is a fake pharmacy, with fake accreditation banners, that is either hosted on compromised home or office computers (in Bot-nets), or on "bullet-proof" web hosting servers in China, Korea, Vietnam, Romania, Russia, or The Ukraine. The Canadian Pharmacy spam gang sells counterfeit drugs that could harm or even kill you, but certainly won't help you in the manner advertised. This fake pharmacy is used by cyber criminals to raise money for themselves and to fund illegal activities that they engage in. Once they get your credit or debit card number they may max out your spending limit, or empty out bank account, or sell your credit card details to other criminals.

The runner up subject begins with"from" followed by fake first and last names. The body text often contains "Canadian Pharmacy" or "CanadianRX," or other words alluding to pharmaceuticals, and leads to compromised computers running the Russian Nginx server software, unbeknownst to their owners. Those zombie computers are used to host the fake Canadian Pharmacy website. My spam log also showed a large number of other repetitive pharmaceutical subjects, such as: Doctor Approved and Recommended, Enlarge, Very discreet shipping and billing, and RE: Message (5 to 7 numbers). Please do not be deceived into thinking that these are legitimate online pharmacies. Despite any banners, labels, or claims to the contrary, they are NOT approved to sell their (counterfeit) pills in most countries outside of China. Don't become a victim - delete all spam on sight!

Other categories of spam that rated a sizable percentage included unsecured loans, credit cards, or debt reduction. Common Subject words include "Refinance" or "Loans." These are scams. No legitimate company ever uses spam sent through botnets to advertise its financial services! Never, ever, ever buy anything that is "spamvertised!"

MailWasher Pro spam category breakdown for Sept 22 - 28, 2008. Spam amounted to 53% of my incoming email this week.

Download MailWasher Pro Here

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as an incoming email screener for your POP email program (Microsoft Outlook, Microsoft Outlook Express, Microsoft Live Mail, Eudora, Mozilla and other stand-alone email programs).

All of the spam and scams targeting my accounts were either automatically deleted by my custom MailWasher Pro spam filters, or if they made it through, was reported to SpamCop, of which I am a reporting member, and manually deleted. I never buy anything that is Spamvertised and recommend you don't either! Remember, almost all spam is now sent from compromised home or business PCs, zombies in various Botnets, all of which are controlled by criminals. If you purchase anything advertised in spam messages, you have given your credit or debit card information to the criminals behind that enterprise. If you are really lucky you will only be charged for the fake items you purchased, but, if not, you might find your credit limit used up, or your bank account emptied (for debit card transactions), by cyber criminals.

Also, unsubscribing through links in botnet-sent spam messages is futile, as you never opted-in, in the first place; your email address was captured by an email harvester on an infected computer belonging to somebody you corresponded with. Instead of receiving less spam as one might expect (by unsubscribing), all it does is confirm that your email address is active and you will see even more spam than before.

Another common way your email address may get harvested by spammers is if it appears in a large C.C. (Carbon Copy) list on a computer that gets Botnetted. Many people engage in forwarding messages among all their friends. Each time they forward chain letters their address gets added to the growing list of recipients (called Carbon Copy, or CC). If just one recipient of that message has an email harvesting malware infection, all of the email addresses listed in that message will be sent home to the spammer behind that spam run.

Smart folks who want to forward or send a message to multiple recipients use B.C.C. instead of C.C. Using B.C.C. hides all of the recipients from displaying. The To field will just show "Undisclosed Recipients" in a message sent using B.C.C. This is safest for you and your friends or mailing list. All email clients have a means of displaying a B.C.C. field.

Posted by Wiz at 2:12 PM | Permalink

back to top ^

If you are using "Spybot Search and Destroy" to protect your PC against spyware infections and haven't updated it this week, be aware that updates to the definition files were released on schedule, on Wednesday this week, as listed below. Spyware and other classes of malicious programs are altered constantly to avoid detection by anti-spyware programs. Since Spybot S&D updates are only released on a weekly schedule (on Wednesdays) it is imperative that you make it a point to check for and download updates every week, preferably on Wednesday evenings. After downloading all available updates (from the best responding download server in the list of server locations), immunize*, then scan for and remove any detected malware. If Spybot is unable to remove an active threat it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.

If you arrived here by searching for the name of some malware that may be on your computer and you are not currently using Spybot Search and Destroy, you can download the latest version from the Spybot Search and Destroy Multi-Lingual Landing Page. Choose your language, then use the link in the left sidebar to go to the downloads page. Download the program from your closest mirror server, install it, update it (Updates button), then follow the instructions below to detect and remove any malware that is on your PC.

If you see a program listed in the detections below, by name, you should assume that is is malware (with the possible exception of the PUP group, which is up to user discretion). All of the programs listed with a single + sign are updated detections, while a double ++ in front of it's name indicates a brand new detection. A number in parenthesis, following a malware name, indicates the number of variants included in that detection. These programs are dangerous to your computer, and/or personal security or privacy.

* After updating your Spybot S&D definitions, if they include new "immunization" definitions you need to click on the "Immunize" button, then, if the status line tells you that additional immunizations are possible, click on the Immunize link, near the top of the program. It has a green + sign in a button. If you don't do this the new immunizations against hostile ActiveX programs will not be applied. After immunizing with any new detections, run a scan for malware by clicking on the "Spybot Search & Destroy" button, on the left panel, then on the button with the magnifying glass icon, labeled: "Check For Problems."

Spybot Updates - published every Wednesday

Spybot Search and Destroy 1.6 was released on July 8, 2008. It scans for threats about 4 times faster than previous versions and has an redesigned spyware removal engine. Upgrade now to Spybot S&D 1.6. The newest Virtumonde threats require the anti malware engine in Spybot 1.6 to effectively remove them.

Additions made on September 24, 2008:

Keyloggers (Keyloggers steal your typed logins and passwords)
+ Ardamax

Malware (Includes rogue or fake anti-virus and anti-spyware programs and fake registry cleaners and fake security alerts, plus other nasty programs)
+ ActiveToolBand
+ AntiSpywareMaster
++ AntispywareProXP
+ BookedSpace
++ Cleaner2009
+ Fake.MSAntivirus
+ Fraud.AntiMalwares
+ Fraud.AntiSpyware2008XP
+ Fraud.Antivirus2008
+ Fraud.PC-Antispy
++ Fraud.SmartAntiVirus2009
++ InternetSpeedMonitor
++ PCCleanPro
+ Smitfraud-C.
+ Virantix (8)
+ Win32.Agent.pz
++ Win32.Hangame
+ Win32.Renos
+ Win32.VB.lu
+ WinSpyKiller
+ WinXDefender
+ Worldsecurityonline.FakeAlert

Spyware
++ EBlaster

Trojans (Trojans come to you disguised as something useful, or as a missing codec required to view a spammed video, but, like the Trojan Horse of antiquity, they hold dangerous contents that cause great harm!)
+ Adclicker
+ Command Service
+ Fake.IKEA-Bill
++ Popguide
++ ProGroup.ProRat
+ Vanbot
++ Virtumonde.atr
+ Virtumonde.dll
+ Virtumonde.prx
+ Virtumonde.sci
+ Virtumonde.sdn
+ WebBuyingAssistant
++ Win32.Agent.hz
+ Win32.Agent.msgr
++ Win32.Antilam.20
++ Win32.AutoRun.dmh
+ Win32.BabyDel
++ Win32.BHO.fdj
+ Win32.BHO.df
+ Win32.ConHook.ah
++ Win32.Delf.gxz
++ Win32.Rays
+ Win32.Small.buy
++ Win32.VB.aoo
+ Zlob.Downloader.apl
+ Zlob.Downloader.mot
+ Zlob.Downloader.vdt
+ Zlob.Vcodec
+ Zlob.XPasswordManager

Total: 1137868 fingerprints in 283533 rules for 4288 products.

False positive detections reported or fixed this week:

There is an as yet unconfirmed, but reported false positive of "FakeAlert" in the Windows System file "msvideo.dll." According to the user who reported this, "the description SpyBot gives indicates that FakeAlert creates an autorun entry but I don't see anything that arouses my suspicion." If it is a FP it will be corrected in next week's updates. If Spybot flags this file on your computer use caution and check with the Spybot False Positives Forum before allowing it to be deleted.

RegCleaner by Jouni Vuorio is a confirmed false positive and was fixed with the updates last Wednesday.

Extended Comments

If you are still using Spybot S&D 1.3, or 1.4, update support is about to end and your computer will be at greater risk because of having out-dated definitions.

If you are using any version older than 1.6 please upgrade to the current version of Spybot S&D, which is now 1.6.0.30, as soon as possible. New definitions for malware like the Virtumonde family of Trojans need the newer processing technologies introduced in version 1.6.0.

Virtumonde (also known as the Vundo Trojan) is a Trojan horse that is known to cause pop-ups and advertising for rogue anti-spyware programs. It also causes other problems, including performance degradation and denial of service with some websites including Google. It attaches itself to the operating system using phony Browser Helper Objects (BHOs) and .dll files attached to the Winlogon process and Windows Explorer.

With the release of Spybot-S&D 1.6, Team Spybot has spent a lot of energy and man-hours implementing some new technologies to improve Virtumonde detections, increasing their detection range by more than 40% to more than 250,000 detection patterns to identify more than one million malware "fingerprints."

To benefit from these improvements, I recommend that you update to Spybot Search & Destroy 1.6, which is available through the update function integrated into the application as well as from the Spybot S&D download page.

If your computer gets stuck in a logon/logoff loop, after updating and scanning with the older versions of Spybot, visit this forum page for a solution, from Team Spybot.

Of continued concern to people who operate as Limited or Power Users for their daily browsing and email, Spybot Search and Destroy is still corrupting your less privileged accounts after you update it, immunize and scan from an Administrator level account. If, after doing these things, you log off the Administrator account and try to log into your Limited/Power User account, it may be corrupted and a generic desktop and start menu may appear. Don't panic! Your account and desktop can be restored by simply rebooting the computer. When you login after the reboot your previous settings will reappear. I don't know why this happens, but, stuff happens! It may be related to the relatively new rootkit detection added last year.

If you want to get direct assistance from Team Spybot, or their talented volunteers, visit the Spybot support forums, sign up for a user account and post your request for assistance. Be sure to read the rules before posting a question or reply.

If your computer is infected and you need help removing the threats, go to the Malware Removal Forums, at Safer Networking/Spybot.info. Again, read the rules before posting your request or logs! Do NOT inject your problem into somebody else's thread! Start a new topic.

Posted by Wiz at 2:47 PM | Permalink

back to top ^

If you are reading this you have a computer. If you have a computer you also probably have at least one email address. Unless you live on another planet, or your email provider only allows whitelisted email through, you, like me, get a lot of spam messages.While spam is an annoyance to most people, it is combat for me. I publish custom filters to block spam email for people who use the MailWasher Pro anti-spam email client.

This is the latest entry in a weekly series about classifications of spam, according to my custom filter rules used by the anti-spam tool, MailWasher Pro.

MailWasher Pro is a spam screening POP3 email program that goes between your email servers and your desktop email client (application). With this program you can actually read all of your incoming email in plain text, and click on links, if you are so inclined. MailWasher Pro uses a variety of techniques to recognize and designate what is and isn't spam, including a learning filter and user created custom filter rules. I personally write and use MailWasher Pro custom filters to detect and delete most incoming spam email. I have created and published a large assortment of spam filters which "plug-in" to MailWasher Pro, to flag or delete known spam. You can read about them, or download and use them in your own registered copy of MailWasher Pro.

MailWasher Pro has a "Statistics" display page that breaks down the types of spam it has deleted, listed by categories. Each program and user-created filter has a name and when a measurable percentage of spam is matched by a particular filter it shows up in the Statistics, with its percentage shown next to it. The percentages for various categories of spam listed below are taken from my MailWasher Pro "Statistics" page.

The category "Other Filters" combines several of my custom filters which did not receive enough spam to rate a measurable percentage, thus were all grouped into the one category called "Other Filters." Since I have a lot of custom filters and spam types do vary every week, the Other Filters category is always quite large, percentage-wise.

When it comes to major spam runs, sent entirely through zombie computers which are unwittingly members of Botnets, certain types of spam rise to the top of the threat list, every week or two. The most common type of spam this week (again) is pharmaceuticals, including male enhancement pills, Viagra, Cialis and other sex oriented drugs. The most common spam subject included or started with the words "Canadian Pharmacy."

For those who don't know, "Canadian Pharmacy" is a fake pharmacy, with fake accreditation banners, that is either hosted on compromised home or office computers (in Bot-nets), or on "bullet-proof" web hosting servers in China, Korea, Vietnam, Romania, Russia, or The Ukraine. The Canadian Pharmacy spam gang sells counterfeit drugs that could harm or even kill you, but certainly won't help you in the manner advertised. This fake pharmacy is used by cyber criminals to raise money for themselves and to fund illegal activities that they engage in.

The runner up subject begins with"from" followed by fake first and last names. The body text often contains "Canadian Pharmacy" or "CanadianRX," or other words alluding to pharmaceuticals, and leads to compromised computers running the Russian Nginx server software, unbeknownst to their owners. Those zombie computers are used to host the fake Canadian Pharmacy website.

Other categories of spam that rated a sizable percentage included unsecured loans, credit cards, or debt reduction. Common Subject words include "Refinance" or "Loans." These are scams. No legitimate company ever uses spam sent through botnets to advertise its financial services! Never, ever, ever buy anything that is "spamvertised!"

MailWasher Pro spam category breakdown for Sept 15 - 21, 2008. Spam amounted to 56% of my incoming email this week.

Download MailWasher Pro Here

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as an incoming email screener for your POP email program (Microsoft Outlook, Microsoft Outlook Express, Microsoft Live Mail, Eudora, Mozilla and other stand-alone email programs).

All of the spam and scams targeting my accounts were either automatically deleted by my custom MailWasher Pro spam filters, or if they made it through, was reported to SpamCop, of which I am a reporting member, and manually deleted. I never buy anything that is Spamvertised and recommend you don't either! Remember, almost all spam is now sent from compromised home or business PCs, zombies in various Botnets, all of which are controlled by criminals. If you purchase anything advertised in spam messages, you have given your credit or debit card information to the criminals behind that enterprise. If you are really lucky you will only be charged for the fake items you purchased, but, if not, you might find your credit limit used up, or your bank account emptied (for debit card transactions), by cyber criminals.

Also, unsubscribing through links in botnet-sent spam messages is futile, as you never opted-in, in the first place; your email address was captured by an email harvester on an infected computer belonging to somebody you corresponded with. Instead of receiving less spam as one might expect (by unsubscribing), all it does is confirm that your email address is active and you will see even more spam than before.

Another common way your email address may get harvested by spammers is if it appears in a large C.C. (Carbon Copy) list on a computer that gets Botnetted. Many people engage in forwarding messages among all their friends. Each time they forward chain letters their address gets added to the growing list of recipients (called Carbon Copy, or CC). If just one recipient of that message has an email harvesting malware infection, all of the email addresses listed in that message will be sent home to the spammer behind that spam run.

Smart folks who want to forward or send a message to multiple recipients use B.C.C. instead of C.C. B.C.C. hides all of the recipients from displaying. The To field will just show "Undisclosed Recipients" in a message sent using B.C.C. This is safest for you and your friends or mailing list. All email clients have a means of displaying a B.C.C. field.

Posted by Wiz at 3:16 PM | Permalink

back to top ^

If you are using "Spybot Search and Destroy" to protect your PC against spyware infections and haven't updated it this week, be aware that updates to the definition files were released on schedule, on Wednesday this week, as listed below. Spyware and other classes of malicious programs are altered constantly to avoid detection by anti-spyware programs. Since Spybot S&D updates are only released on a weekly schedule (on Wednesdays) it is imperative that you make it a point to check for and download updates every week, preferably on Wednesday evenings. After downloading all available updates (from the best responding download server in the list of server locations), immunize*, then scan for and remove any detected malware. If Spybot is unable to remove an active threat it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.

If you arrived here by searching for the name of some malware that may be on your computer and you are not currently using Spybot Search and Destroy, you can download the latest version from the Spybot Search and Destroy Multi-Lingual Landing Page. Choose your language, then use the link in the left sidebar to go to the downloads page. Download the program from your closest mirror server, install it, update it (Updates button), then follow the instructions below to detect and remove any malware that is on your PC.

If you see a program listed in the detections below, by name, you should assume that is is malware (with the possible exception of the PUP group, which is up to user discretion). All of the programs listed with a single + sign are updated detections, while a double ++ in front of it's name indicates a brand new detection. A number in parenthesis, following a malware name, indicates the number of variants included in that detection. These programs are dangerous to your computer, and/or personal security or privacy.

* After updating your Spybot S&D definitions, if they include new "immunization" definitions you need to click on the "Immunize" button, then, if the status line tells you that additional immunizations are possible, click on the Immunize link, near the top of the program. It has a green + sign in a button. If you don't do this the new immunizations against hostile ActiveX programs will not be applied. After immunizing with any new detections, run a scan for malware by clicking on the "Spybot Search & Destroy" button, on the left panel, then on the button with the magnifying glass icon, labeled: "Check For Problems."

Spybot Updates - published every Wednesday

Spybot Search and Destroy 1.6 was released on July 8, 2008. It scans for threats about 4 times faster than previous versions and has an redesigned spyware removal engine. Upgrade now to Spybot S&D 1.6. The newest Virtumonde threats require the anti malware engine in Spybot 1.6 to effectively remove them.

Additions made on September 17, 2008:

Dialer (Dialers silently try to use your modem to call pay per minute numbers in foreign countries)
+ EGDAccess

Malware (Includes rogue or fake anti-virus and anti-spyware programs and fake registry cleaners and fake security alerts, plus other nasty programs)
+ AntiSpywareMaster
+ CoolWWWSearch.OleHelp
++ Fraud.PCHealth
+ DyFuCa.InternetOptimizer
+ ISearchTech.ISTsvc
+ MagicControl.Agent
+ Smitfraud-C.
+ SpywareBOT.SpywareStop
+ Win32.Agent.pz
+ WinSpywareProtect
+ ZenoSearch

Spyware
+ 180Solutions.SearchAssistant
+ TargetSaver

Trojans (Trojans come to you disguised as something useful, or as a missing codec required to view a spammed video, but, like the Trojan Horse of antiquity, they hold dangerous contents that cause great harm!)
++ Agent.Clicker
+ CoolWWWSearch.GonnaSearch
+ Fraud.AntiMalwares
++ IRCBot.svchost
++ ProGroup.ProRat
++ Win32.Agent.hnk
+ Win32.Agent.hz
++ Win32.Delf.jl
++ Win32.Delf.gkw
++ Win32.Delf.rtk
+ Win32.Flux.fm
++ Win32.Joleee.K
+ WebBuyingAssistant
+ Virtumonde.dll
+ Virtumonde.prx
+ Virtumonde.sci
+ Virtumonde.sdn
+ Virtumonde.Crack

Total: 1219618 fingerprints in 292344 rules for 4237 products.

False positive detections reported or fixed this week:

RegCleaner by Jouni Vuorio is a false positive and was fixed with the updates this Wednesday.

Extended Comments

If you are still using Spybot S&D 1.3, or 1.4, update support is about to end and your computer will be at greater risk because of having out-dated definitions.

If you are using any version older than 1.6 please upgrade to the current version of Spybot S&D, which is now 1.6.0.30, as soon as possible. New definitions for malware like the Virtumonde family of Trojans need the newer processing technologies introduced in version 1.6.0.

Virtumonde (also known as the Vundo Trojan) is a Trojan horse that is known to cause pop-ups and advertising for rogue anti-spyware programs. It also causes other problems, including performance degradation and denial of service with some websites including Google. It attaches itself to the operating system using phony Browser Helper Objects (BHOs) and .dll files attached to the Winlogon process and Windows Explorer.

With the release of Spybot-S&D 1.6, Team Spybot has spent a lot of energy and man-hours implementing some new technologies to improve Virtumonde detections, increasing their detection range by more than 40% to more than 250,000 detection patterns to identify more than one million malware "fingerprints."

To benefit from these improvements, I recommend that you update to Spybot Search & Destroy 1.6, which is available through the update function integrated into the application as well as from the Spybot S&D download page.

If your computer gets stuck in a logon/logoff loop, after updating and scanning with the older versions of Spybot, visit this forum page for a solution, from Team Spybot.

Of continued concern to people who operate as Limited or Power Users for their daily browsing and email, Spybot Search and Destroy is still corrupting your less privileged accounts after you update it, immunize and scan from an Administrator level account. If, after doing these things, you log off the Administrator account and try to log into your Limited/Power User account, it may be corrupted and a generic desktop and start menu may appear. Don't panic! Your account and desktop can be restored by simply rebooting the computer. When you login after the reboot your previous settings will reappear. I don't know why this happens, but, stuff happens! It may be related to the relatively new rootkit detection added last year.

If you want to get direct assistance from Team Spybot, or their talented volunteers, visit the Spybot support forums, sign up for a user account and post your request for assistance. Be sure to read the rules before posting a question or reply.

If your computer is infected and you need help removing the threats, go to the Malware Removal Forums, at Safer Networking/Spybot.info. Again, read the rules before posting your request or logs! Do NOT inject your problem into somebody else's thread! Start a new topic.

Posted by Wiz at 5:02 PM | Permalink

back to top ^

If you are reading this you have a computer. If you have a computer you also probably have at least one email address. Unless you live on another planet, or your email provider only allows whitelisted email through, you, like me, get a lot of spam messages.While spam is an annoyance to most people, it is combat for me. I publish custom filters to block spam email for people who use the MailWasher Pro anti-spam email client.

This is the latest entry in a weekly series about classifications of spam, according to my custom filter rules used by the anti-spam tool, MailWasher Pro.

MailWasher Pro is a spam screening POP3 email program that goes between your email servers and your desktop email client (application). With this program you can actually read all of your incoming email in plain text, and click on links, if you are so inclined. MailWasher Pro uses a variety of techniques to recognize and designate what is and isn't spam, including a learning filter and user created custom filter rules. I personally write and use MailWasher Pro custom filters to detect and delete most incoming spam email. I have created and published a large assortment of spam filters which "plug-in" to MailWasher Pro, to flag or delete known spam. You can read about them, or download and use them in your own registered copy of MailWasher Pro.

MailWasher Pro has a "Statistics" display page that breaks down the types of spam it has deleted, listed by categories. Each program and user-created filter has a name and when a measurable percentage of spam is matched by a particular filter it shows up in the Statistics, with its percentage shown next to it. The percentages for various categories of spam listed below are taken from my MailWasher Pro "Statistics" page.

The category "Other Filters" combines several of my custom filters which did not receive enough spam to rate a measurable percentage, thus were all grouped into the one category called "Other Filters." Since I have a lot of custom filters and spam types do vary every week, the Other Filters category is always quite large, percentage-wise.

When it comes to major spam runs, sent entirely through zombie computers which are unwittingly members of Botnets, certain types of spam rise to the top of the threat list, every week or two. The most common type of spam this week (again) is pharmaceuticals, including male enhancement pills, Viagra, Cialis and other sex oriented drugs. The most common spam subject included or started with the words "Canadian Pharmacy."

For those who don't know, "Canadian Pharmacy" is a fake pharmacy, with fake accreditation banners, that is either hosted on compromised home or office computers (in Bot-nets), or on "bullet-proof" web hosting servers in China, Korea, Vietnam, Romania, Russia, or The Ukraine. The Canadian Pharmacy spam gang sells counterfeit drugs that could harm or even kill you, but certainly won't help you in the manner advertised. This fake pharmacy is used by cyber criminals to raise money for themselves and to fund illegal activities that they engage in.

The runner up subject begins with"from" followed by fake first and last names. The body text also contains "Canadian Pharmacy, or other words alluding to pharmaceuticals, and leads to compromised computers running the Russian Nginx server software, unbeknownst to their owners. Those zombie computers are used to host the fake Canadian Pharmacy website.

Other categories of spam that rated a sizable percentage included unsecured loans, credit cards, or debt reduction. These are scams. No legitimate company ever uses spam sent through botnets to advertise its financial services! Never, ever, ever buy anything that is "spamvertised!" Replica watches also kept showing up in measurable spam numbers this week. All of the spam and scams were either automatically deleted by my custom MailWasher Pro spam filters, or if they made it through, was reported to SpamCop, of which I am a reporting member, and manually deleted. I never have and never will buy anything that is Spamvertised!

MailWasher Pro spam category breakdown for Sept 8 - 14, 2008. Spam amounted to 53% of my incoming email this week.

Download MailWasher Pro Here

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as an incoming email screener for your POP email program (Microsoft Outlook, Microsoft Outlook Express, Microsoft Live Mail, Eudora, Mozilla and other stand-alone email programs).

Posted by Wiz at 4:10 PM | Permalink

back to top ^

If you are using "Spybot Search and Destroy" to protect your PC against spyware infections and haven't updated it this week, be aware that updates to the definition files were released on schedule, on Wednesday this week, as listed below. Spyware and other classes of malicious programs are altered constantly to avoid detection by anti-spyware programs. Since Spybot S&D updates are only released on a weekly schedule (on Wednesdays) it is imperative that you make it a point to check for and download updates every week, preferably on Wednesday evenings. After downloading all available updates (from the best responding download server in the list of server locations), immunize*, then scan for and remove any detected malware. If Spybot is unable to remove an active threat it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.

If you arrived here by searching for the name of some malware that may be on your computer and you are not currently using Spybot Search and Destroy, you can download the latest version from the Spybot Search and Destroy Multi-Lingual Landing Page. Choose your language, then use the link in the left sidebar to go to the downloads page. Download the program from your closest mirror server, install it, update it (Updates button), then follow the instructions below to detect and remove any malware that is on your PC.

If you see a program listed in the detections below, by name, you should assume that is is malware (with the possible exception of the PUP group, which is up to user discretion). All of the programs listed with a single + sign are updated detections, while a double ++ in front of it's name indicates a brand new detection. A number in parenthesis, following a malware name, indicates the number of variants included in that detection. These programs are dangerous to your computer, and/or personal security or privacy.

* After updating your Spybot S&D definitions, if they include new "immunization" definitions you need to click on the "Immunize" button, then, if the status line tells you that additional immunizations are possible, click on the Immunize link, near the top of the program. It has a green + sign in a button. If you don't do this the new immunizations against hostile ActiveX programs will not be applied. After immunizing with any new detections, run a scan for malware by clicking on the "Spybot Search & Destroy" button, on the left panel, then on the button with the magnifying glass icon, labeled: "Check For Problems."

Spybot Updates - published every Wednesday

Spybot Search and Destroy 1.6 was released on July 8, 2008. It scans for threats about 4 times faster than previous versions and has an redesigned spyware removal engine. Upgrade now to Spybot S&D 1.6. The newest Virtumonde threats require the anti malware engine in Spybot 1.6 to effectively remove them.

Additions made on September 10, 2008:

Adware
++ Give4Free.BHO
++ zztoolbar

Dialer (Dialers silently try to use your modem to call pay per minute numbers in foreign countries)
+ eGroup.InstantAccess

Keyloggers (Keyloggers steal your typed logins and passwords)
+ Ardamax
+ PerfectKeylogger

Malware (Includes rogue or fake anti-virus and anti-spyware programs and fake registry cleaners and fake security alerts, plus other nasty programs)
++ ActiveToolBand
+ AdwareAlert
+ AdwarePro
+ AntiSpyCheck
+ ErrorSmart
+ ErrorSweeper
++ Fake.MSAntivirus
+ Fraud.AntiMalwares
++ MalwarePro
++ Redtube
+ RegClean
+ Smitfraud-C.
+ Spyhunter
++ Win32.Agent.ys
+ Win32.BHO.je
+ Win32.Renos

PUPS (Possibly Unpopular Software or Unwanted Programs)
+ FunWebProducts
+ MyWay.MyWebSearch
++ RegCleanr

Spyware
++ SolutionClass.pws

Trojans (Trojans come to you disguised as something useful, or as a missing codec required to view a spammed video, but, like the Trojan Horse of antiquity, they hold dangerous contents that cause great harm!)
++ Fake.PCTools
++ RightMedia
++ StormCodec
+ Virtumonde
+ Virtumonde.prx
+ Virtumonde.sci
+ Virtumonde.sdn
++ VisualBreeze
+ Win32.Autoit
++ Win32.AutoRun.buv
++ Win32.BHO.kv
++ Win32.Hupigon.eez
++ Win32.LdPinch.fzw
++ Win32.Small.ba
++ Win32.VB.bbd
+ Zlob.Downloader.apl

Total: 1215016 fingerprints in 291150 rules for 4227 products.

Extended Comments

If you are still using Spybot S&D 1.3, or 1.4, update support is about to end and your computer will be at greater risk because of having out-dated definitions.

If you are using any version older than 1.6 please upgrade to the current version of Spybot S&D, which is now 1.6.0.30, as soon as possible. New definitions for malware like the Virtumonde family of Trojans need the newer processing technologies introduced in version 1.6.0.

Virtumonde (also known as the Vundo Trojan) is a Trojan horse that is known to cause pop-ups and advertising for rogue anti-spyware programs. It also causes other problems, including performance degradation and denial of service with some websites including Google. It attaches itself to the operating system using phony Browser Helper Objects (BHOs) and .dll files attached to the Winlogon process and Windows Explorer.

With the release of Spybot-S&D 1.6, Team Spybot has spent a lot of energy and man-hours implementing some new technologies to improve Virtumonde detections, increasing their detection range by more than 40% to more than 250,000 detection patterns to identify more than one million malware "fingerprints."

To benefit from these improvements, I recommend that you update to Spybot Search & Destroy 1.6, which is available through the update function integrated into the application as well as from the Spybot S&D download page.

If your computer gets stuck in a logon/logoff loop, after updating and scanning with the older versions of Spybot, visit this forum page for a solution, from Team Spybot.

Of continued concern to people who operate as Limited or Power Users for their daily browsing and email, Spybot Search and Destroy is still corrupting your less privileged accounts after you update it, immunize and scan from an Administrator level account. If, after doing these things, you log off the Administrator account and try to log into your Limited/Power User account, it may be corrupted and a generic desktop and start menu may appear. Don't panic! Your account and desktop can be restored by simply rebooting the computer. When you login after the reboot your previous settings will reappear. I don't know why this happens, but, stuff happens! It may be related to the relatively new rootkit detection added last year.

If you want to get direct assistance from Team Spybot, or their talented volunteers, visit the Spybot support forums, sign up for a user account and post your request for assistance. Be sure to read the rules before posting a question or reply.

If your computer is infected and you need help removing the threats, go to the Malware Removal Forums, at Safer Networking/Spybot.info. Again, read the rules before posting your request or logs! Do NOT inject your problem into somebody else's thread! Start a new topic.

Posted by Wiz at 8:04 PM | Permalink

back to top ^

This is the latest entry in a series about classifications of spam, according to my custom filter rules used by the anti-spam tool, MailWasher Pro.

MailWasher Pro is a spam screening program that goes between your email servers and your desktop email client (application). It uses a variety of techniques to recognize what is and isn't spam, including a learning filter and user created custom filter rules. I personally write and use MailWasher Pro custom filters to detect and delete most incoming spam email. I have created and published a large assortment of spam filters which "plug-in" to MailWasher Pro, to flag or delete known spam. You can read about them, or download and use them in your own registered copy of MailWasher Pro.

MailWasher Pro has a "Statistics" display page that breaks down the types of spam it has deleted, listed by categories. Each program and user-created filter has a name and when a measurable percentage of spam is matched by a particular filter it shows up in the Statistics, with its percentage shown next to it. The percentages for various categories of spam listed below are taken from my MailWasher Pro "Statistics" page.

The category "Other Filters" combines several of my custom filters which did not receive enough spam to rate a measurable percentage, thus were all grouped into the one category called "Other Filters." Since I have a lot of custom filters and spam types do vary every week, the Other Filters category is always quite large, percentage-wise.

When it comes to major spam runs, sent entirely through zombie computers which are unwittingly members of Botnets, certain types of spam rise to the top of the threat list, every week or two. The most common type of spam this week (again) is male enhancement products, Viagra, Cialis and other drugs. The most common spam subject was "Solution for your sexual problems," or something including the words "Canadian Pharmacy."

For those who don't know, "Canadian Pharmacy" is a fake pharmacy, with fake accreditation banners, that is either hosted on compromised home or office computers (in Bot-nets), or on "bullet-proof" web hosting servers in China, Korea, Vietnam, Romania, Russia, or The Ukraine. The Canadian Pharmacy spam gang sells counterfeit drugs that could harm or even kill you, but certainly won't help you in the manner advertised.

The runner up again is spam for unsecured loans, credit cards, or debt reduction. These are scams. No legitimate company ever uses spam sent through botnets to advertise its financial services! Never, ever, ever buy anything that is "spamvertised!" Exploit video links and replica watches also kept showing up in measurable spam numbers this week. All of the spam and scams were either automatically deleted by my custom MailWasher Pro spam filters, or if they made it through, was reported to SpamCop, of which I am a reporting member, and manually deleted. I never have and never will buy anything that is Spamvertised!

MailWasher Pro spam category breakdown for Sept 1 - 7, 2008. Spam amounted to 56% of my incoming email this week.

Download MailWasher Pro Here

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as an incoming email screener for your POP email program (Microsoft Outlook, Microsoft Outlook Express, Microsoft Live Mail, Eudora, Mozilla and other stand-alone email programs).

Posted by Wiz at 2:10 PM | Permalink

back to top ^

If you are using "Spybot Search and Destroy" to protect your PC against spyware infections and haven't updated it this week, be aware that updates to the definition files were released on schedule, on Wednesday this week, as listed below. Spyware and other classes of malicious programs are altered constantly to avoid detection by anti-spyware programs. Since Spybot S&D updates are only released on a weekly schedule (on Wednesdays) it is imperative that you make it a point to check for and download updates every week, preferably on Wednesday evenings. After downloading all available updates (from the best responding download server in the list of server locations), immunize*, then scan for and remove any detected malware. If Spybot is unable to remove an active threat it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.

If you arrived here by searching for the name of some malware that may be on your computer and you are not currently using Spybot Search and Destroy, you can download the latest version from the Spybot Search and Destroy Multi-Lingual Landing Page. Choose your language, then use the link in the left sidebar to go to the downloads page. Download the program from your closest mirror server, install it, update it (Updates button), then follow the instructions below to detect and remove any malware that is on your PC.

If you see a program listed in the detections below, by name, you should assume that is is malware (with the possible exception of the PUP group, which is up to user discretion). All of the programs listed with a single + sign are updated detections, while a double ++ in front of it's name indicates a brand new detection. A number in parenthesis, following a malware name, indicates the number of variants included in that detection. These programs are dangerous to your computer, and/or personal security or privacy.

* After updating your Spybot S&D definitions, if they include new "immunization" definitions you need to click on the "Immunize" button, then, if the status line tells you that additional immunizations are possible, click on the Immunize link, near the top of the program. It has a green + sign in a button. If you don't do this the new immunizations against hostile ActiveX programs will not be applied. After immunizing with any new detections, run a scan for malware by clicking on the "Spybot Search & Destroy" button, on the left panel, then on the button with the magnifying glass icon, labeled: "Check For Problems."

Spybot Updates - published every Wednesday

News Flash!
Spybot Search and Destroy 1.6 was released on July 8, 2008. Upgrade now! The newest Virtumonde threats require the anti malware engine in Spybot 1.6 to effectively remove them.

Additions made on September 3, 2008:

Keyloggers (Keyloggers steal your typed logins and passwords)
+ Ardamax
++ Win32.KeyLogger.ap

Malware (Includes rogue or fake anti-virus and anti-spyware programs and fake registry cleaners and fake security alerts, plus other nasty programs)
++ 1ClickPCFix
+ ErrorSafe
+ Fraud.AntiMalwares
++ Fraud.AntiSpyXP
++ Fraud.Antivirus
++ Fraud.XPAntivirus.gen
+ Power-Antivirus-2009
+ Smitfraud-C.bs
++ Smitfraud-C.ul
++ Virantix (7)
++ WinReanimator
++ XPSecurityCenter

PUPS (Possibly Unpopular Software or Unwanted Programs)
+ FunWebProducts
+ MyWay.MyWebSearch
++ Win32.HackTool.Aid (652)

Security
+ Microsoft.Windows.AppFirewallBypass

Spyware
++ CashBar

Trojans (Trojans come to you disguised as something useful, or as a missing codec required to view a spammed video, but, like the Trojan Horse of antiquity, they hold dangerous contents that cause great harm!)
++ CSR.tr
++ Fake.HostProcess
+ Hupigon
+ Maran.J
++ Nebuler.BHO
+ Virtumonde.dll
+ Virtumonde.prx
+ Virtumonde.sci
+ Virtumonde.sdn
+ Win32.Agent.ark
++ Win32.Agent.ayo
++ Win32.Agent.es
++ Win32.Banker.egt
++ Win32.BHO.bc
++ Win32.Bzub.fh (579)
++ Win32.Delf.if
++ Win32.Disabler.i
++ Win32.Fujack.b
++ Win32.Nosok.b
++ Win32.Pigeon.DLA
++ Win32.VBS.Generic.23
+ Win32.Webdir.b
++ Zlob.Downloader.got
+ Zlob.Downloader.vdt
+ Zlob.Downloader.wet

Hosts file additions to note
SweetIM is a fancy smiley program used by a lot of people addicted to instant messenger conversations. SweetIM.com has been blocked in the latest Hosts file update. It is regarded as Adware and is virtually impossible to remove by normal procedures. Attempting to remove it is known to cause a barrage of popups protesting your decision. Treat is as possible spyware, as it tracks the websites you visit to throw targeted ads at you.

Total: 1209640 fingerprints in 290002 rules for 4232 products.

False positive detections reported or fixed this week:

A couple more false positive heuristic detections were fixed with today's Spybot updates. These include "FixPolicies.exe" and "DCProSetup.exe." This is an ongoing problem where a normal scan using definitions shows nothing wrong, but a heuristic manual scan shows all kinds of infections. When in doubt, believe the definitions scan, rather than any heuristic scan. The same thing applies to your anti virus scanner. Mine gives occasional false positives with generic names, using heuristics, when in fact no infection exists in those files.

Extended Comments

If you are still using Spybot S&D 1.3, or 1.4, update support is about to end and your computer will be at greater risk because of having out-dated definitions.

If you are using any version older than 1.6 please upgrade to the current version of Spybot S&D, which is now 1.6.0.30, as soon as possible. New definitions for malware like the Virtumonde family of Trojans need the newer processing technologies introduced in version 1.6.0.

Virtumonde (also known as the Vundo Trojan) is a Trojan horse that is known to cause pop-ups and advertising for rogue anti-spyware programs. It also causes other problems, including performance degradation and denial of service with some websites including Google. It attaches itself to the operating system using phony Browser Helper Objects (BHOs) and .dll files attached to the Winlogon process and Windows Explorer.

With the release of Spybot-S&D 1.6, Team Spybot has spent a lot of energy and man-hours implementing some new technologies to improve Virtumonde detections, increasing their detection range by more than 40% to more than 250,000 detection patterns to identify more than one million malware "fingerprints."

To benefit from these improvements, I recommend that you update to Spybot Search & Destroy 1.6, which is available through the update function integrated into the application as well as from the Spybot S&D download page.

If your computer gets stuck in a logon/logoff loop, after updating and scanning with the older versions of Spybot, visit this forum page for a solution, from Team Spybot.

Finally, if you want to get direct assistance from Team Spybot, or their talented volunteers, visit the Spybot support forums, sign up for a user account and post your request for assistance. Be sure to read the rules before posting a question or reply.

If your computer is infected and you need help removing the threats, go to the Malware Removal Forums, at Safer Networking/Spybot.info. Again, read the rules before posting your request or logs! Do NOT inject your problem into somebody else's thread! Start a new topic.

Posted by Wiz at 9:42 AM | Permalink

back to top ^