October 29, 2008

Spybot Search and Destroy Definitions Updated on 10/29/2008

If you are using "Spybot Search and Destroy" to protect your PC against spyware infections and haven't updated it this week, be aware that updates to the definition files were released on schedule, on Wednesday this week, as listed below. Spyware and other classes of malicious programs are altered constantly to avoid detection by anti-spyware programs. Since Spybot S&D updates are only released on a weekly schedule (on Wednesdays) it is imperative that you make it a point to check for and download updates every week, preferably on Wednesday evenings. After downloading all available updates (from the best responding download server in the list of server locations), immunize*, then scan for and remove any detected malware. If Spybot is unable to remove an active threat it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.

If you arrived here by searching for the name of some malware that may be on your computer and you are not currently using Spybot Search and Destroy, you can download the latest version from the Spybot Search and Destroy Multi-Lingual Landing Page. Choose your language, then use the link in the left sidebar to go to the downloads page. Download the program from your closest mirror server, install it, update it (Updates button), then follow the instructions below to detect and remove any malware that is on your PC.

If you see a program listed in the detections below, by name, you should assume that it is malware (with the possible exception of the PUP group, which is up to user discretion). All of the programs listed with a single + sign are updated detections, while a double ++ in front of a name indicates a brand new detection. A number in parentheses, following a malware name, indicates the number of variants included in that detection. These programs are dangerous to your computer, and/or your personal security or privacy.

* After updating your Spybot S&D definitions, if they include new "immunization" definitions you need to click on the "Immunize" button, then, if the status line tells you that additional immunizations are possible, click on the Immunize link, near the top of the program. It has a green + sign in a button. If you don't do this the new immunizations against hostile ActiveX programs will not be applied. After immunizing with any new detections, run a scan for malware by clicking on the "Spybot Search & Destroy" button, on the left panel, then on the button with the magnifying glass icon, labeled: "Check For Problems."

Spybot Updates - published every Wednesday

Spybot Search and Destroy 1.6 was released on July 8, 2008. It scans for threats about 4 times faster than previous versions and has a redesigned spyware removal engine. Upgrade now to Spybot S&D 1.6. The newest Virtumonde threats require the anti-malware engine in Spybot 1.6 to effectively remove them.

Work is progressing rapidly on the upcoming version 2.0 of Spybot Search and Destroy. Stay tuned for more details as they are announced.

Additions made on October 29, 2008:

Hijackers
+ MT-Dials

Keyloggers (Keyloggers steal your typed logins and passwords)
++ LightLogger

Malware (Includes rogue or fake anti-virus and anti-spyware programs and fake registry cleaners and fake security alerts, plus other nasty programs)
+ AdDestination
+ AntispywareProXP
+ Fraud.PCHealth
++ Fraud.SystemAntivirus
+ Fraud.XPAntivirus
+ MicroAntivirus
+ Smitfraud-C.
+ Win32.Agent.cmn

PUPS (Possibly UnPopular Software or Potentially Unwanted Program)
++ WGDTEAM.GoldCashHack

Trojans (Trojans come to you disguised as something useful, or as a missing codec required to view a spammed video, but, like the Trojan Horse of antiquity, they hold dangerous contents that cause great harm!)
+ Network Essentials.Hopper
+ RS32UPS.ru
+ Virtumonde
+ Virtumonde.prx
+ Virtumonde.sci
+ Virtumonde.sdn
++ Win32.Agent.agee
+ Win32.Agent.frl
+ Win32.Brontok.q
++ Win32.Delf.gycn
+ Win32.Exchanger.ch
++ Win32.Small.Ybe
++ Win32.VB.ayo
++ Win32.VB.bg
++ Win32.VB.bj
+ Zlob.Downloader
+ Zlob.Downloader.wet

Total: 944259 fingerprints in 242323 rules for 4324 products.

False positive detections reported or fixed this week:

There were no false positives reported this week.

Extended Comments

If you are still using Spybot S&D 1.3 or 1.4, update support is about to end and your computer will be at greater risk because of outdated definitions. Furthermore, older versions of Spybot are known to report lots of false positives, due to the advanced heuristic rules now found in the newer definition files, which the older engines do not process correctly.

If you are using any version older than 1.6 please upgrade to the current version of Spybot S&D, which is now 1.6.0.30, as soon as possible. New definitions for malware like the Virtumonde family of Trojans need the newer processing technologies introduced in version 1.6.0.

Virtumonde (also known as the Vundo Trojan) is a Trojan horse that is known to cause pop-ups and advertising for rogue anti-spyware programs. It also causes other problems, including performance degradation and denial of service with some websites including Google. It attaches itself to the operating system using phony Browser Helper Objects (BHOs) and .dll files attached to the Winlogon process and Windows Explorer.

With the release of Spybot-S&D 1.6, Team Spybot has spent a lot of energy and man-hours implementing some new technologies to improve Virtumonde detections, increasing their detection range by more than 40% to more than 250,000 detection patterns to identify more than one million malware "fingerprints."

To benefit from these improvements, I recommend that you update to Spybot Search & Destroy 1.6, which is available through the update function integrated into the application as well as from the Spybot S&D download page.

If your computer gets stuck in a logon/logoff loop, after updating and scanning with the older versions of Spybot, visit this forum page for a solution, from Team Spybot.

Of continued concern to people who operate as Limited or Power Users for their daily browsing and email, Spybot Search and Destroy is still corrupting your less privileged accounts after you update it, immunize and scan from an Administrator level account. If, after doing these things, you log off the Administrator account and try to log into your Limited/Power User account, it may be corrupted and a generic desktop and start menu may appear. Don't panic! Your account and desktop can be restored by simply rebooting the computer. When you login after the reboot your previous settings will reappear. I don't know why this happens, but, stuff happens! It may be related to the relatively new rootkit detection added last year.

If you want to get direct assistance from Team Spybot, or their talented volunteers, visit the Spybot support forums, sign up for a user account and post your request for assistance. Be sure to read the rules before posting a question or reply.

If your computer is infected and you need help removing the threats, go to the Malware Removal Forums, at Safer Networking/Spybot.info. Again, read the rules before posting your request or logs! Do NOT inject your problem into somebody else's thread! Start a new topic.

If Spybot flags a file on your computer that you believe is a false positive detection, use caution and check with the Spybot False Positives Forum before allowing it to be deleted. You can submit a report to the Spybot False Positives forum, after signing up for an account and reading about how to report false positives before submitting your report and request for analysis.


October 26, 2008

My Spam analysis for Oct 20 - 26, 2008

If you are reading this you have a computer. If you have a computer you also probably have at least one email address. Unless you live on another planet, or your email provider only allows whitelisted email through, you, like me, get a lot of junk mail, a.k.a. "spam" messages. While spam is an annoyance to most people, it is combat for me. I publish custom spam filters to block spam email for people who use the MailWasher Pro anti-spam email client.

This is the latest entry in a weekly series about classifications of spam, according to my custom filter rules used by the anti-spam tool, MailWasher Pro.

MailWasher Pro is a spam screening POP3 email program that goes between your email servers and your desktop email client (application). With this program you can actually read all of your incoming email in plain text, and click on links, if you are so inclined. MailWasher Pro uses a variety of techniques to recognize and designate what is and isn't spam, including a learning filter and user created custom filter rules. I personally write and use MailWasher Pro custom filters to detect and delete most incoming spam email. I have created and published a large assortment of spam filters which "plug-in" to MailWasher Pro, to flag or delete known spam. You can read about them, or download and use them in your own registered copy of MailWasher Pro.

MailWasher Pro has a "Statistics" display page that breaks down the types of spam it has deleted, listed by categories. Each program and user-created filter has a name and when a measurable percentage of spam is matched by a particular filter it shows up in the Statistics, with its percentage shown next to it. The percentages for various categories of spam listed below are taken from my MailWasher Pro "Statistics" page.

The category "Other Filters" combines several of my custom filters which did not receive enough spam to rate a measurable percentage, thus were all grouped into the one category called "Other Filters." Since I have a lot of custom filters and spam types do vary every week, the Other Filters category is always quite large, percentage-wise.

When it comes to major spam runs, sent entirely through zombie computers which are unwittingly members of Botnets, certain types of spam rise to the top of the threat list, every week or two. The most common type of spam this week (again) is pharmaceuticals, including male enhancement pills, Viagra, Cialis and other sex oriented drugs. This week I saw a big decrease in the amount of spam for the fake "Canadian Pharmacy." This is a scam website, hosted unknowingly on hijacked (Botnetted) personal computers, or on bulletproof Chinese hosting servers owned by criminals in Russia. The male enhancement spams are mostly leading to Botnetted computers hosting a web page touting VPXL, or other herbal enlargement formulas, all of which are scams.

MailWasher Pro spam category breakdown for October 20 - 26, 2008. Spam amounted to 67% of my incoming email this week.


Viagra spam: 24.93%
Loans/Bankruptcy/Refinance/Insurance Scams: 16.07%
Known Spam (From: or Body): 11.08%
Other filters: (See my MWP Filters page) 9.42%
Known Spam Domains: (mostly pharmaceutical spam) 9.42%
Casino Spam: 9.14%
HTML Tricks: 6.93%
Fake "Canadian Pharmacy" spam (Viagra, Cialis, etc): 3.60%
Known Spam Subjects (by my filters): 3.32%
Male enhancement spam (subject or body): 2.49%
Phishing Scams: 1.66%
Blacklisted Domains/Senders: (by pattern matching wildcard rules) 1.66%
Bayesian learning filter: 0.28%
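To show how a category breakdown like the one above comes out of an ordered chain of filters, here is an added Python example. It is not part of the original post and it is not MailWasher Pro's code or filter format; the categories are borrowed from the statistics above, while the blacklist wildcard patterns, the keyword rules and the ten-message sample mailbox are all constructed for the example. The "first matching rule wins" ordering is my own design choice, and it is why the specific "Canadian Pharmacy" rule has to sit above the generic drug-name rule.

```python
import re
from collections import Counter
from email import message_from_string
from fnmatch import fnmatch

# Wildcard sender patterns, in the spirit of the "Blacklisted Domains/Senders"
# category above. Made up for this example.
BLACKLIST_PATTERNS = ["*.pills.test", "*-meds.*", "cheap-*.test"]

def sender_address(msg):
    """Bare, lower-cased address from the From: header."""
    raw = msg.get("From", "")
    m = re.search(r"<([^>]+)>", raw)
    return (m.group(1) if m else raw).strip().lower()

def body_text(msg):
    """All text/* parts of the message, decoded and joined."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def forged_sender(local_part):
    """Bot-style sender names: five or more characters with no vowel at all,
    e.g. '8839201' or 'xkqrt7p'. Real mailbox names almost always have one."""
    return len(local_part) >= 5 and re.fullmatch(r"[bcdfghjklmnpqrstvwxyz0-9]+", local_part) is not None

# Ordered rule list: the first rule that fires decides the category, so the
# specific "Canadian Pharmacy" rule must sit above the generic drug-name rule.
RULES = [
    ("Phishing Scams", lambda s, b, frm:
        bool(re.search(r"verify your (account|identity)", s + " " + b, re.I)) and "http" in b),
    ('Fake "Canadian Pharmacy" spam', lambda s, b, frm:
        "canadian pharmacy" in (s + " " + b).lower()),
    ("Viagra spam", lambda s, b, frm:
        bool(re.search(r"\b(viagra|cialis|levitra)\b", s + " " + b, re.I))),
    ("Casino Spam", lambda s, b, frm:
        bool(re.search(r"\b(casino|poker|jackpot)\b", s + " " + b, re.I))),
    ("Blacklisted Domains/Senders", lambda s, b, frm:
        any(fnmatch(frm.rsplit("@", 1)[-1], p) for p in BLACKLIST_PATTERNS)),
    ("Digits or Consonants forged sender", lambda s, b, frm:
        forged_sender(frm.split("@", 1)[0])),
    ("HTML Tricks", lambda s, b, frm:   # words split by HTML comments, hidden or zero-size text
        bool(re.search(r"\w<!--.*?-->\w|display\s*:\s*none|font-size\s*:\s*0", b, re.I))),
]

def classify(msg):
    """Category of the first matching rule, or None when no rule fires (ham)."""
    subj, body, frm = msg.get("Subject", ""), body_text(msg), sender_address(msg)
    for category, rule in RULES:
        if rule(subj, body, frm):
            return category
    return None

def classify_raw(raw):
    return classify(message_from_string(raw))

def statistics(raw_messages):
    """Spam share of all incoming mail, and each category's share of the spam,
    both in percent, like the Statistics page described above."""
    verdicts = [classify_raw(raw) for raw in raw_messages]
    spam = [v for v in verdicts if v is not None]
    share = round(100.0 * len(spam) / len(verdicts), 2)
    breakdown = {cat: round(100.0 * n / len(spam), 2) for cat, n in Counter(spam).most_common()}
    return share, breakdown

# Constructed sample mailbox (not real captured mail): eight spam, two ham.
SAMPLE_MAILBOX = [
    'From: "Dr. Miller" <dr.miller@onlinerx.test>\nSubject: Canadian Pharmacy: Viagra 80% off\n\n'
    'Licensed Canadian Pharmacy, discreet shipping.\n',
    'From: sales@example-offers.test\nSubject: Cheap Viagra\n\nOrder now and save.\n',
    'From: deal@example-deals.test\nSubject: Cialis weekend special\n\nLevitra too, no prescription.\n',
    'From: win@lucky-games.test\nSubject: You won!\n\nJackpot! Play poker at our casino tonight.\n',
    'From: "Account Team" <security@bank-alerts.test>\nSubject: Action required\n\n'
    'Please verify your account at http://bank-alerts.test/login within 24 hours.\n',
    'From: promo@super-meds.test\nSubject: Herbal products\n\nNatural supplements, discreet shipping.\n',
    'From: 8839201@freemail.test\nSubject: hello\n\nCheck this out http://link.test/x\n',
    # "Viagra" split by an HTML comment defeats the keyword rule; the HTML Tricks rule catches it.
    'From: newsletter@store.test\nSubject: Weekend sale\nContent-Type: text/html\n\n'
    '<html><body>Vi<!--zz-->agra sale this weekend</body></html>\n',
    'From: Alice <alice@example.test>\nSubject: Lunch Wednesday?\n\nAre you free for lunch on Wednesday?\n',
    'From: "IT Desk" <itdesk@example.test>\nSubject: Password policy reminder\n\n'
    'Passwords expire every 90 days. No action is needed today.\n',
]

if __name__ == "__main__":
    share, breakdown = statistics(SAMPLE_MAILBOX)
    print(f"Spam amounted to {share}% of incoming email.")
    for category, pct in breakdown.items():
        print(f"{category}: {pct}%")
```

Two things worth noticing when you run it. The eighth sample spells "Viagra" with an HTML comment in the middle, so the drug-name rule misses it and only the HTML Tricks rule fires; that is the whole reason a separate HTML Tricks category exists in the breakdown. And the Canadian Pharmacy message also names Viagra, so if you swap the order of those two rules its count silently moves into the Viagra category, which is exactly how a week-to-week shift in the percentages can come from a filter reorder rather than from a real change in the spam.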

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as an incoming email screener for your POP email program (Microsoft Outlook, Microsoft Outlook Express, Microsoft Live Mail, Eudora, Mozilla and other stand-alone email programs).

All of the spam and scams targeting my accounts were either automatically deleted by my custom MailWasher Pro spam filters or, if they made it through, were reported to SpamCop, of which I am a reporting member, and manually deleted. I never buy anything that is Spamvertised and recommend you don't either! Remember, almost all spam is now sent from compromised home or business PCs, zombies in various Botnets, all of which are controlled by criminals. If you purchase anything advertised in spam messages, you have given your credit or debit card information to the criminals behind that enterprise. If you are really lucky you will only be charged for the fake items you purchased, but, if not, you might find your credit limit used up, or your bank account emptied (for debit card transactions), by cyber criminals.

Also, unsubscribing through links in botnet-sent spam messages is futile, as you never opted-in, in the first place; your email address was captured by an email harvester on an infected computer belonging to somebody you corresponded with. Instead of receiving less spam as one might expect (by unsubscribing), all it does is confirm that your email address is active and you will see even more spam than before.

Another common way your email address may get harvested by spammers is if it appears in a large C.C. (Carbon Copy) list on a computer that gets Botnetted. Many people engage in forwarding messages among all their friends. Each time they forward chain letters their address gets added to the growing list of recipients (called Carbon Copy, or CC). If just one recipient of that message has an email harvesting malware infection, all of the email addresses listed in that message will be sent home to the spammer behind that spam run.

Smart folks who want to forward or send a message to multiple recipients use B.C.C. instead of C.C. Using B.C.C. hides all of the recipients from displaying. The To field will just show "Undisclosed Recipients" in a message sent using B.C.C. This is safest for you and your friends or mailing list. All email clients have a means of displaying a B.C.C. field.
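To make the C.C. versus B.C.C. point concrete, here is an added Python example (not from the original post). It builds the same forwarded chain letter both ways, models what actually lands in a recipient's mailbox (the Bcc: header is removed before delivery; Python's own smtplib.send_message strips it as well), and then runs a simple regex address harvester over the stored message, which is all that email-harvesting malware on an infected recipient's PC needs to do. Every address in it is made up.

```python
import re
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default

# Constructed addresses; none of these are real.
SENDER = "alice@example.test"
FIRST_RECIPIENT = "bob@example.test"
FRIENDS = [f"friend{i}@example.test" for i in range(1, 6)]

# A crude harvester: any address-shaped token anywhere in the stored message,
# headers and quoted body alike.
ADDRESS_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def build_forward(visible_recipients):
    """Build the same forwarded chain letter two ways: recipients listed in
    Cc: (visible to everyone), or in Bcc: with an empty 'undisclosed
    recipients' group in To:."""
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["Subject"] = "Fwd: Fwd: Fwd: You have to read this!"
    if visible_recipients:
        msg["To"] = FIRST_RECIPIENT
        msg["Cc"] = ", ".join(FRIENDS)
    else:
        msg["To"] = "undisclosed-recipients:;"
        msg["Bcc"] = ", ".join(FRIENDS)
    # Earlier hops of the chain, quoted in the body with their own headers,
    # the way mail clients include them when forwarding.
    msg.set_content(
        "Forward this to everyone you know!\n\n"
        "---------- Forwarded message ----------\n"
        "From: carol@example.test\n"
        "To: dave@example.test, erin@example.test\n"
        "Subject: Fwd: You have to read this!\n\n"
        "(chain letter text)\n"
    )
    return msg

def as_delivered(msg):
    """Bytes as they land in a recipient's mailbox. The Bcc: header is removed
    before delivery by the submitting client or server (smtplib.send_message
    does this too), so it is dropped here to model what recipients receive."""
    delivered = message_from_bytes(msg.as_bytes(), policy=default)
    del delivered["Bcc"]
    return delivered.as_bytes()

def harvest(raw_bytes):
    """Set of every address visible in a stored message."""
    return set(ADDRESS_RE.findall(raw_bytes.decode("utf-8", "replace")))

def exposed_addresses(visible_recipients):
    """Addresses a harvester on one recipient's infected PC would collect."""
    return sorted(harvest(as_delivered(build_forward(visible_recipients))))

if __name__ == "__main__":
    for visible, label in ((True, "Cc:"), (False, "Bcc:")):
        found = exposed_addresses(visible)
        print(f"{label} version exposes {len(found)} addresses: {', '.join(found)}")
```

With Cc: the harvester gets ten addresses out of one message: the sender, the first recipient, all five friends, and the three addresses quoted from the earlier hops of the chain. With Bcc: the five friends disappear, but the quoted hops in the body are still there, which is why trimming the old headers out of a forward matters as much as using Bcc: for the new recipients.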


October 23, 2008

Spybot Search and Destroy Definitions Updated on 10/22/2008

Additions made on October 22, 2008:

Adware
+ AdDestination
++ Win32.SmartPops.c

Keyloggers (Keyloggers steal your typed logins and passwords)
+ Ardamax
+ PerfectKeylogger

Malware (Includes rogue or fake anti-virus and anti-spyware programs and fake registry cleaners and fake security alerts, plus other nasty programs)
+ Command Service
+ MicroAntivirus
++ PornBHO.ru
+ Smitfraud-C.
+ SpywareBOT.SpywareStop
++ TotalSecure2009
+ Win32.Renos
++ UltimateSpyKiller

PUPS (Possibly Unpopular Software or Unwanted Programs)
++ Joke.BadGame
++ Joke.Train
+ MyWay.MyWebSearch
+ Network Monitor
++ Sleepy

Security
+ Microsoft.Windows.AppFirewallBypass
++ Microsoft.Windows.Comfile.HideExtension

Spyware
+ webHancer
++ Spy-net

Trojans (Trojans come to you disguised as something useful, or as a missing codec required to view a spammed video, but, like the Trojan Horse of antiquity, they hold dangerous contents that cause great harm!)
++ IRC.crt
++ OIN.Analytics
++ RS32UPS.ru
++ SysVenFakP
+ Virtumonde
+ Virtumonde.sci
+ Virtumonde.sdn
++ Win32.Agent.aach
+ Win32.Agent.ark
++ Win32.AutoRun.dcw
++ Win32.AutoRun.diq
++ Win32.Delf.aam
++ Win32.Delf.ake
++ Win32.Delf.yj
+ Win32.Delf.zq
+ Win32.Exchanger.ch
++ Win32.MSN.Autoruner
+ Win32.Mutant.yf
++ Win32.Qhost.aei
++ Win32.SDBot.wus
+ Win32.Small.buy
++ Win32.VB.as
++ Win32.XPACK.Gen
+ Zlob.Downloader
+ Zlob.HQCodec

Total: 1152094 fingerprints in 286970 rules for 4336 products.

False positive detections reported or fixed this week:

One reader reported a false positive detection of "Caishow" in the Windows system file "gdiplus.dll," under the "Heuristics" section. This is a confirmed FP that has been fixed this week.

Again, some users of version 1.4 of Spybot S&D are reporting various false positives. Those folks have been advised to upgrade to the current version, 1.6.0.30, which eliminates those false positives. If you have any version older than 1.6 you should remove all immunizations and uninstall the product, then download the current version and install/update it.


October 19, 2008

My Spam analysis for Oct 13 - 19, 2008


When it comes to major spam runs, sent entirely through zombie computers which are unwittingly members of Botnets, certain types of spam rise to the top of the threat list, every week or two. The most common type of spam this week (again) is pharmaceuticals, including male enhancement pills, Viagra, Cialis and other sex oriented drugs. At this time almost all spam email for any kind of pharmaceuticals is pointing to the fake "Canadian Pharmacy" website, hosted unknowingly on hijacked (Botnetted) personal computers, or on bulletproof Chinese hosting servers owned by criminals in Russia. The male enhancement spams are mostly leading to Botnetted computers hosting a web page touting VPXL, or other herbal enlargement formulas, all of which are scams.

For those who don't know, "Canadian Pharmacy" is a fake pharmacy, with fake accreditation banners, that is either hosted on compromised home or office computers (in Bot-nets), or on "bullet-proof" web hosting servers in Panama (200.63.40.0/21), China (CNCGROUP - 218.60.0.0/15), Korea, Vietnam, Romania, Russia, or Ukraine. The Canadian Pharmacy spam gang sells counterfeit drugs that could harm or even kill you, but certainly won't help you in the manner advertised. This fake pharmacy is used by cyber criminals to raise money for themselves and to fund illegal activities that they engage in. Once they get your credit or debit card number they may max out your spending limit, empty your bank account, or sell your credit card details to other criminals. Please do not be deceived into thinking that these are legitimate online pharmacies. Despite any banners, labels, or claims to the contrary, they are NOT approved to sell their (counterfeit) pills in most countries outside of China. Don't become a victim of the fake Canadian Pharmacy scam.

MailWasher Pro spam category breakdown for October 13 - 19, 2008. Spam amounted to 61% of my incoming email this week.

Viagra spam: 31.41%
Loans/Bankruptcy/Refinance/Insurance Scams: 15.88%
Blacklisted Domains/Senders: (by pattern matching wildcard rules) 15.88%
Other filters: (See my MWP Filters page) 9.39%
Known Spam Domains: (mostly pharmaceutical spam) 6.86%
Male enhancement spam (subject or body): 4.33%
Fake "Canadian Pharmacy" spam (Viagra, Cialis, etc): 3.61%
Casino Spam: 3.25%
Misc. Pharmaceutical spam (inc. Viagra, Cialis, Levitra & misc. pills & herbals): 2.17%
Known Spam Subjects (by my filters): 1.81%
Pirated Software: 1.81%
Digits or Consonants forged sender: 1.81%
DNS Blacklists: 1.81%


October 15, 2008

Spybot Search and Destroy Definitions Updated on 10/15/2008

If you are using "Spybot Search and Destroy" to protect your PC against spyware infections and haven't updated it this week, be aware that updates to the definition files were released on schedule, on Wednesday this week, as listed below. Spyware and other classes of malicious programs are altered constantly to avoid detection by anti-spyware programs. Since Spybot S&D updates are only released on a weekly schedule (on Wednesdays) it is imperative that you make it a point to check for and download updates every week, preferably on Wednesday evenings. After downloading all available updates (from the best responding download server in the list of server locations), immunize*, then scan for and remove any detected malware. If Spybot is unable to remove an active threat it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.

If you arrived here by searching for the name of some malware that may be on your computer and you are not currently using Spybot Search and Destroy, you can download the latest version from the Spybot Search and Destroy Multi-Lingual Landing Page. Choose your language, then use the link in the left sidebar to go to the downloads page. Download the program from your closest mirror server, install it, update it (Updates button), then follow the instructions below to detect and remove any malware that is on your PC.

If you see a program listed in the detections below, by name, you should assume that is is malware (with the possible exception of the PUP group, which is up to user discretion). All of the programs listed with a single + sign are updated detections, while a double ++ in front of it's name indicates a brand new detection. A number in parenthesis, following a malware name, indicates the number of variants included in that detection. These programs are dangerous to your computer, and/or personal security or privacy.

* After updating your Spybot S&D definitions, if they include new "immunization" definitions you need to click on the "Immunize" button, then, if the status line tells you that additional immunizations are possible, click on the Immunize link, near the top of the program. It has a green + sign in a button. If you don't do this the new immunizations against hostile ActiveX programs will not be applied. After immunizing with any new detections, run a scan for malware by clicking on the "Spybot Search & Destroy" button, on the left panel, then on the button with the magnifying glass icon, labeled: "Check For Problems."

Spybot Updates - published every Wednesday

Spybot Search and Destroy 1.6 was released on July 8, 2008. It scans for threats about 4 times faster than previous versions and has a redesigned spyware removal engine. Upgrade now to Spybot S&D 1.6. The newest Virtumonde threats require the anti-malware engine in Spybot 1.6 to effectively remove them.

Additions made on October 15, 2008:

Adware
+ AdDestination
+ Winzix

Keyloggers (Keyloggers steal your typed logins and passwords)
+ Ardamax (2)

Malware (Includes rogue or fake anti-virus and anti-spyware programs and fake registry cleaners and fake security alerts, plus other nasty programs)
+ Fraud.SmartAntiVirus2009 (2)
+ Smitfraud-C.
+ Swizzor
++ TotalSecure2009 (2)

PUPS (Possibly Unpopular Software or Unwanted Programs)
++ SniffPass

Spyware
+ CommonName

Trojans (Trojans come to you disguised as something useful, or as a missing codec required to view a spammed video, but, like the Trojan Horse of antiquity, they hold dangerous contents that cause great harm!)
+ Bifrose.LA
+ Refpron (2)
+ Virtumonde.sdn
+ Win32.Agent.cmn
+ Win32.Agent.wo
++ Win32.Bifrose.zxe
+ Win32.Exchanger.ch
+ Win32.Small.axy
+ Win32.Sohanad.as
++ Win32.VB.atg
++ Win32.VB.bda
++ Win32.WPA_Kill.AK
+ Zlob.Downloader
+ Zlob.Downloader.vdt
+ Zlob.Downloader.wet

Total: 1148843 fingerprints in 286076 rules for 4310 products.

False positive detections reported or fixed this week:
None reported as of today.

Extended Comments

If you are still using Spybot S&D 1.3, or 1.4, update support is about to end and your computer will be at greater risk because of having outdated definitions.

If you are using any version older than 1.6 please upgrade to the current version of Spybot S&D, which is now 1.6.0.30, as soon as possible. New definitions for malware like the Virtumonde family of Trojans need the newer processing technologies introduced in version 1.6.0.

Virtumonde (also known as the Vundo Trojan) is a Trojan horse that is known to cause pop-ups and advertising for rogue anti-spyware programs. It also causes other problems, including performance degradation and denial of service with some websites including Google. It attaches itself to the operating system using phony Browser Helper Objects (BHOs) and .dll files attached to the Winlogon process and Windows Explorer.

With the release of Spybot-S&D 1.6, Team Spybot has spent a lot of energy and man-hours implementing some new technologies to improve Virtumonde detections, increasing their detection range by more than 40% to more than 250,000 detection patterns to identify more than one million malware "fingerprints."

To benefit from these improvements, I recommend that you update to Spybot Search & Destroy 1.6, which is available through the update function integrated into the application as well as from the Spybot S&D download page.

If your computer gets stuck in a logon/logoff loop, after updating and scanning with the older versions of Spybot, visit this forum page for a solution, from Team Spybot.

Of continued concern to people who operate as Limited or Power Users for their daily browsing and email, Spybot Search and Destroy is still corrupting your less privileged accounts after you update it, immunize and scan from an Administrator level account. If, after doing these things, you log off the Administrator account and try to log into your Limited/Power User account, it may be corrupted and a generic desktop and start menu may appear. Don't panic! Your account and desktop can be restored by simply rebooting the computer. When you log in after the reboot your previous settings will reappear. I don't know why this happens, but, stuff happens! It may be related to the relatively new rootkit detection added last year.

If you want to get direct assistance from Team Spybot, or their talented volunteers, visit the Spybot support forums, sign up for a user account and post your request for assistance. Be sure to read the rules before posting a question or reply.

If your computer is infected and you need help removing the threats, go to the Malware Removal Forums, at Safer Networking/Spybot.info. Again, read the rules before posting your request or logs! Do NOT inject your problem into somebody else's thread! Start a new topic.

If Spybot flags a file on your computer that you believe is a false positive detection, use caution and check with the Spybot False Positives Forum before allowing it to be deleted. You can submit a report to the Spybot False Positives forum, after signing up for an account and reading about how to report false positives before submitting your report and request for analysis.


October 12, 2008

My Spam analysis for Oct 6 - 12, 2008

If you are reading this you have a computer. If you have a computer you also probably have at least one email address. Unless you live on another planet, or your email provider only allows whitelisted email through, you, like me, get a lot of junk mail, a.k.a. "spam" messages. While spam is an annoyance to most people, it is combat for me. I publish custom spam filters to block spam email for people who use the MailWasher Pro anti-spam email client.

This is the latest entry in a weekly series about classifications of spam, according to my custom filter rules used by the anti-spam tool, MailWasher Pro.

MailWasher Pro is a spam screening POP3 email program that goes between your email servers and your desktop email client (application). With this program you can actually read all of your incoming email in plain text, and click on links, if you are so inclined. MailWasher Pro uses a variety of techniques to recognize and designate what is and isn't spam, including a learning filter and user created custom filter rules. I personally write and use MailWasher Pro custom filters to detect and delete most incoming spam email. I have created and published a large assortment of spam filters which "plug-in" to MailWasher Pro, to flag or delete known spam. You can read about them, or download and use them in your own registered copy of MailWasher Pro.

MailWasher Pro has a "Statistics" display page that breaks down the types of spam it has deleted, listed by categories. Each program and user-created filter has a name and when a measurable percentage of spam is matched by a particular filter it shows up in the Statistics, with its percentage shown next to it. The percentages for various categories of spam listed below are taken from my MailWasher Pro "Statistics" page.

The category "Other Filters" combines several of my custom filters which did not receive enough spam to rate a measurable percentage, thus were all grouped into the one category called "Other Filters." Since I have a lot of custom filters and spam types do vary every week, the Other Filters category is always quite large, percentage-wise.

When it comes to major spam runs, sent entirely through zombie computers which are unwittingly members of Botnets, certain types of spam rise to the top of the threat list, every week or two. The most common type of spam this week (again) is pharmaceuticals, including male enhancement pills, Viagra, Cialis and other sex oriented drugs. At this time almost all spam email for any kind of pharmaceuticals is pointing to the fake "Canadian Pharmacy" website, hosted unknowingly on hijacked (Botnetted) personal computers, or on bulletproof Chinese hosting servers owned by criminals in Russia. The male enhancement spams are mostly leading to Botnetted computers hosting a web page touting VPXL, or other herbal enlargement formulas, all of which are scams.

For those who don't know, "Canadian Pharmacy" is a fake pharmacy, with fake accreditation banners, that is either hosted on compromised home or office computers (in Bot-nets), or on "bullet-proof" web hosting servers in Panama (200.63.40/21), China (CNCGROUP - 218.60.0.0/15), Korea, Vietnam, Romania, Russia, or The Ukraine. The Canadian Pharmacy spam gang sells counterfeit drugs that could harm or even kill you, but certainly won't help you in the manner advertised. This fake pharmacy is used by cyber criminals to raise money for themselves and to fund illegal activities that they engage in. Once they get your credit or debit card number they may max out your spending limit, or empty out your bank account, or sell your credit card details to other criminals. Please do not be deceived into thinking that these are legitimate online pharmacies. Despite any banners, labels, or claims to the contrary, they are NOT approved to sell their (counterfeit) pills in most countries outside of China. Don't become a victim of the fake Canadian Pharmacy scam.

MailWasher Pro spam category breakdown for Sept 29 - October 5, 2008. Spam amounted to 54% of my incoming email this week.
Fake "Canadian Pharmacy" spam (Viagra, Cialis, etc): 6.82%
Misc. Pharmaceutical spam (inc. Viagra, Cialis, Levitra & misc. pills & herbals): 23.11%
Known Spam (From: or Body): 14.39%
Other filters: (See my MWP Filters page) 12.50%
Male enhancement spam (subject or body): 10.61%
Known Spam Subjects (by my filters): 7.58%
Counterfeit Watches: 7.58%
Known Spam Domains: (mostly pharmaceutical spam) 4.55%
Loans/Bankruptcy/Refinance/Insurance Scams: 4.17%
Pirated Software: 2.65%
Blacklisted Domains/Senders: (by pattern matching wildcard rules) 1.89%
Blocked Countries, RIPE, LACNIC, APNIC: 1.89%
DNS Blacklists: 1.14%
Bayesian learning filter: 1.14%

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as an incoming email screener for your POP email program (Microsoft Outlook, Microsoft Outlook Express, Microsoft Live Mail, Eudora, Mozilla and other stand-alone email programs).

All of the spam and scams targeting my accounts were either automatically deleted by my custom MailWasher Pro spam filters, or, if they made it through, were reported to SpamCop, of which I am a reporting member, and manually deleted. I never buy anything that is Spamvertised and recommend you don't either! Remember, almost all spam is now sent from compromised home or business PCs, zombies in various Botnets, all of which are controlled by criminals. If you purchase anything advertised in spam messages, you have given your credit or debit card information to the criminals behind that enterprise. If you are really lucky you will only be charged for the fake items you purchased, but, if not, you might find your credit limit used up, or your bank account emptied (for debit card transactions), by cyber criminals.

Also, unsubscribing through links in botnet-sent spam messages is futile, as you never opted-in, in the first place; your email address was captured by an email harvester on an infected computer belonging to somebody you corresponded with. Instead of receiving less spam as one might expect (by unsubscribing), all it does is confirm that your email address is active and you will see even more spam than before.

Another common way your email address may get harvested by spammers is if it appears in a large C.C. (Carbon Copy) list on a computer that gets Botnetted. Many people engage in forwarding messages among all their friends. Each time they forward chain letters their address gets added to the growing list of recipients (called Carbon Copy, or CC). If just one recipient of that message has an email harvesting malware infection, all of the email addresses listed in that message will be sent home to the spammer behind that spam run.

Smart folks who want to forward or send a message to multiple recipients use B.C.C. instead of C.C. Using B.C.C. hides all of the recipients from displaying. The To field will just show "Undisclosed Recipients" in a message sent using B.C.C. This is safest for you and your friends or mailing list. All email clients have a means of displaying a B.C.C. field.


October 9, 2008

A fox catches a goose in a sculpture, like spammers try to catch you

I got the idea for this article while reading through various recent Craigslist items listed for sale in my city, Flint, Michigan. The listing that got my attention is: W. H. Turner Bronze "Fox and Goose" Sculpture, which was listed on October 8, 2008. According to the description of this item, it is a numbered bronze sculpture of "a fox diving after a fleeing goose and catching it by its tail feathers," and would be of interest to collectors of such things.

So, what has a bronze sculpture got in common with scammers and spammers? Plenty! Like a hungry sly fox, scammers and spammers craft their ploys to enable them to sneak up on their intended victims, striking when the victim is in a vulnerable position. Much of the spam and scams that I catch in my spam traps are crafted to catch people off-guard by playing on their inadequacies or curiosity. The subjects and body text are designed to fool gullible recipients into thinking that the links in those spam email messages can bring them something they are lacking, or to show them a video that is titillating, or sensational in content.

This is sucker bait. All of these things being advertised via spam emails (I call them Spamvertised) are scams and are meant to either steal your money or credit, or sell you counterfeit drugs, shoes, or watches, or to trick you into installing a Trojan Horse application onto your computer. Think of the web surfing general public as being akin to free-spirited geese, searching the World Wide Waters for knowledge and goodies, and criminal spammers as foxes - looking to turn them into prey.

So, the next time you get a spam email offering you incredible discounts on Viagra, Cialis, herbals, male enhancement products, or unsecured loans, or cheap "Bling" from counterfeit goods, or sensational videos of phony news or imaginary events involving actors or recording artists, or alarming messages supposedly coming from a financial institution you may deal with, think twice or three times before you click on the links in those messages. The criminal minds behind these spam blasts are like foxes. They are sneaky and use stealth to trap their intended victims. They do not come in peace. They want to steal from you. If you are tricked into purchasing something spamvertised, chances are very high that your credit or debit card information is in the hands of criminals. They may use it themselves, and/or sell it to the highest bidder, on special chat forums frequented by members of the spam underground. Buy from a spammer and your "goose" is going to be cooked. The fox has your account by the tail, like the fox in the sculpture gets the goose.

My own solution - and suggestion for you - is to use MailWasher Pro to filter out spam email before you download it to your email client. The program is very effective at recognizing spam, using a built-in learning filter, consulting online databases of known spam senders and domains, and custom written spam filter rules, many of which I write and publish.


October 8, 2008

Spybot Search and Destroy Definitions Updated on 10/08/2008

If you are using "Spybot Search and Destroy" to protect your PC against spyware infections and haven't updated it this week, be aware that updates to the definition files were released on schedule, on Wednesday this week, as listed below. Spyware and other classes of malicious programs are altered constantly to avoid detection by anti-spyware programs. Since Spybot S&D updates are only released on a weekly schedule (on Wednesdays) it is imperative that you make it a point to check for and download updates every week, preferably on Wednesday evenings. After downloading all available updates (from the best responding download server in the list of server locations), immunize*, then scan for and remove any detected malware. If Spybot is unable to remove an active threat it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.

If you arrived here by searching for the name of some malware that may be on your computer and you are not currently using Spybot Search and Destroy, you can download the latest version from the Spybot Search and Destroy Multi-Lingual Landing Page. Choose your language, then use the link in the left sidebar to go to the downloads page. Download the program from your closest mirror server, install it, update it (Updates button), then follow the instructions below to detect and remove any malware that is on your PC.

If you see a program listed in the detections below, by name, you should assume that it is malware (with the possible exception of the PUP group, which is up to user discretion). All of the programs listed with a single + sign are updated detections, while a double ++ in front of its name indicates a brand new detection. A number in parentheses, following a malware name, indicates the number of variants included in that detection. These programs are dangerous to your computer, and/or personal security or privacy.

* After updating your Spybot S&D definitions, if they include new "immunization" definitions you need to click on the "Immunize" button, then, if the status line tells you that additional immunizations are possible, click on the Immunize link, near the top of the program. It has a green + sign in a button. If you don't do this, the new immunizations against hostile ActiveX programs will not be applied. After immunizing with any new detections, run a scan for malware by clicking on the "Spybot Search & Destroy" button, on the left panel, then on the button with the magnifying glass icon, labeled: "Check For Problems."

Spybot Updates - published every Wednesday

Spybot Search and Destroy 1.6 was released on July 8, 2008. It scans for threats about 4 times faster than previous versions and has a redesigned spyware removal engine. Upgrade now to Spybot S&D 1.6. The newest Virtumonde threats require the anti-malware engine in Spybot 1.6 to effectively remove them.

Additions made on October 8, 2008:

Adware
++ InternetGameBox

Hijackers
+ MediaTickets

Malware (Includes rogue or fake anti-virus and anti-spyware programs and fake registry cleaners and fake security alerts, plus other nasty programs)
+ Fraud.PCHealth
++ MicroAntivirus
+ Smitfraud-C.

PUPS (Possibly Unpopular Software or Unwanted Programs)
++ FuckMailBomber

Trojans (Trojans come to you disguised as something useful, or as a missing codec required to view a spammed video, but, like the Trojan Horse of antiquity, they hold dangerous contents that cause great harm!)
++ Refpron
+ Virtumonde
+ Virtumonde.sdn
++ Win32.Agent.fbx
+ Win32.Agent.JH
++ Win32.Bifrose.boa
+ Win32.Buzus.jqw
++ Win32.Buzus.ytg
++ Win32.Delf.abk
++ Win32.Ikmet.c
++ Win32.MataAVG
+ Win32.Small.fb
+ Win32.Sohanad.as
++ Win32.Virut.q
+ Zlob.DNSChanger
+ Zlob.DNSChanger.rtk
++ Zlob.Downloader.bit

Total: 1147480 fingerprints in 285772 rules for 4296 products.

False positive detections reported or fixed this week:

abyssmedia.com has been removed from the HOSTS blocklist, with today's updates.

Extended Comments

If you are still using Spybot S&D 1.3, or 1.4, update support is about to end and your computer will be at greater risk because of having outdated definitions.

If you are using any version older than 1.6 please upgrade to the current version of Spybot S&D, which is now 1.6.0.30, as soon as possible. New definitions for malware like the Virtumonde family of Trojans need the newer processing technologies introduced in version 1.6.0.

Virtumonde (also known as the Vundo Trojan) is a Trojan horse that is known to cause pop-ups and advertising for rogue anti-spyware programs. It also causes other problems, including performance degradation and denial of service with some websites including Google. It attaches itself to the operating system using phony Browser Helper Objects (BHOs) and .dll files attached to the Winlogon process and Windows Explorer.

With the release of Spybot-S&D 1.6, Team Spybot has spent a lot of energy and man-hours implementing some new technologies to improve Virtumonde detections, increasing their detection range by more than 40% to more than 250,000 detection patterns to identify more than one million malware "fingerprints."

To benefit from these improvements, I recommend that you update to Spybot Search & Destroy 1.6, which is available through the update function integrated into the application as well as from the Spybot S&D download page.

If your computer gets stuck in a logon/logoff loop, after updating and scanning with the older versions of Spybot, visit this forum page for a solution, from Team Spybot.

Of continued concern to people who operate as Limited or Power Users for their daily browsing and email, Spybot Search and Destroy is still corrupting your less privileged accounts after you update it, immunize and scan from an Administrator level account. If, after doing these things, you log off the Administrator account and try to log into your Limited/Power User account, it may be corrupted and a generic desktop and start menu may appear. Don't panic! Your account and desktop can be restored by simply rebooting the computer. When you log in after the reboot your previous settings will reappear. I don't know why this happens, but, stuff happens! It may be related to the relatively new rootkit detection added last year.

If you want to get direct assistance from Team Spybot, or their talented volunteers, visit the Spybot support forums, sign up for a user account and post your request for assistance. Be sure to read the rules before posting a question or reply.

If your computer is infected and you need help removing the threats, go to the Malware Removal Forums, at Safer Networking/Spybot.info. Again, read the rules before posting your request or logs! Do NOT inject your problem into somebody else's thread! Start a new topic.

If Spybot flags a file on your computer that you believe is a false positive detection, use caution and check with the Spybot False Positives Forum before allowing it to be deleted. You can submit a report to the Spybot False Positives forum, after signing up for an account and reading about how to report false positives before submitting your report and request for analysis.


October 5, 2008

Add PanamaServer.com to your .htaccess or iptables blocklists

For the past several weeks I have seen a huge increase in the volume of spam email promoting the fake Canadian Pharmacy. I write about it in my weekly reports about the classifications of spam, according to the anti-spam program MailWasher Pro and my custom MailWasher spam filters.

Whenever a spam email makes it through my automatic deletion spam filters I analyze its contents and add the appropriate words or regular expressions to existing filter rules, or create new ones. Since most spam messages contain links to the spamvertised websites I will perform a stealth investigation of the website in the spam links. So far, all of the links in a recent spate of fake Fox News spam email lead to the fake Canadian Pharmacy. There is also a huge amount of spam that begins with the words Canadian Pharmacy.

Each day, or multiple times per day, the links point to a different website where the spamvertised pharmacy resides. So, I look up the domains every now and then, using commercial Whois tools. Sometimes the fake pharmacy is located on a zombie computer in a Botnet. These are easy to spot because the header of the website reveals that it is running on the Nginx web server. Nginx is a tiny http server, made in Russia, and a favorite tool for use by Russian criminals to install on zombie machines under their control. But, not all Whois reports lead to zombies.

A large number of Whois IP traces in Canadian Pharmacy and Male Enhancement scams now lead to websites hosted on PanamaServer.com. This server farm is a new favorite place for spamvertised websites, phishing websites, malware hosting and other dodgy goings on. Normally, one would not even know about the existence of PanamaServer unless they rented space on them to do business, or did Whois lookups of spam domains. But all that changed today for me, in another way.

I read my raw access logs every day, looking for sources of abuse, or referring domains, or other matters of interest to a Webmaster. Today's log revealed a long list of hits from somebody trying to harvest my entire website and trying to post spam comments via my contact form (failed due to my security implementation). All of these hits came from one IP address: 200.63.42.91, which the Whois reports as belonging to PanamaServer.com. The IP range (CIDR) assigned to this company is 200.63.40.0/22, ranging from 200.63.40.0 to 200.63.43.255. I have added that CIDR to my published Exploited Servers Blocklists, in .htaccess form and in iptables form. If you have an Apache based website you can block this domain and all spammers and scammers operating through websites hosted there. Just add 200.63.40.0/22 to your deny from list in .htaccess, or to the iptables list. Or, just download my Exploited Servers blocklist in the format you can use and install the entire blocklist. You will be protected against a huge number of exploited servers.

In case you don't know which list applies to your server, here's how to decide. If you are the administrator of the server and have root access to the Linux operating system, go with the iptables blocklist. If you are a customer on a shared hosting server, you must use the .htaccess blocklist. Full instructions for use are included on each blocklist.
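Here is an added example, not code from the original post or from the published blocklists, of how a webmaster can verify a block like this before deploying it: it computes the exact address range the /22 covers, checks that the logged client IP actually falls inside it, emits the rule in both the .htaccess (Apache 2.2 "Deny from") and iptables forms described above, and scans access-log lines for hits from the blocked range. The CIDR 200.63.40.0/22 and the IP 200.63.42.91 come from the post; the Apache log lines in the script are constructed samples, not real log data, and include one address (200.63.44.7) just outside the /22 to show that the check does not over-match.

```bash
#!/bin/bash
# Added example, not from the original post: compute the address range a CIDR
# block covers, test whether a logged client IP falls inside it, emit the
# matching .htaccess and iptables deny rules, and scan access-log lines for
# hits from blocked ranges. The CIDR (200.63.40.0/22) and the offending IP
# (200.63.42.91) come from the post; the log lines below are constructed.

# Dotted-quad IPv4 address -> 32-bit integer
ip_to_int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted-quad IPv4 address
int_to_ip() {
  echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Prefix length -> netmask as a 32-bit integer (/22 -> 0xFFFFFC00)
prefix_mask() {
  if [ "$1" -eq 0 ]; then
    echo 0
  else
    echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
  fi
}

# cidr_range CIDR -> "first last": the addresses the block really covers,
# so you can confirm a rule does not deny more than intended
cidr_range() {
  local net=${1%/*} bits=${1#*/} mask first last
  mask=$(prefix_mask "$bits")
  first=$(( $(ip_to_int "$net") & mask ))
  last=$(( first | (~mask & 4294967295) ))
  echo "$(int_to_ip "$first") $(int_to_ip "$last")"
}

# cidr_contains CIDR IP -> exit status 0 when IP lies inside CIDR
cidr_contains() {
  local net=${1%/*} bits=${1#*/} mask
  mask=$(prefix_mask "$bits")
  [ $(( $(ip_to_int "$net") & mask )) -eq $(( $(ip_to_int "$2") & mask )) ]
}

# Deny rule for a shared-hosting customer: Apache 2.2 mod_authz_host syntax,
# placed under "Order allow,deny" / "Allow from all" in .htaccess
htaccess_rule() { echo "Deny from $1"; }

# Deny rule for an administrator with root on the server
iptables_rule() { echo "iptables -I INPUT -s $1 -j DROP"; }

# flag_hits CIDR... : read Apache log lines on stdin, print "IP count" for
# every client address that falls inside one of the given blocks
flag_hits() {
  local count ip cidr
  cut -d' ' -f1 | sort | uniq -c | while read -r count ip; do
    for cidr in "$@"; do
      if cidr_contains "$cidr" "$ip"; then
        echo "$ip $count"
        break
      fi
    done
  done
  return 0
}

# Constructed sample of Apache combined-format log lines (not real log data);
# 200.63.44.7 sits just outside the /22 and must not be flagged
SAMPLE_LOG='200.63.42.91 - - [05/Oct/2008:10:01:02 -0400] "GET /contact.php HTTP/1.1" 403 210 "-" "Mozilla/4.0"
200.63.42.91 - - [05/Oct/2008:10:01:03 -0400] "POST /contact.php HTTP/1.1" 403 210 "-" "Mozilla/4.0"
200.63.42.91 - - [05/Oct/2008:10:01:04 -0400] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
192.0.2.10 - - [05/Oct/2008:10:02:00 -0400] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
200.63.44.7 - - [05/Oct/2008:10:03:00 -0400] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"'

echo "200.63.40.0/22 covers: $(cidr_range 200.63.40.0/22)"
htaccess_rule 200.63.40.0/22
iptables_rule 200.63.40.0/22
printf '%s\n' "$SAMPLE_LOG" | flag_hits 200.63.40.0/22
```

On a real server you would feed flag_hits with the access log itself (for example `flag_hits 200.63.40.0/22 < /var/log/apache2/access.log`) and pass every CIDR from your blocklist as arguments; the range check is what tells you that 200.63.40.0/22 stops at 200.63.43.255, so a rule written from it will not also deny unrelated neighbours such as 200.63.44.7.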

I also maintain other country wide blocklists, in both .htaccess and iptables form. The landing pages for these blocklists are found at htaccess-blocklists.html and at iptables-blocklists.html.


My Spam analysis for Sept 29 - Oct 5, 2008

If you are reading this you have a computer. If you have a computer you also probably have at least one email address. Unless you live on another planet, or your email provider only allows whitelisted email through, you, like me, get a lot of junk mail, a.k.a. "spam" messages. While spam is an annoyance to most people, it is combat for me. I publish custom spam filters to block spam email for people who use the MailWasher Pro anti-spam email client.

This is the latest entry in a weekly series about classifications of spam, according to my custom filter rules used by the anti-spam tool, MailWasher Pro.

MailWasher Pro is a spam screening POP3 email program that goes between your email servers and your desktop email client (application). With this program you can actually read all of your incoming email in plain text, and click on links, if you are so inclined. MailWasher Pro uses a variety of techniques to recognize and designate what is and isn't spam, including a learning filter and user created custom filter rules. I personally write and use MailWasher Pro custom filters to detect and delete most incoming spam email. I have created and published a large assortment of spam filters which "plug-in" to MailWasher Pro, to flag or delete known spam. You can read about them, or download and use them in your own registered copy of MailWasher Pro.

MailWasher Pro has a "Statistics" display page that breaks down the types of spam it has deleted, listed by categories. Each program and user-created filter has a name and when a measurable percentage of spam is matched by a particular filter it shows up in the Statistics, with its percentage shown next to it. The percentages for various categories of spam listed below are taken from my MailWasher Pro "Statistics" page.

The category "Other Filters" combines several of my custom filters which did not receive enough spam to rate a measurable percentage, thus were all grouped into the one category called "Other Filters." Since I have a lot of custom filters and spam types do vary every week, the Other Filters category is always quite large, percentage-wise.

When it comes to major spam runs, sent entirely through zombie computers which are unwittingly members of Botnets, certain types of spam rise to the top of the threat list, every week or two. The most common type of spam this week (again) is pharmaceuticals, including male enhancement pills, Viagra, Cialis and other sex oriented drugs. The most common spam subject and message body text included or started with the words "Canadian Pharmacy" along with fake Fox News Newsletters, with all of the links going to a fake Canadian Pharmacy website, hosted unknowingly on hijacked (Botnetted) personal computers.

For those who don't know, "Canadian Pharmacy" is a fake pharmacy, with fake accreditation banners, that is either hosted on compromised home or office computers (in Bot-nets), or on "bullet-proof" web hosting servers in Panama, China, Korea, Vietnam, Romania, Russia, or The Ukraine. The Canadian Pharmacy spam gang sells counterfeit drugs that could harm or even kill you, but certainly won't help you in the manner advertised. This fake pharmacy is used by cyber criminals to raise money for themselves and to fund illegal activities that they engage in. Once they get your credit or debit card number they may max out your spending limit, or empty out your bank account, or sell your credit card details to other criminals. Please do not be deceived into thinking that these are legitimate online pharmacies. Despite any banners, labels, or claims to the contrary, they are NOT approved to sell their (counterfeit) pills in most countries outside of China. Don't become a victim of the fake Canadian Pharmacy scam.

MailWasher Pro spam category breakdown for Sept 29 - October 5, 2008. Spam amounted to 53% of my incoming email this week.
Fake "Canadian Pharmacy" spam (Viagra, Cialis, etc): 27.20%
Other filters: (See my MWP Filters page) 15.90%
Known Spam Domains: (mostly pharmaceutical spam) 15.90%
Male enhancement spam (subject or body): 12.55%
Known Spam Subjects (by my filters): 6.28%
Loans/Bankruptcy/Refinance/Insurance Scams: 5.86%
Blacklisted Domains/Senders: (by pattern matching wildcard rules) 4.60%
Other Pharmaceutical spam (inc. Viagra, Cialis, Levitra & misc. pills & herbals): 3.77%
Blocked Countries: 2.93%
Pirated Software: 2.93%
Video Exploit links to Trojan download: 1.67%
DNS Blacklists: 0.42%

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as an incoming email screener for your POP email program (Microsoft Outlook, Microsoft Outlook Express, Microsoft Live Mail, Eudora, Mozilla and other stand-alone email programs).

All of the spam and scams targeting my accounts were either automatically deleted by my custom MailWasher Pro spam filters, or, if they made it through, were reported to SpamCop, of which I am a reporting member, and manually deleted. I never buy anything that is Spamvertised and recommend you don't either! Remember, almost all spam is now sent from compromised home or business PCs, zombies in various Botnets, all of which are controlled by criminals. If you purchase anything advertised in spam messages, you have given your credit or debit card information to the criminals behind that enterprise. If you are really lucky you will only be charged for the fake items you purchased, but, if not, you might find your credit limit used up, or your bank account emptied (for debit card transactions), by cyber criminals.

Also, unsubscribing through links in botnet-sent spam messages is futile, as you never opted-in, in the first place; your email address was captured by an email harvester on an infected computer belonging to somebody you corresponded with. Instead of receiving less spam as one might expect (by unsubscribing), all it does is confirm that your email address is active and you will see even more spam than before.

Another common way your email address may get harvested by spammers is if it appears in a large C.C. (Carbon Copy) list on a computer that gets Botnetted. Many people engage in forwarding messages among all their friends. Each time they forward chain letters their address gets added to the growing list of recipients (called Carbon Copy, or CC). If just one recipient of that message has an email harvesting malware infection, all of the email addresses listed in that message will be sent home to the spammer behind that spam run.

Smart folks who want to forward or send a message to multiple recipients use B.C.C. instead of C.C. Using B.C.C. hides all of the recipients from displaying. The To field will just show "Undisclosed Recipients" in a message sent using B.C.C. This is safest for you and your friends or mailing list. All email clients have a means of displaying a B.C.C. field.
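To make the C.C. versus B.C.C. point concrete, here is a short Python illustration written for this page (it is not code from the blog or from any mail client). It shows what a mail client does with B.C.C.: the hidden addresses go only into the SMTP envelope (the RCPT TO list), and the Bcc header is deleted from the copy that every recipient receives, so a harvester on one recipient's infected PC can only read the To and Cc headers. The header-stripping step mirrors what Python's smtplib.send_message performs; all addresses are constructed samples.

```python
"""
Added example for this page: how B.C.C. keeps a distribution list out of the
message that each recipient (and any harvester on their PC) can read.
Addresses below are constructed samples, not real mailboxes.
"""
import copy
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default
from email.utils import getaddresses


def build_message(sender, to, subject, body, cc=(), bcc=()):
    """Build a forwarded message. A careful forwarder leaves cc empty and puts
    the friends list in bcc; the To field then carries only the sender (many
    clients display such a message as 'Undisclosed Recipients')."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = to
    if cc:
        msg["Cc"] = ", ".join(cc)
    if bcc:
        msg["Bcc"] = ", ".join(bcc)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def prepare_for_sending(msg):
    """Return (envelope_recipients, wire_bytes).

    The envelope list is what the client hands to the mail server (RCPT TO)
    and includes every Bcc address.  wire_bytes is the message text every
    recipient actually receives: the Bcc header is deleted from a copy first,
    the same step Python's smtplib.send_message performs.
    """
    fields = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    envelope = [addr for _, addr in getaddresses(fields) if addr]
    wire_copy = copy.copy(msg)  # shallow copy; del rebuilds the copy's header list
    del wire_copy["Bcc"]
    return envelope, wire_copy.as_bytes()


def visible_recipients(wire_bytes):
    """Addresses a harvester could scrape from the headers of a received copy."""
    received = message_from_bytes(wire_bytes, policy=default)
    fields = received.get_all("To", []) + received.get_all("Cc", [])
    return [addr for _, addr in getaddresses(fields) if addr]


# Constructed sample list: the same chain letter sent two ways.
FRIENDS = ["alice@example.org", "bob@example.net", "carol@example.com"]
ME = "me@example.org"


def compare_cc_and_bcc():
    """Return what each recipient's copy exposes for the C.C. and B.C.C. versions."""
    cc_version = build_message(ME, ME, "Fwd: chain letter", "Please read...", cc=FRIENDS)
    bcc_version = build_message(ME, ME, "Fwd: chain letter", "Please read...", bcc=FRIENDS)
    _, cc_wire = prepare_for_sending(cc_version)
    _, bcc_wire = prepare_for_sending(bcc_version)
    return {
        "cc_exposes": visible_recipients(cc_wire),
        "bcc_exposes": visible_recipients(bcc_wire),
    }


if __name__ == "__main__":
    for label, addrs in compare_cc_and_bcc().items():
        print(f"{label}: {addrs}")
```

Running it prints the C.C. copy exposing all four addresses and the B.C.C. copy exposing only the sender's own address, which is exactly the difference that matters when one recipient's PC is running an email harvester.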


October 4, 2008

New forum for my MailWasher Pro Custom Spam Filters

As many of you know, I write and publish custom spam filters for the anti-spam program named MailWasher Pro. In addition to publishing my custom MailWasher Pro filters on my own website, I have a thread about them on the new Firetrust MailWasher Forum. The title and location is: Wizcrafts Custom MailWasher Pro Filters discussed here.

For the curious who are not yet using MailWasher Pro, you can read about it on my MailWasher Pro web page. There are links there to try it or buy it. There is a one-time fee of $39.95 US to license the program and all updates to the program itself are then free for life. It does have an included reporting service called FirstAlert! that is subscription-based, but is purely optional. All new purchasers get the first year of FirstAlert! for free.

The spam filters used by MailWasher Pro (MWP) are in plain text and are stored in a file named: filters.txt. That file, along with the blacklist (and friends list), the bayesian learning filter database and other personalized files are stored separately from the program itself, inside your user profile, under Application Data, or AppData for Vista users. That location depends on which version of Windows you are using. If you don't already know the location of your application data, open the Run box by pressing the "Windows" key + R together and when the Run box opens, type in: %AppData% and press Enter. If you are notified that the contents are hidden, click on the link to Show these files, and/or modify your Folder View options to Display hidden files and folders and to not hide known file type extensions.

Once you open your personal identity's Application Data (or AppData) directory, look for the MailWasherPro subdirectory. Your own filters.txt and blacklist.txt files, spamlog.txt and the learning filter database are all inside that location. To edit filters.txt, or to use my custom downloadable filters you must first close MailWasher Pro, or your changes will be overwritten.

Some things to keep in mind when editing filters.txt are as follows:

  • Every rule starts with either [enabled] or [disabled].
  • Every rule starts on a new line and occupies one long line of code.
  • You must not have any blank spaces after the end of any rule.
  • There must not be any blank lines between rules.
  • MWP will add a single line feed to the last rule if none is present in your custom filters.
  • Comments are preceded by double forward slashes (//) and will be overwritten with the default comments after the program opens and closes.
  • Pay careful attention to double quotes (") in your rules. A misplaced quote will cause that rule to be deleted when the program opens! If there are spaces between words or regular expressions, you must enclose that segment inside double quotes. If there are double quotes in the rule you must add another double quote to each one, thus "escaping" them.
  • If in doubt, use the custom filter wizard to add data to fields and select your desired actions. The wizard will add the necessary quotes for you and the correct terminology for matching conditions. You can then open your filters.txt and see how the rule looks in the list.

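Because a single misplaced quote or stray space makes MailWasher Pro silently drop a rule, it helps to check filters.txt before starting the program. The Python linter below was written for this page (it is not Firetrust's code) and enforces only the constraints listed above: the [enabled]/[disabled] start token, no trailing spaces, no blank lines between rules, and doubled-quote escaping with balanced quotes. It does not know the full rule grammar, so the sample rules it ships with are constructed stand-ins whose field layout is invented; the default path assumes the %AppData%\MailWasherPro\filters.txt location described above.

```python
"""
Added example for this page (not Firetrust's code): a linter for filters.txt
that checks the editing rules listed above before MailWasher Pro gets a chance
to silently discard a rule.  It only enforces those listed constraints; it does
not know the full rule grammar, so the sample rules are constructed stand-ins.
"""
import os
import sys

COMMENT_PREFIX = "//"
START_TOKENS = ("[enabled]", "[disabled]")


def default_filters_path():
    # The post locates the file under the profile's Application Data folder:
    # %AppData%\MailWasherPro\filters.txt.  Assumes APPDATA is set (Windows);
    # elsewhere this falls back to the current directory for testing.
    base = os.environ.get("APPDATA", ".")
    return os.path.join(base, "MailWasherPro", "filters.txt")


def quotes_balanced(rule):
    """A doubled quote ("") is an escaped literal quote; after dropping those,
    the remaining quotes must pair up or MWP will delete the rule on start-up."""
    return rule.replace('""', "").count('"') % 2 == 0


def check_filters(text):
    """Return a list of (line_number, problem) tuples; an empty list means clean.

    splitlines() handles both LF and CRLF endings and drops the final line
    feed (the one MWP adds itself), but keeps a genuinely blank line as ''.
    """
    problems = []
    for number, line in enumerate(text.splitlines(), start=1):
        if line == "":
            problems.append((number, "blank line between rules"))
            continue
        if line.startswith(COMMENT_PREFIX):
            continue  # legal, but MWP replaces comments with its defaults
        if line != line.rstrip():
            problems.append((number, "trailing whitespace after the rule"))
        if not line.startswith(START_TOKENS):
            problems.append((number, "rule must start with [enabled] or [disabled]"))
        if not quotes_balanced(line):
            problems.append((number, "unbalanced double quote; MWP would delete this rule"))
    return problems


# Constructed sample: the field layout is invented for illustration and is not
# MailWasher Pro's real rule syntax; only the listed constraints are exercised.
SAMPLE = (
    "// constructed sample, not a real MailWasher Pro rule set\n"
    '[enabled] "Fake pharmacy" Subject contains "Canadian Pharmacy"\n'
    '[enabled] "Escaped quotes" Subject contains "say ""hi"" now"\n'
    '[disabled] "Bad quote" Subject contains "unterminated\n'
    '[enabled] "Trailing space" Subject contains "loans" \n'
    "\n"
    'enabled "No token" Subject contains "viagra"\n'
)


def lint_file(path):
    """Lint a filters.txt on disk; falls back to SAMPLE when the file is absent."""
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    except OSError:
        text = SAMPLE
    return check_filters(text)


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else default_filters_path()
    for number, problem in lint_file(path):
        print(f"line {number}: {problem}")
```

Run it with the path to your filters.txt as the only argument (with MailWasher Pro closed, as the post advises); with no argument it looks in the default location and, if nothing is there, lints the built-in sample, reporting the unterminated quote on line 4, the trailing space on line 5, the blank line 6 and the missing start token on line 7.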
My latest additions to the custom filters and sample filters are in my Custom MailWasher Pro filters. If you are thinking about purchasing MailWasher Pro, I would appreciate it if you do so through my MailWasher Pro affiliate link. Thank you!


October 1, 2008

Spybot Search and Destroy Definitions Updated on 10/01/2008

If you are using "Spybot Search and Destroy" to protect your PC against spyware infections and haven't updated it this week, be aware that updates to the definition files were released on schedule, on Wednesday this week, as listed below. Spyware and other classes of malicious programs are altered constantly to avoid detection by anti-spyware programs. Since Spybot S&D updates are only released on a weekly schedule (on Wednesdays) it is imperative that you make it a point to check for and download updates every week, preferably on Wednesday evenings. After downloading all available updates (from the best responding download server in the list of server locations), immunize*, then scan for and remove any detected malware. If Spybot is unable to remove an active threat it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.

If you arrived here by searching for the name of some malware that may be on your computer and you are not currently using Spybot Search and Destroy, you can download the latest version from the Spybot Search and Destroy Multi-Lingual Landing Page. Choose your language, then use the link in the left sidebar to go to the downloads page. Download the program from your closest mirror server, install it, update it (Updates button), then follow the instructions below to detect and remove any malware that is on your PC.

If you see a program listed in the detections below, by name, you should assume that it is malware (with the possible exception of the PUP group, which is up to user discretion). All of the programs listed with a single + sign are updated detections, while a double ++ in front of its name indicates a brand new detection. A number in parentheses, following a malware name, indicates the number of variants included in that detection. These programs are dangerous to your computer, and/or personal security or privacy.

* After updating your Spybot S&D definitions, if they include new "immunization" definitions you need to click on the "Immunize" button, then, if the status line tells you that additional immunizations are possible, click on the Immunize link, near the top of the program. It has a green + sign in a button. If you don't do this the new immunizations against hostile ActiveX programs will not be applied. After immunizing with any new detections, run a scan for malware by clicking on the "Spybot Search & Destroy" button, on the left panel, then on the button with the magnifying glass icon, labeled: "Check For Problems."

Spybot Updates - published every Wednesday

Spybot Search and Destroy 1.6 was released on July 8, 2008. It scans for threats about 4 times faster than previous versions and has a redesigned spyware removal engine. Upgrade now to Spybot S&D 1.6. The newest Virtumonde threats require the anti-malware engine in Spybot 1.6 to effectively remove them.

Additions made on October 1, 2008:

Keyloggers (Keyloggers steal your typed logins and passwords)
+ PerfectKeylogger
+ SCKeylogger

Malware (Includes rogue or fake anti-virus and anti-spyware programs and fake registry cleaners and fake security alerts, plus other nasty programs)
++ AdRotate
++ AntispywareProXP
++ MicroAntivirus
++ MySideSearch
+ Smitfraud-C.
+ SpywareBOT.SpywareStop
++ Win32.VB.ij

Security
++ Microsoft.Windows.Disabled.DispSettings

Trojans (Trojans come to you disguised as something useful, or as a missing codec required to view a spammed video, but, like the Trojan Horse of antiquity, they hold dangerous contents that cause great harm!)
++ Refpron
++ Stration.dtp
++ Virtumonde.atr
+ Virtumonde.dll
+ Virtumonde.prx
+ Virtumonde.sci
+ Virtumonde.sdn
+ Win32.Autoit
++ Win32.AutoRun.ET
++ Win32.AutoRun.HomeVideo
+ Win32.Delf.rtk
++ Win32.Small.axh
++ WinDestroyerGolden
++ Zlob.ARg

Total: 1141725 fingerprints in 284288 rules for 4285 products.

False positive detections reported or fixed this week:

There is a confirmed false positive detection of Trojan Win32.Small.fb in Wine, which is a Windows translation layer used on Linux computers to allow (some) Windows programs to be run on Linux. The displayed report was: "Win32.Small.fb: [SBI $3B3DD39E] <$WINSOCK>" This false positive has been fixed in this week's updates.

There is still an as yet unconfirmed, possible false positive of "FakeAlert" in the Windows System file "msvideo.dll." According to the user who reported this, "the description SpyBot gives indicates that FakeAlert creates an autorun entry but I don't see anything that arouses my suspicion." If it is a FP it will be corrected in next week's updates. If Spybot flags this file on your computer use caution and check with the Spybot False Positives Forum before allowing it to be deleted.

Extended Comments

If you are still using Spybot S&D 1.3, or 1.4, update support is about to end and your computer will be at greater risk because of having outdated definitions.

If you are using any version older than 1.6 please upgrade to the current version of Spybot S&D, which is now 1.6.0.30, as soon as possible. New definitions for malware like the Virtumonde family of Trojans need the newer processing technologies introduced in version 1.6.0.

Virtumonde (also known as the Vundo Trojan) is a Trojan horse that is known to cause pop-ups and advertising for rogue anti-spyware programs. It also causes other problems, including performance degradation and denial of service with some websites including Google. It attaches itself to the operating system using phony Browser Helper Objects (BHOs) and .dll files attached to the Winlogon process and Windows Explorer.

With the release of Spybot-S&D 1.6, Team Spybot has spent a lot of energy and man-hours implementing some new technologies to improve Virtumonde detections, increasing their detection range by more than 40% to more than 250,000 detection patterns to identify more than one million malware "fingerprints."

To benefit from these improvements, I recommend that you update to Spybot Search & Destroy 1.6, which is available through the update function integrated into the application as well as from the Spybot S&D download page.

If your computer gets stuck in a logon/logoff loop, after updating and scanning with the older versions of Spybot, visit this forum page for a solution, from Team Spybot.

Of continued concern to people who operate as Limited or Power Users for their daily browsing and email, Spybot Search and Destroy is still corrupting your less privileged accounts after you update it, immunize and scan from an Administrator level account. If, after doing these things, you log off the Administrator account and try to log into your Limited/Power User account, it may be corrupted and a generic desktop and start menu may appear. Don't panic! Your account and desktop can be restored by simply rebooting the computer. When you login after the reboot your previous settings will reappear. I don't know why this happens, but, stuff happens! It may be related to the relatively new rootkit detection added last year.

If you want to get direct assistance from Team Spybot, or their talented volunteers, visit the Spybot support forums, sign up for a user account and post your request for assistance. Be sure to read the rules before posting a question or reply.

If your computer is infected and you need help removing the threats, go to the Malware Removal Forums, at Safer Networking/Spybot.info. Again, read the rules before posting your request or logs! Do NOT inject your problem into somebody else's thread! Start a new topic.



About the author
Wiz's Blog is written by Bob "Wiz" Feinberg, an experienced freelance computer consultant, troubleshooter and webmaster. Wiz's specialty is in computer and website security. Wizcrafts Computer Services was established in 1996.


Creative Commons License This weblog is licensed under a Creative Commons License.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.