November 30, 2008

My Spam analysis for Nov 24 - 30, 2008

If you are reading this you have a computer. If you have a computer you also probably have at least one email address. Unless you live on another planet, or your email provider only allows whitelisted email through, you, like me, get a lot of junk mail, a.k.a. "spam" messages. While spam is an annoyance to most people, it is combat for me. I publish custom spam filters to block spam email for people who use the MailWasher Pro anti-spam email client.

This is the latest entry in a weekly series about classifications of spam, according to my custom filter rules used by the anti-spam tool, MailWasher Pro.

MailWasher Pro is a spam screening POP3 email program that goes between your email servers and your desktop email client (application). With this program you can actually read all of your incoming email in plain text, and click on links, if you are so inclined. MailWasher Pro uses a variety of techniques to recognize and designate what is and isn't spam, including a learning filter and user created custom filter rules. I personally write and use MailWasher Pro custom filters to detect and delete most incoming spam email. I have created and published a large assortment of spam filters which "plug-in" to MailWasher Pro, to flag or delete known spam. You can read about them, or download and use them in your own registered copy of MailWasher Pro.

MailWasher Pro has a "Statistics" display page that breaks down the types of spam it has deleted, listed by categories. Each program and user-created filter has a name and when a measurable percentage of spam is matched by a particular filter it shows up in the Statistics, with its percentage shown next to it. The percentages for various categories of spam listed below are taken from my MailWasher Pro "Statistics" page.

The category "Other Filters" combines several of my custom filters which did not receive enough spam to rate a measurable percentage, thus were all grouped into the one category called "Other Filters." Since I have a lot of custom filters and spam types do vary every week, the Other Filters category is always quite large, percentage-wise.

Before I get into the various categories of spam received this week, I want to mention the fact that while the volume of spam is still down from October and early November, it is definitely on the rise, with a 10% increase from last week. The volume of spam had dropped to near zero a couple of weeks ago, due to the termination of service to a server co-location hosting company, named McColo. McColo's customers were responsible for over 75% of the daily spam sent from zombie computers in several major Botnets. The "zombie" computers in these Botnets were unable to receive instructions from their mothership controllers and had mostly fallen silent; but have now begun to awaken.

When it comes to major spam runs, sent entirely through zombie computers which are unwittingly members of Botnets, certain types of spam rise to the top of the threat list, every week or two. The most common types of spam this week are for fake watches and various pharmaceuticals, including male enhancement pills, Viagra, Cialis and other sex oriented drugs. Spam for the fake "Canadian Pharmacy" remained strong as usual, but was surpassed for a second week by spam caught by my "Hidden ISO Subject" filter. Most of the Hidden ISO spam is for Indian Viagra or ineffective male enhancement pills and patches.

"Canadian Pharmacy" and its offshoot "Canadian Health and Care Mall" are scam websites, hosted unknowingly on hijacked (Botnetted) personal computers, or on bulletproof Chinese hosting servers owned by criminals in Russia. The prescription drugs and herbal remedies promoted by the fake Canadian Pharmacy come from a lab in India, named after a flower. Those prescription drugs are illegal to import into the US or Canada and may be seized by postal inspectors upon arrival.

The male enhancement spams are mostly leading to Botnetted computers hosting a web page touting VPXL, Power Gain Plus, or other herbal enlargement formulas, all of which are scams. Male enhancement pills are totally ineffective and may even be dangerous to your health.

MailWasher Pro spam category breakdown for November 24 - 30, 2008. Spam amounted to 25% of my incoming email this week, with 74 spam messages analyzed.


Hidden ISO Subject: 27.03%
Blacklisted Domains/Senders: (by pattern matching wildcard rules) 13.51%
Fake "Canadian Pharmacy" spam (Viagra, Cialis, etc): 13.51%
Other filters: (See my MWP Filters page) 10.81%
Counterfeit Watches: 8.11%
Known X-Mailer Spam: 5.41%
Viagra spam: 4.05%
DNS Blacklists: 4.05%
Fake Diplomas: 4.05%
Lottery Scams: 2.70%
HTML Tricks: 2.70%
Misc. Pharmaceutical spam (inc. Viagra, Cialis, Levitra & misc. pills & herbals): 2.70%
Bayesian learning filter: 1.35%

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as an incoming email screener for your POP email program (Microsoft Outlook, Microsoft Outlook Express, Microsoft Live Mail, Eudora, Mozilla and other stand-alone email programs).

All of the spam and scams targeting my accounts were either automatically deleted by my custom MailWasher Pro spam filters, or, if they made it through, were reported to SpamCop, of which I am a reporting member, and manually deleted. I never buy anything that is Spamvertised and recommend you don't either! Remember, almost all spam is now sent from compromised home or business PCs, zombies in various Botnets, all of which are controlled by criminals. If you purchase anything advertised in spam messages, you have given your credit or debit card information to the criminals behind that enterprise. If you are really lucky you will only be charged for the fake items you purchased, but, if not, you might find your credit limit used up, or your bank account emptied (for debit card transactions), by cyber criminals.

Also, unsubscribing through links in botnet-sent spam messages is futile, as you never opted-in, in the first place; your email address was captured by an email harvester on an infected computer belonging to somebody you corresponded with. Instead of receiving less spam as one might expect (by unsubscribing), all it does is confirm that your email address is active and you will see even more spam than before.

Another common way your email address may get harvested by spammers is if it appears in a large C.C. (Carbon Copy) list on a computer that gets Botnetted. Many people engage in forwarding messages among all their friends. Each time they forward chain letters their address gets added to the growing list of recipients (called Carbon Copy, or CC). If just one recipient of that message has an email harvesting malware infection, all of the email addresses listed in that message will be sent home to the spammer behind that spam run.

Smart folks who want to forward or send a message to multiple recipients use B.C.C. instead of C.C. Using B.C.C. hides all of the recipients from displaying. The To field will just show "Undisclosed Recipients" in a message sent using B.C.C. This is safest for you and your friends or mailing list. All email clients have a means of displaying a B.C.C. field.
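An added example, not code from this post, that makes the CC-versus-BCC difference measurable in Python. It builds the same chain-letter forward twice, once with five recipients in the To: header and once with them in Bcc:, simulates the sending server stripping Bcc:, and then runs the kind of crude address scrape an email-harvesting infection would perform over the stored message. Every address, the sender and the quoted earlier hops are constructed for the demonstration.

```python
import re
from email.message import EmailMessage
from email.policy import default

# Constructed sample data (none of it is from the page).
SENDER = "forwarder@example.net"
THIS_HOP = [f"friend{i}@example.org" for i in range(1, 6)]   # today's recipient list
EARLIER_HOPS = ["uncle@example.com", "coworker@example.co.uk",
                "neighbor@example.org"]                       # left behind in the quoted body

# The crude scrape a harvester runs over every file on an infected PC.
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def build_forward(use_bcc):
    """Return the chain-letter forward as bytes, as it lands in a recipient's mailbox.

    With use_bcc=True the To: header carries only the empty group
    'undisclosed-recipients:;' and the real recipients go in Bcc:, which the
    sending MTA strips before transmission (simulated by the del below).
    """
    msg = EmailMessage(policy=default)
    msg["From"] = SENDER
    msg["Subject"] = "Fwd: Fwd: Fwd: you have to read this!"
    if use_bcc:
        msg["To"] = "undisclosed-recipients:;"
        msg["Bcc"] = ", ".join(THIS_HOP)
    else:
        msg["To"] = ", ".join(THIS_HOP)
    quoted = "\n".join("> " + line for line in [
        "-------- Original Message --------",
        "From: " + EARLIER_HOPS[0],
        "To: " + ", ".join(EARLIER_HOPS[1:]),
        "Forward this to everyone you know!",
    ])
    msg.set_content("See below.\n\n" + quoted)
    del msg["Bcc"]          # what smtplib.send_message and any MTA do before sending
    return msg.as_bytes()


def harvest(raw):
    """Every distinct address a scraper finds in the stored message."""
    return set(ADDR_RE.findall(raw.decode("utf-8", "replace")))


def exposed_addresses(use_bcc):
    """Addresses a harvester on any one recipient's PC would send home."""
    return harvest(build_forward(use_bcc))


if __name__ == "__main__":
    for mode in (False, True):
        found = exposed_addresses(mode)
        print(f"{'Bcc' if mode else 'Cc'} forward: {len(found)} addresses harvested")
        for addr in sorted(found):
            print("   ", addr)
```

The Bcc variant still leaks the three addresses that earlier hops left in the quoted body, so when forwarding, trim the quoted headers as well; Bcc protects only the recipients you add at your own hop.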


November 26, 2008

Spam volume increasing as Srizbi Botnet is reactivated

On November 14, 2008, I published an article on my blog about how spam had dropped significantly following the shutdown of McColo, a server co-location hosting company. The reason for the huge drop in spam was because several of the World's largest and busiest Botnets had their Command and Control (C&C) servers housed and connected to the Internet by McColo. The C&C servers send instructions and spam templates to the Zombies under their control. When those C&C servers lost their connections to the Internet the Zombie computers in the Botnets they controlled all fell silent; becoming sleeper agents awaiting new instructions from new Controllers.

Today I began seeing an increase in the number of spam emails arriving in my spam screening program, MailWasher Pro. I did a little digging into security news and discovered that this increase is not a coincidence. Apparently, the so-called "Srizbi Botnet" has been rebuilding its C&C computers, which are now hosted in Estonia. Those C&C machines are now issuing instructions to the sleeping zombies, which are awakening and beginning to send out spam again. While researchers and detectives are able to identify the new locations of those C&C machines, shutting them down will be difficult, as the people hosting them and local Government officials couldn't care less about the damage being done by the Botnets under their control.

Whether today's spam is coming from the Srizbi Botnet, or some other Botnet is unimportant to spam recipients. Unless you are a security researcher you are probably more interested in blocking this spam than in knowing who designed it and ordered it to be sent to you. I can help you do that, using special rules in a spam filtering program named MailWasher Pro. This can only be done if you read your email in a POP3 desktop email client, like Outlook, Outlook Express, Windows Live Mail, Apple Mail, Mozilla Thunderbird, etc. MailWasher Pro stands between the Internet email servers and your desktop email client, where it filters out spam, scams and virus threats, before downloading any messages to your desktop email client. If you are not already using MailWasher Pro you can read about it here and download a trial or purchase a copy for yourself.

The first prong in my attack against spam is to add wildcard email addresses, that spammers repeatedly forge as the sender, to the program's Blacklist. Blacklist rules are processed before other types of rules, so the wildcard addresses in the Blacklist will cut down a lot on the amount of unclassified spam you have to deal with. Open MailWasher Pro, click on the "View" menu item, then select "Filter Side Bar." The Filter Side Bar will appear on the right side of the program. It has three tabbed sections: "Friends List," "Blacklist" and "Filters." Click on the "Blacklist" tab, then click on the round green "Add" button. A new "Add address to list" box will open. Click on the option "Wildcard expression." Copy and paste, or type in the following expressions, one per Blacklist entry, then click OK to close each new entry box. Repeat the sequence for each of the six Blacklist additions listed below. The first two entries are very commonly matched right now.

kef+diz@+

lin+met@+.de

dw+m@+

_+@+.+

-+@+.+

+@mail.*ru

After saving these Blacklist wildcard rules you must decide how you want MailWasher Pro to deal with the messages matching these expressions. While still in the Blacklist tab, click on the "Options" button. In the "Actions" section select "Delete the email." Just under that you can choose whether that happens manually, where you see the email flagged as "Blacklisted" in the incoming messages list, or if any messages matching those criteria are automatically deleted off the email server, on the spot. I use automatic deletion, as nobody I communicate with has an email prefix or suffix matching these criteria. To be safe, use manual deletion for a while, while listing (add to Friends list) any false detections, then switch to "Automatically, without notification" when you are confident in the accuracy of these (and other) Blacklist rules.
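As an added illustration, not code from this post or from MailWasher Pro, here is a small Python matcher that applies the six wildcard entries above to a batch of constructed sender addresses. It assumes, because the page does not define the syntax, that `+` stands for any run of characters, treats the stray `*` in the last entry the same way, and gives the Friends list precedence over the Blacklist, which is the order the manual-deletion advice relies on. The sample senders and the Friends entry are constructed for the demonstration.

```python
import re

# The six Blacklist wildcard entries from the post above.
BLACKLIST = [
    "kef+diz@+",
    "lin+met@+.de",
    "dw+m@+",
    "_+@+.+",
    "-+@+.+",
    "+@mail.*ru",
]

# Assumption (the page does not define the syntax): '+' matches any run of
# characters, and the '*' in the last entry is treated the same way.
WILDCARDS = re.compile(r"[+*]")


def wildcard_to_regex(pattern):
    """Compile one wildcard entry into an anchored, case-insensitive regex.

    Every literal chunk is escaped, so the '.' in 'mail.*ru' matches only a
    real dot; otherwise 'x@mailxru' would be a false positive.
    """
    chunks = [re.escape(c) for c in WILDCARDS.split(pattern)]
    return re.compile("^" + ".*".join(chunks) + "$", re.IGNORECASE)


COMPILED = [(p, wildcard_to_regex(p)) for p in BLACKLIST]


def classify(sender, friends=frozenset()):
    """Return 'friend', 'blacklisted:<rule>' or 'unclassified' for one From: address.

    The Friends list is consulted first (assumption), which is what makes the
    post's advice work: a false detection added to Friends stops matching.
    """
    addr = sender.strip().lower()
    if addr in {f.lower() for f in friends}:
        return "friend"
    for pattern, rx in COMPILED:   # first matching rule wins, in list order
        if rx.match(addr):
            return "blacklisted:" + pattern
    return "unclassified"


def screen(senders, friends=frozenset()):
    """Classify a batch and return {sender: verdict}, the view a manual-deletion
    review would show as 'Blacklisted' flags in the incoming list."""
    return {s: classify(s, friends) for s in senders}


# Constructed sample senders (not taken from the page).
SAMPLE_SENDERS = [
    "kefadiz@example.net",      # kef+diz@+
    "LINKMET@example.DE",       # lin+met@+.de, case-insensitive
    "dwarm@example.org",        # dw+m@+
    "_newsletter@example.com",  # _+@+.+ : any local part starting with '_'
    "-deals@example.net",       # -+@+.+ : any local part starting with '-'
    "someone@mail.ru",          # +@mail.*ru
    "x@mailxru",                # must NOT match: the '.' is literal
    "alice@example.com",        # legitimate, unmatched
    "_alice@example.com",       # would be a false positive without Friends
]
FRIENDS = frozenset({"_alice@example.com"})

if __name__ == "__main__":
    for sender, verdict in screen(SAMPLE_SENDERS, FRIENDS).items():
        print(f"{sender:28} -> {verdict}")
```

Two of the entries, `_+@+.+` and `-+@+.+`, match any address whose local part begins with an underscore or a hyphen, so the `_alice` case shows why a period of manual deletion with Friends-list additions is worth the effort before switching to automatic deletion. These rules test only the forged From: address, which is why the Blacklist cuts volume but still needs the custom content filters behind it.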

Next, go to my MailWasher Pro Custom Filters web page and scroll down to the iframe, in which one of my three versions of my custom MailWasher Pro filters will be loaded. Read the notes about each of these filters and choose the one that you prefer to use. You can either copy and paste the rules from the iframe into your own "filters.txt" file, or download the file, deposit it into the appropriate location, renaming it to filters.txt if required. MailWasher Pro keeps all user settings, filters and white/black lists in your logged-in identity's %AppData%\MailWasherPro folder. You may need to edit your Folder View settings to unhide hidden and system files and folders, and show known extensions, to see these files. You can also locate and open the data folder where the filters.txt lives by clicking on "Help" (with MailWasher Pro open), then "About," then click on the link to your application data files, at the bottom of the "About" box. More details about using my filters are found on the aforementioned Custom Filters web page.

If you choose manual deletion of email messages that match a MailWasher Pro Blacklist or custom filter rule, the messages that are matched by that rule will be flagged by the name of the custom filter, or else will say "Blacklisted," if they match a sender's wildcard address in the Blacklist.

Between using the Wildcard Blacklist entries and my custom filter rules, which are regularly updated, you will be able to cut down to just a trickle the amount of spam messages you have to read before realizing they are indeed spam. If you set the rules to automatically delete spam without notification, you will only see a few variants that I have not yet created rules for (but will create soon). I estimate that my automatic deletion rules and Blacklist entries remove 95% of the incoming spam without my ever having to look at it. Mistakes are restored via the built-in configurable Recycle Bin.


Spybot Search and Destroy Definitions Updated on 11/26/2008

If you are using "Spybot Search and Destroy" to protect your PC against spyware infections and haven't updated it this week, be aware that updates to the definition files were released on schedule, on Wednesday this week, as listed below. Spyware and other classes of malicious programs are altered constantly to avoid detection by anti-spyware programs. Since Spybot S&D updates are only released on a weekly schedule (on Wednesdays) it is imperative that you make it a point to check for and download updates every week, preferably on Wednesday evenings. After downloading all available updates (from the best responding download server in the list of server locations), immunize*, then scan for and remove any detected malware. If Spybot is unable to remove an active threat it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.

If you arrived here by searching for the name of some malware that may be on your computer and you are not currently using Spybot Search and Destroy, you can download the latest version from the Spybot Search and Destroy Multi-Lingual Landing Page. Choose your language, then use the link in the left sidebar to go to the downloads page. Download the program from your closest mirror server, install it, update it (Updates button), then follow the instructions below to detect and remove any malware that is on your PC.

If you see a program listed in the detections below, by name, you should assume that it is malware (with the possible exception of the PUP group, which is up to user discretion). All of the programs listed with a single + sign are updated detections, while a double ++ in front of its name indicates a brand new detection. A number in parentheses, following a malware name, indicates the number of variants included in that detection. These programs are dangerous to your computer, and/or personal security or privacy.

* After updating your Spybot S&D definitions, if they include new "immunization" definitions you need to click on the "Immunize" button, then, if the status line tells you that additional immunizations are possible, click on the Immunize link, near the top of the program. It has a green + sign in a button. If you don't do this the new immunizations against hostile ActiveX programs will not be applied. After immunizing with any new detections, run a scan for malware by clicking on the "Spybot Search & Destroy" button, on the left panel, then on the button with the magnifying glass icon, labeled: "Check For Problems."

Spybot Updates - published every Wednesday

Spybot Search and Destroy 1.6 was released on July 8, 2008. It scans for threats about 4 times faster than previous versions and has a redesigned spyware removal engine. Upgrade now to Spybot S&D 1.6. The newest Virtumonde threats require the anti malware engine in Spybot 1.6 to effectively remove them.

Work is progressing rapidly on the upcoming version 2.0, of Spybot Search and Destroy. Stay tuned for more details as they are announced.

Additions made on November 26, 2008:

Adware
++ Win32.BHO.hxp

Malware (Includes rogue or fake anti-virus and anti-spyware programs and fake registry cleaners and fake security alerts, plus other nasty programs)
++ Fraud.AntiSpywareXP
+ Smitfraud-C.

PUPS (Possibly UnPopular Software or Potentially Unwanted Program)
+ FunWebProducts
+ MyWay.MyWebSearch
+ WildTangent

Security
+ Microsoft.Windows.AppFirewallBypass


Trojans (Trojans come to you disguised as something useful, or as a missing codec required to view a spammed video, but, like the Trojan Horse of antiquity, they hold dangerous contents that cause great harm!)
+ Beast
+ Virtumonde
+ Virtumonde.prx
+ Virtumonde.sci
+ Virtumonde.sdn
++ Win32.Agent.amwr
++ Win32.Agent.amyy
++ Win32.Agent.ddl
++ Win32.Agent.gpr
++ Win32.Agent.ik
++ Win32.AutoRun.AW
++ Win32.AutoRun.im
++ Win32.AutoRun.Malas
+ Win32.Bagle.A
+ Win32.Bagle.C
+ Win32.Bagle.F
+ Win32.Bagle.G
+ Win32.Bagle.H
+ Win32.Brontok.q
+ Win32.Exchanger.ch
++ Win32.HermanAgent
++ Win32.Omega.aik
++ Win32.RA.51122
+ Zlob.DNSChanger
+ Zlob.Downloader
++ ZombieRat

Total: 1193059 fingerprints in 340806 rules for 4414 products.

There is a big increase in the number of Trojans added to the detections database, with the November 26 updates. These programs do not come in peace and they do mean you harm! Please update your definitions, then apply all immunizations to all of your user accounts on your PC.

False positive detections reported or fixed this week:

There was a confirmed false positive detection of "MailSkinner.rtk" in 4 Registry keys (OutlookAddin.Addin), plus files in some BlueTooth program folders, and in the Kaspersky anti spam toolbar for Microsoft Outlook. This was fixed in today's updates.

If you wish to report or discuss a possible false positive detection by Spybot S&D, please read this first.

Extended Comments

Malware Removal Guides

The good folks at Spybot S&D have started a new segment of their official forums, titled "Malware Removal Guides." Each week they intend to write a short self-help article to help you remove various common malware threats manually, or in conjunction with Spybot S&D. This should prove to be a very useful addition to the Spybot forums.

If you are still using Spybot S&D 1.3, or 1.4, update support is about to end and your computer will be at greater risk because of having out-dated definitions. Furthermore, older versions of Spybot are known to report lots of false positives, due to the advanced heuristic rules now found in the newer definition files.

If you are using any version older than 1.6 please upgrade to the current version of Spybot S&D, which is now 1.6.0.30, as soon as possible. New definitions for malware like the Virtumonde family of Trojans need the newer processing technologies introduced in version 1.6.0.

Virtumonde (also known as the Vundo Trojan) is a Trojan horse that is known to cause pop-ups and advertising for rogue anti-spyware programs. It also causes other problems, including performance degradation and denial of service with some websites including Google. It attaches itself to the operating system using phony Browser Helper Objects (BHOs) and .dll files attached to the Winlogon process and Windows Explorer.

With the release of Spybot-S&D 1.6, Team Spybot has spent a lot of energy and man-hours implementing some new technologies to improve Virtumonde detections, increasing their detection range by more than 40% to more than 250,000 detection patterns to identify more than one million malware "fingerprints."

To benefit from these improvements, I recommend that you update to Spybot Search & Destroy 1.6, which is available through the update function integrated into the application as well as from the Spybot S&D download page.

If your computer gets stuck in a logon/logoff loop, after updating and scanning with the older versions of Spybot, visit this forum page for a solution, from Team Spybot.

Of continued concern to people who operate as Limited or Power Users for their daily browsing and email, Spybot Search and Destroy is still corrupting your less privileged accounts after you update it, immunize and scan from an Administrator level account. If, after doing these things, you log off the Administrator account and try to log into your Limited/Power User account, it may be corrupted and a generic desktop and start menu may appear. Don't panic! Your account and desktop can be restored by simply rebooting the computer. When you login after the reboot your previous settings will reappear. I don't know why this happens, but, stuff happens! It may be related to the relatively new rootkit detection added last year.

If you want to get direct assistance from Team Spybot, or their talented volunteers, visit the Spybot support forums, sign up for a user account and post your request for assistance. Be sure to read the rules before posting a question or reply.

If your computer is infected and you need help removing the threats, go to the Malware Removal Forums, at Safer Networking/Spybot.info. Again, read the rules before posting your request or logs! Do NOT inject your problem into somebody else's thread! Start a new topic.

If Spybot flags a file on your computer that you believe is a false positive detection, use caution and check with the Spybot False Positives Forum before allowing it to be deleted. You can submit a report to the Spybot False Positives forum, after signing up for an account and reading about how to report false positives before submitting your report and request for analysis.


November 24, 2008

My Spam analysis for Nov 17 - 23, 2008

Before I get into the various categories of spam received this week, I want to mention the fact that I saw a humongous drop in the volume of incoming spam analyzed by MailWasher Pro, beginning Tuesday, November 11 and continuing throughout this past week. It was on November 11, 2008, that Global Crossing and Hurricane Electric disconnected a server co-location hosting company named McColo from the Internet. McColo's customers were responsible for as much as 75% of the daily spam sent from zombie computers in several major Botnets. The "zombie" computers in these Botnets are unable to receive instructions from their mothership controllers and have mostly fallen silent; for now.

When it comes to major spam runs, sent entirely through zombie computers which are unwittingly members of Botnets, certain types of spam rise to the top of the threat list, every week or two. The most common types of spam this week are for fake watches and various pharmaceuticals, including male enhancement pills, Viagra, Cialis and other sex oriented drugs. Spam for the fake "Canadian Pharmacy" remained strong as usual, but was surpassed this week by spam caught by my "Hidden ISO Subject" filter. Most of the Hidden ISO spam is for Indian Viagra or ineffective male enhancement pills.

"Canadian Pharmacy" and its offshoot "Canadian Health and Care Mall" are scam websites, hosted unknowingly on hijacked (Botnetted) personal computers, or on bulletproof Chinese hosting servers owned by criminals in Russia. The prescription drugs and herbal remedies promoted by the fake Canadian Pharmacy come from a lab in India, named after a flower. Those prescription drugs are illegal to import into the US or Canada and may be seized by postal inspectors upon arrival.

The male enhancement spams are mostly leading to Botnetted computers hosting a web page touting VPXL, or other herbal enlargement formulas, all of which are scams. Male enhancement pills are totally ineffective and may even be dangerous to your health.

MailWasher Pro spam category breakdown for November 17 - 23, 2008. Spam amounted to a mere 15% of my incoming email this week, with only 44 spam messages analyzed.


Hidden ISO Subject: 25.81%
Blacklisted Domains/Senders: (by pattern matching wildcard rules) 16.13%
Fake "Canadian Pharmacy" spam (Viagra, Cialis, etc): 12.90%
Male enhancement spam (subject or body): 9.68%
Counterfeit Watches: 9.68%
Viagra spam: 6.45%
Dating scams: 3.23%
Misc. Pharmaceutical spam (inc. Viagra, Cialis, Levitra & misc. pills & herbals): 3.23%
Bayesian learning filter: 3.23%
Casino Spam: 3.23%
Blocked Countries, RIPE, LACNIC, APNIC: 3.23%
Joe Job Bounces: 3.23%


November 19, 2008

Spybot Search and Destroy Definitions Updated on 11/19/2008

If you are using "Spybot Search and Destroy" to protect your PC against spyware infections and haven't updated it this week, be aware that updates to the definition files were released on schedule, on Wednesday this week, as listed below. Spyware and other classes of malicious programs are altered constantly to avoid detection by anti-spyware programs. Since Spybot S&D updates are only released on a weekly schedule (on Wednesdays) it is imperative that you make it a point to check for and download updates every week, preferably on Wednesday evenings. After downloading all available updates (from the best responding download server in the list of server locations), immunize*, then scan for and remove any detected malware. If Spybot is unable to remove an active threat it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.

If you arrived here by searching for the name of some malware that may be on your computer and you are not currently using Spybot Search and Destroy, you can download the latest version from the Spybot Search and Destroy Multi-Lingual Landing Page. Choose your language, then use the link in the left sidebar to go to the downloads page. Download the program from your closest mirror server, install it, update it (Updates button), then follow the instructions below to detect and remove any malware that is on your PC.

If you see a program listed in the detections below, by name, you should assume that is is malware (with the possible exception of the PUP group, which is up to user discretion). All of the programs listed with a single + sign are updated detections, while a double ++ in front of it's name indicates a brand new detection. A number in parenthesis, following a malware name, indicates the number of variants included in that detection. These programs are dangerous to your computer, and/or personal security or privacy.

* After updating your Spybot S&D definitions, if they include new "immunization" definitions you need to click on the "Immunize" button, then, if the status line tells you that additional immunizations are possible, click on the Immunize link, near the top of the program. It has a green + sign in a button. If you don't do this the new immunizations against hostile ActiveX programs will not be applied. After immunizing with any new detections, run a scan for malware by clicking on the "Spybot Search & Destroy" button, on the left panel, then on the button with the magnifying glass icon, labeled: "Check For Problems."

Spybot Updates - published every Wednesday

Spybot Search and Destroy 1.6 was released on July 8, 2008. It scans for threats about 4 times faster than previous versions and has a redesigned spyware removal engine. Upgrade now to Spybot S&D 1.6. The newest Virtumonde threats require the anti-malware engine in Spybot 1.6 to effectively remove them.

Work is progressing rapidly on the upcoming version 2.0 of Spybot Search and Destroy. Stay tuned for more details as they are announced.

Additions made on November 19, 2008:

Adware
+ Win32.TrafficSol.c

Hijackers
++ Win32.Startpage.nil

Keyloggers (Keyloggers steal your typed logins and passwords)
+ Ardamax
+ SCKeylogger

Malware (Includes rogue or fake anti-virus and anti-spyware programs and fake registry cleaners and fake security alerts, plus other nasty programs)
+ CarpeDiem Vars
+ Fraud.XPAntivirus
++ Gool
++ MadInjection.rtk
+ PornBHO.ru
+ Smitfraud-C.
+ Win32.Renos
+ Win32.Small.buy

Trojans (Trojans come to you disguised as something useful, or as a missing codec required to view a spammed video, but, like the Trojan Horse of antiquity, they hold dangerous contents that cause great harm!)
+ Facegame
++ Fake.Javacore
+ IRC.Zapchast
+ PWS.Small.bs
++ Speedrunner
+ Virtumonde
+ Virtumonde.dll
+ Virtumonde.prx
+ Virtumonde.sci
+ Virtumonde.sdn
++ Webtools.tCPV6
++ Win32.Agent.di
++ Win32.Agent.hk
++ Win32.Agent.ll
++ Win32.Agent.sd
++ Win32.Agent.yvr
++ Win32.AutoRun.SilentSoftech
+ Win32.Bagle.AV
++ Win32.Delf.hj
++ Win32.Delf.kp
+ Win32.Exchanger.ch
++ Win32.LdPinch.adk
++ Win32.Mailbot.dc
++ Win32.Renos.au
+ Win32.Small.rc
+ Zlob.Downloader
++ Zlob.Downloader.eit
++ Zlob.Downloader.ger
++ Zlob.Downloader.miu
++ Zlob.Downloader.rot
++ Zlob.Downloader.sit
++ Zlob.Downloader.swo

Total: 1187003 fingerprints in 338944 rules for 4407 products.

There is a big increase in the number of Trojans added to the detections database, with the November 19 updates. These programs do not come in peace and they do mean you harm! Please update your definitions, then apply all immunizations to all of your user accounts on your PC.

False positive detections reported or fixed this week:

There was a confirmed false positive detection of "Spybouncer" in empty zip files. This was fixed in today's updates.

There was a confirmed false positive detection of "win32.anilogo.i" in a file named Domino.exe, which is a legit file used by a usb camera. This was fixed in today's updates.

If you wish to report or discuss a possible false positive detection by Spybot S&D, please read this first.

Extended Comments

Malware Removal Guides

The good folks at Spybot S&D have started a new segment of their official forums, titled "Malware Removal Guides." Each week they intend to write a short self-help article to help you remove various common malware threats manually, or in conjunction with Spybot S&D. This should prove to be a very useful addition to the Spybot forums.

If you are still using Spybot S&D 1.3, or 1.4, update support is about to end and your computer will be at greater risk because of having outdated definitions. Furthermore, older versions of Spybot are known to report lots of false positives, due to the advanced heuristic rules now found in the newer definition files.

If you are using any version older than 1.6 please upgrade to the current version of Spybot S&D, which is now 1.6.0.30, as soon as possible. New definitions for malware like the Virtumonde family of Trojans need the newer processing technologies introduced in version 1.6.0.

Virtumonde (also known as the Vundo Trojan) is a Trojan horse that is known to cause pop-ups and advertising for rogue anti-spyware programs. It also causes other problems, including performance degradation and denial of service with some websites including Google. It attaches itself to the operating system using phony Browser Helper Objects (BHOs) and .dll files attached to the Winlogon process and Windows Explorer.

With the release of Spybot-S&D 1.6, Team Spybot has spent a lot of energy and man-hours implementing some new technologies to improve Virtumonde detections, increasing their detection range by more than 40% to more than 250,000 detection patterns to identify more than one million malware "fingerprints."

To benefit from these improvements, I recommend that you update to Spybot Search & Destroy 1.6, which is available through the update function integrated into the application as well as from the Spybot S&D download page.

If your computer gets stuck in a logon/logoff loop, after updating and scanning with the older versions of Spybot, visit this forum page for a solution, from Team Spybot.

Of continued concern to people who operate as Limited or Power Users for their daily browsing and email, Spybot Search and Destroy is still corrupting your less privileged accounts after you update it, immunize and scan from an Administrator level account. If, after doing these things, you log off the Administrator account and try to log into your Limited/Power User account, it may be corrupted and a generic desktop and start menu may appear. Don't panic! Your account and desktop can be restored by simply rebooting the computer. When you log in after the reboot your previous settings will reappear. I don't know why this happens, but, stuff happens! It may be related to the relatively new rootkit detection added last year.

If you want to get direct assistance from Team Spybot, or their talented volunteers, visit the Spybot support forums, sign up for a user account and post your request for assistance. Be sure to read the rules before posting a question or reply.

If your computer is infected and you need help removing the threats, go to the Malware Removal Forums, at Safer Networking/Spybot.info. Again, read the rules before posting your request or logs! Do NOT inject your problem into somebody else's thread! Start a new topic.

If Spybot flags a file on your computer that you believe is a false positive detection, use caution and check with the Spybot False Positives Forum before allowing it to be deleted. You can submit a report to the Spybot False Positives forum, after signing up for an account and reading about how to report false positives before submitting your report and request for analysis.


November 16, 2008

My Spam analysis for Nov 10 - 16, 2008

If you are reading this you have a computer. If you have a computer you also probably have at least one email address. Unless you live on another planet, or your email provider only allows whitelisted email through, you, like me, get a lot of junk mail, a.k.a. "spam" messages. While spam is an annoyance to most people, it is combat for me. I publish custom spam filters to block spam email for people who use the MailWasher Pro anti-spam email client.

This is the latest entry in a weekly series about classifications of spam, according to my custom filter rules used by the anti-spam tool, MailWasher Pro.

MailWasher Pro is a spam screening POP3 email program that goes between your email servers and your desktop email client (application). With this program you can actually read all of your incoming email in plain text, and click on links, if you are so inclined. MailWasher Pro uses a variety of techniques to recognize and designate what is and isn't spam, including a learning filter and user created custom filter rules. I personally write and use MailWasher Pro custom filters to detect and delete most incoming spam email. I have created and published a large assortment of spam filters which "plug-in" to MailWasher Pro, to flag or delete known spam. You can read about them, or download and use them in your own registered copy of MailWasher Pro.

MailWasher Pro has a "Statistics" display page that breaks down the types of spam it has deleted, listed by categories. Each program and user-created filter has a name and when a measurable percentage of spam is matched by a particular filter it shows up in the Statistics, with its percentage shown next to it. The percentages for various categories of spam listed below are taken from my MailWasher Pro "Statistics" page.

The category "Other Filters" combines several of my custom filters which did not receive enough spam to rate a measurable percentage, thus were all grouped into the one category called "Other Filters." Since I have a lot of custom filters and spam types do vary every week, the Other Filters category is always quite large, percentage-wise.

Before I get into the various categories of spam received this week, I want to mention the fact that I saw a large drop in the volume of incoming spam analyzed by MailWasher Pro, beginning Tuesday, November 11. It was during the afternoon of November 11, 2008, that Global Crossing and Hurricane Electric disconnected a server co-location hosting company named McColo from the Internet. McColo's customers were responsible for as much as 75% of the daily spam sent from zombie computers in several major Botnets. Spam began diminishing on Tuesday and continues to drop today. A BIG THANKS goes to HostExploit and its research partners, who compiled evidence over a period of more than two years that led to the termination of McColo's connectivity to the Internet. I recently published an article about how the volume of spam dropped when McColo was disconnected from the Internet.

When it comes to major spam runs, sent entirely through zombie computers which are unwittingly members of Botnets, certain types of spam rise to the top of the threat list, every week or two. The most common types of spam this week are for fake diplomas and various pharmaceuticals, including male enhancement pills, Viagra, Cialis and other sex oriented drugs. Spam for the fake "Canadian Pharmacy" continues to dominate all spam categories. This type of spam had decreased last month, after the arrest and indictment of some of the people behind these scams. Unfortunately, other criminals have taken up the slack and continue to promote their own "Canadian Pharmacy."

"Canadian Pharmacy" and its offshoot "Canadian Health and Care Mall" are scam websites, hosted unknowingly on hijacked (Botnetted) personal computers, or on bulletproof Chinese hosting servers owned by criminals in Russia. The prescription drugs and herbal remedies promoted by the fake Canadian Pharmacy come from a lab in India, named after a flower. Those prescription drugs are illegal to import into the US or Canada and may be seized by postal inspectors upon arrival.

The male enhancement spams are mostly leading to Botnetted computers hosting a web page touting VPXL, or other herbal enlargement formulas, all of which are scams. Male enhancement pills are totally ineffective and may even be dangerous to your health.

MailWasher Pro spam category breakdown for November 10 - 16, 2008. Spam amounted to 49% of my incoming email this week, with 229 spam messages analyzed.


Fake "Canadian Pharmacy" spam (Viagra, Cialis, etc): 30.60%
Viagra spam: 13.43%
Fake Diplomas: 12.69%
Other filters: (See my MWP Filters page) 9.70%
Male enhancement spam (subject or body): 9.70%
Hidden ISO Subject: 5.97%
Misc. Pharmaceutical spam (inc. Viagra, Cialis, Levitra & misc. pills & herbals): 3.73%
One line spam url: 2.99%
HTML Tricks: 2.99%
Casino Spam: 2.99%
Lottery Scams: 2.99%
Blacklisted Domains/Senders: (by pattern matching wildcard rules) 1.49%
DNS Blacklists: 0.75%

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as an incoming email screener for your POP email program (Microsoft Outlook, Microsoft Outlook Express, Microsoft Live Mail, Eudora, Mozilla and other stand-alone email programs).

All of the spam and scams targeting my accounts were either automatically deleted by my custom MailWasher Pro spam filters, or, if they made it through, were reported to SpamCop, of which I am a reporting member, and manually deleted. I never buy anything that is Spamvertised and recommend you don't either! Remember, almost all spam is now sent from compromised home or business PCs, zombies in various Botnets, all of which are controlled by criminals. If you purchase anything advertised in spam messages, you have given your credit or debit card information to the criminals behind that enterprise. If you are really lucky you will only be charged for the fake items you purchased, but, if not, you might find your credit limit used up, or your bank account emptied (for debit card transactions), by cyber criminals.

Also, unsubscribing through links in botnet-sent spam messages is futile, as you never opted-in, in the first place; your email address was captured by an email harvester on an infected computer belonging to somebody you corresponded with. Instead of receiving less spam as one might expect (by unsubscribing), all it does is confirm that your email address is active and you will see even more spam than before.

Another common way your email address may get harvested by spammers is if it appears in a large C.C. (Carbon Copy) list on a computer that gets Botnetted. Many people engage in forwarding messages among all their friends. Each time they forward chain letters their address gets added to the growing list of recipients (called Carbon Copy, or CC). If just one recipient of that message has an email harvesting malware infection, all of the email addresses listed in that message will be sent home to the spammer behind that spam run.

Smart folks who want to forward or send a message to multiple recipients use B.C.C. instead of C.C. Using B.C.C. hides all of the recipients from displaying. The To field will just show "Undisclosed Recipients" in a message sent using B.C.C. This is safest for you and your friends or mailing list. All email clients have a means of displaying a B.C.C. field.
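To make the CC versus BCC point concrete, here is an added example (not code from the original post, and not part of MailWasher Pro) that builds the same forward both ways with Python's standard library and shows what a harvester running on any one recipient's machine could read out of its delivered copy. The sender and friend addresses are constructed placeholders; the stripping of the Bcc header before transmission mirrors what smtplib's send_message does when a message is actually sent.

```python
from email import message_from_bytes
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample addresses; none of them are real mailboxes.
SENDER = "sender@example.com"
FRIENDS = ["alice@example.com", "bob@example.net", "carol@example.org"]


def build_message(sender, recipients, subject, body, use_bcc=True):
    """Address a forward one of two ways: everyone in Cc (how chain letters
    usually travel) or everyone in Bcc with an empty To group (what the post
    recommends)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["Subject"] = subject
    if use_bcc:
        # An empty RFC 5322 group; mail clients display it as "Undisclosed recipients".
        msg["To"] = "Undisclosed recipients:;"
        msg["Bcc"] = ", ".join(recipients)
    else:
        msg["To"] = sender
        msg["Cc"] = ", ".join(recipients)
    msg.set_content(body)
    return msg


def _addresses(fields):
    """Bare addresses from a list of header values, ignoring empty groups."""
    found = []
    for field in fields:
        found.extend(addr for _, addr in getaddresses([field]) if addr)
    return found


def envelope_recipients(msg):
    """Who the mail server is told to deliver to (SMTP RCPT TO): To, Cc and
    Bcc all count, which is why Bcc recipients still get the message."""
    return _addresses(msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", []))


def wire_form(msg):
    """The bytes that leave your machine as message content. As smtplib's
    send_message does, the Bcc header is dropped before the DATA phase, so no
    delivered copy carries it."""
    outgoing = message_from_bytes(msg.as_bytes())
    del outgoing["Bcc"]
    return outgoing.as_bytes()


def exposed_addresses(wire_bytes, sender):
    """Other recipients' addresses that an address harvester on any one
    recipient's infected PC could read out of its delivered copy."""
    delivered = message_from_bytes(wire_bytes)
    others = _addresses(delivered.get_all("To", []) + delivered.get_all("Cc", []))
    return sorted(addr for addr in others if addr != sender)


def compare_cc_vs_bcc(sender=SENDER, recipients=FRIENDS):
    """For each addressing style: how many mailboxes receive the message and
    which addresses every one of those mailboxes can see."""
    report = {}
    for style, use_bcc in (("cc", False), ("bcc", True)):
        msg = build_message(sender, recipients, "Fwd: Fwd: Fwd: funny pictures",
                            "See attached.", use_bcc)
        report[style] = {
            "delivered_to": len(envelope_recipients(msg)),
            "exposed": exposed_addresses(wire_form(msg), sender),
        }
    return report


if __name__ == "__main__":
    for style, info in compare_cc_vs_bcc().items():
        print(f"{style}: delivered to {info['delivered_to']} mailboxes; "
              f"addresses visible in every copy: {info['exposed'] or 'none'}")
```

Both styles reach the same three friends, but only the Cc version hands all three addresses to every copy, so a single infected recipient leaks the whole list.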


November 14, 2008

Spam volume drops after McColo servers forced offline

My incoming volume of Spam email has dwindled this week, steadily, since Tuesday, November 11. I have waited a few days to write about this in order to see how matters played out. Interestingly, Tuesday was also Veterans' Day in the USA and Armistice Day around the World. Coincidentally, there was a temporary armistice between the senders of spam and the targets of their spam messages. This armistice occurred around 1:30 PST in San Jose, California, USA.

Something major happened on Tuesday, November 11, 2008, that resulted in the huge drop in the volume of spam hitting my MailWasher Pro spam filtering program. It was on Tuesday afternoon, November 11, 2008, that Internet Backbone and Colocation Provider Hurricane Electric and global IP-based network Global Crossing terminated their Internet peering connections to the web server colocation hosting company known as McColo Corporation, located in San Jose, California. They did this after being presented with irrefutable evidence of long-term extreme badness being conducted by the hosting customers of McColo. It is estimated that up to 75% of the spam sent out on a daily basis is run by Command and Control servers hosted on machines at McColo's facilities. Without being commanded to receive new spam templates and then send out spam runs, the zombie PCs in numerous Botnets fell silent over the last few days.

This badness conducted by the McColo customers includes various unfriendly and illegal activities, including, but not limited to the following:


  • Hosting distribution machines for malware executables and browser exploits, to be served to innocent web surfers drawn there by trickery, to infect their computers with Trojans and make them members of botnets.

  • Command and Control over the World's most prolific Botnets, the members of which are remotely controlled to send spam, host malware laden web pages, or launch denial of service attacks on behalf of the Bot Masters.

  • Hosting fake anti-virus and rogue anti-spyware scanners, used to scam victims into paying for useless removal programs. The so-called removal programs in fact only remove the pop-up notices, or balloon messages, or phony screensavers or desktop backgrounds that are made to resemble a Windows BSOD. They operate in collusion as a tandem infection.

  • Hosting Phishing web sites that steal login credentials from banking customers, then empty their bank accounts, or make unauthorized purchases with their stolen credit card accounts.

  • Hosting of illegal child pornography.

  • Hosting of payment portals and systems by means of which cyber criminals receive payments.

  • Hosting servers that are used to store information stolen by means of Phishing or Dictionary attacks against innocent parties.

  • Databases containing the names and locations of Bot Masters, cyber criminals, pornographers and spammers.

  • The hosting of fake pharmacy websites and payment systems.

  • Launching DDoS attacks against the Republic of Georgia infrastructure and Government websites, and against other legitimate governments and companies.


McColo hosted the so-called command-and-control servers for botnets that are used to instruct PCs to send spam. The botnets included Rustock, Srizbi, Pushdo/Cutwail, Ozdok/Mega-D and Gheg, according to this report. If you are troubled by the sheer volume of spam that you must fight off everyday, take the time to read the report and you will gain a better understanding of how the cyber criminals behind these operations are able to conduct their illegal activities and where many of them are actually located.

The cyber criminals whose servers were taken offline when McColo went dark will eventually find other places to operate their servers and will rebuild their illegal businesses. In the meantime, you and I can enjoy a few days relief from the constant onslaught of spam that paralyzes our inboxes every day. I can only hope that this shutdown will be a major inconvenience to them and will cost them a lot of time and money to rebuild. You and your friends can do your part by deleting all spam messages and by never ever buying anything that is spamvertised!

If you are in need of an effective spam filtering program that sits ahead of your email client, I use and recommend MailWasher Pro. MailWasher Pro intercepts your incoming POP3 email and filters out spam before you download it to your desktop email application.


November 12, 2008

Spybot Search and Destroy Definitions Updated on 11/12/2008

If you are using "Spybot Search and Destroy" to protect your PC against spyware infections and haven't updated it this week, be aware that updates to the definition files were released on schedule, on Wednesday this week, as listed below. Spyware and other classes of malicious programs are altered constantly to avoid detection by anti-spyware programs. Since Spybot S&D updates are only released on a weekly schedule (on Wednesdays) it is imperative that you make it a point to check for and download updates every week, preferably on Wednesday evenings. After downloading all available updates (from the best responding download server in the list of server locations), immunize*, then scan for and remove any detected malware. If Spybot is unable to remove an active threat it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.

If you arrived here by searching for the name of some malware that may be on your computer and you are not currently using Spybot Search and Destroy, you can download the latest version from the Spybot Search and Destroy Multi-Lingual Landing Page. Choose your language, then use the link in the left sidebar to go to the downloads page. Download the program from your closest mirror server, install it, update it (Updates button), then follow the instructions below to detect and remove any malware that is on your PC.

If you see a program listed in the detections below, by name, you should assume that it is malware (with the possible exception of the PUP group, which is up to user discretion). All of the programs listed with a single + sign are updated detections, while a double ++ in front of a name indicates a brand new detection. A number in parentheses, following a malware name, indicates the number of variants included in that detection. These programs are dangerous to your computer, and/or personal security or privacy.

* After updating your Spybot S&D definitions, if they include new "immunization" definitions you need to click on the "Immunize" button, then, if the status line tells you that additional immunizations are possible, click on the Immunize link, near the top of the program. It has a green + sign in a button. If you don't do this the new immunizations against hostile ActiveX programs will not be applied. After immunizing with any new detections, run a scan for malware by clicking on the "Spybot Search & Destroy" button, on the left panel, then on the button with the magnifying glass icon, labeled: "Check For Problems."

Spybot Updates - published every Wednesday

Spybot Search and Destroy 1.6 was released on July 8, 2008. It scans for threats about 4 times faster than previous versions and has a redesigned spyware removal engine. Upgrade now to Spybot S&D 1.6. The newest Virtumonde threats require the anti-malware engine in Spybot 1.6 to effectively remove them.

Work is progressing rapidly on the upcoming version 2.0 of Spybot Search and Destroy. Stay tuned for more details as they are announced.

Additions made on November 12, 2008:

Adware
++ PlayMP3z

Keyloggers (Keyloggers steal your typed logins and passwords)
+ Keylogger-Pro
+ PerfectKeylogger

Malware (Includes rogue or fake anti-virus and anti-spyware programs and fake registry cleaners and fake security alerts, plus other nasty programs)
+ AdDestination
+ ErrorClean
+ Fraud.XPAntivirus
+ Smitfraud-C.
++ Win32.KillFiles.ip
+ ZenoSearch

PUPS (Possibly UnPopular Software or Potentially Unwanted Program)
+ FunWebProducts
+ MyWay.MyWebSearch

Spyware
++ SuperYahooMessengerArchiveDecoder
++ Win32.Outlooker

Trojans (Trojans come to you disguised as something useful, or as a missing codec required to view a spammed video, but, like the Trojan Horse of antiquity, they hold dangerous contents that cause great harm!)
+ Smitfraud-C.MSVPS
+ Virtumonde
+ Virtumonde.sci
+ Virtumonde.sdn
+ Win32.Brontok
++ Win32.Delf.NKB
++ Win32.OnLineGames.dr
++ Win32.TDSS.rtk
+ Zlob.Downloader
+ Zlob.Downloader.ger

Total: 1096518 fingerprints in 293830 rules for 4396 products.
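The "+" / "++" legend and the "Total:" line follow the same shape every week, in this post and in the November 19 one above, so here is an added Python example (mine, not from the blog or from Team Spybot) that parses a listing into per-category counts of new and updated detections, honours the "(n)" variant-count convention, and computes how much the definition database grew between two weekly totals. The listing embedded below is the November 12 one from this post; the second Total line is the one from the November 19 post.

```python
import re
from collections import Counter

# The November 12, 2008 listing, copied from the post above. The "+" / "++"
# markers and the "(n)" variant counts follow the legend given in the post.
UPDATE_LISTING = """\
Adware
++ PlayMP3z

Keyloggers (Keyloggers steal your typed logins and passwords)
+ Keylogger-Pro
+ PerfectKeylogger

Malware (Includes rogue or fake anti-virus and anti-spyware programs and fake registry cleaners and fake security alerts, plus other nasty programs)
+ AdDestination
+ ErrorClean
+ Fraud.XPAntivirus
+ Smitfraud-C.
++ Win32.KillFiles.ip
+ ZenoSearch

PUPS (Possibly UnPopular Software or Potentially Unwanted Program)
+ FunWebProducts
+ MyWay.MyWebSearch

Spyware
++ SuperYahooMessengerArchiveDecoder
++ Win32.Outlooker

Trojans (Trojans come to you disguised as something useful, or as a missing codec required to view a spammed video, but, like the Trojan Horse of antiquity, they hold dangerous contents that cause great harm!)
+ Smitfraud-C.MSVPS
+ Virtumonde
+ Virtumonde.sci
+ Virtumonde.sdn
+ Win32.Brontok
++ Win32.Delf.NKB
++ Win32.OnLineGames.dr
++ Win32.TDSS.rtk
+ Zlob.Downloader
+ Zlob.Downloader.ger

Total: 1096518 fingerprints in 293830 rules for 4396 products.
"""

# The "Total:" line from the following week's post (November 19, 2008).
NOV19_TOTAL_LINE = "Total: 1187003 fingerprints in 338944 rules for 4407 products."

ENTRY_RE = re.compile(r"^(\+{1,2})\s+(\S.*?)(?:\s+\((\d+)\))?\s*$")
TOTAL_RE = re.compile(r"^Total:\s+(\d+) fingerprints in (\d+) rules for (\d+) products")


def parse_listing(text):
    """Parse one weekly listing into per-category counts plus the Total line.

    Returns (categories, totals): categories maps a category name to a Counter
    with keys "new", "updated" and "variants"; totals holds the three numbers
    from the Total line, or None when the listing has no such line.
    """
    categories, totals, current = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = TOTAL_RE.match(line)
        if m:
            totals = dict(zip(("fingerprints", "rules", "products"), map(int, m.groups())))
            continue
        m = ENTRY_RE.match(line)
        if m is None:
            # A category header; drop the explanatory text in parentheses.
            current = line.split(" (", 1)[0].strip()
            categories.setdefault(current, Counter())
            continue
        if current is None:
            raise ValueError(f"detection listed before any category header: {line!r}")
        marks, _name, variants = m.groups()
        categories[current]["new" if marks == "++" else "updated"] += 1
        # "(n)" after a name bundles n variants into one detection; otherwise count one.
        categories[current]["variants"] += int(variants) if variants else 1
    return categories, totals


def week_over_week(previous_totals, current_totals):
    """Growth of the definition database between two Total lines."""
    return {key: current_totals[key] - previous_totals[key] for key in current_totals}


if __name__ == "__main__":
    cats, totals = parse_listing(UPDATE_LISTING)
    for name, counts in cats.items():
        print(f"{name:<11} new={counts['new']:<3} updated={counts['updated']:<3} "
              f"variants={counts['variants']}")
    _, later = parse_listing(NOV19_TOTAL_LINE)
    print("growth by the following week:", week_over_week(totals, later))
```

Run against the two posts, the numbers back up the author's remark about the November 19 update: about ninety thousand new fingerprints arrived in a single week, most of them in the Trojans category.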

False positive detections reported or fixed this week:

Confirmed false positive detection of "Spyware Cease" as "Malware." This was fixed in today's updates. The program is not a threat at all.

There were reported false positives of a Virtumonde.sdn infection within C:\Windows\system32\ptipbmf.dll and also in c:\windows\system32\psqlpwd.dll. These were fixed with today's F/P optional updates.

If you wish to report or discuss a possible false positive detection by Spybot S&D, please read this first.

Extended Comments

Malware Removal Guides

The good folks at Spybot S&D have started a new segment of their official forums, titled "Malware Removal Guides." Each week they intend to write a short self-help article to help you remove various common malware threats manually, or in conjunction with Spybot S&D. This should prove to be a very useful addition to the Spybot forums.

If you are still using Spybot S&D 1.3, or 1.4, update support is about to end and your computer will be at greater risk because of having outdated definitions. Furthermore, older versions of Spybot are known to report lots of false positives, due to the advanced heuristic rules now found in the newer definition files.

If you are using any version older than 1.6 please upgrade to the current version of Spybot S&D, which is now 1.6.0.30, as soon as possible. New definitions for malware like the Virtumonde family of Trojans need the newer processing technologies introduced in version 1.6.0.

Virtumonde (also known as the Vundo Trojan) is a Trojan horse that is known to cause pop-ups and advertising for rogue anti-spyware programs. It also causes other problems, including performance degradation and denial of service with some websites including Google. It attaches itself to the operating system using phony Browser Helper Objects (BHOs) and .dll files attached to the Winlogon process and Windows Explorer.

With the release of Spybot-S&D 1.6, Team Spybot has spent a lot of energy and man-hours implementing some new technologies to improve Virtumonde detections, increasing their detection range by more than 40% to more than 250,000 detection patterns to identify more than one million malware "fingerprints."

To benefit from these improvements, I recommend that you update to Spybot Search & Destroy 1.6, which is available through the update function integrated into the application as well as from the Spybot S&D download page.

If your computer gets stuck in a logon/logoff loop, after updating and scanning with the older versions of Spybot, visit this forum page for a solution, from Team Spybot.

Of continued concern to people who operate as Limited or Power Users for their daily browsing and email, Spybot Search and Destroy is still corrupting your less privileged accounts after you update it, immunize and scan from an Administrator level account. If, after doing these things, you log off the Administrator account and try to log into your Limited/Power User account, it may be corrupted and a generic desktop and start menu may appear. Don't panic! Your account and desktop can be restored by simply rebooting the computer. When you log in after the reboot your previous settings will reappear. I don't know why this happens, but, stuff happens! It may be related to the relatively new rootkit detection added last year.

If you want to get direct assistance from Team Spybot, or their talented volunteers, visit the Spybot support forums, sign up for a user account and post your request for assistance. Be sure to read the rules before posting a question or reply.

If your computer is infected and you need help removing the threats, go to the Malware Removal Forums, at Safer Networking/Spybot.info. Again, read the rules before posting your request or logs! Do NOT inject your problem into somebody else's thread! Start a new topic.

If Spybot flags a file on your computer that you believe is a false positive detection, use caution and check with the Spybot False Positives Forum before allowing it to be deleted. You can submit a report to the Spybot False Positives forum, after signing up for an account and reading about how to report false positives before submitting your report and request for analysis.


AVG False Positive Cripples Windows XP PCs, on November 9, 2008

A faulty definitions update issued on November 9, 2008 caused AVG Anti Virus 7.5 and 8.0 (free and paid versions) to either automatically or manually delete and/or quarantine a required Windows XP system file, User32.dll, as soon as a scheduled scan came to that file, or when a user opened the System32 directory to search files in it. Without this file in the System32 directory, Windows will not boot! AVG released updated definitions shortly thereafter to fix the false positive detection. If your computer was still on and you checked for AVG updates again before shutting it down, you may have received the patched definitions and are OK to operate as usual. You will know the next time you reboot or shut down and restart your computer!

If this bad update occurred while your PC was operating and you either rebooted, or shut it down, before obtaining the updates that fixed the false detection, it will not boot into Windows again until you disable the AVG Resident shields using the Recovery Console and restore user32.dll from a backup image, or location, or from your Windows XP CD.

The system can be restored by using the Windows XP Recovery Console to copy a backup of User32.dll into the System32 directory. If you have already installed the Recovery Console as a boot option, boot into it, then run the copy command listed in the next paragraph.

If you haven't installed the Recovery Console, but you do have your bootable Microsoft XP CD, it contains the Recovery Console. Boot from the Microsoft Windows XP CD and choose Setup Option "R" to Repair your Windows Installation using the "Recovery Console." You will be taken to a black screen with white text which will halt at a blinking command prompt (just like MS DOS). The Recovery Console command to type in would be as follows:

copy c:\windows\system32\dllcache\user32.dll c:\windows\system32\user32.dll

Press Enter and wait a second or two. If it reports "1 file copied" then the Windows boot portion of the problem is fixed. However, you will still need to disable the AVG Resident shields from the Recovery Console, as described in my extended comments and on the AVG Support website, until you are able to boot into Windows and run a manual check for AVG updates and receive the patched definitions file. Don't forget to reactivate the resident shields after updating the definitions (as described in my extended comments or on the AVG Support site)!

If the above command fails, try the following:

copy c:\windows\servicepackfiles\i386\user32.dll c:\windows\system32\user32.dll

If that doesn't work you will have to expand and copy it from the XP CD, as follows:

copy d:\i386\user32.dl_ c:\windows\system32\user32.dll

The above uses drive letter "d:" as the source for the CD drive containing the recovery media. Your CD drive letter may be different, depending on how many hard disks or partitions you have installed. So, for instance, if your Windows CD is in drive F, substitute F: for D: in the last command.


If this, or another update or software installation has crippled your PC and you use Acronis True Image to make daily backups, insert your bootable Acronis Recovery CD (you were told to create that CD when you installed Acronis True Image), boot into the rescue interface, locate the most recent backup of the entire computer and restore it to the C drive. You should be up and running within about a half hour, or so.

If you don't have any recent backup images, nor a Windows operating system CD, your OEM hard drive might have a hidden recovery partition on it. Reboot your computer and press the Pause key when the first screen appears. It will usually contain information about pressing a particular key to restore your computer to "Day-1" condition. You will lose everything you have saved or created since that day, but at least the PC will boot into Windows. This is a worst-case scenario for most of you.

How to disable the AVG Resident Shields via the Windows XP Recovery Console

If AVG has erroneously deleted a Windows System file named User32.dll and you are able to restore a fresh copy from a backup location, or using the Windows Recovery Console, you are only halfway done with the fix. Unless you disable certain AVG resident services there is a strong likelihood that AVG will delete the restored file as Windows is booting into its graphical interface (which User32.dll is part of). To save yourself a lot of repetitive recovery procedures, fix the whole ball of wax at the same time.

While still in the Recovery Console, either before or after having successfully restored a fresh copy of User32.dll to the Windows\System32 directory, type the following commands to disable the AVG Resident Shield from loading, pressing Enter after each one (some of these might not be present in all AVG editions):

For AVG 8.0 try these:

disable avgMfx86
disable avgMfa86
disable avgldx86
disable avglda86

For AVG 7.5 try these:

disable Avg7Core
disable Avg7RsW
disable AvgClean
disable Avg7RsXP
disable AvgMfx86

If you have not already restored User32.dll as described in my main comments, type the following command (in the Recovery Console):

expand D:\i386\user32.dl_ c:\windows\system32\

In case the command fails, use the following command to rename the original user32.dll (change to the c:\windows\system32 directory first, since the command uses a bare file name), then repeat the expand command above.

ren user32.dll user32.bak

Type "quit" to exit the Recovery Console and boot into Windows.

Re-enable the AVG Resident Shields

To enable the resident shields after restoring User32.dll, reboot into the Recovery Console again and at the command prompt type each of the following commands, pressing Enter after each one (only valid services will respond):

For AVG 8.0 try these:

enable avgMfx86
enable avgMfa86
enable avgldx86
enable avglda86

For AVG 7.5 try these:

enable Avg7Core
enable Avg7RsW
enable AvgClean
enable Avg7RsXP
enable AvgMfx86

Type "quit" to exit the Recovery Console and boot into Windows. When Windows finishes loading, look in your System Tray for the AVG icon, right-click on it and select Check for Updates (or whatever words are to that effect). Accept the new definitions and apply them. Open the interface by double-clicking on the AVG icon and find the settings for the various scanning options. In all instances, if the option is preset to automatically heal and quarantine suspected files, change it to "Ask me what to do," or similar wording. Click Apply, then use the Scan links to scan a particular file, navigate to C:\Windows\System32\user32.dll and scan the file. It should show as clean if you have obtained the corrected definition file.

Of course there is always the possibility that your user32.dll really is infected with an injected virus, or other malware threat. But, that's another story. This article is about a false positive detection in User32.dll.

AVG Support recommends downloading the latest version of your AVG program, then installing it using the Repair installation option. This will ensure that you have the most recent "engine" for your security application. If you use this method you need not use the Recovery Console to re-enable the resident shields, as this will be done by the Repair installation. Note, that you may need to re-enter (copy/paste) your AVG license code after using the Repair method.

Restart your computer and immediately update AVG to the latest definitions.

I hope this helps you!


November 9, 2008

My Spam analysis for Nov 3 - 9, 2008

If you are reading this you have a computer. If you have a computer you also probably have at least one email address. Unless you live on another planet, or your email provider only allows whitelisted email through, you, like me, get a lot of junk mail, a.k.a. "spam" messages. While spam is an annoyance to most people, it is combat for me. I publish custom spam filters to block spam email for people who use the MailWasher Pro anti-spam email client.

This is the latest entry in a weekly series about classifications of spam, according to my custom filter rules used by the anti-spam tool, MailWasher Pro.

MailWasher Pro is a spam screening POP3 email program that goes between your email servers and your desktop email client (application). With this program you can actually read all of your incoming email in plain text, and click on links, if you are so inclined. MailWasher Pro uses a variety of techniques to recognize and designate what is and isn't spam, including a learning filter and user created custom filter rules. I personally write and use MailWasher Pro custom filters to detect and delete most incoming spam email. I have created and published a large assortment of spam filters which "plug-in" to MailWasher Pro, to flag or delete known spam. You can read about them, or download and use them in your own registered copy of MailWasher Pro.

MailWasher Pro has a "Statistics" display page that breaks down the types of spam it has deleted, listed by categories. Each program and user-created filter has a name and when a measurable percentage of spam is matched by a particular filter it shows up in the Statistics, with its percentage shown next to it. The percentages for various categories of spam listed below are taken from my MailWasher Pro "Statistics" page.

The category "Other Filters" combines several of my custom filters which did not receive enough spam to rate a measurable percentage, thus were all grouped into the one category called "Other Filters." Since I have a lot of custom filters and spam types do vary every week, the Other Filters category is always quite large, percentage-wise.

When it comes to major spam runs, sent entirely through zombie computers which are unwittingly members of Botnets, certain types of spam rise to the top of the threat list, every week or two. The most common types of spam this week are for pirated software, fake diplomas and various pharmaceuticals, including male enhancement pills, Viagra, Cialis and other sex oriented drugs. This week I saw another resurgence in the amount of spam for the fake "Canadian Pharmacy." This type of spam had decreased after the arrest and indictment of some of the people behind these scams.

"Canadian Pharmacy" and its offshoot "Canadian Health and Care Mall" is a scam website, hosted unknowingly on hijacked (Botnetted) personal computers, or on bulletproof Chinese hosting servers owned by criminals in Russia. The prescription drugs and herbal remedies promoted by the fake Canadian Pharmacy come from a lab in India, named after a flower. Those prescription drugs are illegal to import into the US or Canada and may be seized by postal inspectors upon arrival.

The male enhancement spams are mostly leading to Botnetted computers hosting a web page touting VPXL, or other herbal enlargement formulas, all of which are scams. Male enhancement pills are totally ineffective and may even be dangerous to your health.

MailWasher Pro spam category breakdown for November 3 - 9, 2008. Spam amounted to 50% of my incoming email this week.


Other filters: (See my MWP Filters page) 22.75%
Viagra spam: 13.33%
Fake "Canadian Pharmacy" spam (Viagra, Cialis, etc): 10.98%
Male enhancement spam (subject or body): 10.98%
Pirated Software: 8.24%
Fake Diplomas: 6.67%
Casino Spam: 5.10%
HTML Tricks: 5.10%
Known Spam Subjects (by my filters): 4.31%
Misc. Pharmaceutical spam (inc. Viagra, Cialis, Levitra & misc. pills & herbals): 3.92%
Blacklisted Domains/Senders: (by pattern matching wildcard rules) 3.53%
Phishing Scams: 3.53%
Bayesian learning filter: 1.18%
DNS Blacklists: 0.39%

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as an incoming email screener for your POP email program (Microsoft Outlook, Microsoft Outlook Express, Microsoft Live Mail, Eudora, Mozilla and other stand-alone email programs).

All of the spam and scams targeting my accounts were either automatically deleted by my custom MailWasher Pro spam filters, or, if they made it through, were reported to SpamCop, of which I am a reporting member, and manually deleted. I never buy anything that is Spamvertised and recommend you don't either! Remember, almost all spam is now sent from compromised home or business PCs, zombies in various Botnets, all of which are controlled by criminals. If you purchase anything advertised in spam messages, you have given your credit or debit card information to the criminals behind that enterprise. If you are really lucky you will only be charged for the fake items you purchased, but, if not, you might find your credit limit used up, or your bank account emptied (for debit card transactions), by cyber criminals.

Also, unsubscribing through links in botnet-sent spam messages is futile, as you never opted-in, in the first place; your email address was captured by an email harvester on an infected computer belonging to somebody you corresponded with. Instead of receiving less spam as one might expect (by unsubscribing), all it does is confirm that your email address is active and you will see even more spam than before.

Another common way your email address may get harvested by spammers is if it appears in a large C.C. (Carbon Copy) list on a computer that gets Botnetted. Many people engage in forwarding messages among all their friends. Each time they forward chain letters their address gets added to the growing list of recipients (called Carbon Copy, or CC). If just one recipient of that message has an email harvesting malware infection, all of the email addresses listed in that message will be sent home to the spammer behind that spam run.

Smart folks who want to forward or send a message to multiple recipients use B.C.C. instead of C.C. Using B.C.C. hides all of the recipients from displaying. The To field will just show "Undisclosed Recipients" in a message sent using B.C.C. This is safest for you and your friends or mailing list. All email clients have a means of displaying a B.C.C. field.


November 8, 2008

.htaccess blocklist addition for prolific access log spammer

Today I reviewed my daily access log for this website, and I discovered a large number of repeated attempts to spam my access log, all coming from the IP address 64.182.124.212. The spam attempts were referrer field entries for a medical search engine and a social networking and dating website.

The IP address 64.182.124.212 belongs to a web hosting company known as CI Host, and is assigned to hosting customer PacificAir.com, an amateur looking website. The spamvertised websites in the referrer field look just as amateur as the PacificAir website and are hosted on the same server. The IP range assigned to CI Host is 64.182.0.0 through 64.182.255.255, or in CIDR notation: 64.182.0.0/16.

The way I respond to attempts to spam my access logs is that I place the offending IP address, and/or the CIDR of their hosting company, on my published IP blocklists. I did just that, placing the CIDR 64.182.0.0/16 on my Exploited Servers Blocklist. If you are getting spammed from the IP address 64.182.124.212 and want to block them in your .htaccess file, on your Apache-hosted website, just add one of the following rules to a section labeled <Files *>:

<Files *>
order deny,allow
deny from 64.182.124.212
</Files>

If, like me, you decide to block the entire ISP/web hosting company, use this rule:

<Files *>
order deny,allow
deny from 64.182.0.0/16
</Files>

NOTE:
If you have your website hosted by CI Host please read the warning in my extended comments!

WARNING
If you have your website hosted by CI Host, on a server within the IP range of 64.182.0.0 through 64.182.255.255, and you use this blocklist entry, you may block access to your own website. It's a good idea to discover your website's IP address first, just to be safe. You can do this from a Windows computer by opening a Command Window and typing in the following:

ping your-domain.com
Press Enter

Your website's IP address will be displayed in the results of the Ping test. You can also use Tracert your-domain.com to get the IP address.

If your IP is included in the blocked range you should poke a hole in the blocklist, as follows.

If some or all of your own webpages are 403'd by this blocklist, place your server's IP address(es) after "allow from" below, just before the closing </Files>. With "order deny,allow" an address that matches both a deny and an allow rule is allowed, so this line pokes the hole.

<Files *>
order deny,allow
deny from 64.182.0.0/16
#deny from - entire exploited servers list or other IP addresses, or CIDRs
allow from your server's IP
</Files>

Another way to avoid blocking access to a website hosted inside a denied IP range is to use all relative links on your web pages. This means that instead of having your internal links begin with http you would just have a forward slash (folder path) and file name. Here is an example of this: Instead of http://www.example.com/index.html you could use /index.html to go to your home page.
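The two halves of the procedure above, spotting the referrer spammer in the access log and then confirming that a deny/allow rule set will not lock out your own server, can be checked offline. The following is an added example, not code from the author's blocklist pages: it parses a few constructed Combined Log Format lines (the spamvertised referrer hosts and the server IP 64.182.50.10 are placeholders, not real addresses from the post), tallies hits whose Referer points at a foreign site, and emulates Apache 2.2 "order deny,allow" evaluation, where a deny match blocks the client unless an allow rule also matches and unmatched clients are allowed.

```python
import re
from ipaddress import ip_address, ip_network
from urllib.parse import urlparse

# Apache Combined Log Format:
# host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample log lines (not the author's real access log). The
# offending IP is the one named in the post; the referrer hosts are made up.
SAMPLE_LOG = """\
64.182.124.212 - - [08/Nov/2008:04:12:01 -0500] "GET /index.html HTTP/1.1" 200 5120 "http://medical-search.example/" "Mozilla/4.0"
64.182.124.212 - - [08/Nov/2008:04:12:03 -0500] "GET /blog/ HTTP/1.1" 200 8321 "http://dating-site.example/" "Mozilla/4.0"
64.182.124.212 - - [08/Nov/2008:04:12:05 -0500] "GET /index.html HTTP/1.1" 200 5120 "http://medical-search.example/" "Mozilla/4.0"
203.0.113.7 - - [08/Nov/2008:04:15:44 -0500] "GET /blog/ HTTP/1.1" 200 8321 "-" "Mozilla/5.0"
198.51.100.9 - - [08/Nov/2008:04:16:10 -0500] "GET /index.html HTTP/1.1" 200 5120 "http://www.example.com/blog/" "Mozilla/5.0"
"""

# Hostnames that legitimately refer visitors to this site (placeholder).
OWN_HOSTS = {"www.example.com"}


def parse_log(text):
    """Return one dict per well-formed log line; malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rows.append(m.groupdict())
    return rows


def referrer_spam_counts(rows, own_hosts, threshold=2):
    """Count hits per client IP whose Referer is a foreign site.

    Referrer spam is a foreign URL planted in the Referer header so it shows
    up in published log statistics. Only IPs at or above threshold are returned.
    """
    counts = {}
    for r in rows:
        ref = r["referer"]
        if ref == "-":
            continue
        host = urlparse(ref).hostname or ""
        if host in own_hosts:
            continue
        counts[r["ip"]] = counts.get(r["ip"], 0) + 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


def is_allowed(client_ip, deny, allow):
    """Emulate Apache 2.2 'order deny,allow' for a single client address.

    Deny rules are evaluated first; a denied client is still admitted if an
    allow rule matches it; a client matching nothing is allowed by default.
    """
    addr = ip_address(client_ip)
    denied = any(addr in ip_network(n, strict=False) for n in deny)
    allowed = any(addr in ip_network(n, strict=False) for n in allow)
    return allowed or not denied


def render_htaccess(deny, allow):
    """Render the <Files *> block in the form used on this page."""
    lines = ["<Files *>", "order deny,allow"]
    lines += ["deny from %s" % d for d in deny]
    lines += ["allow from %s" % a for a in allow]
    lines.append("</Files>")
    return "\n".join(lines)


if __name__ == "__main__":
    spammers = referrer_spam_counts(parse_log(SAMPLE_LOG), OWN_HOSTS)
    print("referrer spam sources:", spammers)
    deny = ["64.182.0.0/16"]
    allow = ["64.182.50.10"]  # placeholder: your own server, if it sits inside the denied range
    for ip in ["64.182.124.212", "64.182.50.10", "203.0.113.7"]:
        print(ip, "allowed" if is_allowed(ip, deny, allow) else "denied")
    print(render_htaccess(deny, allow))
```

Run it before uploading a new .htaccess: if `is_allowed` returns False for your own server's address, add that address to the allow list exactly as the "poke a hole" block above does.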

If you are interested in blocking unwanted traffic from other sources, I maintain published blocklists for China (and neighbors), Nigeria (and neighbors), and Russia and Turkey. Each of my blocklists is available in two formats; .htaccess and iptables. If your website is hosted on an Apache/Linux server and you have administrator/root access, you may be able to use the iptables format, in your Linux firewall. Otherwise, for shared hosting customers, use the .htaccess format in your public_html directory, or whatever your publicly visible web root folder is named.

If you find these blocklists beneficial to protecting your website, or server, donations are accepted on all of my blocklist pages and are most welcome.


Spybot Search and Destroy Definitions Updated on 11/5/2008

If you are using "Spybot Search and Destroy" to protect your PC against spyware infections and haven't updated it this week, be aware that updates to the definition files were released on schedule, on Wednesday this week, as listed below. Spyware and other classes of malicious programs are altered constantly to avoid detection by anti-spyware programs. Since Spybot S&D updates are only released on a weekly schedule (on Wednesdays) it is imperative that you make it a point to check for and download updates every week, preferably on Wednesday evenings. After downloading all available updates (from the best responding download server in the list of server locations), immunize*, then scan for and remove any detected malware. If Spybot is unable to remove an active threat it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.

If you arrived here by searching for the name of some malware that may be on your computer and you are not currently using Spybot Search and Destroy, you can download the latest version from the Spybot Search and Destroy Multi-Lingual Landing Page. Choose your language, then use the link in the left sidebar to go to the downloads page. Download the program from your closest mirror server, install it, update it (Updates button), then follow the instructions below to detect and remove any malware that is on your PC.

If you see a program listed in the detections below, by name, you should assume that it is malware (with the possible exception of the PUP group, which is up to user discretion). All of the programs listed with a single + sign are updated detections, while a double ++ in front of its name indicates a brand new detection. A number in parentheses, following a malware name, indicates the number of variants included in that detection. These programs are dangerous to your computer, and/or personal security or privacy.

* After updating your Spybot S&D definitions, if they include new "immunization" definitions you need to click on the "Immunize" button, then, if the status line tells you that additional immunizations are possible, click on the Immunize link, near the top of the program. It has a green + sign in a button. If you don't do this the new immunizations against hostile ActiveX programs will not be applied. After immunizing with any new detections, run a scan for malware by clicking on the "Spybot Search & Destroy" button, on the left panel, then on the button with the magnifying glass icon, labeled: "Check For Problems."

Spybot Updates - published every Wednesday

Spybot Search and Destroy 1.6 was released on July 8, 2008. It scans for threats about 4 times faster than previous versions and has a redesigned spyware removal engine. Upgrade now to Spybot S&D 1.6. The newest Virtumonde threats require the anti-malware engine in Spybot 1.6 to effectively remove them.

Work is progressing rapidly on the upcoming version 2.0, of Spybot Search and Destroy. Stay tuned for more details as they are announced.

Additions made on November 5, 2008:

Keyloggers (Keyloggers steal your typed logins and passwords)
+ Ardamax

Malware (Includes rogue or fake anti-virus and anti-spyware programs and fake registry cleaners and fake security alerts, plus other nasty programs)
+ AntiSpyCheck
+ AntiSpywareMaster
+ Fake.MSAntivirus
+ FakeAlert.cc
++ FakeBill.CourtCologne
+ Fraud.Antivirus2008
++ Fraud.AntiVirusLab2009
+ Fraud.PC-Antispy
+ Fraud.PCHealth
++ Fraud.PCProtectionCenter2008
++ Fraud.PowerAntivirus
+ Fraud.SystemAntivirus
++ Fraud.VirusResponseLab2009
+ Fraud.XPAntivirus
+ MicroAntivirus
+ PCCleanPro
++ RapidAntivirus
+ Smitfraud-C.
+ Smitfraud-C.gp
+ SpywareBOT
++ SpywareCease
+ UltimateAntivirus2008
+ VistaAntivirus2008
++ Win32.mIRC.603
++ Win32.VB.dn
+ Win32.Renos
+ XPSecurityCenter
+ YourWebSafe

PUPS (Possibly UnPopular Software or Potentially Unwanted Program)
++ Joke.Password
++ MSNFlood
+ FunWebProducts
+ MyWay.MyWebSearch
+ WildTangent

Trojans (Trojans come to you disguised as something useful, or as a missing codec required to view a spammed video, but, like the Trojan Horse of antiquity, they hold dangerous contents that cause great harm!)
++ Facegame
+ Hupigon
+ Netbus
++ PoisonIvy
++ Rbot.XXY
+ RS32UPS.ru
+ Virtumonde
+ Virtumonde.dll
+ Virtumonde.sci
+ Virtumonde.sdn
++ Win32.Agent.aec
++ Win32.Agent.aiae
++ Win32.Agent.jg
+ Win32.Agent.alo
++ Win32.Agent.nmy
++ Win32.Agent.wf
++ Win32.Anilogo.i
+ Win32.Autoit.p
++ Win32.BHO.gok
+ Win32.BHO.je
++ Win32.Delf.phh
++ Win32.DNSChanger.axi
++ Win32.Drefir.e
++ Win32.Pakes.kso
++ Win32.Rbot.vd
++ Win32.Rbot.viy
+ Win32.SdBot.aad
++ Win32.VB.bco
+ Zlob.Downloader
+ Zlob.Downloader.bit

Total: 861687 fingerprints in 264737 rules for 4396 products.

False positive detections reported or fixed this week:

There is a confirmed false positive detection of Virtumonde.sdn: [SBI $68FD4395] Library (File, nothing done), in C:\WINDOWS\system32\tphklock.dll. This was fixed with this week's F/P optional updates.

A customer ran the "right-click Spybot scan" in explorer over Symantec Ghost Solution Suite v2.5 and SpybotSD 1.6.0.30 with detection updates from October 15 through 29, 2008 reported that one file "gdiplus.dll" contained "Caishow" under the "Heuristics" section. This is a false positive that is fixed with this week's F/P updates.

There is a discussion underway between Frank Bauer, Co-owner of ViralURL.com, and Team Spybot, regarding the blacklisting of his website, which is in Spybot's HOSTS file immunizations. At this point the URL remains blacklisted. If this changes I will so inform you. If you have business with that website, and use Spybot S&D, you will have to manually remove its entry from your HOSTS file.

Extended Comments

Malware Removal Guides

The good folks at Spybot S&D have started a new segment of their official forums, titled "Malware Removal Guides." Each week they intend to write a short self-help article to help you remove various common malware threats manually, or in conjunction with Spybot S&D. This should prove to be a very useful addition to the Spybot forums.

If you are still using Spybot S&D 1.3, or 1.4, update support is about to end and your computer will be at greater risk because of having out-dated definitions. Furthermore, older versions of Spybot are known to report lots of false positives, due to the advanced heuristic rules now found in the newer definition files.

If you are using any version older than 1.6 please upgrade to the current version of Spybot S&D, which is now 1.6.0.30, as soon as possible. New definitions for malware like the Virtumonde family of Trojans need the newer processing technologies introduced in version 1.6.0.

Virtumonde (also known as the Vundo Trojan) is a Trojan horse that is known to cause pop-ups and advertising for rogue anti-spyware programs. It also causes other problems, including performance degradation and denial of service with some websites including Google. It attaches itself to the operating system using phony Browser Helper Objects (BHOs) and .dll files attached to the Winlogon process and Windows Explorer.

With the release of Spybot-S&D 1.6, Team Spybot has spent a lot of energy and man-hours implementing some new technologies to improve Virtumonde detections, increasing their detection range by more than 40% to more than 250,000 detection patterns to identify more than one million malware "fingerprints."

To benefit from these improvements, I recommend that you update to Spybot Search & Destroy 1.6, which is available through the update function integrated into the application as well as from the Spybot S&D download page.

If your computer gets stuck in a logon/logoff loop, after updating and scanning with the older versions of Spybot, visit this forum page for a solution, from Team Spybot.

Of continued concern to people who operate as Limited or Power Users for their daily browsing and email, Spybot Search and Destroy is still corrupting your less privileged accounts after you update it, immunize and scan from an Administrator level account. If, after doing these things, you log off the Administrator account and try to log into your Limited/Power User account, it may be corrupted and a generic desktop and start menu may appear. Don't panic! Your account and desktop can be restored by simply rebooting the computer. When you login after the reboot your previous settings will reappear. I don't know why this happens, but, stuff happens! It may be related to the relatively new rootkit detection added last year.

If you want to get direct assistance from Team Spybot, or their talented volunteers, visit the Spybot support forums, sign up for a user account and post your request for assistance. Be sure to read the rules before posting a question or reply.

If your computer is infected and you need help removing the threats, go to the Malware Removal Forums, at Safer Networking/Spybot.info. Again, read the rules before posting your request or logs! Do NOT inject your problem into somebody else's thread! Start a new topic.

If Spybot flags a file on your computer that you believe is a false positive detection, use caution and check with the Spybot False Positives Forum before allowing it to be deleted. You can submit a report to the Spybot False Positives forum, after signing up for an account and reading about how to report false positives before submitting your report and request for analysis.


November 2, 2008

My Spam analysis for Oct 27 - Nov 2, 2008

If you are reading this you have a computer. If you have a computer you also probably have at least one email address. Unless you live on another planet, or your email provider only allows whitelisted email through, you, like me, get a lot of junk mail, a.k.a. "spam" messages. While spam is an annoyance to most people, it is combat for me. I publish custom spam filters to block spam email for people who use the MailWasher Pro anti-spam email client.

This is the latest entry in a weekly series about classifications of spam, according to my custom filter rules used by the anti-spam tool, MailWasher Pro.

MailWasher Pro is a spam screening POP3 email program that goes between your email servers and your desktop email client (application). With this program you can actually read all of your incoming email in plain text, and click on links, if you are so inclined. MailWasher Pro uses a variety of techniques to recognize and designate what is and isn't spam, including a learning filter and user created custom filter rules. I personally write and use MailWasher Pro custom filters to detect and delete most incoming spam email. I have created and published a large assortment of spam filters which "plug-in" to MailWasher Pro, to flag or delete known spam. You can read about them, or download and use them in your own registered copy of MailWasher Pro.

MailWasher Pro has a "Statistics" display page that breaks down the types of spam it has deleted, listed by categories. Each program and user-created filter has a name and when a measurable percentage of spam is matched by a particular filter it shows up in the Statistics, with its percentage shown next to it. The percentages for various categories of spam listed below are taken from my MailWasher Pro "Statistics" page.

The category "Other Filters" combines several of my custom filters which did not receive enough spam to rate a measurable percentage, thus were all grouped into the one category called "Other Filters." Since I have a lot of custom filters and spam types do vary every week, the Other Filters category is always quite large, percentage-wise.

When it comes to major spam runs, sent entirely through zombie computers which are unwittingly members of Botnets, certain types of spam rise to the top of the threat list, every week or two. The most common types of spam this week are for casinos, loans, and pharmaceuticals, including male enhancement pills, Viagra, Cialis and other sex oriented drugs. This week I saw a resurgence in the amount of spam for the fake "Canadian Pharmacy." This type of spam had decreased after the arrest and indictment of some of the people behind these scams.

Canadian Pharmacy is a scam website, hosted unknowingly on hijacked (Botnetted) personal computers, or on bulletproof Chinese hosting servers owned by criminals in Russia. The prescription drugs and herbal remedies promoted by the fake Canadian Pharmacy come from a lab in India, named after a flower. Those prescription drugs are illegal to import into the US or Canada and may be seized by postal inspectors upon arrival.

The male enhancement spams are mostly leading to Botnetted computers hosting a web page touting VPXL, or other herbal enlargement formulas, all of which are scams. Male enhancement pills are totally ineffective and may even be dangerous to your health.

MailWasher Pro spam category breakdown for October 27 - November 2, 2008. Spam amounted to 61% of my incoming email this week.


Casino Spam: 18.03%
Other filters: (See my MWP Filters page) 12.68%
Loans/Bankruptcy/Refinance/Insurance Scams: 12.68%
Known Spam Domains: (mostly pharmaceutical spam) 10.70%
Misc. Pharmaceutical spam (inc. Viagra, Cialis, Levitra & misc. pills & herbals): 10.14%
Viagra spam: 9.58%
Male enhancement spam (subject or body): 9.01%
Known Spam Subjects (by my filters): 5.07%
Fake "Canadian Pharmacy" spam (Viagra, Cialis, etc): 4.23%
Phishing Scams: 2.54%
HTML Tricks: 2.54%
Blacklisted Domains/Senders: (by pattern matching wildcard rules) 1.69%
DNS Blacklists: 1.13%

If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as an incoming email screener for your POP email program (Microsoft Outlook, Microsoft Outlook Express, Microsoft Live Mail, Eudora, Mozilla and other stand-alone email programs).

All of the spam and scams targeting my accounts were either automatically deleted by my custom MailWasher Pro spam filters, or, if they made it through, were reported to SpamCop, of which I am a reporting member, and manually deleted. I never buy anything that is Spamvertised and recommend you don't either! Remember, almost all spam is now sent from compromised home or business PCs, zombies in various Botnets, all of which are controlled by criminals. If you purchase anything advertised in spam messages, you have given your credit or debit card information to the criminals behind that enterprise. If you are really lucky you will only be charged for the fake items you purchased, but, if not, you might find your credit limit used up, or your bank account emptied (for debit card transactions), by cyber criminals.

Also, unsubscribing through links in botnet-sent spam messages is futile, as you never opted-in, in the first place; your email address was captured by an email harvester on an infected computer belonging to somebody you corresponded with. Instead of receiving less spam as one might expect (by unsubscribing), all it does is confirm that your email address is active and you will see even more spam than before.

Another common way your email address may get harvested by spammers is if it appears in a large C.C. (Carbon Copy) list on a computer that gets Botnetted. Many people engage in forwarding messages among all their friends. Each time they forward chain letters their address gets added to the growing list of recipients (called Carbon Copy, or CC). If just one recipient of that message has an email harvesting malware infection, all of the email addresses listed in that message will be sent home to the spammer behind that spam run.

Smart folks who want to forward or send a message to multiple recipients use B.C.C. instead of C.C. Using B.C.C. hides all of the recipients from displaying. The To field will just show "Undisclosed Recipients" in a message sent using B.C.C. This is safest for you and your friends or mailing list. All email clients have a means of displaying a B.C.C. field.


About the author

Wiz's Blog is written by Bob "Wiz" Feinberg, an experienced freelance computer consultant, troubleshooter and webmaster. Wiz's specialty is in computer and website security. Wizcrafts Computer Services was established in 1996.

I produce this blog and website at my own expense. If you find this information valuable please consider making a donation via PayPal.

Follow @Wizcrafts on Twitter, where I post short updates on security issues, spam trends and things that just eat at my craw.

This weblog is licensed under a Creative Commons License.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.
Powered by Movable Type