Wiz's Computer and Website Security Blog

Spybot Search & Destroy is a free (for personal non-business use) anti-spyware/spyware removal program used by millions of people around the World, to protect their computers from spyware, adware, Trojans and other types of malware. Spybot updates for malware detections are released every Wednesday and this week's updates were released on schedule. If you are using Spybot S&D to protect your computer you should check for updates every Wednesday afternoon and apply all that are available.

Malware writers are constantly modifying their programs to evade detection, so anti-malware vendors have to issue regular updates to keep up with the bad guys. New definitions and false positive fixes for Spybot Search and Destroy are usually released every Wednesday. This week's updates were released on schedule, as listed below. 3 new or modified fake security programs (fraudulent anti virus/spyware) were added to the "Malware" detections, plus 13 new or modified Trojans, rootkits and spam bots were added to the "Trojan" list. These include a variant of the infamous Zbot, a.k.a Zeus, banking Trojan. If you have the Zbot on your computer and use that PC for online banking, call your bank right away. Cyber-criminals in Eastern Europe may have already emptied your accounts!

Note: one + sign before a detection indicates an update to an existing malware family for which previous definitions have been released. Two ++ signs indicate a completely new detection of a new or rewritten malware type.

Definition updates made on 03/31/2010

Malware
++ Fraud.ControlComponents
++ Fraud.PCBugFinderPro
+ Fraud.Sysguard
+ Lop
+ Smitfraud-C.
+ Win32.Agent.ieu

Security
+ Microsoft.Windows.RedirectedHosts

Spyware
+ AdRotator
++ Fake.AdobeUpdater
+ Win32.Spynet.a

Trojans
+ Virtumonde.dll
+ Virtumonde.sci
+ Virtumonde.sdn
+ Win32.Agent.exp
++ Win32.Agent.per
++ Win32.Agent.spy
++ Win32.Agent.sun
++ Win32.AutoRun.tmp
++ Win32.OnLineGames.tnfg
++ Win32.OnLineGames.tnmk
++ Win32.OnLineGames.tnrh
++ Win32.OnLineGames.utvz
+ Win32.ZBot

Worm
+ Win32.Amburadul

Total: 2168355 checksums in 814643 rules for 5285 products.

False Positives Reported This Past Week

One possible false positive was reported for this week and is still under investigation. It is possible that people with Avast Pro 5.0.462 and Spybot will get a report that they have a rootkit named "Win32.ZBot.rtk" in various strange files, after updating to the 3/31/2010 definitions. I'll update when something is finally determined

Installing or uninstalling and Immunizing Spybot S&D

Installing, upgrading to a new version, or uninstalling Spybot requires Administrator level privileges. Updating definitions does not require these permissions most of the time. But, to immunize against all threats does require Admin privileges. If you. like me, operate as a Power/Standard User, you can right-click on the icon to launch Spybot S&D and Run As (an) Administrator. From there you can download the latest definitions, immunize completely and scan/disinfect with full administrator authority.

Updating Spybot Search and Destroy

Before you update Spybot Search and Destroy make sure you have the latest official version. Older versions are no longer supported and will cause you a lot of grief when you immunize and scan for problems. Only download Spybot S&D from the official website, at: spybot.info, or from its alternate domain: Safer-Networking.org. Fake versions with similar names will rip you off for payment to remove threats, whereas the real Spybot Search & Destroy is free for personal use. No subscriptions, no download fees, but, donations are gladly accepted.

In case you are new to Spybot S&D, there are two ways to update the program and malware definitions. The preferred method (For Windows PCs) is to go to Start > (All) Programs > Spybot - Search & Destroy > Update Spybot - S&D. The independent update box will open. Leave the default options as is, unless you need all languages or want beta definitions, and click on "Search." Another box will open with "mirror" locations around the world where you can download updates. Select a location nearest to you from the list and click on "Continue." Make sure all updates are checked, then click on "Download." If all definitions are verified as being correct the check marks will disappear from the check boxes and be replaced with green arrow graphics. However, sometimes one or more mirror locations have not updated all of the definitions and you will get a red X for those definitions. Click on Go Back, select a different mirror, and try again. I have consistent success using Giganet or the Safer-Networking servers. When all updates have succeeded, click on "Exit."

You can also download the latest definition includes file from a clean PC and save them to a removable disk or drive, then install them into the Spybot S&D program while the infected PC is offline. This helps you disinfect a PC that cannot presently get online, or cannot access security websites for updates (because of the Conficker or similar malware), or due to other networking problems. The downloaded definition includes will look for a typical Spybot installation location and will update it instantly, as long as the program is closed during the updating process.

Download links and more instructions about using Spybot Search and Destroy are in my article titled "How to use Spybot Search & Destroy to fight malware".

TeaTimer false positives

In the case of Teatimer false positives that are fixed by updates, TeaTimer will have to be restarted after the update is applied. TeaTimer cannot be updated with new definitions if it is still running! After you update definitions to fix false positives, a restart of either TeaTimer or the Computer is required. If this doesn't fix the false positives, you may need to reset the TeaTimer detection list, as follows:

Right click the (TeaTimer) Resident tray icon
Select "Reset lists"

Alternately, close and restart TeaTimer using this method:

* start Spybot S&D
* switch to advanced mode
* navigate to "Tools" , then "Resident"
* uncheck the check box for Resident TeaTimer to close TeaTimer
* wait a bit so TeaTimer can unload completely, for instance wait 1min
* check the check box for Resident TeaTimer again to restart the TeaTimer

If that fails also, please read the rest of the things to try on this forum page, in replies #2 and #4.

When TeaTimer blocks the file you can also allow the file to be executed (also remove the check mark for deletion). You can exclude any file from further detections during a scan by right clicking the items in the Spybot S&D scan result and select "exclude this detection from further searches"

If you are running several brands of security software, make sure that only one active protection (realtime monitoring) feature runs at a time. In case you want to deactivate the TeaTimer, to avoid conflicts, you can do this in Spybot S&D advanced mode in Tools - Resident, as described above..

Posted by Wiz at 4:53 PM | Permalink

back to top ^

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam either manually or automatically when a user-defined filter, or the built-in learning filter, or a blacklist entry, or known spam source is matched, or an attached virus is detected.

Spam levels have decreased 2% this week from last week's level. Fluctuations in spam levels sometimes are seasonal, or may be due to problems or successes Bot-masters have with maintaining the command and control (C&C) servers used to reactivate sleeping zombie computers in their spam Botnets. Or, these changes in spam levels may be caused when large numbers of zombie computers are disinfected, or taken offline by the ISPs who provide Internet connectivity to them. In case you didn't already know this, almost all spam is now sent from "zombie" computers in spam Botnets, unbeknownst to the owners of those infected PCs.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. This past week again saw a typical variety of categories of spam, led by counterfeit Viagra and other illicit prescription drugs dispensed without the required prescriptions. The totally fake Canadian Pharmacy is back in the count, with a lot of landing pages hosted on spaces.live.com pages. Other measurable categories of spam included counterfeit watches, fake diplomas, pirated Adobe software, Russian bride dating scams and Phishing scams. The Phishing scams included a bunch forging the US IRS as the sender, with subjects pertaining to alleged underreported income. The links in those scams lead to the download and installation of the ZBot/Zeus Trojan keylogger and backdoor.

My updated blacklisted senders list proved very effective this week, auto-deleting over 20% of all incoming spam (see my extended content for details). I saw another increase in the number of emails forging my own accounts as the senders, with 60 this week. This illegal practice is known as a "Joe Job" and it is used to slip spam past our filters. Joe Jobs depend on people whitelisting their own accounts and domains.

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets and all email sender addresses are forged, there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job." Fortunately, MailWasher Pro has a custom filter option that overrides the "Friends" list (a Whitelist of approved senders), allowing user created spam filters to read the content and flag or auto delete spam that's using one's own accounts as the forged sender.

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for March 22 - 28, 2010, and the latest additions to my custom MailWasher Pro filters and Blacklist.

MailWasher Pro spam category breakdown for March 22 - 28, 2010. Spam amounted to 56% of my incoming email this week. This represents a -2% change from last week.

This was a medium week for updates to my custom spam filters. The latest updates to my custom MailWasher Pro filters were to these filters:

Known Spam Domains
Male Enhancement [B]
Phishing Scam [S or F]
Phishing Scam [B]
Porn Spam
Viagra.com
Viagra Spam [S]
New: Subject is Date and Time
New: Chase Bank Online legitimate filter

The following recent MailWasher Pro Email Blacklist entries were able to block over 20% of this week's spam. Some weeks will have higher percentages of blacklisted senders, depending on which Botnets are used to send those messages, with forged sender names and email addresses. Since the Blacklist is processed before the custom filters, the processing time and cpu load is greatly reduced.
+@+.cn
+@+.de
+@+.hk
+@+.jp
+@+.kr
+@+.ru
+@+.tw
[email protected]
+@*.hinet.net
+@*ukrtel.net
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
notification*@googlemail.com
[email protected]
[email protected]
[email protected]
[email protected] (New)

About MailWasher Pro

MailWasher Pro intercepts POP3 and IMAP email before you download it to your desktop email client (e.g: Microsoft Outlook, Outlook Express, Windows Live Mail) and scans it for threats or spam content, then either manually or automatically deletes any messages matching your pre-determined criteria and custom filters. It is my primary line of defense against incoming spam, scams, phishing and exploit attacks. If you are not already using this fine anti-spam tool I invite to to read about it on my MailWasher Pro web page. You can download the latest version and try it for free for a month. Registration costs just $39.95 and is only required once, for the life of the program.

All of the spam and scams targeting my accounts were either automatically deleted by my custom MailWasher Pro spam filters, or if they made it through, was reported to SpamCop, of which I am a reporting member, and manually deleted. MailWasher Pro is able to forward messages marked as spam to SpamCop, which then sends a confirmation email to you, containing a link. You must click on the enclosed reporting link and open it in your browser, then manually submit your report. This is how SpamCop wants it done.

If you use a POP email client on your desktop to send and receive your email, rather than your browser, you too will benefit from the added protection that MailWasher Pro provides. I can't even begin to tell you how many dangerous attachments, exploit encoded messages, 419 fraud, as well as courier, bank, eBay and PayPal phishing scams, plus hundreds of hostile link emails it has deleted, after identifying them with my rules and its own heuristic and known spam detections.

Finally, many security threats will come to you via spam email; some in hostile attachments, some as "phishing" scams, some as financial fraud or money laundering scams, and many more in links to web pages rigged to serve up exploit codes or Trojan downloads.You need really good up-to-date protection to fight off the multitude of attack codes flying like machine gun bullets these days. To protect your computer from web pages rigged with exploit codes, malware in email attachments, dangerous links to hostile web pages, JavaScript redirects, Phishing scams, or router DNS attack codes, I recommend Trend Micro Internet Security (or Internet Security Pro for travelers). It has strong realtime monitoring modules that stop rootkits and spam Trojans from installing themselves into your operating system. Also known as PC-cillin, it is very frequently updated as new and altered malware definitions become available and it checks for web based threats and new malware definitions by searching secure online servers owned by Trend Micro. This is referred to as "in-the-cloud" security. Best of all, you can try it fully functional for a month, then decide to pay to keep it or uninstall it.

See you all next week, same time, same station! Keep the sunny side up and don't take no wooden nickles!

Wiz - out

Posted by Wiz at 11:48 AM | Permalink

back to top ^

Spybot Search & Destroy is a free (for personal non-business use) anti-spyware/spyware removal program used by millions of people around the World, to protect their computers from spyware, adware, Trojans and other types of malware. Spybot updates for malware detections are released every Wednesday and this week's updates were released on schedule. If you are using Spybot S&D to protect your computer you should check for updates every Wednesday afternoon and apply all that are available.

Malware writers are constantly modifying their programs to evade detection, so anti-malware vendors have to issue regular updates to keep up with the bad guys. New definitions and false positive fixes for Spybot Search and Destroy are usually released every Wednesday. This week's updates were released on schedule, as listed below. 6 new or modified fake security programs (fraudulent anti virus/spyware) were added to the "Malware" detections, plus 25 new or modified Trojans, rootkits and spam bots were added to the "Trojan" list. These include 2 variants of the infamous Zbot, a.k.a Zeus, banking Trojan. If you have the Zbot on your computer and use that PC for online banking, call your bank right away. Cyber-criminals in Eastern Europe may have already emptied your accounts!

Note: one + sign before a detection indicates an update to an existing malware family for which previous definitions have been released. Two ++ signs indicate a completely new detection of a new or rewritten malware type.

Definition updates made on 03/24/2010

Adware
++ WhereSphere

Malware
+ FakeAlert.gen
+ Fraud.PersonalSecurity
++ Fraud.SecurityGuard
+ Fraud.Sysguard
++ Fraud.SystemDefence
++ Fraud.UserProtection
++ IRC.wbp
+ Lop
+ Win32.FraudLoad.edt
++ Win32.Refpron
+ Win32.Virut.ag

Spyware
+ Win32.Spynet.a

Trojans
+ Virtumonde.sci
+ Virtumonde.sdn
++ Win32.Agent.ddrv
++ Win32.Agent.inc
++ Win32.Agent.mscs
++ Win32.Agent.phe
++ Win32.Agent.syn
++ Win32.Agent.tmp
++ Win32.Agent.wer
+ Win32.Ambler
++ Win32.Autoit.xp
++ Win32.Banker.pp
+ Win32.CeeInject
+ Win32.FakeAlert.ttam
+ Win32.FraudPack
+ Win32.Monderb.aqpu
++ Win32.OnLineGames.breq
++ Win32.OnLineGames.mfcu
++ Win32.OnLineGames.mfew
++ Win32.OnLineGames.usco
++ Win32.OnLineGames.uvqe
++ Win32.OnLineGames.uvwv
++ Win32.Runouce.ch2
+ Win32.ZBot
+ Win32.ZBot.rtk

Total: 2166574 checksums in 813768 rules for 5286 products.

False Positives Reported This Past Week

One possible false positive was reported for this week, as of the time this article was published. It is still being investigated, as it may be a legitimate Windows file.

Installing or uninstalling and Immunizing Spybot S&D

Installing, upgrading to a new version, or uninstalling Spybot requires Administrator level privileges. Updating definitions does not require these permissions most of the time. But, to immunize against all threats does require Admin privileges. If you. like me, operate as a Power/Standard User, you can right-click on the icon to launch Spybot S&D and Run As (an) Administrator. From there you can download the latest definitions, immunize completely and scan/disinfect with full administrator authority.

Updating Spybot Search and Destroy

Before you update Spybot Search and Destroy make sure you have the latest official version. Older versions are no longer supported and will cause you a lot of grief when you immunize and scan for problems. Only download Spybot S&D from the official website, at: spybot.info, or from its alternate domain: Safer-Networking.org. Fake versions with similar names will rip you off for payment to remove threats, whereas the real Spybot Search & Destroy is free for personal use. No subscriptions, no download fees, but, donations are gladly accepted.

In case you are new to Spybot S&D, there are two ways to update the program and malware definitions. The preferred method (For Windows PCs) is to go to Start > (All) Programs > Spybot - Search & Destroy > Update Spybot - S&D. The independent update box will open. Leave the default options as is, unless you need all languages or want beta definitions, and click on "Search." Another box will open with "mirror" locations around the world where you can download updates. Select a location nearest to you from the list and click on "Continue." Make sure all updates are checked, then click on "Download." If all definitions are verified as being correct the check marks will disappear from the check boxes and be replaced with green arrow graphics. However, sometimes one or more mirror locations have not updated all of the definitions and you will get a red X for those definitions. Click on Go Back, select a different mirror, and try again. I have consistent success using Giganet or the Safer-Networking servers. When all updates have succeeded, click on "Exit."

You can also download the latest definition includes file from a clean PC and save them to a removable disk or drive, then install them into the Spybot S&D program while the infected PC is offline. This helps you disinfect a PC that cannot presently get online, or cannot access security websites for updates (because of the Conficker or similar malware), or due to other networking problems. The downloaded definition includes will look for a typical Spybot installation location and will update it instantly, as long as the program is closed during the updating process.

Download links and more instructions about using Spybot Search and Destroy are in my article titled "How to use Spybot Search & Destroy to fight malware".

TeaTimer false positives

In the case of Teatimer false positives that are fixed by updates, TeaTimer will have to be restarted after the update is applied. TeaTimer cannot be updated with new definitions if it is still running! After you update definitions to fix false positives, a restart of either TeaTimer or the Computer is required. If this doesn't fix the false positives, you may need to reset the TeaTimer detection list, as follows:

Right click the (TeaTimer) Resident tray icon
Select "Reset lists"

Alternately, close and restart TeaTimer using this method:

* start Spybot S&D
* switch to advanced mode
* navigate to "Tools" , then "Resident"
* uncheck the check box for Resident TeaTimer to close TeaTimer
* wait a bit so TeaTimer can unload completely, for instance wait 1min
* check the check box for Resident TeaTimer again to restart the TeaTimer

If that fails also, please read the rest of the things to try on this forum page, in replies #2 and #4.

When TeaTimer blocks the file you can also allow the file to be executed (also remove the check mark for deletion). You can exclude any file from further detections during a scan by right clicking the items in the Spybot S&D scan result and select "exclude this detection from further searches"

If you are running several brands of security software, make sure that only one active protection (realtime monitoring) feature runs at a time. In case you want to deactivate the TeaTimer, to avoid conflicts, you can do this in Spybot S&D advanced mode in Tools - Resident, as described above.

Posted by Wiz at 1:58 PM | Permalink

back to top ^

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam either manually or automatically when a user-defined filter, or the built-in learning filter, or a blacklist entry, or known spam source is matched, or an attached virus is detected.

Spam levels have increased 8% this week from last week's level. Fluctuations in spam levels sometimes are seasonal, or may be due to problems or successes Bot-masters have with maintaining the command and control (C&C) servers used to reactivate sleeping zombie computers in their spam Botnets. Or, these changes in spam levels may be caused when large numbers of zombie computers are disinfected, or taken offline by the ISPs who provide Internet connectivity to them. In case you didn't already know this, almost all spam is now sent from "zombie" computers in spam Botnets, unbeknownst to the owners of those infected PCs.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. This past week again saw a typical variety of categories of spam, led by counterfeit Viagra and other illicit prescription drugs dispensed without the required prescriptions. The totally fake Canadian Pharmacy is back in the count, with a lot of landing pages hosted on spaces.live.com pages. Other measurable categories of spam included counterfeit watches, fake diplomas, offshore casinos, phony car warranties hosted in Korea and Russian bride dating scams.

My updated blacklisted senders list proved very effective this week, auto-deleting over 30% of all incoming spam (see my extended content for details). I saw another increase in the number of emails forging my own accounts as the senders. This illegal practice is known as a "Joe Job" and it is used to slip spam past our filters. Joe Jobs depend on people whitelisting their own accounts and domains.

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets and all email sender addresses are forged, there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job." Fortunately, MailWasher Pro has a custom filter option that overrides the "Friends" list (a Whitelist of approved senders), allowing user created spam filters to read the content and flag or auto delete spam that's using one's own accounts as the forged sender.

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for March 15 - 21, 2010, and the latest additions to my custom MailWasher Pro filters and Blacklist.

MailWasher Pro spam category breakdown for March 15 - 21, 2010. Spam amounted to 58% of my incoming email this week. This represents a +8% change from last week.

This was a quiet week for updates to my custom spam filters. The latest updates to my custom MailWasher Pro filters were to these filters:

Dating
Live.com Spam Link
Known Spam Domains
Known X-Mailer
Pharmaceuticals [S]
Unlicensed Prescription Drugs
(New) Fake Extended Car Warranty Spam

The following recent MailWasher Pro Email Blacklist entries were able to block over 30% of this week's spam. Some weeks will have higher percentages of blacklisted senders, depending on which Botnets are used to send those messages, with forged sender names and email addresses. Since the Blacklist is processed before the custom filters, the processing time and cpu load is greatly reduced.
+@+.cn
+@+.de
+@+.hk
+@+.jp
+@+.kr
+@+.ru
+@+.tw
[email protected]
+@*.hinet.net
+@*ukrtel.net
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
notification*@googlemail.com
[email protected]
[email protected]
[email protected] (New)

About MailWasher Pro

MailWasher Pro intercepts POP3 and IMAP email before you download it to your desktop email client (e.g: Microsoft Outlook, Outlook Express, Windows Live Mail) and scans it for threats or spam content, then either manually or automatically deletes any messages matching your pre-determined criteria and custom filters. It is my primary line of defense against incoming spam, scams, phishing and exploit attacks. If you are not already using this fine anti-spam tool I invite to to read about it on my MailWasher Pro web page. You can download the latest version and try it for free for a month. Registration costs just $39.95 and is only required once, for the life of the program.

All of the spam and scams targeting my accounts were either automatically deleted by my custom MailWasher Pro spam filters, or if they made it through, was reported to SpamCop, of which I am a reporting member, and manually deleted. MailWasher Pro is able to forward messages marked as spam to SpamCop, which then sends a confirmation email to you, containing a link. You must click on the enclosed reporting link and open it in your browser, then manually submit your report. This is how SpamCop wants it done.

If you use a POP email client on your desktop to send and receive your email, rather than your browser, you too will benefit from the added protection that MailWasher Pro provides. I can't even begin to tell you how many dangerous attachments, exploit encoded messages, 419 fraud, as well as courier, bank, eBay and PayPal phishing scams, plus hundreds of hostile link emails it has deleted, after identifying them with my rules and its own heuristic and known spam detections.

Finally, many security threats will come to you via spam email; some in hostile attachments, some as "phishing" scams, some as financial fraud or money laundering scams, and many more in links to web pages rigged to serve up exploit codes or Trojan downloads.You need really good up-to-date protection to fight off the multitude of attack codes flying like machine gun bullets these days. To protect your computer from web pages rigged with exploit codes, malware in email attachments, dangerous links to hostile web pages, JavaScript redirects, Phishing scams, or router DNS attack codes, I recommend Trend Micro Internet Security (or Internet Security Pro for travelers). It has strong realtime monitoring modules that stop rootkits and spam Trojans from installing themselves into your operating system. Also known as PC-cillin, it is very frequently updated as new and altered malware definitions become available and it checks for web based threats and new malware definitions by searching secure online servers owned by Trend Micro. This is referred to as "in-the-cloud" security. Best of all, you can try it fully functional for a month, then decide to pay to keep it or uninstall it.

See you all next week, same time, same station! Keep the sunny side up and don't take no wooden nickles!

Wiz - out

Posted by Wiz at 1:35 PM | Permalink

back to top ^

Spybot Search & Destroy is a free (for personal non-business use) anti-spyware/spyware removal program used by millions of people around the World, to protect their computers from spyware, adware, Trojans and other types of malware. Spybot updates for malware detections are released every Wednesday and this week's updates were released on schedule. If you are using Spybot S&D to protect your computer you should check for updates every Wednesday afternoon and apply all that are available.

Malware writers are constantly modifying their programs to evade detection, so anti-malware vendors have to issue regular updates to keep up with the bad guys. New definitions and false positive fixes for Spybot Search and Destroy are usually released every Wednesday. This week's updates were released on schedule, as listed below. 11 new or modified fake security programs (fraudulent anti virus/spyware) were added to the "Malware" detections, plus 29 new or modified Trojans, rootkits and spam bots were added to the "Trojan" list. These include 2 variants of the infamous Zbot, a.k.a Zeus, banking Trojan.

Note: one + sign before a detection indicates an update to an existing malware family for which previous definitions have been released. Two ++ signs indicate a completely new detection of a new or rewritten malware type.

Definition updates made on 03/17/2010

Adware
++ Ulineguide

Malware
++ Fraud.Antivirus7
++ Fraud.CleanUpAntivirus
++ Fraud.ContentCleaner
++ Fraud.ErrorWiz
++ Fraud.MyComGuard
+ Fraud.MySecurityWall
+ Fraud.PCSecurity2009
++ Fraud.PrivacyOn
++ Fraud.SmartSecurity
+ Fraud.Sysguard
++ Fraud.XPInternetSecurity2010
+ Lop
++ Win32.Downloader.aafm
+ Win32.FraudLoad.edt

Spyware
+ AdRotator
+ Win32.Spynet.a

Trojans
+ Virtumonde.sci
+ Virtumonde.sdn
++ Win32.Agent.ddod
++ Win32.Agent.fla
++ Win32.Agent.shi
+ Win32.Allaple.ab
+ Win32.Ambler
++ Win32.AutoRun.fw
++ Win32.Banker.ju
+ Win32.Banload.up
++ Win32.Clicker.ad
+ Win32.FakeAlert.ttam
+ Win32.FraudPack
++ Win32.IRCBot.sys
+ Win32.Koobface
+ Win32.OnLineGames.down
++ Win32.OnLineGames.mfbh
++ Win32.OnLineGames.mfeg
++ Win32.OnLineGames.mffa
++ Win32.OnLineGames.mffh
++ Win32.OnLineGames.mfgr
++ Win32.Rbot.mum
++ Win32.SdBot.wch
+ Win32.Swisyn
+ Win32.TDSS.rtk (rootkit)
+ Win32.ZBot (a.k.a.: Zeus)
+ Win32.ZBot.rtk (Zeus rootkit)
++ XPInternetSecurity2010.FakeAlert
+ Zlob.PornPassManager

Worm
+ Win32.Amburadul

Total: 2161084 checksums in 812212 rules for 5267 products.

False Positives Reported This Past Week

One possible false positive was reported for this week, as of the time this article was published.

1: Confirmed false positive detection of "win32.downloaderx.hav" in several (number).tmp files in the \Windows\System32 directory. The temp files are harmless, belonging to the Sophos AR security application.

Installing or uninstalling and Immunizing Spybot S&D

Installing, upgrading to a new version, or uninstalling Spybot requires Administrator level privileges. Updating definitions does not require these permissions most of the time. But, to immunize against all threats does require Admin privileges. If you. like me, operate as a Power/Standard User, you can right-click on the icon to launch Spybot S&D and Run As (an) Administrator. From there you can download the latest definitions, immunize completely and scan/disinfect with full administrator authority.

Updating Spybot Search and Destroy

Before you update Spybot Search and Destroy make sure you have the latest official version. Older versions are no longer supported and will cause you a lot of grief when you immunize and scan for problems. Only download Spybot S&D from the official website, at: spybot.info, or from its alternate domain: Safer-Networking.org. Fake versions with similar names will rip you off for payment to remove threats, whereas the real Spybot Search & Destroy is free for personal use. No subscriptions, no download fees, but, donations are gladly accepted.

In case you are new to Spybot S&D, there are two ways to update the program and malware definitions. The preferred method (For Windows PCs) is to go to Start > (All) Programs > Spybot - Search & Destroy > Update Spybot - S&D. The independent update box will open. Leave the default options as is, unless you need all languages or want beta definitions, and click on "Search." Another box will open with "mirror" locations around the world where you can download updates. Select a location nearest to you from the list and click on "Continue." Make sure all updates are checked, then click on "Download." If all definitions are verified as being correct the check marks will disappear from the check boxes and be replaced with green arrow graphics. However, sometimes one or more mirror locations have not updated all of the definitions and you will get a red X for those definitions. Click on Go Back, select a different mirror, and try again. I have consistent success using Giganet or the Safer-Networking servers. When all updates have succeeded, click on "Exit."

You can also download the latest definition includes file from a clean PC and save them to a removable disk or drive, then install them into the Spybot S&D program while the infected PC is offline. This helps you disinfect a PC that cannot presently get online, or cannot access security websites for updates (because of the Conficker or similar malware), or due to other networking problems. The downloaded definition includes will look for a typical Spybot installation location and will update it instantly, as long as the program is closed during the updating process.

Download links and more instructions about using Spybot Search and Destroy are in my article titled "How to use Spybot Search & Destroy to fight malware".

TeaTimer false positives

In the case of Teatimer false positives that are fixed by updates, TeaTimer will have to be restarted after the update is applied. TeaTimer cannot be updated with new definitions if it is still running! After you update definitions to fix false positives, a restart of either TeaTimer or the Computer is required. If this doesn't fix the false positives, you may need to reset the TeaTimer detection list, as follows:

Right click the (TeaTimer) Resident tray icon
Select "Reset lists"

Alternately, close and restart TeaTimer using this method:

* start Spybot S&D
* switch to advanced mode
* navigate to "Tools" , then "Resident"
* uncheck the check box for Resident TeaTimer to close TeaTimer
* wait a bit so TeaTimer can unload completely, for instance wait 1min
* check the check box for Resident TeaTimer again to restart the TeaTimer

If that fails also, please read the rest of the things to try on this forum page, in replies #2 and #4.

When TeaTimer blocks the file you can also allow the file to be executed (also remove the check mark for deletion). You can exclude any file from further detections during a scan by right clicking the items in the Spybot S&D scan result and select "exclude this detection from further searches"

If you are running several brands of security software, make sure that only one active protection (realtime monitoring) feature runs at a time. In case you want to deactivate the TeaTimer, to avoid conflicts, you can do this in Spybot S&D advanced mode in Tools - Resident, as described above.

Posted by Wiz at 5:08 PM | Permalink

back to top ^

I recently became a member of the online service known as Twitter. Ok, you all know about Twitter and are already members for a couple of years. I am the last one in, so what?

I like Twitter because of its limitations. One is only allowed to post messages, known as Tweets, of no more than 140 characters. This includes spaces and punctuation marks. You really have to be able to think small to say anything meaningful in no more than 140 keystrokes. Try to add a hyperlink and you can easily go over the limit. Twitter just cuts off anything past the 140th character and posts the first 140 key strokes.

Twitter Tweets can be placed from computers, or cellphones equipped with web access plans and mobile web browsers, or email readers. Tweets are done in text only, with no graphics other than the author's uploaded photo (for now). They post fast and display fast, on computer monitors and cellphones alike. Some cellphones let their users set a special ringtone for incoming text messages, or email notices about new Twitter messages and followers.

I have taken a liking to Tweeting, because it makes me think small. I tend to ramble on in some of my blog postings, giving you all as much information as possible, as though I'm getting paid for my thoughts. I wish! I make squat from this blog! Still, I publish my alerts, reports and updates about spam and malware issues and solutions, in the hopes that they will help some of you avoid falling victim to the scams and attacks launched against you in spam emails, browser and plug-in vulnerability attacks and attacks on your shared hosting websites or dedicated servers.

While my blog articles are like short novels in some cases, Twitter Tweets are like news bulletins over a wire service. They're like telegrams, START using few wrds to imprt important msgs, w/abbreviations everywhere STOP. After joining Twitter I discovered that they offer website "widgets" to display one's public Tweets on a web page. If you look at the right sidebar of this blog you will find my Twitter Widget. It contains a lot of my Tweets and a scrollbar on the right edge, to scroll through them. I am using this widget and my 140 maximum character posts to get information out to you, in the most concise and reduced fashion. Please take a few minutes to read these Tweets before you move on to other places. You may find something of great importance to you.

Many of my Tweets contain links to full articles; some posted here, some elsewhere. I shorten the links using TinyUrl, or place them in plain text. There are no hostile links in my Tweets. Some lead to articles I have previously posted on my blog over the past several years. Using a link in a Tweet to a blog article I posted three years ago will save you a lot of time searching for it by keywords (in my blog's search box).

Most of my Tweets are currently dealing with malware threats, vulnerability alerts, Botnet activity, spam issues and some SEO matters. I hope you find them useful. If you are a member of Twitter you can "follow" me and get my Tweets in your Twitter account, in the "Home" section. Twitter members can also reply to my posts, or re-tweet them. All I ask is if you quote me, do it accurately, not out of context.

You will also see me replying to, or referring to others in the security or SEO fields. Use the links in my posts to their Twitter profiles to see their posts and follow them also. There are some major players in these groups and more coming in all the time. It's helps us all to coordinate our findings and research, on a small scale per Tweet.

Posted by Wiz at 1:32 AM | Permalink

back to top ^

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam either manually or automatically when a user-defined filter, or the built-in learning filter, or a blacklist entry, or known spam source is matched, or an attached virus is detected.

Spam levels have increased 5% this week from last week's level. Fluctuations in spam levels sometimes are seasonal, or may be due to problems or successes Bot-masters have with maintaining the command and control (C&C) servers used to reactivate sleeping zombie computers in their spam Botnets. Or, these changes in spam levels may be caused when large numbers of zombie computers are disinfected, or taken offline by the ISPs who provide Internet connectivity to them. In case you didn't already know this, almost all spam is now sent from "zombie" computers in spam Botnets, unbeknownst to the owners of those infected PCs.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. This past week again saw a typical variety of categories of spam, led by counterfeit Viagra and other illicit prescription drugs, sold unlawfully without a real prescription. Other measurable categories of spam included counterfeit watches and other goods, fake diplomas, pirated software, and Russian dating scams.

My updated blacklisted senders list proved effective this week, auto-deleting almost 10% of all incoming spam (see my extended content for details). I saw another increase in the number of emails forging my own accounts as the senders. This illegal practice is known as a "Joe Job" and it is used to slip spam past our filters. Joe Jobs depend on people whitelisting their own accounts and domains.

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets and all email sender addresses are forged, there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job." Fortunately, MailWasher Pro has a custom filter option that overrides the "Friends" list (a Whitelist of approved senders), allowing user created spam filters to read the content and flag or auto delete spam that's using one's own accounts as the forged sender.

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for March 8 - 14, 2010, and the latest additions to my custom MailWasher Pro filters and Blacklist.

MailWasher Pro spam category breakdown for March 8 - 14, 2010. Spam amounted to 50% of my incoming email this week. This represents a +5% change from last week.

This was a quiet week for updates to my custom spam filters. The latest updates to my custom MailWasher Pro filters were to these filters:

Dating Scam
Male Enhancement [B]
Nigerian 419 Scam #5 [B]]
Nigerian 419 Scam #6
Pharmaceuticals [S]

The following recent MailWasher Pro Email Blacklist entries were able to block almost 10% of this week's spam. Some weeks will have higher percentages of blacklisted senders, depending on which Botnets are used to send those messages, with forged sender names and email addresses. Since the Blacklist is processed before the custom filters, the processing time and cpu load is greatly reduced.
+@+.cn
+@+.de
+@+.hk
+@+.jp
+@+.kr
+@+.ru
+@+.tw
[email protected]
+@*.hinet.net
+@*ukrtel.net
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
notification*@googlemail.com
[email protected]
[email protected]
[email protected]

About MailWasher Pro

MailWasher Pro intercepts POP3 and IMAP email before you download it to your desktop email client (e.g: Microsoft Outlook, Outlook Express, Windows Live Mail) and scans it for threats or spam content, then either manually or automatically deletes any messages matching your pre-determined criteria and custom filters. It is my primary line of defense against incoming spam, scams, phishing and exploit attacks. If you are not already using this fine anti-spam tool I invite to to read about it on my MailWasher Pro web page. You can download the latest version and try it for free for a month. Registration costs just $39.95 and is only required once, for the life of the program.

All of the spam and scams targeting my accounts were either automatically deleted by my custom MailWasher Pro spam filters, or if they made it through, was reported to SpamCop, of which I am a reporting member, and manually deleted. MailWasher Pro is able to forward messages marked as spam to SpamCop, which then sends a confirmation email to you, containing a link. You must click on the enclosed reporting link and open it in your browser, then manually submit your report. This is how SpamCop wants it done.

If you use a POP email client on your desktop to send and receive your email, rather than your browser, you too will benefit from the added protection that MailWasher Pro provides. I can't even begin to tell you how many dangerous attachments, exploit encoded messages, 419 fraud, as well as courier, bank, eBay and PayPal phishing scams, plus hundreds of hostile link emails it has deleted, after identifying them with my rules and its own heuristic and known spam detections.

Finally, many security threats will come to you via spam email; some in hostile attachments, some as "phishing" scams, some as financial fraud or money laundering scams, and many more in links to web pages rigged to serve up exploit codes or Trojan downloads.You need really good up-to-date protection to fight off the multitude of attack codes flying like machine gun bullets these days. To protect your computer from web pages rigged with exploit codes, malware in email attachments, dangerous links to hostile web pages, JavaScript redirects, Phishing scams, or router DNS attack codes, I recommend Trend Micro Internet Security (or Internet Security Pro for travelers). It has strong realtime monitoring modules that stop rootkits and spam Trojans from installing themselves into your operating system. Also known as PC-cillin, it is very frequently updated as new and altered malware definitions become available and it checks for web based threats and new malware definitions by searching secure online servers owned by Trend Micro. This is referred to as "in-the-cloud" security. Best of all, you can try it fully functional for a month, then decide to pay to keep it or uninstall it.

See you all next week, same time, same station! Keep the sunny side up and don't take no wooden nickles!

Wiz - out

Posted by Wiz at 4:41 PM | Permalink

back to top ^

Spybot Search & Destroy is a free (for personal non-business use) anti-spyware/spyware removal program used by millions of people around the World, to protect their computers from spyware, adware, Trojans and other types of malware. Spybot updates for malware detections are released every Wednesday and this week's updates were released on schedule. If you are using Spybot S&D to protect your computer you should check for updates every Wednesday afternoon and apply all that are available.

Malware writers are constantly modifying their programs to evade detection, so anti-malware vendors have to issue regular updates to keep up with the bad guys. New definitions and false positive fixes for Spybot Search and Destroy are usually released every Wednesday. The last two week's updates were released on schedule on March 10, 2010, as listed below. 12 new or modified fake security programs (fraudulent anti virus/spyware), and other malware downloads, were added to the "Malware" detections, plus 25 new or modified Trojans, rootkits and spam bots were added to the "Trojan" list.

Note: one + sign before a detection indicates an update to an existing malware family for which previous definitions have been released. Two ++ signs indicate a completely new detection of a new or rewritten malware type.

Additions made on 03/10/2010

Adware
++ CNNIC.Searchbar

Dialer
++ Microflat

Malware
++ Fraud.ControlManager
++ Fraud.DrGuard
+ Fraud.MalwareDefender2009
++ Fraud.MySecurityWall
+ Fraud.PersonalSecurity
++ Fraud.PrivacyControl
++ Fraud.SpyTechSpyAgent
++ Fraud.WindowsAntivirus
++ Fraud.WindowsSecurityCenter
++ Fraud.XPMicroAntivirus
++ Win32.Agent.be
+ Win32.FraudLoad

Security Vulnerabilities
+ Microsoft.Windows.RedirectedHosts

Trojan
+ Fraud.avi
+ Virtumonde.sci
+ Virtumonde.sdn
++ Win32.Agent.exp
++ Win32.Agent.jar
++ Win32.Agent.wio
++ Win32.Agent.wss
++ Win32.AutoRun.wu
++ Win32.Banload.up
++ Win32.Clicker.afo
++ Win32.Clicker.nqe
++ Win32.FakeAV.cn
+ Win32.FraudLoad.edt
+ Win32.FraudPack
+ Win32.Koobface
+ Win32.OnLineGames.mffm
++ Win32.OnLineGames.uedm
++ Win32.OnLineGames.uhbq
++ Win32.OnLineGames.uhgi
++ Win32.OnLineGames.uhmm
++ Win32.OnLineGames.uhvx
++ Win32.OnLineGames.uiwu
++ Win32.OnLineGames.uvmc
++ Win32.Swisyn
+ Win32.ZBot

Worm
+ Win32.Amburadul
++ Win32.Bzub.buz

Spybot S&D currently has 2153272 fingerprints in 809913 rules for 5228 products.

False Positives Reported This Past Week

One possible false positive was reported for this week, as of the time this article was published.

1: Possible false positive detection of "AzeSearch" in Microsoft Security Essentials. This is being investigated, in German. I will translate the results next week.

For details about how to apply updates correctly and download links for Spybot Search & Destroy, please read my extended content.

Installing or uninstalling and Immunizing Spybot S&D

Installing, upgrading to a new version, or uninstalling Spybot requires Administrator level privileges. Updating definitions does not require these permissions most of the time. But, to immunize against all threats does require Admin privileges. If you. like me, operate as a Power/Standard User, you can right-click on the icon to launch Spybot S&D and Run As (an) Administrator. From there you can download the latest definitions, immunize completely and scan/disinfect with full administrator authority.

Updating Spybot Search and Destroy

Before you update Spybot Search and Destroy make sure you have the latest official version. Older versions are no longer supported and will cause you a lot of grief when you immunize and scan for problems. Only download Spybot S&D from the official website, at: spybot.info, or from its alternate domain: Safer-Networking.org. Fake versions with similar names will rip you off for payment to remove threats, whereas the real Spybot Search & Destroy is free for personal use. No subscriptions, no download fees, but, donations are gladly accepted.

In case you are new to Spybot S&D, there are two ways to update the program and malware definitions. The preferred method (For Windows PCs) is to go to Start > (All) Programs > Spybot - Search & Destroy > Update Spybot - S&D. The independent update box will open. Leave the default options as is, unless you need all languages or want beta definitions, and click on "Search." Another box will open with "mirror" locations around the world where you can download updates. Select a location nearest to you from the list and click on "Continue." Make sure all updates are checked, then click on "Download." If all definitions are verified as being correct the check marks will disappear from the check boxes and be replaced with green arrow graphics. However, sometimes one or more mirror locations have not updated all of the definitions and you will get a red X for those definitions. Click on Go Back, select a different mirror, and try again. I have consistent success using Giganet or the Safer-Networking servers. When all updates have succeeded, click on "Exit."

You can also download the latest definition includes file from a clean PC and save them to a removable disk or drive, then install them into the Spybot S&D program while the infected PC is offline. This helps you disinfect a PC that cannot presently get online, or cannot access security websites for updates (because of the Conficker or similar malware), or due to other networking problems. The downloaded definition includes will look for a typical Spybot installation location and will update it instantly, as long as the program is closed during the updating process.

Download links and more instructions about using Spybot Search and Destroy are in my article titled "How to use Spybot Search & Destroy to fight malware".

TeaTimer false positives

In the case of Teatimer false positives that are fixed by updates, TeaTimer will have to be restarted after the update is applied. TeaTimer cannot be updated with new definitions if it is still running! After you update definitions to fix false positives, a restart of either TeaTimer or the Computer is required. If this doesn't fix the false positives, you may need to reset the TeaTimer detection list, as follows:

Right click the (TeaTimer) Resident tray icon
Select "Reset lists"

Alternately, close and restart TeaTimer using this method:

* start Spybot S&D
* switch to advanced mode
* navigate to "Tools" , then "Resident"
* uncheck the check box for Resident TeaTimer to close TeaTimer
* wait a bit so TeaTimer can unload completely, for instance wait 1min
* check the check box for Resident TeaTimer again to restart the TeaTimer

If that fails also, please read the rest of the things to try on this forum page, in replies #2 and #4.

When TeaTimer blocks the file you can also allow the file to be executed (also remove the check mark for deletion). You can exclude any file from further detections during a scan by right clicking the items in the Spybot S&D scan result and select "exclude this detection from further searches"

If you are running several brands of security software, make sure that only one active protection (realtime monitoring) feature runs at a time. In case you want to deactivate the TeaTimer, to avoid conflicts, you can do this in Spybot S&D advanced mode in Tools - Resident, as described above..

Posted by Wiz at 3:22 PM | Permalink

back to top ^

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam either manually or automatically when a user-defined filter, or the built-in learning filter, or a blacklist entry, or known spam source is matched, or an attached virus is detected.

Spam levels have decreased 2% this week from last week's level. Fluctuations in spam levels sometimes are seasonal, or may be due to problems or successes Bot-masters have with maintaining the command and control (C&C) servers used to reactivate sleeping zombie computers in their spam Botnets. Or, these changes in spam levels may be caused when large numbers of zombie computers are disinfected, or taken offline by the ISPs who provide Internet connectivity to them. In case you didn't already know this, almost all spam is now sent from "zombie" computers in spam Botnets, unbeknownst to the owners of those infected PCs.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. This past week again saw a typical variety of categories of spam, including a lot of spam for counterfeit watches and phones, illicit prescription drugs, fake Viagra, Canadian Pharmacy scams, pirated software, dating scams, and fake diplomas.

My updated blacklisted senders list proved less effective this week, auto-deleting only 4% of all incoming spam (see my extended content for details). The decline in blacklisted matches is the result of spammers changing their tactics from previous weeks. In fact, I saw a giant increase in the number of emails forging my own accounts as the senders. This illegal practice is known as a "Joe Job" and it is used to slip spam past our filters. Joe Jobs depend on people whitelisting their own accounts and domains.

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets and all email sender addresses are forged, there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job." Fortunately, MailWasher Pro has a custom filter option that overrides the "Friends" list (a Whitelist of approved senders), allowing user created spam filters to read the content and flag or auto delete spam that's using one's own accounts as the forged sender.

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for March 1 - 7, 2010, and the latest additions to my custom MailWasher Pro filters and Blacklist.

MailWasher Pro spam category breakdown for March 1 - 7, 2010. Spam amounted to 45% of my incoming email this week. This represents a -2% change from last week.

This was a quiet week for updates to my custom spam filters. The latest updates to my custom MailWasher Pro filters were to these filters:

Software Spam
URL Shortener Spam Link
Hidden/Foreign ISO, UTF, or ASCII Subject
Nigerian 419 Scam #3 [S, F, R]

(New Filters Added This Week)
NEW: Craigslist Scammer filter

The following recent MailWasher Pro Email Blacklist entries were able to block over 4% of this week's spam. Some weeks will have higher percentages of blacklisted senders, depending on which Botnets are used to send those messages, with forged sender names and email addresses. Since the Blacklist is processed before the custom filters, the processing time and cpu load is greatly reduced.
+@+.cn
+@+.de
+@+.hk
+@+.jp
+@+.kr
+@+.ru
+@+.tw
[email protected]
+@*.hinet.net
+@*ukrtel.net
[email protected]
[email protected]
[email protected]
[email protected]
notification*@googlemail.com
[email protected]
[email protected]
[email protected] (NEW)
*@loan.co.uk (NEW)

About MailWasher Pro

MailWasher Pro intercepts POP3 and IMAP email before you download it to your desktop email client (e.g: Microsoft Outlook, Outlook Express, Windows Live Mail) and scans it for threats or spam content, then either manually or automatically deletes any messages matching your pre-determined criteria and custom filters. It is my primary line of defense against incoming spam, scams, phishing and exploit attacks. If you are not already using this fine anti-spam tool I invite to to read about it on my MailWasher Pro web page. You can download the latest version and try it for free for a month. Registration costs just $39.95 and is only required once, for the life of the program.

All of the spam and scams targeting my accounts were either automatically deleted by my custom MailWasher Pro spam filters, or if they made it through, was reported to SpamCop, of which I am a reporting member, and manually deleted. MailWasher Pro is able to forward messages marked as spam to SpamCop, which then sends a confirmation email to you, containing a link. You must click on the enclosed reporting link and open it in your browser, then manually submit your report. This is how SpamCop wants it done.

If you use a POP email client on your desktop to send and receive your email, rather than your browser, you too will benefit from the added protection that MailWasher Pro provides. I can't even begin to tell you how many dangerous attachments, exploit encoded messages, 419 fraud, as well as courier, bank, eBay and PayPal phishing scams, plus hundreds of hostile link emails it has deleted, after identifying them with my rules and its own heuristic and known spam detections.

Finally, many security threats will come to you via spam email; some in hostile attachments, some as "phishing" scams, some as financial fraud or money laundering scams, and many more in links to web pages rigged to serve up exploit codes or Trojan downloads.You need really good up-to-date protection to fight off the multitude of attack codes flying like machine gun bullets these days. To protect your computer from web pages rigged with exploit codes, malware in email attachments, dangerous links to hostile web pages, JavaScript redirects, Phishing scams, or router DNS attack codes, I recommend Trend Micro Internet Security (or Internet Security Pro for travelers). It has strong realtime monitoring modules that stop rootkits and spam Trojans from installing themselves into your operating system. Also known as PC-cillin, it is very frequently updated as new and altered malware definitions become available and it checks for web based threats and new malware definitions by searching secure online servers owned by Trend Micro. This is referred to as "in-the-cloud" security. Best of all, you can try it fully functional for a month, then decide to pay to keep it or uninstall it.

See you all next week, same time, same station! Keep the sunny side up and don't take no wooden nickles!

Wiz - out

Posted by Wiz at 3:27 PM | Permalink

back to top ^

Spybot Search & Destroy is a free (for personal non-business use) anti-spyware/spyware removal program used by millions of people around the World, to protect their computers from spyware, adware, Trojans and other types of malware. Spybot updates for malware detections are released every Wednesday and this week's updates were released on schedule. If you are using Spybot S&D to protect your computer you should check for updates every Wednesday afternoon and apply all that are available.

Malware writers are constantly modifying their programs to evade detection, so anti-malware vendors have to issue regular updates to keep up with the bad guys. New definitions and false positive fixes for Spybot Search and Destroy are usually released every Wednesday. The last two week's updates were released on schedule on March 3, 2010, as listed below. 7 new or modified fake security programs (fraudulent anti virus/spyware), and other malware downloads, were added to the "Malware" detections, plus 19 new or modified Trojans, rootkits and spam bots were added to the "Trojan" list.

Note: one + sign before a detection indicates an update to an existing malware family for which previous definitions have been released. Two ++ signs indicate a completely new detection of a new or rewritten malware type.

Additions made on 03/03/2010

Adware
++ WebPerform

Malware
+ Fraud.AntivirusPro2010
+ Fraud.VolcanoSecuritySuite
+ Lop
++ Municheventos
+ Win32.Bifrost
+ Win32.FraudLoad.edt
++ Win32.Philis

Pups (Potentially Unwanted Software)
+ Live-Player

Security Vulnerabilities
+ Microsoft.Windows.RedirectedHosts

Spyware
+ AdRotator
+ Win32.Spynet.a

Trojan
+ Virtumonde.dll
+ Virtumonde.sci
+ Virtumonde.sdn
++ Win32.Agent.mpc
+ Win32.Agent.sys
+ Win32.Allaple.ab
+ Win32.Autorun.mbzt
++ Win32.OnLineGames.mfen
++ Win32.OnLineGames.mfes
++ Win32.OnLineGames.mffd
+ Win32.OnLineGames.mffm
++ Win32.OnLineGames.mfjj
++ Win32.OnLineGames.mfqj
++ Win32.OnLineGames.utza
++ Win32.OnLineGames.uvij
++ Win32.OnLineGames.uxkq
+ Win32.TDSS.vot
+ Win32.ZBot
+ Zlob.Downloader

Spybot S&D currently has 2128838 fingerprints in 801788 rules for 5266 products.

False Positives Reported This Past Week

Thus-far, no false positives were confirmed for this week, as of the time this article was published.

For details about how to apply updates correctly and download links for Spybot Search & Destroy, please read my extended content.

Installing or uninstalling and Immunizing Spybot S&D

Installing, upgrading to a new version, or uninstalling Spybot requires Administrator level privileges. Updating definitions does not require these permissions most of the time. But, to immunize against all threats does require Admin privileges. If you. like me, operate as a Power/Standard User, you can right-click on the icon to launch Spybot S&D and Run As (an) Administrator. From there you can download the latest definitions, immunize completely and scan/disinfect with full administrator authority.

Updating Spybot Search and Destroy

Before you update Spybot Search and Destroy make sure you have the latest official version. Older versions are no longer supported and will cause you a lot of grief when you immunize and scan for problems. Only download Spybot S&D from the official website, at: spybot.info, or from its alternate domain: Safer-Networking.org. Fake versions with similar names will rip you off for payment to remove threats, whereas the real Spybot Search & Destroy is free for personal use. No subscriptions, no download fees, but, donations are gladly accepted.

In case you are new to Spybot S&D, there are two ways to update the program and malware definitions. The preferred method (For Windows PCs) is to go to Start > (All) Programs > Spybot - Search & Destroy > Update Spybot - S&D. The independent update box will open. Leave the default options as is, unless you need all languages or want beta definitions, and click on "Search." Another box will open with "mirror" locations around the world where you can download updates. Select a location nearest to you from the list and click on "Continue." Make sure all updates are checked, then click on "Download." If all definitions are verified as being correct the check marks will disappear from the check boxes and be replaced with green arrow graphics. However, sometimes one or more mirror locations have not updated all of the definitions and you will get a red X for those definitions. Click on Go Back, select a different mirror, and try again. I have consistent success using Giganet or the Safer-Networking servers. When all updates have succeeded, click on "Exit."

You can also download the latest definition includes file from a clean PC and save them to a removable disk or drive, then install them into the Spybot S&D program while the infected PC is offline. This helps you disinfect a PC that cannot presently get online, or cannot access security websites for updates (because of the Conficker or similar malware), or due to other networking problems. The downloaded definition includes will look for a typical Spybot installation location and will update it instantly, as long as the program is closed during the updating process.

Download links and more instructions about using Spybot Search and Destroy are in my article titled "How to use Spybot Search & Destroy to fight malware".

TeaTimer false positives

In the case of Teatimer false positives that are fixed by updates, TeaTimer will have to be restarted after the update is applied. TeaTimer cannot be updated with new definitions if it is still running! After you update definitions to fix false positives, a restart of either TeaTimer or the Computer is required. If this doesn't fix the false positives, you may need to reset the TeaTimer detection list, as follows:

Right click the (TeaTimer) Resident tray icon
Select "Reset lists"

Alternately, close and restart TeaTimer using this method:

* start Spybot S&D
* switch to advanced mode
* navigate to "Tools" , then "Resident"
* uncheck the check box for Resident TeaTimer to close TeaTimer
* wait a bit so TeaTimer can unload completely, for instance wait 1min
* check the check box for Resident TeaTimer again to restart the TeaTimer

If that fails also, please read the rest of the things to try on this forum page, in replies #2 and #4.

When TeaTimer blocks the file you can also allow the file to be executed (also remove the check mark for deletion). You can exclude any file from further detections during a scan by right clicking the items in the Spybot S&D scan result and select "exclude this detection from further searches"

If you are running several brands of security software, make sure that only one active protection (realtime monitoring) feature runs at a time. In case you want to deactivate the TeaTimer, to avoid conflicts, you can do this in Spybot S&D advanced mode in Tools - Resident, as described above..

Posted by Wiz at 1:45 AM | Permalink

back to top ^