Wiz's Computer and Website Security Blog

My Spam analysis for the week of March 15 - 21, 2010

2010-03-21T17:35:32Z

This is the latest entry in my weekly series about classifications of spam, according to my custom filter rules used by MailWasher Pro. The categories are shown on the "Statistics" page > "Junk Mail," as a pie chart, based on my custom filters and blacklist. The amount of email flagged as spam is shown on the "Summary" page of Statistics.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam either manually or automatically when a user-defined filter, or the built-in learning filter, or a blacklist entry, or known spam source is matched, or an attached virus is detected.

Spam levels have increased 8% this week from last week's level. Fluctuations in spam levels sometimes are seasonal, or may be due to problems or successes Bot-masters have with maintaining the command and control (C&C) servers used to reactivate sleeping zombie computers in their spam Botnets. Or, these changes in spam levels may be caused when large numbers of zombie computers are disinfected, or taken offline by the ISPs who provide Internet connectivity to them. In case you didn't already know this, almost all spam is now sent from "zombie" computers in spam Botnets, unbeknownst to the owners of those infected PCs.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. This past week again saw a typical variety of categories of spam, led by counterfeit Viagra and other illicit prescription drugs dispensed without the required prescriptions. The totally fake Canadian Pharmacy is back in the count, with a lot of landing pages hosted on spaces.live.com pages. Other measurable categories of spam included counterfeit watches, fake diplomas, offshore casinos, phony car warranties hosted in Korea and Russian bride dating scams.

My updated blacklisted senders list proved very effective this week, auto-deleting over 30% of all incoming spam (see my extended content for details). I saw another increase in the number of emails forging my own accounts as the senders. This illegal practice is known as a "Joe Job" and it is used to slip spam past our filters. Joe Jobs depend on people whitelisting their own accounts and domains.

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets and all email sender addresses are forged, there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job." Fortunately, MailWasher Pro has a custom filter option that overrides the "Friends" list (a Whitelist of approved senders), allowing user created spam filters to read the content and flag or auto delete spam that's using one's own accounts as the forged sender.

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for March 15 - 21, 2010, and the latest additions to my custom MailWasher Pro filters and Blacklist.

]]> MailWasher Pro spam category breakdown for March 15 - 21, 2010. Spam amounted to 58% of my incoming email this week. This represents a +8% change from last week.

Blacklisted Senders (dating scams & Viagra, etc):	30.47%
Viagra:	16.25%
Pharmaceutical Spam:	10.16%
Known Spam Domains:	7.90%
Counterfeit Watches:	6.55%
Other Filters (misc filters):	6.32%
Live.com Spam Link:	4.51%
Casino Spam:	3.84%
Dating Scams:	3.61%
Canadian Pharmacy Scams:	3.61%
Warranty Scam:	3.39%
Diploma Scams:	2.93%
DNS Blacklisted Servers:	0.45%

This was a quiet week for updates to my custom spam filters. The latest updates to my custom MailWasher Pro filters were to these filters:

Dating
Live.com Spam Link
Known Spam Domains
Known X-Mailer
Pharmaceuticals [S]
Unlicensed Prescription Drugs
(New) Fake Extended Car Warranty Spam

The following recent MailWasher Pro Email Blacklist entries were able to block over 30% of this week's spam. Some weeks will have higher percentages of blacklisted senders, depending on which Botnets are used to send those messages, with forged sender names and email addresses. Since the Blacklist is processed before the custom filters, the processing time and cpu load is greatly reduced.
+@+.cn
+@+.de
+@+.hk
+@+.jp
+@+.kr
+@+.ru
+@+.tw
+@mail.com
+@*.hinet.net
+@*ukrtel.net
+@loan.co.uk
+@contact.co.uk
Job@DunHill.com
+@chinamobile.com
+@webmail.register.com
noreply@singlesnet.com
networks@facebook.com
med?@googlemail.com
notification*@googlemail.com
notification@facebookmail.com
noreply@message.myspace.com
+@adamjeeinsurance.com (New)

About MailWasher Pro

MailWasher Pro intercepts POP3 and IMAP email before you download it to your desktop email client (e.g: Microsoft Outlook, Outlook Express, Windows Live Mail) and scans it for threats or spam content, then either manually or automatically deletes any messages matching your pre-determined criteria and custom filters. It is my primary line of defense against incoming spam, scams, phishing and exploit attacks. If you are not already using this fine anti-spam tool I invite to to read about it on my MailWasher Pro web page. You can download the latest version and try it for free for a month. Registration costs just $39.95 and is only required once, for the life of the program.

All of the spam and scams targeting my accounts were either automatically deleted by my custom MailWasher Pro spam filters, or if they made it through, was reported to SpamCop, of which I am a reporting member, and manually deleted. MailWasher Pro is able to forward messages marked as spam to SpamCop, which then sends a confirmation email to you, containing a link. You must click on the enclosed reporting link and open it in your browser, then manually submit your report. This is how SpamCop wants it done.

If you use a POP email client on your desktop to send and receive your email, rather than your browser, you too will benefit from the added protection that MailWasher Pro provides. I can't even begin to tell you how many dangerous attachments, exploit encoded messages, 419 fraud, as well as courier, bank, eBay and PayPal phishing scams, plus hundreds of hostile link emails it has deleted, after identifying them with my rules and its own heuristic and known spam detections.

Finally, many security threats will come to you via spam email; some in hostile attachments, some as "phishing" scams, some as financial fraud or money laundering scams, and many more in links to web pages rigged to serve up exploit codes or Trojan downloads.You need really good up-to-date protection to fight off the multitude of attack codes flying like machine gun bullets these days. To protect your computer from web pages rigged with exploit codes, malware in email attachments, dangerous links to hostile web pages, JavaScript redirects, Phishing scams, or router DNS attack codes, I recommend Trend Micro Internet Security (or Internet Security Pro for travelers). It has strong realtime monitoring modules that stop rootkits and spam Trojans from installing themselves into your operating system. Also known as PC-cillin, it is very frequently updated as new and altered malware definitions become available and it checks for web based threats and new malware definitions by searching secure online servers owned by Trend Micro. This is referred to as "in-the-cloud" security. Best of all, you can try it fully functional for a month, then decide to pay to keep it or uninstall it.

See you all next week, same time, same station! Keep the sunny side up and don't take no wooden nickles!

Wiz - out

Spybot Search & Destroy updates for March 17, 2010

2010-03-19T21:08:54Z

Spybot Search & Destroy is a free (for personal non-business use) anti-spyware/spyware removal program used by millions of people around the World, to protect their computers from spyware, adware, Trojans and other types of malware. Spybot updates for malware detections are released every Wednesday and this week's updates were released on schedule. If you are using Spybot S&D to protect your computer you should check for updates every Wednesday afternoon and apply all that are available.

Malware writers are constantly modifying their programs to evade detection, so anti-malware vendors have to issue regular updates to keep up with the bad guys. New definitions and false positive fixes for Spybot Search and Destroy are usually released every Wednesday. This week's updates were released on schedule, as listed below. 11 new or modified fake security programs (fraudulent anti virus/spyware) were added to the "Malware" detections, plus 29 new or modified Trojans, rootkits and spam bots were added to the "Trojan" list. These include 2 variants of the infamous Zbot, a.k.a Zeus, banking Trojan.

Note: one + sign before a detection indicates an update to an existing malware family for which previous definitions have been released. Two ++ signs indicate a completely new detection of a new or rewritten malware type.

Definition updates made on 03/17/2010

Adware
++ Ulineguide

Malware
++ Fraud.Antivirus7
++ Fraud.CleanUpAntivirus
++ Fraud.ContentCleaner
++ Fraud.ErrorWiz
++ Fraud.MyComGuard
+ Fraud.MySecurityWall
+ Fraud.PCSecurity2009
++ Fraud.PrivacyOn
++ Fraud.SmartSecurity
+ Fraud.Sysguard
++ Fraud.XPInternetSecurity2010
+ Lop
++ Win32.Downloader.aafm
+ Win32.FraudLoad.edt

Spyware
+ AdRotator
+ Win32.Spynet.a

Trojans
+ Virtumonde.sci
+ Virtumonde.sdn
++ Win32.Agent.ddod
++ Win32.Agent.fla
++ Win32.Agent.shi
+ Win32.Allaple.ab
+ Win32.Ambler
++ Win32.AutoRun.fw
++ Win32.Banker.ju
+ Win32.Banload.up
++ Win32.Clicker.ad
+ Win32.FakeAlert.ttam
+ Win32.FraudPack
++ Win32.IRCBot.sys
+ Win32.Koobface
+ Win32.OnLineGames.down
++ Win32.OnLineGames.mfbh
++ Win32.OnLineGames.mfeg
++ Win32.OnLineGames.mffa
++ Win32.OnLineGames.mffh
++ Win32.OnLineGames.mfgr
++ Win32.Rbot.mum
++ Win32.SdBot.wch
+ Win32.Swisyn
+ Win32.TDSS.rtk (rootkit)
+ Win32.ZBot (a.k.a.: Zeus)
+ Win32.ZBot.rtk (Zeus rootkit)
++ XPInternetSecurity2010.FakeAlert
+ Zlob.PornPassManager

Worm
+ Win32.Amburadul

Total: 2161084 checksums in 812212 rules for 5267 products.

]]> False Positives Reported This Past Week

One possible false positive was reported for this week, as of the time this article was published.

1: Confirmed false positive detection of "win32.downloaderx.hav" in several (number).tmp files in the \Windows\System32 directory. The temp files are harmless, belonging to the Sophos AR security application.

Installing or uninstalling and Immunizing Spybot S&D

Installing, upgrading to a new version, or uninstalling Spybot requires Administrator level privileges. Updating definitions does not require these permissions most of the time. But, to immunize against all threats does require Admin privileges. If you. like me, operate as a Power/Standard User, you can right-click on the icon to launch Spybot S&D and Run As (an) Administrator. From there you can download the latest definitions, immunize completely and scan/disinfect with full administrator authority.

Updating Spybot Search and Destroy

Before you update Spybot Search and Destroy make sure you have the latest official version. Older versions are no longer supported and will cause you a lot of grief when you immunize and scan for problems. Only download Spybot S&D from the official website, at: spybot.info, or from its alternate domain: Safer-Networking.org. Fake versions with similar names will rip you off for payment to remove threats, whereas the real Spybot Search & Destroy is free for personal use. No subscriptions, no download fees, but, donations are gladly accepted.

In case you are new to Spybot S&D, there are two ways to update the program and malware definitions. The preferred method (For Windows PCs) is to go to Start > (All) Programs > Spybot - Search & Destroy > Update Spybot - S&D. The independent update box will open. Leave the default options as is, unless you need all languages or want beta definitions, and click on "Search." Another box will open with "mirror" locations around the world where you can download updates. Select a location nearest to you from the list and click on "Continue." Make sure all updates are checked, then click on "Download." If all definitions are verified as being correct the check marks will disappear from the check boxes and be replaced with green arrow graphics. However, sometimes one or more mirror locations have not updated all of the definitions and you will get a red X for those definitions. Click on Go Back, select a different mirror, and try again. I have consistent success using Giganet or the Safer-Networking servers. When all updates have succeeded, click on "Exit."

You can also download the latest definition includes file from a clean PC and save them to a removable disk or drive, then install them into the Spybot S&D program while the infected PC is offline. This helps you disinfect a PC that cannot presently get online, or cannot access security websites for updates (because of the Conficker or similar malware), or due to other networking problems. The downloaded definition includes will look for a typical Spybot installation location and will update it instantly, as long as the program is closed during the updating process.

Download links and more instructions about using Spybot Search and Destroy are in my article titled "How to use Spybot Search & Destroy to fight malware".

TeaTimer false positives

In the case of Teatimer false positives that are fixed by updates, TeaTimer will have to be restarted after the update is applied. TeaTimer cannot be updated with new definitions if it is still running! After you update definitions to fix false positives, a restart of either TeaTimer or the Computer is required. If this doesn't fix the false positives, you may need to reset the TeaTimer detection list, as follows:

Right click the (TeaTimer) Resident tray icon
Select "Reset lists"

Alternately, close and restart TeaTimer using this method:

* start Spybot S&D
* switch to advanced mode
* navigate to "Tools" , then "Resident"
* uncheck the check box for Resident TeaTimer to close TeaTimer
* wait a bit so TeaTimer can unload completely, for instance wait 1min
* check the check box for Resident TeaTimer again to restart the TeaTimer

If that fails also, please read the rest of the things to try on this forum page, in replies #2 and #4.

When TeaTimer blocks the file you can also allow the file to be executed (also remove the check mark for deletion). You can exclude any file from further detections during a scan by right clicking the items in the Spybot S&D scan result and select "exclude this detection from further searches"

If you are running several brands of security software, make sure that only one active protection (realtime monitoring) feature runs at a time. In case you want to deactivate the TeaTimer, to avoid conflicts, you can do this in Spybot S&D advanced mode in Tools - Resident, as described above..

Twitter widget creates a blog within a blog, with short posts

2010-03-17T05:32:14Z

I recently became a member of the online service known as Twitter. Ok, you all know about Twitter and are already members for a couple of years. I am the last one in, so what?

I like Twitter because of its limitations. One is only allowed to post messages, known as Tweets, of no more than 140 characters. This includes spaces and punctuation marks. You really have to be able to think small to say anything meaningful in no more than 140 keystrokes. Try to add a hyperlink and you can easily go over the limit. Twitter just cuts off anything past the 140th character and posts the first 140 key strokes.

Twitter Tweets can be placed from computers, or cellphones equipped with web access plans and mobile web browsers, or email readers. Tweets are done in text only, with no graphics other than the author's uploaded photo (for now). They post fast and display fast, on computer monitors and cellphones alike. Some cellphones let their users set a special ringtone for incoming text messages, or email notices about new Twitter messages and followers.

I have taken a liking to Tweeting, because it makes me think small. I tend to ramble on in some of my blog postings, giving you all as much information as possible, as though I'm getting paid for my thoughts. I wish! I make squat from this blog! Still, I publish my alerts, reports and updates about spam and malware issues and solutions, in the hopes that they will help some of you avoid falling victim to the scams and attacks launched against you in spam emails, browser and plug-in vulnerability attacks and attacks on your shared hosting websites or dedicated servers.

While my blog articles are like short novels in some cases, Twitter Tweets are like news bulletins over a wire service. They're like telegrams, START using few wrds to imprt important msgs, w/abbreviations everywhere STOP. After joining Twitter I discovered that they offer website "widgets" to display one's public Tweets on a web page. If you look at the right sidebar of this blog you will find my Twitter Widget. It contains a lot of my Tweets and a scrollbar on the right edge, to scroll through them. I am using this widget and my 140 maximum character posts to get information out to you, in the most concise and reduced fashion. Please take a few minutes to read these Tweets before you move on to other places. You may find something of great importance to you.

Many of my Tweets contain links to full articles; some posted here, some elsewhere. I shorten the links using TinyUrl, or place them in plain text. There are no hostile links in my Tweets. Some lead to articles I have previously posted on my blog over the past several years. Using a link in a Tweet to a blog article I posted three years ago will save you a lot of time searching for it by keywords (in my blog's search box).

Most of my Tweets are currently dealing with malware threats, vulnerability alerts, Botnet activity, spam issues and some SEO matters. I hope you find them useful. If you are a member of Twitter you can "follow" me and get my Tweets in your Twitter account, in the "Home" section. Twitter members can also reply to my posts, or re-tweet them. All I ask is if you quote me, do it accurately, not out of context.

You will also see me replying to, or referring to others in the security or SEO fields. Use the links in my posts to their Twitter profiles to see their posts and follow them also. There are some major players in these groups and more coming in all the time. It's helps us all to coordinate our findings and research, on a small scale per Tweet.

My Spam analysis for the week of March 8 - 14, 2010

2010-03-14T20:41:30Z

Spam levels have increased 5% this week from last week's level. Fluctuations in spam levels sometimes are seasonal, or may be due to problems or successes Bot-masters have with maintaining the command and control (C&C) servers used to reactivate sleeping zombie computers in their spam Botnets. Or, these changes in spam levels may be caused when large numbers of zombie computers are disinfected, or taken offline by the ISPs who provide Internet connectivity to them. In case you didn't already know this, almost all spam is now sent from "zombie" computers in spam Botnets, unbeknownst to the owners of those infected PCs.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. This past week again saw a typical variety of categories of spam, led by counterfeit Viagra and other illicit prescription drugs, sold unlawfully without a real prescription. Other measurable categories of spam included counterfeit watches and other goods, fake diplomas, pirated software, and Russian dating scams.

My updated blacklisted senders list proved effective this week, auto-deleting almost 10% of all incoming spam (see my extended content for details). I saw another increase in the number of emails forging my own accounts as the senders. This illegal practice is known as a "Joe Job" and it is used to slip spam past our filters. Joe Jobs depend on people whitelisting their own accounts and domains.

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for March 8 - 14, 2010, and the latest additions to my custom MailWasher Pro filters and Blacklist.

]]> MailWasher Pro spam category breakdown for March 8 - 14, 2010. Spam amounted to 50% of my incoming email this week. This represents a +5% change from last week.

Viagra:	33.72%
Known Spam Domains:	14.56%
Counterfeit Watches:	11.88%
Blacklisted Senders (dating scams & Viagra, etc):	9.96%
Pharmaceutical Spam:	9.20%
Other Filters (misc filters):	7.28%
Diploma Scams:	3.83%
Known Spam [From]:	3.07%
Lottery Spam:	1.53%
Live.com Spam Link:	1.53%
Russian Sender:	1.15%
Dating Scams:	1.15%
DNS Blacklisted Servers:	0.77%

This was a quiet week for updates to my custom spam filters. The latest updates to my custom MailWasher Pro filters were to these filters:

Dating Scam
Male Enhancement [B]
Nigerian 419 Scam #5 [B]]
Nigerian 419 Scam #6
Pharmaceuticals [S]

The following recent MailWasher Pro Email Blacklist entries were able to block almost 10% of this week's spam. Some weeks will have higher percentages of blacklisted senders, depending on which Botnets are used to send those messages, with forged sender names and email addresses. Since the Blacklist is processed before the custom filters, the processing time and cpu load is greatly reduced.
+@+.cn
+@+.de
+@+.hk
+@+.jp
+@+.kr
+@+.ru
+@+.tw
+@mail.com
+@*.hinet.net
+@*ukrtel.net
+@loan.co.uk
+@contact.co.uk
Job@DunHill.com
+@chinamobile.com
+@webmail.register.com
noreply@singlesnet.com
networks@facebook.com
notification*@googlemail.com
notification@facebookmail.com
noreply@message.myspace.com
med?@googlemail.com

About MailWasher Pro

See you all next week, same time, same station! Keep the sunny side up and don't take no wooden nickles!

Wiz - out

Spybot Search & Destroy updates for March 10, 2010

2010-03-10T20:22:12Z

Malware writers are constantly modifying their programs to evade detection, so anti-malware vendors have to issue regular updates to keep up with the bad guys. New definitions and false positive fixes for Spybot Search and Destroy are usually released every Wednesday. The last two week's updates were released on schedule on March 10, 2010, as listed below. 12 new or modified fake security programs (fraudulent anti virus/spyware), and other malware downloads, were added to the "Malware" detections, plus 25 new or modified Trojans, rootkits and spam bots were added to the "Trojan" list.

Additions made on 03/10/2010

Adware
++ CNNIC.Searchbar

Dialer
++ Microflat

Malware
++ Fraud.ControlManager
++ Fraud.DrGuard
+ Fraud.MalwareDefender2009
++ Fraud.MySecurityWall
+ Fraud.PersonalSecurity
++ Fraud.PrivacyControl
++ Fraud.SpyTechSpyAgent
++ Fraud.WindowsAntivirus
++ Fraud.WindowsSecurityCenter
++ Fraud.XPMicroAntivirus
++ Win32.Agent.be
+ Win32.FraudLoad

Security Vulnerabilities
+ Microsoft.Windows.RedirectedHosts

Trojan
+ Fraud.avi
+ Virtumonde.sci
+ Virtumonde.sdn
++ Win32.Agent.exp
++ Win32.Agent.jar
++ Win32.Agent.wio
++ Win32.Agent.wss
++ Win32.AutoRun.wu
++ Win32.Banload.up
++ Win32.Clicker.afo
++ Win32.Clicker.nqe
++ Win32.FakeAV.cn
+ Win32.FraudLoad.edt
+ Win32.FraudPack
+ Win32.Koobface
+ Win32.OnLineGames.mffm
++ Win32.OnLineGames.uedm
++ Win32.OnLineGames.uhbq
++ Win32.OnLineGames.uhgi
++ Win32.OnLineGames.uhmm
++ Win32.OnLineGames.uhvx
++ Win32.OnLineGames.uiwu
++ Win32.OnLineGames.uvmc
++ Win32.Swisyn
+ Win32.ZBot

Worm
+ Win32.Amburadul
++ Win32.Bzub.buz

Spybot S&D currently has 2153272 fingerprints in 809913 rules for 5228 products.

False Positives Reported This Past Week

One possible false positive was reported for this week, as of the time this article was published.

1: Possible false positive detection of "AzeSearch" in Microsoft Security Essentials. This is being investigated, in German. I will translate the results next week.

For details about how to apply updates correctly and download links for Spybot Search & Destroy, please read my extended content.

]]> Installing or uninstalling and Immunizing Spybot S&D

Updating Spybot Search and Destroy

Download links and more instructions about using Spybot Search and Destroy are in my article titled "How to use Spybot Search & Destroy to fight malware".

TeaTimer false positives

Right click the (TeaTimer) Resident tray icon
Select "Reset lists"

Alternately, close and restart TeaTimer using this method:

If that fails also, please read the rest of the things to try on this forum page, in replies #2 and #4.

My Spam analysis for the week of March 1 - 7, 2010

2010-03-07T20:27:14Z

Spam levels have decreased 2% this week from last week's level. Fluctuations in spam levels sometimes are seasonal, or may be due to problems or successes Bot-masters have with maintaining the command and control (C&C) servers used to reactivate sleeping zombie computers in their spam Botnets. Or, these changes in spam levels may be caused when large numbers of zombie computers are disinfected, or taken offline by the ISPs who provide Internet connectivity to them. In case you didn't already know this, almost all spam is now sent from "zombie" computers in spam Botnets, unbeknownst to the owners of those infected PCs.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. This past week again saw a typical variety of categories of spam, including a lot of spam for counterfeit watches and phones, illicit prescription drugs, fake Viagra, Canadian Pharmacy scams, pirated software, dating scams, and fake diplomas.

My updated blacklisted senders list proved less effective this week, auto-deleting only 4% of all incoming spam (see my extended content for details). The decline in blacklisted matches is the result of spammers changing their tactics from previous weeks. In fact, I saw a giant increase in the number of emails forging my own accounts as the senders. This illegal practice is known as a "Joe Job" and it is used to slip spam past our filters. Joe Jobs depend on people whitelisting their own accounts and domains.

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for March 1 - 7, 2010, and the latest additions to my custom MailWasher Pro filters and Blacklist.

]]> MailWasher Pro spam category breakdown for March 1 - 7, 2010. Spam amounted to 45% of my incoming email this week. This represents a -2% change from last week.

Viagra:	23.55%
Known Spam Domains:	15.70%
Pharmaceutical Spam:	15.29%
Other Filters (misc filters):	11.16%
Counterfeit Watches:	10.74%
Blacklisted Senders (dating scams & Viagra, etc):	4.13%
Image Spam #11 Spam:	3.72%
Diploma Scams:	3.31%
UPS Phishing Scams:	3.31%
Russian Sender:	2.89%
Known Spam [From]:	2.48%
DNS Blacklisted Servers:	2.07%
Canadian Pharmacy:	1.65%

This was a quiet week for updates to my custom spam filters. The latest updates to my custom MailWasher Pro filters were to these filters:

Software Spam
URL Shortener Spam Link
Hidden/Foreign ISO, UTF, or ASCII Subject
Nigerian 419 Scam #3 [S, F, R]

(New Filters Added This Week)
NEW: Craigslist Scammer filter

The following recent MailWasher Pro Email Blacklist entries were able to block over 4% of this week's spam. Some weeks will have higher percentages of blacklisted senders, depending on which Botnets are used to send those messages, with forged sender names and email addresses. Since the Blacklist is processed before the custom filters, the processing time and cpu load is greatly reduced.
+@+.cn
+@+.de
+@+.hk
+@+.jp
+@+.kr
+@+.ru
+@+.tw
+@mail.com
+@*.hinet.net
+@*ukrtel.net
+@chinamobile.com
+@webmail.register.com
noreply@singlesnet.com
networks@facebook.com
notification*@googlemail.com
notification@facebookmail.com
noreply@message.myspace.com
Job@DunHill.com (NEW)
*@loan.co.uk (NEW)

About MailWasher Pro

See you all next week, same time, same station! Keep the sunny side up and don't take no wooden nickles!

Wiz - out

Spybot Search & Destroy updates for March 3, 2010

2010-03-04T06:45:19Z

Malware writers are constantly modifying their programs to evade detection, so anti-malware vendors have to issue regular updates to keep up with the bad guys. New definitions and false positive fixes for Spybot Search and Destroy are usually released every Wednesday. The last two week's updates were released on schedule on March 3, 2010, as listed below. 7 new or modified fake security programs (fraudulent anti virus/spyware), and other malware downloads, were added to the "Malware" detections, plus 19 new or modified Trojans, rootkits and spam bots were added to the "Trojan" list.

Additions made on 03/03/2010

Adware
++ WebPerform

Malware
+ Fraud.AntivirusPro2010
+ Fraud.VolcanoSecuritySuite
+ Lop
++ Municheventos
+ Win32.Bifrost
+ Win32.FraudLoad.edt
++ Win32.Philis

Pups (Potentially Unwanted Software)
+ Live-Player

Security Vulnerabilities
+ Microsoft.Windows.RedirectedHosts

Spyware
+ AdRotator
+ Win32.Spynet.a

Trojan
+ Virtumonde.dll
+ Virtumonde.sci
+ Virtumonde.sdn
++ Win32.Agent.mpc
+ Win32.Agent.sys
+ Win32.Allaple.ab
+ Win32.Autorun.mbzt
++ Win32.OnLineGames.mfen
++ Win32.OnLineGames.mfes
++ Win32.OnLineGames.mffd
+ Win32.OnLineGames.mffm
++ Win32.OnLineGames.mfjj
++ Win32.OnLineGames.mfqj
++ Win32.OnLineGames.utza
++ Win32.OnLineGames.uvij
++ Win32.OnLineGames.uxkq
+ Win32.TDSS.vot
+ Win32.ZBot
+ Zlob.Downloader

Spybot S&D currently has 2128838 fingerprints in 801788 rules for 5266 products.

False Positives Reported This Past Week

Thus-far, no false positives were confirmed for this week, as of the time this article was published.

For details about how to apply updates correctly and download links for Spybot Search & Destroy, please read my extended content.

]]> Installing or uninstalling and Immunizing Spybot S&D

Updating Spybot Search and Destroy

Download links and more instructions about using Spybot Search and Destroy are in my article titled "How to use Spybot Search & Destroy to fight malware".

TeaTimer false positives

Right click the (TeaTimer) Resident tray icon
Select "Reset lists"

Alternately, close and restart TeaTimer using this method:

If that fails also, please read the rest of the things to try on this forum page, in replies #2 and #4.

My Spam analysis for the week of Feb 22 - 28, 2010

2010-02-28T18:21:14Z

Spam levels have decreased 5% this week from last week's level. Fluctuations in spam levels sometimes are seasonal, or may be due to problems or successes Bot-masters have with maintaining the command and control (C&C) servers used to reactivate sleeping zombie computers in their spam Botnets. Or, these changes in spam levels may be caused when large numbers of zombie computers are disinfected, or taken offline by the ISPs who provide Internet connectivity to them. In case you didn't already know this, almost all spam is now sent from "zombie" computers in spam Botnets, unbeknown to the owners of those infected PCs.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. This past week again saw a typical variety of categories of spam, including a lot of spam for counterfeit watches, illicit drugs, fake Viagra, Canadian Pharmacy scams, pirated software, casinos and fake diplomas. My updated blacklisted senders list proved effective again this week, auto-deleting over 9% of all incoming spam (see my extended content for details).

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for Feb Feb 22 - 28, 2010, and the latest additions to my custom MailWasher Pro filters and Blacklist.

]]> MailWasher Pro spam category breakdown for Feb 22 - 28, 2010. Spam amounted to 47% of my incoming email this week. This represents a -5% change from last week.

Pharmaceutical Spam:	20.34%
Viagra:	19.31%
Known Spam Domains:	12.41%
Counterfeit Watches:	10.69%
Other Filters (misc filters):	10.00%
Blacklisted Senders (dating scams & Viagra, etc):	9.31%
Casino Spam:	3.79%
Canadian Pharmacy:	3.10%
Phishing Scam:	3.10%
Diploma Scams:	3.10%
Exploit Link:	2.41%
Software (Pirated) Spam:	2.07%
DNS Blacklisted Servers:	0.34%

This was a busy week for updates to my custom spam filters. The latest updates to my custom MailWasher Pro filters were to these filters:

African Sender
Casino Spam
Male Enhancement [B]
Nigerian 419 Scam #3 [S F R]
Nigerian 419 Scam #5 [B]
RIPE
Russian Sender
PayPal Phishing Scam #1
Pharmaceuticals [S]
Phishing Scam [S or F]
Phishing Scam [B]
Software Spam
Unlicensed Prescription Drugs
Viagra.com Spam

(New Filters Added This Week)
(New) Blogger Exploit Link
Split Nigerian 419 Scams into 6 filters & disabled original

The following recent MailWasher Pro Email Blacklist entries were able to block over 9% of this week's spam. Some weeks will have higher percentages of blacklisted senders, depending on which Botnets are used to send those messages, with forged sender names and email addresses. Since the Blacklist is processed before the custom filters, the processing time and cpu load is greatly reduced.
+@+.cn
+@+.de
+@+.hk
+@+.jp
+@+.kr
+@+.ru
+@+.tw
+@mail.com
+@*.hinet.net
+@*ukrtel.net
+@chinamobile.com
+@webmail.register.com
noreply@singlesnet.com
networks@facebook.com
notification*@googlemail.com
notification@facebookmail.com
noreply@message.myspace.com

About MailWasher Pro

See you all next week, same time, same station! Keep the sunny side up and don't take no wooden nickles!

Wiz - out

Spybot Search & Destroy updates for Feb 24, 2010

2010-02-24T21:12:05Z

Malware writers are constantly modifying their programs to evade detection, so anti-malware vendors have to issue regular updates to keep up with the bad guys. New definitions and false positive fixes for Spybot Search and Destroy are usually released every Wednesday. The last two week's updates were released on schedule on February 24, 2010, as listed below. 7 new or modified fake security programs (fraudulent anti virus/spyware), and other malware downloads, were added to the "Malware" detections, plus 20 new or modified Trojans, rootkits and spam bots were added to the "Trojan" list.

Additions made on 02/24/2010

Adware
+ MeMedia.AdVantage
++ YourSiteBar

Malware
++ Fraud.AntimalwareDoctor
++ Fraud.PCDefender
++ Fraud.PersonalAntiMalwareCenter
++ Fraud.SecureEssentials2010
+ Fraud.Sysguard
+ Lop
+ Win32.Virut.ag

Security Vulnerabilities
+ Microsoft.Windows.RedirectedHosts

Spyware
+ Win32.Spynet.a

Trojan
++ Bredolab.fb
++ Fraud.avi
+ Virtumonde.dll
+ Virtumonde.sci
+ Virtumonde.sdn
++ Win32.Agent.nb
+ Win32.Agent.xwr
+ Win32.Autorun.mbzt
+ Win32.Bifrost
+ Win32.CeeInject
+ Win32.FakeAlert.ttam
++ Win32.OnLineGames.bkrn
++ Win32.OnLineGames.uiwr
++ Win32.OnLineGames.ussu
++ Win32.Prolaco.p
+ Win32.TDSS.reg
+ Win32.TDSS.rtk
++ Win32.vbs
+ Win32.ZBot
+ Win32.ZBot.rtk

Spybot S&D currently has 2111918 fingerprints in 796159 rules for 5250 products.

False Positives Reported This Past Week

Thus-far, no false positives were confirmed for this week, as of the time this article was published.

For details about how to apply updates correctly and download links for Spybot Search & Destroy, please read my extended content.

]]> Installing or uninstalling and Immunizing Spybot S&D

Updating Spybot Search and Destroy

Download links and more instructions about using Spybot Search and Destroy are in my article titled "How to use Spybot Search & Destroy to fight malware".

TeaTimer false positives

Right click the (TeaTimer) Resident tray icon
Select "Reset lists"

Alternately, close and restart TeaTimer using this method:

If that fails also, please read the rest of the things to try on this forum page, in replies #2 and #4.

My Spam analysis for the week of Feb 15 - 21, 2010

2010-02-21T16:03:20Z

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. This past week again saw a typical variety of categories of spam, including a lot of spam for counterfeit watches and phones, illicit drugs, fake Viagra, Russian dating scams, pirated software, casinos and fake diplomas. My updated blacklisted senders list proved extremely effective again this week, auto-deleting over 16% of all incoming spam (see my extended content for details).

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for Feb 15 - 21, 2010, and the latest additions to my custom MailWasher Pro filters and Blacklist.

]]> MailWasher Pro spam category breakdown for Feb 8 - 14, 2010. Spam amounted to 52% of my incoming email this week. This represents a +5% change from last week.

Viagra:	32.26%
Blacklisted Senders (dating scams & Viagra, etc):	16.85%
Other Filters (misc filters):	12.19%
Counterfeit Watches:	9.68%
Pharmaceutical Spam:	7.17%
Known Spam Domains:	6.45%
Diploma Scams:	3.58%
Casino Spam:	3.58%
Russian Sender:	2.15%
Software (Pirated) Spam:	1.79%
Dating Scams:	1.43%
Known Spam TO:	1.43%
DNS Blacklisted Servers:	1.43%

This was a busy week for updates to my custom spam filters. The latest updates to my custom MailWasher Pro filters were to these filters:

APNIC
Canadian Pharmacy
Counterfeit Goods
Dating
(DHL) Courier Phishing Scam
Exploit Link Only (to malware infection)
Hidden ISO Subject
Known Spam Domains
Known User-Agent Spam
Loans
Nigerian 419 scams
Phishing Scam [Subject or From]
Russian Sender
Software Spam
Unlicensed Prescription Drugs
UPS Phishing Scam #1

(New Filters Added This Week)
Flagged by Spam Assassin
Live.com Spam Link
Subject contains < * + ' >

The following recent MailWasher Pro Email Blacklist entries were able to block almost 17% of this week's spam. Since the Blacklist is processed before the custom filters, the processing time and cpu load is greatly reduced.
+@+.cn
+@+.de
+@+.hk
+@+.jp
+@+.kr
+@+.ru
+@+.tw
+@mail.com
+@*.hinet.net
+@*ukrtel.net
+@chinamobile.com
+@webmail.register.com
noreply@singlesnet.com
networks@facebook.com
notification*@googlemail.com
notification@facebookmail.com
noreply@message.myspace.com

About MailWasher Pro

See you all next week, same time, same station! Keep the sunny side up and don't take no wooden nickles!

Wiz - out

Spybot Search & Destroy updates for Feb 17, 2010

2010-02-17T21:01:35Z

Malware writers are constantly modifying their programs to evade detection, so anti-malware vendors have to issue regular updates to keep up with the bad guys. New definitions and false positive fixes for Spybot Search and Destroy are usually released every Wednesday. The last two week's updates were released on schedule on February 17, 2010, as listed below. 16 new or modified fake security programs (fraudulent anti virus/spyware), and other malware downloads, were added to the "Malware" detections, plus 18 new or modified Trojans, rootkits and spam bots were added to the "Trojan" list. One updated Internet Worm detection was also added this week.

Additions made on 02/17/2010

Adware
++ DonkeyToolbar

Malware
+ AdRotator
+ Fake.SpywareRemover
++ Fraud.AdvancedDefender
++ Fraud.GuardWWW
+ Fraud.MalwareDefense
++ Fraud.PaladinAntivirus
++ Fraud.SavePcAv
++ Fraud.SecurePcAv
+ Fraud.Sysguard
+ Fraud.SystemSecurity
+ Fraud.VolcanoSecuritySuite
++ Fraud.YourPCProtector
+ Lop
+ Mirar
+ Win32.FraudLoad
+ Win32.TDSS.reg

PUPS (Possibly Unwanted Programs)
++ GameVance.PlaySushi
+ Live-Player

Spyware
++ Win32.Spynet.a

Trojan
+ Supsav.Smss32
+ Virtumonde.dll
+ Virtumonde.sci
+ Virtumonde.sdn
++ Win32.Agent.ado
++ Win32.Agent.svv
++ Win32.Agent.wi
+ Win32.Agent.wu
+ Win32.Autorun.mbzt
+ Win32.FakeAlert.ttam
++ Win32.HareBot.a
++ Win32.OnLineGames.ujug
++ Win32.Rbot.wu
++ Win32.ScreenBlaze
++ Win32.Stinx.h
+ Win32.TDSS.rtk
++ Win32.Virut.w
+ Win32.ZBot

Worm
+ Win32.Allaple.ab

Spybot S&D currently has 2033341 fingerprints in 769409 rules for 5235 products.

False Positives Reported This Past Week

TeaTimer mistakenly detected the "Morpheus Toolbar" in C:\WINDOWS\system32\WBEM\WMIADAP.EXE, during an upgrade of a user's Intel Wireless 3945ABG software from version 10.x to 11.5.x, using the DELL proprietary driver upgrade. Team Spybot offered this solution to the affected user, or others similarly affected by false positives in Teatimer:

If you are running several security software, make sure that only one active protection feature runs at a time. In case you want to deactivate the TeaTimer you can do this in Spybot S&D advanced mode in Tools - Resident.

For details about how to apply updates correctly and download links for Spybot Search & Destroy, please read my extended content.

]]> Installing or uninstalling and Immunizing Spybot S&D

Updating Spybot Search and Destroy

Download links and more instructions about using Spybot Search and Destroy are in my article titled "How to use Spybot Search & Destroy to fight malware".

TeaTimer false positives

Right click the (TeaTimer) Resident tray icon
Select "Reset lists"

Alternately, close and restart TeaTimer using this method:

If that fails also, please read the rest of the things to try on this forum page, in replies #2 and #4.

My Spam analysis for the week of Feb 8 - 14, 2010

2010-02-14T19:27:56Z

Spam levels have decreased 4% this week from last week's level. Fluctuations in spam levels sometimes are seasonal, or may be due to problems or successes Bot-masters have with maintaining the command and control (C&C) servers used to reactivate sleeping zombie computers in their spam Botnets. Or, these changes in spam levels may be caused when large numbers of zombie computers are disinfected, or taken offline by the ISPs who provide Internet connectivity to them. In case you didn't already know this, almost all spam is now sent from "zombie" computers in spam Botnets, unbeknown to the owners of those infected PCs.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. This past week again saw a large variety of categories of spam, including a lot of spam for counterfeit diplomas, watches and Viagra, the totally fake "Canadian Pharmacy," Russian dating scams, Nigerian 419 and lottery scams and various identity phishing scams. My updated blacklisted senders list proved extremely effective again this week, auto-deleting over 24% of all incoming spam (see my extended content for details).

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for Feb 8 - 14, 2010, and the latest additions to my custom MailWasher Pro filters and Blacklist.

]]> MailWasher Pro spam category breakdown for Feb 8 - 14, 2010. Spam amounted to 47% of my incoming email this week. This represents a -4% change from last week.

Viagra:	36.71%
Blacklisted Senders (dating scams & Viagra, etc):	24.47%
Other Filters (misc filters):	11.81%
Counterfeit Watches:	5.49%
Canadian Pharmacy Scams:	5.06%
Pharmaceutical Spam:	4.64%
Diploma Scams:	2.11%
Known Spam Domains:	2.11%
Nigerian 419 and Lottery Scams:	1.69%
Subject all CAPS (mostly 419 scams):	1.69%
DNS Blacklisted Servers:	1.69%
Phishing Scams:	1.27%
PDF Attachment exploit threats:	1.27%

The latest weekly updates to my custom MailWasher Pro filters were to the Viagra Spam [S], Phishing Scam [S or F], UPS Phishing Scam #1, Unlicensed Prescription Drugs, Exploit Link, Known Spam Domains, Facebook Phish (New), Western Union Scam, Herbal Spam and African Sender (419) filters. Everything else is working as it should. If you're not already using MailWasher Pro to filter out spam you should consider doing so! Read the next three paragraphs for more details about it.

The following recent MailWasher Pro Email Blacklist entries were able to block almost 25% of this week's spam. Since the Blacklist is processed before the custom filters, the processing time and cpu load is greatly reduced.
+@+.de
+@+.hk
+@+.tw
+@+.jp
+@+.kr
+@+.ru
+@mail.com
+@*.hinet.net
+@*ukrtel.net
+@chinamobile.com
+@webmail.register.com
noreply@singlesnet.com
noreply@message.myspace.com
notification@facebookmail.com

About MailWasher Pro

See you all next week, same time, same station! Keep the sunny side up and don't take no wooden nickles!

Wiz - out

Spybot Search & Destroy updates for Feb 10, 2010

2010-02-11T06:36:25Z

Malware writers are constantly modifying their programs to evade detection, so anti-malware vendors have to issue regular updates to keep up with the bad guys. New definitions and false positive fixes for Spybot Search and Destroy are usually released every Wednesday. The last two week's updates were released on schedule on February 10, 2010, as listed below. 7 new or modified fake security programs (fraudulent anti virus/spyware), and other malware downloads, were added to the "Malware" detections, plus 8 new or modified Trojans, rootkits and spam bots were added to the "Trojan" list. Two Internet Worm detections were also added this week and another long distance modem dialer.

Additions made on 02/10/2010

Dialer
+ Coulomb Ltd.Content Access Plugin

Malware
++ Fraud.AntimalwareDefender
++ Fraud.KasperskiyAntivir
+ Fraud.PCAntispyware2010
+ Fraud.Sysguard
+ Fraud.XPAntivirus
+ Win32.FraudLoad.edt
++ Win32.Wace.a

PUPS (Possibly Unwanted Programs)
+ Live-Player

Trojan
++ FakeAlert.gx
++ FakeAlert.lv
++ FakeBill.UPS
+ Virtumonde.dll
+ Virtumonde.sci
+ Virtumonde.sdn
++ Win32.Joleee.egx
+ Win32.ZBot

Worm
+ Win32.Allaple.ab
+ Win32.Socks.T

Spybot S&D currently has 1976598 fingerprints in 751278 rules for 5212 products.

False Positives Reported This Past Week

Teatimer had a false positive detection of "DoubleD.DesktopSmiley" in C:\WINDOWS\system32\msiexec.exe. Install the latest definition updates, then stop Teatimer, close it, wait a minute, then restart it. Instructions for restarting Teatimer are in my extended content.

This isn't a false positive, but a business decision that has been reversed. After reviewing the business email practices of VistaPrint, it was removed from HOSTS file IP blocking immunization with the update from the 2010-02-10. People who want to do business with VistaPrint and still use Spybot S&D's full immunization regime can now do so, without manually editing their HOSTS file.

The use of the Windows HOSTS file to block potentially bad IPs and URLS is getting carried to extremes lately. Since Spybot does not alert you when it is responsible for blocking a website via HOSTS entries (to 127.0.0.1), many users are unaware that the program is blocking websites they may wish to visit. If you used to be able to go to some website and after updating Spybot's definitions you find that the page cannot be displayed, it may have been added to the HOSTS blocklist by Spybot updates. You can edit the file manually, in Notepad, or in a HOSTS editor program, or uncheck the option for HOSTS in the Immunization list and reimmunize. That will remove all entries from HOSTS that were added by Spybot S&D.

For details about how to apply updates correctly and download links for Spybot Search & Destroy, please read my extended content.

]]> Installing or uninstalling and Immunizing Spybot S&D

Updating Spybot Search and Destroy

Download links and more instructions about using Spybot Search and Destroy are in my article titled "How to use Spybot Search & Destroy to fight malware".

TeaTimer false positives

Right click the (TeaTimer) Resident tray icon
Select "Reset lists"

Alternately, close and restart TeaTimer using this method:

If that fails also, please read the rest of the things to try on this forum page, in replies #2 and #4.

My Spam analysis for the week of Feb 1 - 7, 2010

2010-02-07T17:55:52Z

Spam levels have increased 2% this week from last week's level. Fluctuations in spam levels sometimes are seasonal, or may be due to problems or successes Bot-masters have with maintaining the command and control (C&C) servers used to reactivate sleeping zombie computers in their spam Botnets. Or, these changes in spam levels may be caused when large numbers of zombie computers are disinfected, or taken offline by the ISPs who provide Internet connectivity to them. In case you didn't already know this, almost all spam is now sent from "zombie" computers in spam Botnets, unbeknown to the owners of those infected PCs.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. This past week again saw a large variety of categories of spam, including Russian dating spam, fake diplomas and counterfeit brand name watches, pirated software, male enhancement scams, counterfeit Viagra, the fake Canadian Pharmacy, Nigerian 419 scams, DHL and UPS Courier scams and other phishing scams. My updated blacklisted senders list proved extremely effective again this week, auto-deleting ~19% of all incoming spam.

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for Feb 1 - 7, 2010, and the latest additions to my custom MailWasher Pro filters.

]]> MailWasher Pro spam category breakdown for Feb 1 - 7, 2010. Spam amounted to 51% of my incoming email this week. This represents a +2% change from last week.

Viagra:	32.13%
Blacklisted Senders (mostly dating scams this week):	18.69%
Other Filters (misc filters):	13.11%
Counterfeit Watches:	5.90%
Male Enhancement Scams:	5.25%
Dating Spam:	5.25%
Diploma Scams:	4.92%
Phishing Scams:	4.26%
Pirated Software (like "Eurosoft"):	3.28%
Canadian Pharmacy Scams:	2.30%
Known Spam Domains:	1.97%
Nigerian 419 Scams:	1.97%
DNS Blacklisted Servers:	0.98%

The latest weekly updates to my custom MailWasher Pro filters were to the (DHL) Courier Phishing Scam, Dating Spam, Software Spam, Unlicensed Prescription Drugs, Viagra Spam [B], Herbal Spam, Male Enhancement [S], Nigerian 419 Scams, PayPal Scams #2, Pharmaceuticals [S], Phishing Scam [S] and [B], and Stud Tips filters. Everything else is working as it should. If you're not already using MailWasher Pro to filter out spam you should consider doing so! Read the next three paragraphs for more details about it.

The following recent MailWasher Pro Email Blacklist entries were able to block almost 19% of this week's spam.
+@+.de
+@+.hk
+@+.tw
+@+.jp
+@+.kr
+@+.ru
+@mail.com
+@*.hinet.net
+@*ukrtel.net
+@chinamobile.com
+@webmail.register.com
noreply@singlesnet.com
noreply@message.myspace.com
notification@facebookmail.com

These expressions instantly delete any messages with a "From" email address ending with one of those domains. These expressions resulted in 18.69% of spam being captured by the MWP Blacklist. Since the Blacklist is processed before the custom filters, the processing time and cpu load is greatly reduced.

See you all next week, same time, same station! Keep the sunny side up and don't take no wooden nickles!

Wiz - out

Spybot Search & Destroy updates for Feb 3, 2010

2010-02-05T03:50:46Z

Malware writers are constantly modifying their programs to evade detection, so anti-malware vendors have to issue regular updates to keep up with the bad guys. New definitions and false positive fixes for Spybot Search and Destroy are usually released every Wednesday. The last two week's updates were released on schedule on February 3, 2010, as listed below. 9 new or modified fake security programs (fraudulent anti virus/spyware), and other malware downloads, were added to the "Malware" detections, plus 14 new or modified Trojans, rootkits and spam bots were added to the "Trojan" list. An Internet Worm detection was also added this week.

Additions made on 02/03/2010

Dialer
+ eGroup.InstantAccess

Malware
+ FakeAlert.gen
++ Fraud.MyPcSecure
++ Fraud.PcSecureNet
++ Fraud.PcsSecure
+ Fraud.WinPCDefender
+ Lop
+ SuperEasySearch
+ Win32.FraudLoad
+ Win32.FraudLoad.edt

Trojan
++ FakeAlert.be
+ FakeAlert.BraveSentry
++ FakeAlert.is
+ Virtumonde.dll
+ Virtumonde.sci
+ Virtumonde.sdn
+ Win32.Agent.wu
++ Win32.DownloaderX.HAV
+ Win32.FakeAlert.ttam
+ Win32.FraudPack
+ Win32.TDSS.clt
+ Win32.Turkojan
++ Win32.Virut.ag
+ Win32.ZBot

Worm
+ Win32.Allaple.ab

Spybot S&D currently has 1948083 fingerprints in 743598 rules for 5207 products.

False Positives Reported This Past Week

No false positives were reported or discussed this past week.

For details about how to apply updates correctly and download links for Spybot Search & Destroy, please read my extended content.

]]> Installing or uninstalling and Immunizing Spybot S&D

Updating Spybot Search and Destroy

Download links and more instructions about using Spybot Search and Destroy are in my article titled "How to use Spybot Search & Destroy to fight malware".

TeaTimer false positives

Right click the (TeaTimer) Resident tray icon
Select "Reset lists"

Alternately, close and restart TeaTimer using this method:

If that fails also, please read the rest of the things to try on this forum page, in replies #2 and #4.