This is a phishing scam looking to steal active Hotmail accounts for use as spam sending zombies, using Hotmail's good reputation to avoid email sender blockades. The phished date of birth information can be crosschecked against other stolen or looked up details about you, or they can read your personal details saved in your Hotmail account profile, to perform identity theft. This information would then be sold to more advanced cyber criminals.

The scam email I received today was sent from the IP address 62.173.55.107 which is part of the CIDR 62.173.32.0/19, which covers all IPs between 62.173.32.0 and 62.173.63.255. This CIDR is registered to ipNX Nigeria Limited, in Lagos, NG.

I discuss methods of preventing these Nigerian scam emails from reaching your desktop email clients, or forum members, in my extended comments.

If you run a web server and have administrator (root) privileges, you can block all email coming from known Nigerian and other African IP addresses by applying my Nigerian Iptables Blocklist to the mail server (mail blockade), or Linux APF Firewall rules (total blockade). By applying the Nigerian Iptables Blocklist to your Linux/Apache Server firewall you will block all access to all websites hosted on it. This includes databases, email, ftp and http services. It will appear as though there is no server, or websites, at the URL they request or send mail to.

If you don't have root access to the Linux OS you can still block Nigerian 419 scammers from accessing your web pages and forums via HTTP, by applying my .htaccess Nigerian Blocklist to your public web root directory .htaccess file. This requires that your website be hosted on the common Apache Web Server, running on a Linux or Unix OS.

I provide other IP blocklists in both iptables and .htaccess formats. If you lease a dedicated server your server administrator can install the iptables blocklist rules for you. I am available for hire to install .htaccess blocklists, or to customize a blocklist for your individual websites, as long as they are hosted on Apache web servers. Use my Webmaster contact page to request a quote or to arrange for ongoing website security maintenance.

Most commercial web hosting companies offer an mail server for incoming (POP3) and outgoing (SMTP) email for their hosting customers. Most of these mail servers have the free option of turning on an email spam filter of one kind or another. Most spam filters recognize subjects with all capital letters and will flag those messages as "{SPAM}." You can then have your email client* filter messages marked as SPAM to be deleted, or sent to a folder you create for questionable messages.

If you do not have your own web server for receiving your POP3 email, but still use a desktop email client (e.g. Microsoft Outlook, Outlook Express, Windows Live Mail, etc), you still have an option available to block this Nigerian crap email. I use and recommend a spam filtering email screening program called MailWasher Pro. MailWasher Pro sits on your Windows Desktop as an application between your POP3 email servers and your desktop email client. It receives email at an interval you select and screens it to identify spam and either flag it or automatically delete it. I set my Windows Live Mail client to manually download messages only when I press the Send/Receive button, which I do to download desirable messages that have been cleared by MailWasher Pro. I report any spam or scam messages that make it through my automatic deletion filters to SpamCop, through MailWasher Pro itself.

MailWasher Pro uses a combination of learning filters, a blacklist, a friends list, known spam blocklists (like SpamCop) and custom user written filters, to identify and deal with spam. I happen to write custom filters for use with the program and which can identify and either manually or automatically delete about 95% of all incoming spam and scam messages. You can learn about, or download Wizcrafts' Custom MailWasher Filters here. There are 3 sets available, the details of which are explained on the aforementioned web page. My "Subject All Caps" filter flagged the scam message that started this article.

MailWasher Pro is a commercial program that you pay for once and receive free program updates for life. I've been using it for about 8 years now and have only paid once. The current version, as of July 2, 2009, is 6.51. It is fully compatible with all versions of Windows, including the soon to be released Windows 7. The current price is $39.95, for a lifetime registration.

If you use a web browser to obtain your email you are at the mercy of your email service provider to supply their users with spam protection. Check your email options to see what level of Spam blocking is available to you and apply it. You may have to white list your friends and contacts to avoid having some of their messages accidentally deleted as Spam, but it is worth the effort.

If you are one of the intended targets of this phishing scam, a Hotmail user, login to your Hotmail account (in your browser), click on: Options (upper right area), then Junk Mail > Filters and Reporting > Choose a junk e-mail filter. Select either Low, Standard, or Exclusive and Save your choice. Next, choose when to delete junk e-mail. Last, choose whether to report junk mail to Hotmail, to help finetune their spam filters. Note, that your Hotmail login can also be your Windows Live ID, should you need one.

Always be suspicious of any email that tries to panic you into taking an action that is against common sense. Phishing scams are designed to cause panic and make victims respond before they have a chance to think about the claims made in that email scam. This is the same tactic used by high-pressure salesmen and telephone solicitors and scamsters. Always check with the website in question to see if they really did send such an email to their users. Always type the URL manually, or use a link saved in your bookmarks, from a previous successful login. Watch for HTTPS at the beginning of any URL leading to a bank or other secure login location (like Hotmail).

Updating Spybot Search and Destroy

Before you update Spybot Search and Destroy make sure you have the latest official version. Older versions are no longer supported and will cause you a lot of grief when you immunize and scan for problems. Only download Spybot S&D from the official website, at: spybot.info, or from its alternate domain: Safer-Networking.org. Fake versions with similar names will rip you off for payment to remove threats, whereas the real Spybot S&D is free (donations gladly accepted).

In case you are new to Spybot S&D, there are two ways to update the program and malware definitions. The preferred method (For Windows PCs) is to go to Start > (All) Programs > Spybot - Search & Destroy > Update Spybot - S&D. The independent update box will open. Leave the default options as is, unless you need all languages or want beta definitions, and click on "Search." Another box will open with "mirror" locations around the world where you can download updates. Select a location nearest to you from the list and click on "Continue." Make sure all updates are checked, then click on "Download." If all definitions are verified as being correct the check marks will disappear from the check boxes and be replaced with green arrow graphics. However, sometimes one or more mirror locations have not updated all of the definitions and you will get a red X for those definitions. Click on Go Back, select a different mirror, and try again. I have consistent success using Giganet or the Safer-Networking servers. When all updates have succeeded, click on "Exit."

Download links and more instructions about using Spybot Search and Destroy are in my article titled "How to use Spybot Search & Destroy to fight malware".

The description of the latest definition updates and false positive fixes are in my extended comments below.

Malware (Includes rogue or fake anti-virus and anti-spyware programs and fake registry cleaners and fake security alerts, plus other nasty programs)
+ Mirar
+ Win32.FraudLoad.edt
++ Win32.Perlovga.a

PUPS (Possibly UnPopular Software or Potentially Unwanted Program)
+ GameVance
+ OriginalSolitaire

Trojans (Trojans come to you disguised as something useful, or as a missing codec required to view a spammed video, but, like the Trojan Horse of antiquity, they hold dangerous contents that cause great harm! Many of these Trojans are Botnet infections, backdoors and Rootkits.)
+ Win32.Agent.ext
+ Win32.Agent.fbx
++ Win32.AutoRun.wqh
++ Win32.Buzus.aspx
++ Win32.Dontovo
+ Win32.FraudLoad.pd
+ Win32.Seneka.rtk
+ Win32.TDSS.clt
+ Win32.TDSS.dt
++ Win32.TDSS.reg
+ Win32.TDSS.rtk
+ Win32.ZBot

Total: 1436805 fingerprints in 491598 rules for 4715 products.

False positive detections reported or fixed this week:

Two confirmed false positives were reported and fixed since last week. They are as follows...

A confirmed false positive detection of "Win32.Agent.Bbzv" in the file: C:\Program Files\erunt\autoback.exe, has been fixed with the July 1 updates.

A confirmed false positive detection of "Win32.Agent.Bbzv" in both WordWeb Free and Pro (Wweb32.exe) versions was fixed today.

After you update definitions to fix false positives a restart of either TeaTimer or the Computer is required.

When TeaTimer blocks the file you can also allow the file to be executed (also remove the check mark for deletion). You can exclude any file from further detections during a scan by right clicking the items in the Spybot S&D scan result and select "exclude this detection from further searches"

False Positives are reported and discussed in the Spybot S&D False Positives Forum.

As mentioned earlier, links and more instructions about using the program, or reporting suspected false positives, are found in my article titled How to use Spybot Search & Destroy to fight malware.

The volume of spam coming to my various honeypots and user accounts has increased slightly this week. This indicates to me that some of the Botnets that lost their Control and Command servers following the forced shutdown of colocation host Pricewert have found other server hosts that allow illegal activities. Thus, sleeping zombie bots are awakening and spamming again.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. Most of the spam this week was for various fake pharmacies, which sell illicit and counterfeit pharmaceuticals like Viagra, weight loss scams and phishing scams.

See my extended comments for this week's breakdown of spam by category, for June 22 - 28, 2009 and the latest additions to my custom MailWasher Pro filters

Download MailWasher Pro Here

The latest weekly additions to my custom MailWasher Pro filters include updates to the Known Spam (in Body or From) and splitting it into two separate filters, Known Spam Domains, Known Spam Subjects #3, Male Enhancement [S], Viagra.com, Fake MSN Newsletters (Canadian Pharmacy), Canadian Pharmacy, Phishing and Weight Loss spam filters. Most of the known spam domains, Known Spam Subjects and Known Spam From/Body emails lead to bogus male enhancement solutions, like the fake Canadian Pharmacy sites, now hosted on Chinese domains and servers.

MailWasher Pro intercepts POP3 and IMAP email before you download it to your desktop email client (e.g: Microsoft Outlook, Outlook Express, Windows Live Mail) and scans it for threats or spam content, then either manually or automatically deletes any messages matching your pre-determined criteria and custom filters. It is my primary line of defense against incoming spam, scams, phishing and exploit attacks. If you are not already using this fine anti-spam tool I invite to to read about it on my MailWasher Pro web page. You can download the latest version and try it for free for a month. Registration is only required once, for the life of the program.

To protect your computer from web pages rigged with exploit codes, malware in email attachments, dangerous links to hostile web pages, JavaScript redirects, Phishing scams, or router DNS attack codes, I recommend Trend Micro Internet Security. It has strong realtime monitoring modules that stop rootkits and spam Trojans from installing themselves into your operating system. Also known as PC-cillin, it is very frequently updated as new and altered malware definitions become available and it checks for web based threats and new malware definitions by searching secure online servers owned by Trend Micro. This is referred to as "in-the-cloud" security.

All of the spam and scams targeting my accounts were either automatically deleted by my custom MailWasher Pro spam filters, or if they made it through, was reported to SpamCop, of which I am a reporting member, and manually deleted. MailWasher Pro is able to forward messages marked as spam to SpamCop, which then sends a confirmation email to you, containing a link. You must click on the enclosed reporting link and open it in your browser, then manually submit your report. This is how SpamCop wants it done.

Updating Spybot Search and Destroy

Before you update Spybot Search and Destroy make sure you have the latest official version. Older versions are no longer supported and will cause you a lot of grief when you immunize and scan for problems. Only download Spybot S&D from the official website, at: spybot.info, or from its alternate domain: Safer-Networking.org. Fake versions with similar names will rip you off for payment to remove threats, whereas the real Spybot S&D is free (donations gladly accepted).

In case you are new to Spybot S&D, there are two ways to update the program and malware definitions. The preferred method (For Windows PCs) is to go to Start > (All) Programs > Spybot - Search & Destroy > Update Spybot - S&D. The independent update box will open. Leave the default options as is, unless you need all languages or want beta definitions, and click on "Search." Another box will open with "mirror" locations around the world where you can download updates. Select a location nearest to you from the list and click on "Continue." Make sure all updates are checked, then click on "Download." If all definitions are verified as being correct the check marks will disappear from the check boxes and be replaced with green arrow graphics. However, sometimes one or more mirror locations have not updated all of the definitions and you will get a red X for those definitions. Click on Go Back, select a different mirror, and try again. I have consistent success using Giganet or the Safer-Networking servers. When all updates have succeeded, click on "Exit."

Download links and more instructions about using Spybot Search and Destroy are in my article titled "How to use Spybot Search & Destroy to fight malware".

The description of the latest definition updates and false positive fixes are in my extended comments below.

Total: 1435417 fingerprints in 491152 rules for 4706 products.

False positive detections reported or fixed this week:

Four (possible or confirmed) false positives were reported and are being/were discussed and investigated since last week. The are as follows...

A confirmed false positive detection of Virtumonde.sdn in files used in laptops, by the Lojack program was fixed in today's updates. Until the fix is applied you can exclude Lojack's repnet.dll and rpcnet.exe from the scan result by right clicking the items in the Spybot S&D scan result and select "exclude this detection from further searches"

A couple of users reported that hundreds of temporary Windows (Vista) Service Pack 2 files were being flagged as Virtumonde.sdn. The definitions released on June 24 fixed these false positives. Nonetheless, deleting those files caused no harm as they were temporary files left over after upgrading to the new service pack and are safe to delete ater rebooting from the upgrade.

One user has reported a possible False Positive detection of Win32.SharaQQ.30 in C:\WINDOWS\system32\SVKP.sys. Anti virus scans showed no problem with that file. Team Spybot has not responded as of the time of this posting.

A possible false positive of Win32.IRCBot.kow is under investigation as of tonight.

False Positives are reported and discussed in the Spybot S&D False Positives Forum.

As mentioned earlier, links and more instructions about using the program, or reporting suspected false positives, are found in my article titled How to use Spybot Search & Destroy to fight malware.

Updating Spybot Search and Destroy

Before you update Spybot Search and Destroy make sure you have the latest official version. Older versions are no longer supported and will cause you a lot of grief when you immunize and scan for problems. Only download Spybot S&D from the official website, at: spybot.info, or from its alternate domain: Safer-Networking.org. Fake versions with similar names will rip you off for payment to remove threats, whereas the real Spybot S&D is free (donations gladly accepted).

In case you are new to Spybot S&D, there are two ways to update the program and malware definitions. The preferred method (For Windows PCs) is to go to Start > (All) Programs > Spybot - Search & Destroy > Update Spybot - S&D. The independent update box will open. Leave the default options as is, unless you need all languages or want beta definitions, and click on "Search." Another box will open with "mirror" locations around the world where you can download updates. Select a location nearest to you from the list and click on "Continue." Make sure all updates are checked, then click on "Download." If all definitions are verified as being correct the check marks will disappear from the check boxes and be replaced with green arrow graphics. However, sometimes one or more mirror locations have not updated all of the definitions and you will get a red X for those definitions. Click on Go Back, select a different mirror, and try again. I have consistent success using Giganet or the Safer-Networking servers. When all updates have succeeded, click on "Exit."

Download links and more instructions about using Spybot Search and Destroy are in my article titled "How to use Spybot Search & Destroy to fight malware".

The description of the latest definition updates and false positive fixes are in my extended comments below.

Malware (Includes rogue or fake anti-virus and anti-spyware programs and fake registry cleaners and fake security alerts, plus other nasty programs)
+ AdDestination
+ Fraud.AntivirusDoktor
+ Fraud.AntivirusPlus
+ Fraud.MalwareDefender2009
+ Fraud.MSAntispyware2009
+ Fraud.PCCenter
+ Fraud.PersonalAntivirus
+ Fraud.ProAntispyware2009
+ Fraud.Sysguard
+ Fraud.SystemGuard2009
+ MalwareProtector2008

PUPS (Possibly UnPopular Software or Potentially Unwanted Program)
+ DAEMONToolsPro.Crack

Trojans (Trojans come to you disguised as something useful, or as a missing codec required to view a spammed video, but, like the Trojan Horse of antiquity, they hold dangerous contents that cause great harm! Many of these Trojans are Botnet infections, backdoors and Rootkits.)
+ Virtumonde.sci
+ Virtumonde.sdn
+ Win32.Agent.jjv
+ Win32.FraudLoad.ie
+ Win32.Hidrag.a
+ Win32.Rbot.gen
+ Win32.TDSS.pe
+ Win32.TDSS.rtk
+ Win32.VB.mqz
+ Win32.ZBot

Total: 1433053 fingerprints in 490325 rules for 4696 products.

False positive detections reported or fixed this week:

No false positives were reported since last week. This means that the Spybot S&D detections are becoming much more accurate! Just be sure you are always using the most recent version of the program.

As mentioned earlier, links and more instructions about using the program, or reporting suspected false positives, are found in my article titled How to use Spybot Search & Destroy to fight malware.

Spam, spam, spam, spam, spam, spam, spam (from the old Monty Python routine)! The volume of spam coming to my various honeypots and user accounts has held steady this week, still at a relatively low volume (some spammers do prune honeypot accounts from their lists). Some of this is also attributable to the forced closure of Pricewert, a spam-friendly hosting company, where Botnet command and control servers and malware hosting was carried out by its customers, with no action taken by the company to halt those activities.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. Much of the spam this week was for the fake pharmacies, which sell illicit and counterfeit pharmaceuticals, Nigerian 419 scams, fake Cialis and Viagra. Also, the volume of phishing scams targeting customers of various Australian banks and credit card holders remained in the running this week.

See my extended comments for this week's breakdown of spam by category, for June 8 - 14, 2009 and the latest additions to my custom MailWasher Pro filters

Download MailWasher Pro Here

MailWasher Pro intercepts POP3 and IMAP email before you download it to your desktop email client (e.g: Microsoft Outlook, Outlook Express, Windows Live Mail) and scans it for threats or spam content, then either manually or automatically deletes any messages matching your pre-determined criteria and custom filters. It is my primary line of defense against incoming spam, scams, phishing and exploit attacks. If you are not already using this fine anti-spam tool I invite to to read about it on my MailWasher Pro web page. You can download the latest version and try it for free for a month. Registration is only required once, for the life of the program.

To protect your computer from web pages rigged with exploit codes, malware in email attachments, dangerous links to hostile web pages, JavaScript redirects, Phishing scams, or router DNS attack codes, I recommend Trend Micro Internet Security. It has strong realtime monitoring modules that stop rootkits and spam Trojans from installing themselves into your operating system. Also known as PC-cillin, it is very frequently updated as new and altered malware definitions become available and it checks for web based threats and new malware definitions by searching secure online servers owned by Trend Micro. This is referred to as "in-the-cloud" security.

All of the spam and scams targeting my accounts were either automatically deleted by my custom MailWasher Pro spam filters, or if they made it through, was reported to SpamCop, of which I am a reporting member, and manually deleted. MailWasher Pro is able to forward messages marked as spam to SpamCop, which then sends a confirmation email to you, containing a link. You must click on the enclosed reporting link and open it in your browser, then manually submit your report. This is how SpamCop wants it done.

Spybot Search & Destroy (S&D), a product of Safer Networking Ltd., is a free ("donation-ware") security program that is used by millions of people to fight off spyware, keyloggers, Trojans, Botnet executables, adware, hostile domains, unwanted cookies and other types of malware in the wild. Being freeware it lacks some functions that are commonly implemented in commercial security programs. It has only manual updates, which are usually released once a week, on Wednesdays (see my regular weekly articles about new updates), and limited scanning presets. Most functions must be carried out manually, but hey, it's free! Despite these limitations Spybot S&D is a well respected and effective anti-malware tool to add to your arsenal.

Spybot Search and Destroy can be downloaded for free from either www.spybot.info, or from www.safer-networking.org, or several official mirror sites. Don't fall for fake versions distributed by rogue anti spyware websites. Approved download mirror sites are listed on the Spybot S&D downloads page.

Once downloaded you should install the program onto your hard drive. There are installation options to watch for and the options you select will affect the normal operation of the program, when launched. One of the installation options is for the "TeaTimer" module. This is a realtime monitoring component that sits in your System Tray and launches itself into action whenever a change is about to be made to the system, the Registry, or your browser's home or search page. The program pops up little balloon alerts asking if you want to allow or deny the changes, or even notifying you that a suspicious program file was terminated automatically. These balloon popups can be annoying at times, although you can tell TeaTimer to remember your decisions. Unfortunately, there have been several serious false positives reported in the Spybot forums concerning the TeaTimer module deleting harmless files necessary for the operation of other programs or Windows itself. Lately, these false positives are becoming fewer and further between. It is your choice whether you want to use the TeaTimer module. I would keep Windows System Restore turned ON in case TeaTimer renders an important program, or part of Windows itself unusable (use the "Last known good configuration" startup option).

No matter which options you choose to install the program with, always select the option to update the program immediately. You can select or deselect all options later on, using the Advanced Mode. Once installed and updated it is time to Immunize, then scan for threats. These steps are described in my extended comments, along with download and forum links and more instructions about using Spybot Search and Destroy.

Spybot S&D is updated once a week, on Wednesdays and you must download the updates manually. In case you are new to Spybot S&D, there are two ways to update the program and malware definitions. The preferred method (For Windows PCs) is to go to Start > (All) Programs > Spybot - Search & Destroy > Update Spybot - S&D. The independent update box will open. Leave the default options as is, unless you need all languages or want beta definitions, and click on "Search." Another box will open with "mirror" locations around the world where you can download updates. Select a location nearest to you from the list and click on "Continue." Make sure all updates are checked, then click on "Download." If all definitions are verified as being correct the check marks will disappear from the check boxes and be replaced with green arrow graphics. However, sometimes one or more mirror locations have not updated all of the definitions and you will get a red X for those definitions. Click on Go Back, select a different mirror, and try again.

The reason I recommend launching the Updater first and separately, is because sometimes it downloads program updates to the main Spybot interface. The program needs to be closed and restarted for those changes to take affect.

The other method is to launch Spybot S&D from a desktop icon and use the "Search For Updates" button on the main interface. This launches the separate Updater box described above, where you can choose your downlaod mirror and get the latest updates.

When all updates have completed successfully and have a green check mark next to them, click Exit to close the Updater. If you used the Update link from the program you can go on to the Immunize and Check for Problems steps. If you launched the Updater by itself, use your desktop link to launch the main program.

Immunizing and scanning with Spybot S&D

With the program updated it is time to open the main program interface, using either the Start Menu link, or a desktop icon, to launch Spybot Search and Destroy. The next item to take care of is to apply Immunization. Click on the Immunize button in the left sidebar, select everything you want, or uncheck things like cookies, or Hosts, or Domains, as you see fit, then click on Immunize button over the right panel, that has a green cross. Sometimes, Spybot immunizes against cookies and domains that you may actually want to visit. If you suddenly find you cannot login, or cookies are missing, you can undo the most recent Immunizations, then uncheck the desired items and re-immunize. Websites added to your Windows HOSTS file during immunization will be blocked completely, so you may need to edit that file in Notepad, saving as HOSTS, without any extension, or uncheck it from immunization if your preferred websites are blocked by Spybot S&D.

There is a button labeled "Undo" in the Immunization screen. It is used to remove Immunization from the selected items. It is also possible to undo the "fixing" of items during a scan for problems by using the "Recovery" button, in the left sidebar of the program interface. The Undo functions sometimes come in handy when a mistake has been made by the program (false positive or wanted item). Some programs are labeled as PUPS (Potentially Unpopular Programs), during a scan, but they may be useful to you. Uncheck them before Fixing Problems. You can highlight any entry in the Problems Found list and right click on it, then choose to Ignore it, or even exclude it from further detections.

After immunizing against unwanted items you should click on the Search & Destroy icon, on the left, then click "Check for problems," on the right side. It will take several minutes, or longer to scan all your files for known threats, and possible threats, using heuristics, unless you disable heuristics in the program's main Advanced Mode > Settings. When the scan completes anything listed in the definition databases will be listed in the results window, with check boxes in front of each main item group. If you find the program has listed some cookies or other programs you use and trust, uncheck them, click on the item name and the right click and select "Exclude this product from further searches." Finally, click on "Fix (selected) Problems."

Sometimes Spybot S&D cannot delete "problems" that are active in memory, or which are protected by rootkits. In these instances the program will ask you if you would like to have the program run automatically when you restart Windows. If you select Yes, then restart, Spybot will launch as you log into your user account in Windows and will perform a complete scan before allowing the desktop icons to load. During this time you cannot use the computer.

You can also reboot into Safe Mode, by restarting and tapping the F8 key, until a startup options menu appears. Choose Safe Mode, or Safe Mode With Networking if you need to download updates from there. Log into your user account, or the Administrator account, then scan for problems. Many types of malware will not startup in Safe Mode and many a good fight is won there.

Additional Information about Spybot S&D and links

Spybot Search and Destroy has always been and continues to be free (although they do accept donations from grateful users!). If you clicked on a download link that claimed to be for Spybot S&D and found that you were required to pay to use the program, you have been tricked. Get out of there right now and go to the real Spybot S&D website, then download the authentic version. If you installed a fake version you may be infected, so update the real one and scan for malware.

Spybot Search and Destroy 1.6.2 was released on January 26, 2009. This is probably going to be the last "maintenance release" before version 2.0 is released. It scans for threats about 4 times faster than previous versions and has an redesigned spyware removal engine. Upgrade now to Spybot S&D 1.6.2. The newest Virtumonde and Zlob threats require the anti malware engine in Spybot 1.6+ to effectively remove them. If you are using any version older than 1.6.2 you are strongly advised to uninstall it and install the newest version. It is advisable to undo all immunizations before uninstalling Spybot S&D, then redo them after updating signatures for the new version.

If you want to get direct assistance from Team Spybot, or their talented volunteers, visit the Spybot support forums, sign up for a user account and post your request for assistance. Be sure to read the rules before posting a question or reply.

If your computer is infected and you need help removing the threats, go to the Malware Removal Forums, at Safer Networking/Spybot.info. Again, read the rules before posting your request or logs! Do NOT inject your problem into somebody else's thread! Start a new topic.

About False Positives

If Spybot flags a file on your computer that you believe is a false positive detection, use caution and check with the Spybot False Positives Forum before allowing it to be deleted. You can submit a report to the Spybot False Positives forum, after signing up for an account and reading about how to report false positives before submitting your report and request for analysis.

Finally, if you have opted to use the Spybot "Tea Timer" realtime monitor, you need to know that it has been subject to a lot of false positives recently. Most have occurred since the Tea Timer module was recently updated to version 1.6.6, a few months ago. Check with the Spybot S&D False Positives Forum before allowing Tea Timer to permanently delete any files. Further, just in case, tell it to save the deleted files so you can restore them after obtaining definition updates. If you cannot wait for updates to be released tell Tea Timer to ignore the problem files, if they are known to be falsely flagged.

If you want to learn more about using the program, the complete Spybot S&D FAQ's are found here.

Updating Spybot Search and Destroy

Before you update Spybot Search and Destroy make sure you have the latest official version. Older versions are no longer supported and will cause you a lot of grief when you immunize and scan for problems. Only download Spybot S&D from the official website, at: spybot.info, or from its alternate domain: Safer-Networking.org. Fake versions with similar names will rip you off for payment to remove threats, whereas the real Spybot S&D is free (donations gladly accepted).

In case you are new to Spybot S&D, there are two ways to update the program and malware definitions. The preferred method (For Windows PCs) is to go to Start > (All) Programs > Spybot - Search & Destroy > Update Spybot - S&D. The independent update box will open. Leave the default options as is, unless you need all languages or want beta definitions, and click on "Search." Another box will open with "mirror" locations around the world where you can download updates. Select a location nearest to you from the list and click on "Continue." Make sure all updates are checked, then click on "Download." If all definitions are verified as being correct the check marks will disappear from the check boxes and be replaced with green arrow graphics. However, sometimes one or more mirror locations have not updated all of the definitions and you will get a red X for those definitions. Click on Go Back, select a different mirror, and try again. I have consistent success using Giganet or the Safer-Networking servers. When all updates have succeeded, click on "Exit."

Download links and more instructions about using Spybot Search and Destroy are in my article titled "How to use Spybot Search & Destroy to fight malware".

The description of the latest definition updates and false positive fixes are in my extended comments below.

Keyloggers
+ HellzLittleSpy

Malware (Includes rogue or fake anti-virus and anti-spyware programs and fake registry cleaners and fake security alerts, plus other nasty programs)
+ Fraud.AntivirusPlus
+ Fraud.MSAntispyware2009
+ Fraud.WinPCDefender
+ Win32.Agent.pn
+ Win32.OnLineGames.bklm
+ WinWebSecurity

Trojans (Trojans come to you disguised as something useful, or as a missing codec required to view a spammed video, but, like the Trojan Horse of antiquity, they hold dangerous contents that cause great harm! Many of these Trojans are Botnet infections, backdoors and Rootkits.)
+ Virtumonde.sci
+ Virtumonde.sdn
++ Win32.Delf.ma
++ Win32.Delf.pii
++ Win32.FraudLoad.pd
+ Win32.Rootkit.gen
+ Win32.TDSS.rtk

Total: 1423725 fingerprints in 486472 rules for 4688 products.

False positive detections reported or fixed this week:

The www.bit-world.eu Bookmark in Firefox was recognized as the "BitWorld" malware link. However, in this case it is an innocent German online shopping website that was flagged by mistake. The false positive was fixed with today's updates.

As mentioned earlier, links and more instructions about using the program, or reporting suspected false positives, are found in my article titled How to use Spybot Search & Destroy to fight malware.

Spam, spam, spam, spam, spam, spam, spam (from the old Monty Python routine)! The volume of spam coming to my various honeypots and user accounts has held steady this week, still at a relatively low volume (some spammers do prune honeypot accounts from their lists). The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. Much of the spam this week was for the fake pharmacies, which sell illicit and counterfeit pharmaceuticals, Nigerian 419 and lottery scams, Cialis and Viagra. Also, the volume of phishing scams targeting customers of various Australian banks and credit card holders remained steady this week.

See my extended comments for this week's breakdown of spam by category, for June 1 - 7, 2009 and the latest additions to my custom MailWasher Pro filters

Download MailWasher Pro Here

MailWasher Pro intercepts POP3 and IMAP email before you download it to your desktop email client (e.g: Microsoft Outlook, Outlook Express, Windows Live Mail) and scans it for threats or spam content, then either manually or automatically deletes any messages matching your pre-determined criteria and custom filters. It is my primary line of defense against incoming spam, scams, phishing and exploit attacks. If you are not already using this fine anti-spam tool I invite to to read about it on my MailWasher Pro web page. You can download the latest version and try it for free for a month. Registration is only required once, for the life of the program.

To protect your computer from web pages rigged with exploit codes, malware in email attachments, dangerous links to hostile web pages, JavaScript redirects, Phishing scams, or router DNS attack codes, I recommend Trend Micro Internet Security. It has strong realtime monitoring modules that stop rootkits and spam Trojans from installing themselves into your operating system. Also known as PC-cillin, it is very frequently updated as new and altered malware definitions become available and it checks for web based threats and new malware definitions by searching secure online servers owned by Trend Micro. This is referred to as "in-the-cloud" security.

All of the spam and scams targeting my accounts were either automatically deleted by my custom MailWasher Pro spam filters, or if they made it through, was reported to SpamCop, of which I am a reporting member, and manually deleted. MailWasher Pro is able to forward messages marked as spam to SpamCop, which then sends a confirmation email to you, containing a link. You must click on the enclosed reporting link and open it in your browser, then manually submit your report. This is how SpamCop wants it done.

Updating Spybot Search and Destroy

Before you update Spybot Search and Destroy make sure you have the latest official version. Older versions are no longer supported and will cause you a lot of grief when you immunize and scan for problems. Only download Spybot S&D from the official website, at: spybot.info, or from its alternate domain: Safer-Networking.org. Fake versions with similar names will rip you off for payment to remove threats, whereas the real Spybot S&D is free (donations gladly accepted).

In case you are new to Spybot S&D, there are two ways to update the program and malware definitions. The preferred method (For Windows PCs) is to go to Start > (All) Programs > Spybot - Search & Destroy > Update Spybot - S&D. The independent update box will open. Leave the default options as is, unless you need all languages or want beta definitions, and click on "Search." Another box will open with "mirror" locations around the world where you can download updates. Select a location nearest to you from the list and click on "Continue." Make sure all updates are checked, then click on "Download." If all definitions are verified as being correct the check marks will disappear from the check boxes and be replaced with green arrow graphics. However, sometimes one or more mirror locations have not updated all of the definitions and you will get a red X for those definitions. Click on Go Back, select a different mirror, and try again. I have consistent success using Giganet or the Safer-Networking servers. When all updates have succeeded, click on "Exit."

Download links and more instructions about using Spybot Search and Destroy are in my extended comments, along with the description of the latest definition updates and false positive fixes.

With the program updated it is time to open the main program interface, using either the Start Menu link, or a desktop icon, to launch Spybot Search and Destroy. The next item to take care of is to apply Immunization. Click on the Immunize button in the left sidebar, select everything you want, or uncheck things like cookies, or Hosts, or Domains, as you see fit, then click on Immunize button over the right panel, that has a green cross. Sometimes, Spybot immunizes against cookies and domains that you may actually want to visit. If you suddenly find you cannot login, or cookies are missing, you can undo the most recent Immunizations, then uncheck the desired items and re-immunize. Websites added to your Windows HOSTS file during immunization will be blocked completely, so you may need to edit that file in Notepad, saving as HOSTS, without any extension, or uncheck it from immunization if your preferred websites are blocked by Spybot S&D.

After immunizing against unwanted items you should click on the Search & Destroy icon, on the left, then click "Check for problems," on the right side. It will take several minutes, or longer to scan all your files for known threats, and possible threats, using heuristics, unless you disable heuristics in the program's main Advanced Mode > Settings. When the scan completes anything listed in the definition databases will be listed in the results window, with check boxes in front of each main item group. If you find the program has listed some cookies or other programs you use and trust, uncheck them, click on the item name and the right click and select "Exclude this product from further searches." Finally, click on "Fix (selected) Problems."

If you want to learn more about using the program, the complete Spybot S&D FAQ's are found here.

Additions to malware definitions made on June 3, 2009:

Malware (Includes rogue or fake anti-virus and anti-spyware programs and fake registry cleaners and fake security alerts, plus other nasty programs)
+ Fraud.PCCenter
+ Fraud.WinPCDefender
++ Win32.DsBot.ua
++ Win32.Kolab.cpx

Trojans (Trojans come to you disguised as something useful, or as a missing codec required to view a spammed video, but, like the Trojan Horse of antiquity, they hold dangerous contents that cause great harm! Many of these Trojans are Botnet infections, backdoors and Rootkits.)
+ Bifrost.LA
++ SysM.wsk
+ Vanbot
+ Virtumonde.sci
+ Virtumonde.sdn
++ Win32.BHO.ext
++ Win32.Delf.ajg
++ Win32.FraudLoad.ie
++ Win32.fx.wta
++ Win32.Inpl.sr
+ Win32.Joleee.K
++ Win32.Kolab.cqe
++ Win32.Machbot
++ Win32.Renos.ik
+ Win32.Rootkit.gen
+ Win32.TDSS.rtk
++ Win32.TLoaderBHO
+ Win32.ZBot

Total: 1422161 fingerprints in 486171 rules for 4690 products.

False positive detections reported or fixed this week:

Over the course of the last month or so several users of Spybot S&D reported that scan results were showing all of their Firefox Bookmarks as threats, with check marks to delete them when Fix Problems is clicked. Some of these users allowed this to happen, only to find that their bookmarks were gone and that these turned out to be false positives (already fixed). If this happened to you there is a way you can recover your lost Firefox Bookmarks. Proceed as follows...

Check your Firefox profile folder by using the Run command (Windows Key + R) to navigate to: %AppData%\Mozilla\Firefox\Profiles\

This Mozilla article may help you with importing them back into Firefox.

Additional Information about Spybot S&D and links

Spybot Search and Destroy has always been and continues to be free (although they do accept donations from grateful users!). If you clicked on a download link that claimed to be for Spybot S&D and found that you were required to pay to use the program, you have been tricked. Get out of there right now and go to the real Spybot S&D website, then download the authentic version. If you installed a fake version you may be infected, so update the real one and scan for malware.

Spybot Search and Destroy 1.6.2 was released on January 26, 2009. This is probably going to be the last "maintenance release" before version 2.0 is released. It scans for threats about 4 times faster than previous versions and has an redesigned spyware removal engine. Upgrade now to Spybot S&D 1.6.2. The newest Virtumonde and Zlob threats require the anti malware engine in Spybot 1.6+ to effectively remove them. If you are using any version older than 1.6.2 you are strongly advised to uninstall it and install the newest version. It is advisable to undo all immunizations before uninstalling Spybot S&D, then redo them after updating signatures for the new version.

If you want to get direct assistance from Team Spybot, or their talented volunteers, visit the Spybot support forums, sign up for a user account and post your request for assistance. Be sure to read the rules before posting a question or reply.

If your computer is infected and you need help removing the threats, go to the Malware Removal Forums, at Safer Networking/Spybot.info. Again, read the rules before posting your request or logs! Do NOT inject your problem into somebody else's thread! Start a new topic.

About False Positives

If Spybot flags a file on your computer that you believe is a false positive detection, use caution and check with the Spybot False Positives Forum before allowing it to be deleted. You can submit a report to the Spybot False Positives forum, after signing up for an account and reading about how to report false positives before submitting your report and request for analysis.

Finally, if you have opted to use the Spybot "Tea Timer" realtime monitor, you need to know that it has been subject to a lot of false positives recently. Most have occurred since the Tea Timer module was recently updated to version 1.6.6, a few months ago. Check with the Spybot S&D False Positives Forum before allowing Tea Timer to permanently delete any files. Further, just in case, tell it to save the deleted files so you can restore them after obtaining definition updates. If you cannot wait for updates to be released tell Tea Timer to ignore the problem files, if they are known to be falsely flagged.

The volume of spam coming to my various honeypots and user accounts has been steadily increasing over the past month. This is due to the activity of various wounded spam Botnets coming back to life (after the takedown of McColo), or new ones like the Russian Cutwail Botnet, being pressed into service. The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. Much of the spam this week was for the fake Canadian Pharmacy, which sells illicit and counterfeit pharmaceuticals, Nigerian 419 scams, fake watches and Viagra, "stud" tips and male enhancement scams (same websites). I also saw an increase in Australian banking phishing scams this week.

See my extended comments for this week's breakdown of spam by category, for May 25 - 31, 2009 and the latest additions to my custom MailWasher Pro filters

Download MailWasher Pro Here

MailWasher Pro intercepts POP3 and IMAP email before you download it to your desktop email client (e.g: Microsoft Outlook, Outlook Express, Windows Live Mail) and scans it for threats or spam content, then either manually or automatically deletes any messages matching your pre-determined criteria and custom filters. It is my primary line of defense against incoming spam, scams, phishing and exploit attacks. If you are not already using this fine anti-spam tool I invite to to read about it on my MailWasher Pro web page. You can download the latest version and try it for free for a month. Registration is only required once, for the life of the program.

To protect your computer from web pages rigged with exploit codes, malware in email attachments, dangerous links to hostile web pages, JavaScript redirects, Phishing scams, or router DNS attack codes, I recommend Trend Micro Internet Security. It has strong realtime monitoring modules that stop rootkits and spam Trojans from installing themselves into your operating system. Also known as PC-cillin, it is very frequently updated as new and altered malware definitions become available and it checks for web based threats and new malware definitions by searching secure online servers owned by Trend Micro. This is referred to as "in-the-cloud" security.

All of the spam and scams targeting my accounts were either automatically deleted by my custom MailWasher Pro spam filters, or if they made it through, was reported to SpamCop, of which I am a reporting member, and manually deleted. MailWasher Pro is able to forward messages marked as spam to SpamCop, which then sends a confirmation email to you, containing a link. You must click on the enclosed reporting link and open it in your browser, then manually submit your report. This is how SpamCop wants it done.

Updating Spybot Search and Destroy

In case you are new to Spybot S&D, there are two ways to update the program and malware definitions. The preferred method (For Windows PCs) is to go to Start > (All) Programs > Spybot - Search & Destroy > Update Spybot - S&D. The independent update box will open. Leave the default options as is, unless you need all languages or want beta definitions, and click on "Search." Another box will open with "mirror" locations around the world where you can download updates. Select a location nearest to you from the list and click on "Continue." Make sure all updates are checked, then click on "Download." If all definitions are verified as being correct the check marks will disappear from the check boxes and be replaced with green arrow graphics. However, sometimes one or more mirror locations have not updated all of the definitions and you will get a red X for those definitions. Click on Go Back, select a different mirror, and try again. I have consistent success using Giganet or the Safer-Networking servers. When all updates have succeeded, click on "Exit."

Download links and more instructions about using Spybot Search and Destroy are in my extended comments, along with the description of the latest definition updates and false positive fixes.

With the program updated it is time to open the main program interface, using either the Start Menu link, or a desktop icon, to launch Spybot Search and Destroy. The next item to take care of is to apply Immunization. Click on the Immunize button in the left sidebar, select everything you want, or uncheck things like cookies, or Hosts, or Domains, as you see fit, then click on Immunize button over the right panel, that has a green cross. Sometimes, Spybot immunizes against cookies and domains that you may actually want to visit. If you suddenly find you cannot login, or cookies are missing, you can undo the most recent Immunizations, then uncheck the desired items and re-immunize. Websites added to your Windows HOSTS file during immunization will be blocked completely, so you may need to edit that file in Notepad, saving as HOSTS, without any extension, or uncheck it from immunization if your preferred websites are blocked by Spybot S&D.

After immunizing against unwanted items you should click on the Search & Destroy icon, on the left, then click "Check for problems," on the right side. It will take several minutes, or longer to scan all your files for known threats, and possible threats, using heuristics, unless you disable heuristics in the program's main Advanced Mode > Settings. When the scan completes anything listed in the definition databases will be listed in the results window, with check boxes in front of each main item group. If you find the program has listed some cookies or other programs you use and trust, uncheck them, click on the item name and the right click and select "Exclude this product from further searches." Finally, click on "Fix (selected) Problems."

If you want to learn more about using the program, the complete Spybot S&D FAQ's are found here.

Additions to malware definitions made on May 27, 2009:

Adware
+ Netpumper
+ WhenU.Search.BrowserToolbar

Malware (Includes rogue or fake anti-virus and anti-spyware programs and fake registry cleaners and fake security alerts, plus other nasty programs)
+ SpywareCease (fake anti spyware scanner)

Trojans (Trojans come to you disguised as something useful, or as a missing codec required to view a spammed video, but, like the Trojan Horse of antiquity, they hold dangerous contents that cause great harm! Many of these Trojans are Botnet infections, backdoors and Rootkits.)
++ MSMcr.cn
++ PanWeiIPR.cn
+ Virtumonde.sci
+ Virtumonde.sdn
++ Win32.Agent.bleh
++ Win32.AutoRun.aho
+ Win32.Poison.pg
+ Win32.Rootkit.gen
++ Win32.Small.fpc
+ Win32.TDSS.clt
+ Win32.TDSS.gen
+ Win32.TDSS.rtk

Total: 1420974 fingerprints in 485874 rules for 4676 products.

False positive detections reported or fixed this week:

PerfectUninstaller was detected as PUPS, but was supposed to be removed from detection with the update 2009-05-20 after the vendor removed the changes PerfectUninstaller made to the visibility of hidden files. It was removed from detection with the May 27 detection update.

Additional Information about Spybot S&D and links

Spybot Search and Destroy has always been and continues to be free (although they do accept donations from grateful users!). If you clicked on a download link that claimed to be for Spybot S&D and found that you were required to pay to use the program, you have been tricked. Get out of there right now and go to the real Spybot S&D website, then download the authentic version. If you installed a fake version you may be infected, so update the real one and scan for malware.

Spybot Search and Destroy 1.6.2 was released on January 26, 2009. This is probably going to be the last "maintenance release" before version 2.0 is released. It scans for threats about 4 times faster than previous versions and has an redesigned spyware removal engine. Upgrade now to Spybot S&D 1.6.2. The newest Virtumonde and Zlob threats require the anti malware engine in Spybot 1.6+ to effectively remove them. If you are using any version older than 1.6.2 you are strongly advised to uninstall it and install the newest version. It is advisable to undo all immunizations before uninstalling Spybot S&D, then redo them after updating signatures for the new version.

If you want to get direct assistance from Team Spybot, or their talented volunteers, visit the Spybot support forums, sign up for a user account and post your request for assistance. Be sure to read the rules before posting a question or reply.

If your computer is infected and you need help removing the threats, go to the Malware Removal Forums, at Safer Networking/Spybot.info. Again, read the rules before posting your request or logs! Do NOT inject your problem into somebody else's thread! Start a new topic.

If Spybot flags a file on your computer that you believe is a false positive detection, use caution and check with the Spybot False Positives Forum before allowing it to be deleted. You can submit a report to the Spybot False Positives forum, after signing up for an account and reading about how to report false positives before submitting your report and request for analysis.

Finally, if you have opted to use the Spybot "Tea Timer" realtime monitor, you need to know that it has been subject to a lot of false positives recently. Most have occurred since the Tea Timer module was recently updated to version 1.6.6, a few months ago. Check with the Spybot S&D False Positives Forum before allowing Tea Timer to permanently delete any files. Further, just in case, tell it to save the deleted files so you can restore them after obtaining definition updates. If you cannot wait for updates to be released tell Tea Timer to ignore the problem files, if they are known to be falsely flagged.