Malware writers are constantly modifying their programs to evade detection, so anti-malware vendors have to issue regular updates to keep up with the bad guys. New definitions and false positive fixes for Spybot Search and Destroy are usually released every Wednesday. This week's updates were released on schedule, as listed below. 11 new or modified fake security programs (fraudulent anti virus/spyware) were added to the "Malware" detections, plus 29 new or modified Trojans, rootkits and spam bots were added to the "Trojan" list. These include 2 variants of the infamous Zbot, a.k.a Zeus, banking Trojan.

Note: one + sign before a detection indicates an update to an existing malware family for which previous definitions have been released. Two ++ signs indicate a completely new detection of a new or rewritten malware type.

Definition updates made on 03/17/2010

Adware
++ Ulineguide

Malware
++ Fraud.Antivirus7
++ Fraud.CleanUpAntivirus
++ Fraud.ContentCleaner
++ Fraud.ErrorWiz
++ Fraud.MyComGuard
+ Fraud.MySecurityWall
+ Fraud.PCSecurity2009
++ Fraud.PrivacyOn
++ Fraud.SmartSecurity
+ Fraud.Sysguard
++ Fraud.XPInternetSecurity2010
+ Lop
++ Win32.Downloader.aafm
+ Win32.FraudLoad.edt

Spyware
+ AdRotator
+ Win32.Spynet.a

Trojans
+ Virtumonde.sci
+ Virtumonde.sdn
++ Win32.Agent.ddod
++ Win32.Agent.fla
++ Win32.Agent.shi
+ Win32.Allaple.ab
+ Win32.Ambler
++ Win32.AutoRun.fw
++ Win32.Banker.ju
+ Win32.Banload.up
++ Win32.Clicker.ad
+ Win32.FakeAlert.ttam
+ Win32.FraudPack
++ Win32.IRCBot.sys
+ Win32.Koobface
+ Win32.OnLineGames.down
++ Win32.OnLineGames.mfbh
++ Win32.OnLineGames.mfeg
++ Win32.OnLineGames.mffa
++ Win32.OnLineGames.mffh
++ Win32.OnLineGames.mfgr
++ Win32.Rbot.mum
++ Win32.SdBot.wch
+ Win32.Swisyn
+ Win32.TDSS.rtk (rootkit)
+ Win32.ZBot (a.k.a.: Zeus)
+ Win32.ZBot.rtk (Zeus rootkit)
++ XPInternetSecurity2010.FakeAlert
+ Zlob.PornPassManager

Worm
+ Win32.Amburadul

Total: 2161084 checksums in 812212 rules for 5267 products.

I like Twitter because of its limitations. One is only allowed to post messages, known as Tweets, of no more than 140 characters. This includes spaces and punctuation marks. You really have to be able to think small to say anything meaningful in no more than 140 keystrokes. Try to add a hyperlink and you can easily go over the limit. Twitter just cuts off anything past the 140th character and posts the first 140 key strokes.

Twitter Tweets can be placed from computers, or cellphones equipped with web access plans and mobile web browsers, or email readers. Tweets are done in text only, with no graphics other than the author's uploaded photo (for now). They post fast and display fast, on computer monitors and cellphones alike. Some cellphones let their users set a special ringtone for incoming text messages, or email notices about new Twitter messages and followers.

I have taken a liking to Tweeting, because it makes me think small. I tend to ramble on in some of my blog postings, giving you all as much information as possible, as though I'm getting paid for my thoughts. I wish! I make squat from this blog! Still, I publish my alerts, reports and updates about spam and malware issues and solutions, in the hopes that they will help some of you avoid falling victim to the scams and attacks launched against you in spam emails, browser and plug-in vulnerability attacks and attacks on your shared hosting websites or dedicated servers.

While my blog articles are like short novels in some cases, Twitter Tweets are like news bulletins over a wire service. They're like telegrams, START using few wrds to imprt important msgs, w/abbreviations everywhere STOP. After joining Twitter I discovered that they offer website "widgets" to display one's public Tweets on a web page. If you look at the right sidebar of this blog you will find my Twitter Widget. It contains a lot of my Tweets and a scrollbar on the right edge, to scroll through them. I am using this widget and my 140 maximum character posts to get information out to you, in the most concise and reduced fashion. Please take a few minutes to read these Tweets before you move on to other places. You may find something of great importance to you.

Many of my Tweets contain links to full articles; some posted here, some elsewhere. I shorten the links using TinyUrl, or place them in plain text. There are no hostile links in my Tweets. Some lead to articles I have previously posted on my blog over the past several years. Using a link in a Tweet to a blog article I posted three years ago will save you a lot of time searching for it by keywords (in my blog's search box).

Most of my Tweets are currently dealing with malware threats, vulnerability alerts, Botnet activity, spam issues and some SEO matters. I hope you find them useful. If you are a member of Twitter you can "follow" me and get my Tweets in your Twitter account, in the "Home" section. Twitter members can also reply to my posts, or re-tweet them. All I ask is if you quote me, do it accurately, not out of context.

You will also see me replying to, or referring to others in the security or SEO fields. Use the links in my posts to their Twitter profiles to see their posts and follow them also. There are some major players in these groups and more coming in all the time. It's helps us all to coordinate our findings and research, on a small scale per Tweet.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam either manually or automatically when a user-defined filter, or the built-in learning filter, or a blacklist entry, or known spam source is matched, or an attached virus is detected.

Spam levels have increased 5% this week from last week's level. Fluctuations in spam levels sometimes are seasonal, or may be due to problems or successes Bot-masters have with maintaining the command and control (C&C) servers used to reactivate sleeping zombie computers in their spam Botnets. Or, these changes in spam levels may be caused when large numbers of zombie computers are disinfected, or taken offline by the ISPs who provide Internet connectivity to them. In case you didn't already know this, almost all spam is now sent from "zombie" computers in spam Botnets, unbeknownst to the owners of those infected PCs.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. This past week again saw a typical variety of categories of spam, led by counterfeit Viagra and other illicit prescription drugs, sold unlawfully without a real prescription. Other measurable categories of spam included counterfeit watches and other goods, fake diplomas, pirated software, and Russian dating scams.

My updated blacklisted senders list proved effective this week, auto-deleting almost 10% of all incoming spam (see my extended content for details). I saw another increase in the number of emails forging my own accounts as the senders. This illegal practice is known as a "Joe Job" and it is used to slip spam past our filters. Joe Jobs depend on people whitelisting their own accounts and domains.

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets and all email sender addresses are forged, there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job." Fortunately, MailWasher Pro has a custom filter option that overrides the "Friends" list (a Whitelist of approved senders), allowing user created spam filters to read the content and flag or auto delete spam that's using one's own accounts as the forged sender.

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for March 8 - 14, 2010, and the latest additions to my custom MailWasher Pro filters and Blacklist.

Malware writers are constantly modifying their programs to evade detection, so anti-malware vendors have to issue regular updates to keep up with the bad guys. New definitions and false positive fixes for Spybot Search and Destroy are usually released every Wednesday. The last two week's updates were released on schedule on March 10, 2010, as listed below. 12 new or modified fake security programs (fraudulent anti virus/spyware), and other malware downloads, were added to the "Malware" detections, plus 25 new or modified Trojans, rootkits and spam bots were added to the "Trojan" list.

Note: one + sign before a detection indicates an update to an existing malware family for which previous definitions have been released. Two ++ signs indicate a completely new detection of a new or rewritten malware type.

Additions made on 03/10/2010

Adware
++ CNNIC.Searchbar

Dialer
++ Microflat

Malware
++ Fraud.ControlManager
++ Fraud.DrGuard
+ Fraud.MalwareDefender2009
++ Fraud.MySecurityWall
+ Fraud.PersonalSecurity
++ Fraud.PrivacyControl
++ Fraud.SpyTechSpyAgent
++ Fraud.WindowsAntivirus
++ Fraud.WindowsSecurityCenter
++ Fraud.XPMicroAntivirus
++ Win32.Agent.be
+ Win32.FraudLoad

Security Vulnerabilities
+ Microsoft.Windows.RedirectedHosts

Trojan
+ Fraud.avi
+ Virtumonde.sci
+ Virtumonde.sdn
++ Win32.Agent.exp
++ Win32.Agent.jar
++ Win32.Agent.wio
++ Win32.Agent.wss
++ Win32.AutoRun.wu
++ Win32.Banload.up
++ Win32.Clicker.afo
++ Win32.Clicker.nqe
++ Win32.FakeAV.cn
+ Win32.FraudLoad.edt
+ Win32.FraudPack
+ Win32.Koobface
+ Win32.OnLineGames.mffm
++ Win32.OnLineGames.uedm
++ Win32.OnLineGames.uhbq
++ Win32.OnLineGames.uhgi
++ Win32.OnLineGames.uhmm
++ Win32.OnLineGames.uhvx
++ Win32.OnLineGames.uiwu
++ Win32.OnLineGames.uvmc
++ Win32.Swisyn
+ Win32.ZBot

Worm
+ Win32.Amburadul
++ Win32.Bzub.buz

Spybot S&D currently has 2153272 fingerprints in 809913 rules for 5228 products.

False Positives Reported This Past Week

One possible false positive was reported for this week, as of the time this article was published.

1: Possible false positive detection of "AzeSearch" in Microsoft Security Essentials. This is being investigated, in German. I will translate the results next week.

For details about how to apply updates correctly and download links for Spybot Search & Destroy, please read my extended content.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam either manually or automatically when a user-defined filter, or the built-in learning filter, or a blacklist entry, or known spam source is matched, or an attached virus is detected.

Spam levels have decreased 2% this week from last week's level. Fluctuations in spam levels sometimes are seasonal, or may be due to problems or successes Bot-masters have with maintaining the command and control (C&C) servers used to reactivate sleeping zombie computers in their spam Botnets. Or, these changes in spam levels may be caused when large numbers of zombie computers are disinfected, or taken offline by the ISPs who provide Internet connectivity to them. In case you didn't already know this, almost all spam is now sent from "zombie" computers in spam Botnets, unbeknownst to the owners of those infected PCs.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. This past week again saw a typical variety of categories of spam, including a lot of spam for counterfeit watches and phones, illicit prescription drugs, fake Viagra, Canadian Pharmacy scams, pirated software, dating scams, and fake diplomas.

My updated blacklisted senders list proved less effective this week, auto-deleting only 4% of all incoming spam (see my extended content for details). The decline in blacklisted matches is the result of spammers changing their tactics from previous weeks. In fact, I saw a giant increase in the number of emails forging my own accounts as the senders. This illegal practice is known as a "Joe Job" and it is used to slip spam past our filters. Joe Jobs depend on people whitelisting their own accounts and domains.

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets and all email sender addresses are forged, there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job." Fortunately, MailWasher Pro has a custom filter option that overrides the "Friends" list (a Whitelist of approved senders), allowing user created spam filters to read the content and flag or auto delete spam that's using one's own accounts as the forged sender.

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for March 1 - 7, 2010, and the latest additions to my custom MailWasher Pro filters and Blacklist.

Malware writers are constantly modifying their programs to evade detection, so anti-malware vendors have to issue regular updates to keep up with the bad guys. New definitions and false positive fixes for Spybot Search and Destroy are usually released every Wednesday. The last two week's updates were released on schedule on March 3, 2010, as listed below. 7 new or modified fake security programs (fraudulent anti virus/spyware), and other malware downloads, were added to the "Malware" detections, plus 19 new or modified Trojans, rootkits and spam bots were added to the "Trojan" list.

Note: one + sign before a detection indicates an update to an existing malware family for which previous definitions have been released. Two ++ signs indicate a completely new detection of a new or rewritten malware type.

Additions made on 03/03/2010

Adware
++ WebPerform

Malware
+ Fraud.AntivirusPro2010
+ Fraud.VolcanoSecuritySuite
+ Lop
++ Municheventos
+ Win32.Bifrost
+ Win32.FraudLoad.edt
++ Win32.Philis

Pups (Potentially Unwanted Software)
+ Live-Player

Security Vulnerabilities
+ Microsoft.Windows.RedirectedHosts

Spyware
+ AdRotator
+ Win32.Spynet.a

Trojan
+ Virtumonde.dll
+ Virtumonde.sci
+ Virtumonde.sdn
++ Win32.Agent.mpc
+ Win32.Agent.sys
+ Win32.Allaple.ab
+ Win32.Autorun.mbzt
++ Win32.OnLineGames.mfen
++ Win32.OnLineGames.mfes
++ Win32.OnLineGames.mffd
+ Win32.OnLineGames.mffm
++ Win32.OnLineGames.mfjj
++ Win32.OnLineGames.mfqj
++ Win32.OnLineGames.utza
++ Win32.OnLineGames.uvij
++ Win32.OnLineGames.uxkq
+ Win32.TDSS.vot
+ Win32.ZBot
+ Zlob.Downloader

Spybot S&D currently has 2128838 fingerprints in 801788 rules for 5266 products.

False Positives Reported This Past Week

Thus-far, no false positives were confirmed for this week, as of the time this article was published.

For details about how to apply updates correctly and download links for Spybot Search & Destroy, please read my extended content.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam either manually or automatically when a user-defined filter, or the built-in learning filter, or a blacklist entry, or known spam source is matched, or an attached virus is detected.

Spam levels have decreased 5% this week from last week's level. Fluctuations in spam levels sometimes are seasonal, or may be due to problems or successes Bot-masters have with maintaining the command and control (C&C) servers used to reactivate sleeping zombie computers in their spam Botnets. Or, these changes in spam levels may be caused when large numbers of zombie computers are disinfected, or taken offline by the ISPs who provide Internet connectivity to them. In case you didn't already know this, almost all spam is now sent from "zombie" computers in spam Botnets, unbeknown to the owners of those infected PCs.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. This past week again saw a typical variety of categories of spam, including a lot of spam for counterfeit watches, illicit drugs, fake Viagra, Canadian Pharmacy scams, pirated software, casinos and fake diplomas. My updated blacklisted senders list proved effective again this week, auto-deleting over 9% of all incoming spam (see my extended content for details).

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets and all email sender addresses are forged, there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job."

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for Feb Feb 22 - 28, 2010, and the latest additions to my custom MailWasher Pro filters and Blacklist.

Malware writers are constantly modifying their programs to evade detection, so anti-malware vendors have to issue regular updates to keep up with the bad guys. New definitions and false positive fixes for Spybot Search and Destroy are usually released every Wednesday. The last two week's updates were released on schedule on February 24, 2010, as listed below. 7 new or modified fake security programs (fraudulent anti virus/spyware), and other malware downloads, were added to the "Malware" detections, plus 20 new or modified Trojans, rootkits and spam bots were added to the "Trojan" list.

Note: one + sign before a detection indicates an update to an existing malware family for which previous definitions have been released. Two ++ signs indicate a completely new detection of a new or rewritten malware type.

Additions made on 02/24/2010

Adware
+ MeMedia.AdVantage
++ YourSiteBar

Malware
++ Fraud.AntimalwareDoctor
++ Fraud.PCDefender
++ Fraud.PersonalAntiMalwareCenter
++ Fraud.SecureEssentials2010
+ Fraud.Sysguard
+ Lop
+ Win32.Virut.ag

Security Vulnerabilities
+ Microsoft.Windows.RedirectedHosts

Spyware
+ Win32.Spynet.a

Trojan
++ Bredolab.fb
++ Fraud.avi
+ Virtumonde.dll
+ Virtumonde.sci
+ Virtumonde.sdn
++ Win32.Agent.nb
+ Win32.Agent.xwr
+ Win32.Autorun.mbzt
+ Win32.Bifrost
+ Win32.CeeInject
+ Win32.FakeAlert.ttam
++ Win32.OnLineGames.bkrn
++ Win32.OnLineGames.uiwr
++ Win32.OnLineGames.ussu
++ Win32.Prolaco.p
+ Win32.TDSS.reg
+ Win32.TDSS.rtk
++ Win32.vbs
+ Win32.ZBot
+ Win32.ZBot.rtk

Spybot S&D currently has 2111918 fingerprints in 796159 rules for 5250 products.

False Positives Reported This Past Week

Thus-far, no false positives were confirmed for this week, as of the time this article was published.

For details about how to apply updates correctly and download links for Spybot Search & Destroy, please read my extended content.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam either manually or automatically when a user-defined filter, or the built-in learning filter, or a blacklist entry, or known spam source is matched, or an attached virus is detected.

Spam levels have increased 5% this week from last week's level. Fluctuations in spam levels sometimes are seasonal, or may be due to problems or successes Bot-masters have with maintaining the command and control (C&C) servers used to reactivate sleeping zombie computers in their spam Botnets. Or, these changes in spam levels may be caused when large numbers of zombie computers are disinfected, or taken offline by the ISPs who provide Internet connectivity to them. In case you didn't already know this, almost all spam is now sent from "zombie" computers in spam Botnets, unbeknown to the owners of those infected PCs.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. This past week again saw a typical variety of categories of spam, including a lot of spam for counterfeit watches and phones, illicit drugs, fake Viagra, Russian dating scams, pirated software, casinos and fake diplomas. My updated blacklisted senders list proved extremely effective again this week, auto-deleting over 16% of all incoming spam (see my extended content for details).

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets and all email sender addresses are forged, there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job."

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for Feb 15 - 21, 2010, and the latest additions to my custom MailWasher Pro filters and Blacklist.

Malware writers are constantly modifying their programs to evade detection, so anti-malware vendors have to issue regular updates to keep up with the bad guys. New definitions and false positive fixes for Spybot Search and Destroy are usually released every Wednesday. The last two week's updates were released on schedule on February 17, 2010, as listed below. 16 new or modified fake security programs (fraudulent anti virus/spyware), and other malware downloads, were added to the "Malware" detections, plus 18 new or modified Trojans, rootkits and spam bots were added to the "Trojan" list. One updated Internet Worm detection was also added this week.

Additions made on 02/17/2010

Adware
++ DonkeyToolbar

Malware
+ AdRotator
+ Fake.SpywareRemover
++ Fraud.AdvancedDefender
++ Fraud.GuardWWW
+ Fraud.MalwareDefense
++ Fraud.PaladinAntivirus
++ Fraud.SavePcAv
++ Fraud.SecurePcAv
+ Fraud.Sysguard
+ Fraud.SystemSecurity
+ Fraud.VolcanoSecuritySuite
++ Fraud.YourPCProtector
+ Lop
+ Mirar
+ Win32.FraudLoad
+ Win32.TDSS.reg

PUPS (Possibly Unwanted Programs)
++ GameVance.PlaySushi
+ Live-Player

Spyware
++ Win32.Spynet.a

Trojan
+ Supsav.Smss32
+ Virtumonde.dll
+ Virtumonde.sci
+ Virtumonde.sdn
++ Win32.Agent.ado
++ Win32.Agent.svv
++ Win32.Agent.wi
+ Win32.Agent.wu
+ Win32.Autorun.mbzt
+ Win32.FakeAlert.ttam
++ Win32.HareBot.a
++ Win32.OnLineGames.ujug
++ Win32.Rbot.wu
++ Win32.ScreenBlaze
++ Win32.Stinx.h
+ Win32.TDSS.rtk
++ Win32.Virut.w
+ Win32.ZBot

Worm
+ Win32.Allaple.ab

Spybot S&D currently has 2033341 fingerprints in 769409 rules for 5235 products.

False Positives Reported This Past Week

TeaTimer mistakenly detected the "Morpheus Toolbar" in C:\WINDOWS\system32\WBEM\WMIADAP.EXE, during an upgrade of a user's Intel Wireless 3945ABG software from version 10.x to 11.5.x, using the DELL proprietary driver upgrade. Team Spybot offered this solution to the affected user, or others similarly affected by false positives in Teatimer:

If you are running several security software, make sure that only one active protection feature runs at a time. In case you want to deactivate the TeaTimer you can do this in Spybot S&D advanced mode in Tools - Resident.

For details about how to apply updates correctly and download links for Spybot Search & Destroy, please read my extended content.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam either manually or automatically when a user-defined filter, or the built-in learning filter, or a blacklist entry, or known spam source is matched, or an attached virus is detected.

Spam levels have decreased 4% this week from last week's level. Fluctuations in spam levels sometimes are seasonal, or may be due to problems or successes Bot-masters have with maintaining the command and control (C&C) servers used to reactivate sleeping zombie computers in their spam Botnets. Or, these changes in spam levels may be caused when large numbers of zombie computers are disinfected, or taken offline by the ISPs who provide Internet connectivity to them. In case you didn't already know this, almost all spam is now sent from "zombie" computers in spam Botnets, unbeknown to the owners of those infected PCs.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. This past week again saw a large variety of categories of spam, including a lot of spam for counterfeit diplomas, watches and Viagra, the totally fake "Canadian Pharmacy," Russian dating scams, Nigerian 419 and lottery scams and various identity phishing scams. My updated blacklisted senders list proved extremely effective again this week, auto-deleting over 24% of all incoming spam (see my extended content for details).

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets and all email sender addresses are forged, there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job."

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for Feb 8 - 14, 2010, and the latest additions to my custom MailWasher Pro filters and Blacklist.

Malware writers are constantly modifying their programs to evade detection, so anti-malware vendors have to issue regular updates to keep up with the bad guys. New definitions and false positive fixes for Spybot Search and Destroy are usually released every Wednesday. The last two week's updates were released on schedule on February 10, 2010, as listed below. 7 new or modified fake security programs (fraudulent anti virus/spyware), and other malware downloads, were added to the "Malware" detections, plus 8 new or modified Trojans, rootkits and spam bots were added to the "Trojan" list. Two Internet Worm detections were also added this week and another long distance modem dialer.

Additions made on 02/10/2010

Dialer
+ Coulomb Ltd.Content Access Plugin

Malware
++ Fraud.AntimalwareDefender
++ Fraud.KasperskiyAntivir
+ Fraud.PCAntispyware2010
+ Fraud.Sysguard
+ Fraud.XPAntivirus
+ Win32.FraudLoad.edt
++ Win32.Wace.a

PUPS (Possibly Unwanted Programs)
+ Live-Player

Trojan
++ FakeAlert.gx
++ FakeAlert.lv
++ FakeBill.UPS
+ Virtumonde.dll
+ Virtumonde.sci
+ Virtumonde.sdn
++ Win32.Joleee.egx
+ Win32.ZBot

Worm
+ Win32.Allaple.ab
+ Win32.Socks.T

Spybot S&D currently has 1976598 fingerprints in 751278 rules for 5212 products.

False Positives Reported This Past Week

Teatimer had a false positive detection of "DoubleD.DesktopSmiley" in C:\WINDOWS\system32\msiexec.exe. Install the latest definition updates, then stop Teatimer, close it, wait a minute, then restart it. Instructions for restarting Teatimer are in my extended content.

This isn't a false positive, but a business decision that has been reversed. After reviewing the business email practices of VistaPrint, it was removed from HOSTS file IP blocking immunization with the update from the 2010-02-10. People who want to do business with VistaPrint and still use Spybot S&D's full immunization regime can now do so, without manually editing their HOSTS file.

The use of the Windows HOSTS file to block potentially bad IPs and URLS is getting carried to extremes lately. Since Spybot does not alert you when it is responsible for blocking a website via HOSTS entries (to 127.0.0.1), many users are unaware that the program is blocking websites they may wish to visit. If you used to be able to go to some website and after updating Spybot's definitions you find that the page cannot be displayed, it may have been added to the HOSTS blocklist by Spybot updates. You can edit the file manually, in Notepad, or in a HOSTS editor program, or uncheck the option for HOSTS in the Immunization list and reimmunize. That will remove all entries from HOSTS that were added by Spybot S&D.

For details about how to apply updates correctly and download links for Spybot Search & Destroy, please read my extended content.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam either manually or automatically when a user-defined filter, or the built-in learning filter, or a blacklist entry, or known spam source is matched, or an attached virus is detected.

Spam levels have increased 2% this week from last week's level. Fluctuations in spam levels sometimes are seasonal, or may be due to problems or successes Bot-masters have with maintaining the command and control (C&C) servers used to reactivate sleeping zombie computers in their spam Botnets. Or, these changes in spam levels may be caused when large numbers of zombie computers are disinfected, or taken offline by the ISPs who provide Internet connectivity to them. In case you didn't already know this, almost all spam is now sent from "zombie" computers in spam Botnets, unbeknown to the owners of those infected PCs.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. This past week again saw a large variety of categories of spam, including Russian dating spam, fake diplomas and counterfeit brand name watches, pirated software, male enhancement scams, counterfeit Viagra, the fake Canadian Pharmacy, Nigerian 419 scams, DHL and UPS Courier scams and other phishing scams. My updated blacklisted senders list proved extremely effective again this week, auto-deleting ~19% of all incoming spam.

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets and all email sender addresses are forged, there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job."

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for Feb 1 - 7, 2010, and the latest additions to my custom MailWasher Pro filters.

Malware writers are constantly modifying their programs to evade detection, so anti-malware vendors have to issue regular updates to keep up with the bad guys. New definitions and false positive fixes for Spybot Search and Destroy are usually released every Wednesday. The last two week's updates were released on schedule on February 3, 2010, as listed below. 9 new or modified fake security programs (fraudulent anti virus/spyware), and other malware downloads, were added to the "Malware" detections, plus 14 new or modified Trojans, rootkits and spam bots were added to the "Trojan" list. An Internet Worm detection was also added this week.

Additions made on 02/03/2010

Dialer
+ eGroup.InstantAccess

Malware
+ FakeAlert.gen
++ Fraud.MyPcSecure
++ Fraud.PcSecureNet
++ Fraud.PcsSecure
+ Fraud.WinPCDefender
+ Lop
+ SuperEasySearch
+ Win32.FraudLoad
+ Win32.FraudLoad.edt

Trojan
++ FakeAlert.be
+ FakeAlert.BraveSentry
++ FakeAlert.is
+ Virtumonde.dll
+ Virtumonde.sci
+ Virtumonde.sdn
+ Win32.Agent.wu
++ Win32.DownloaderX.HAV
+ Win32.FakeAlert.ttam
+ Win32.FraudPack
+ Win32.TDSS.clt
+ Win32.Turkojan
++ Win32.Virut.ag
+ Win32.ZBot

Worm
+ Win32.Allaple.ab

Spybot S&D currently has 1948083 fingerprints in 743598 rules for 5207 products.

False Positives Reported This Past Week

No false positives were reported or discussed this past week.

For details about how to apply updates correctly and download links for Spybot Search & Destroy, please read my extended content.

MailWasher Pro is a POP3 and IMAP email spam screener that checks email before it is downloaded to your desktop email client. It can be set to delete recognized spam either manually or automatically when a user-defined filter, or the built-in learning filter, or a blacklist entry, or known spam source is matched, or an attached virus is detected.

Spam levels have increased 2% this week from last week's level. Fluctuations in spam levels sometimes are seasonal, or may be due to problems or successes Bot-masters have with maintaining the command and control (C&C) servers used to reactivate sleeping zombie computers in their spam Botnets. Or, these changes in spam levels may be caused when large numbers of zombie computers are disinfected, or taken offline by the ISPs who provide Internet connectivity to them. In case you didn't already know this, almost all spam is now sent from "zombie" computers in spam Botnets, unbeknown to the owners of those infected PCs.

The classifications of spam in my analysis can help you adjust your email filters according to what is most common, on a weekly basis. This past week again saw a large variety of categories of spam, including Russian dating spam, fake diplomas and counterfeit brand name watches, pirated software, male enhancement scams, counterfeit Viagra, the fake Canadian Pharmacy and DHL Courier scams. My updated blacklisted senders list proved extremely effective again this week, auto-deleting ~25% of all incoming spam.

Since virtually all spam is now sent from and hosted on hijacked PCs that are zombie members of various spam Botnets and all email sender addresses are forged, there is no point in complaining to the listed From or Reply To address. These accounts are inserted by the same script that composes the spam on the compromised PCs. These are innocent spam victims themselves, whose harvested names are reused in forged From addresses. This practice is known as a "Joe Job."

You can take preventative measures to secure your computers from becoming members of Botnets, by installing Trend Micro Internet Security and MalwareBytes Anti-Malware (see pages for details).

See my extended comments for this week's breakdown of spam by category, for Jan 25 - 31, 2010, and the latest additions to my custom MailWasher Pro filters.