Spybot Search and Destroy Definitions Updated on 12/17/2008
If you are using "Spybot Search and Destroy" to protect your PC against spyware infections and haven't updated it this week, be aware that updates to the definition files were released on schedule, on Wednesday this week, as listed below. Spyware and other classes of malicious programs are altered constantly to avoid detection by anti-spyware programs. Since Spybot S&D updates are only released on a weekly schedule (on Wednesdays) it is imperative that you make it a point to check for and download updates every week, preferably on Wednesday evenings. After downloading all available updates (from the best responding download server in the list of server locations), immunize*, then scan for and remove any detected malware. If Spybot is unable to remove an active threat it will ask for permission to run before Windows starts during the next reboot. Spybot will then run a complete scan before your Windows desktop loads, removing malware that has not yet loaded into memory.
If you arrived here by searching for the name of some malware that may be on your computer and you are not currently using Spybot Search and Destroy, you can download the latest version from the Spybot Search and Destroy Multi-Lingual Landing Page. Choose your language, then use the link in the left sidebar to go to the downloads page. Download the program from your closest mirror server, install it, update it (Updates button), then follow the instructions below to detect and remove any malware that is on your PC.
If you see a program listed in the detections below, by name, you should assume that it is malware (with the possible exception of the PUP group, which is up to user discretion). All of the programs listed with a single + sign are updated detections, while a double ++ in front of a name indicates a brand new detection. A number in parentheses, following a malware name, indicates the number of variants included in that detection. These programs are dangerous to your computer, and/or to your personal security or privacy.
* After updating your Spybot S&D definitions, if they include new "immunization" definitions you need to click on the "Immunize" button, then, if the status line tells you that additional immunizations are possible, click on the Immunize link, near the top of the program. It has a green + sign in a button. If you don't do this the new immunizations against hostile ActiveX programs will not be applied. After immunizing with any new detections, run a scan for malware by clicking on the "Spybot Search & Destroy" button, on the left panel, then on the button with the magnifying glass icon, labeled: "Check For Problems."
Spybot Updates - published every Wednesday
Spybot Search and Destroy 1.6 was released on July 8, 2008. It scans for threats about 4 times faster than previous versions and has a redesigned spyware removal engine. Upgrade now to Spybot S&D 1.6. The newest Virtumonde threats require the anti-malware engine in Spybot 1.6 to effectively remove them.
Work is progressing rapidly on the upcoming version 2.0 of Spybot Search and Destroy. Stay tuned for more details as they are announced. Version updates are discussed in my extended comments.
Additions made on December 17, 2008:
Hijackers
+ ISearchToolbar
Keyloggers (Keyloggers steal your typed logins and passwords)
+ ActMon-Pro
+ Ardamax
Malware (Includes rogue or fake anti-virus and anti-spyware programs and fake registry cleaners and fake security alerts, plus other nasty programs)
+ AntiSpywareMaster
+ Fraud.PCProtectionCenter2008
+ FakeAlert.CC
+ Fraud.AntiVirusLab2009
+ Win32.PoisonIvy.j
Security
+ Microsoft.Windows.AppFirewallBypass
+ Microsoft.Windows.RedirectedHosts
Trojans (Trojans come to you disguised as something useful, or as a missing codec required to view a spammed video, but, like the Trojan Horse of antiquity, they hold dangerous contents that cause great harm! Many of these Trojans are Botnet infections, backdoors and Rootkits.)
++ PartnerBHO
++ RKdrv.rtk
+ Smitfraud-C.gp
+ Virtumonde
+ Virtumonde.sci
+ Virtumonde.sdn
+ Win32.Agent.amwr
+ Win32.Agent.bxh
+ Win32.Agent.pz
+ Win32.Agent.sd
++ Win32.Banload.ihm
++ Win32.CeeInject.Ik
++ Win32.Ciadoor.cj
++ Win32.Delf.oko
++ Win32.Poison.cpb
+ Win32.RAdmin
+ Zlob.Downloader
+ Zlob.Downloader.apl
Worm
++ VBS.LoveLetter.aq2 (2)
Total: 1212991 fingerprints in 347101 rules for 4491 products.
In case you have noticed a slowdown in scan times over the past few months, it's because the number of detection patterns used to detect malware has doubled since the release of Spybot S&D v1.6 in July this year, to 347101 detection patterns in this week's update!
False positive detections reported or fixed this week:
There was a false positive report of "WMDrive.sys" being detected as Smitfraud-C, in c:\windows\system32\drivers\WMDrive.sys (189,952 bytes). This was fixed in today's F/P update.
There was a false positive detection of Smitfraud.C confirmed in a Zoom Modem file named "country.exe." This was fixed in today's F/P update.
There is a confirmed False Positive "Heuristic" detection of "Accoona" in several unwise.exe uninstaller files. It was fixed with today's F/P update.
If you wish to report or discuss a possible false positive detection by Spybot S&D, please read this first.
Extended Comments
Malware Removal Guides
The good folks at Spybot S&D have started a new segment of their official forums, titled "Malware Removal Guides." Each week they intend to write a short self-help article to help you remove various common malware threats manually, or in conjunction with Spybot S&D. This should prove to be a very useful addition to the Spybot forums.
If you are still using Spybot S&D 1.3 or 1.4, update support is about to end and your computer will be at greater risk because of having outdated definitions. Furthermore, older versions of Spybot are known to report lots of false positives, due to the advanced heuristic rules now found in the newer definition files.
If you are using any version older than 1.6 please upgrade to the current version of Spybot S&D, which is now 1.6.0.30, as soon as possible. New definitions for malware like the Virtumonde family of Trojans need the newer processing technologies introduced in version 1.6.0. Also, the number of malware definitions has more than doubled between July and December, 2008.
Virtumonde (also known as the Vundo Trojan) is a Trojan horse that is known to cause pop-ups and advertising for rogue anti-spyware programs. It also causes other problems, including performance degradation and denial of service with some websites including Google. It attaches itself to the operating system using phony Browser Helper Objects (BHOs) and .dll files attached to the Winlogon process and Windows Explorer.
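The two mechanisms this post touches on, Browser Helper Objects loaded into Explorer and Internet Explorer (described for Virtumonde above) and hosts-file entries that redirect names away from localhost (the kind of change the Microsoft.Windows.RedirectedHosts entry in the Security list refers to), can both be audited by hand. The following script is an added example and is not code from this blog or from Team Spybot. It is read-only: it lists registered BHOs with their DLL and Authenticode status, and prints any hosts entry whose address is not a loopback or blocking address. The registry paths are the standard BHO registration keys; treating 127.0.0.1, ::1 and 0.0.0.0 as the only "normal" addresses is an assumption of the example, not a rule from the post.

```powershell
# Added example, not part of the original post or of Spybot S&D.
# Read-only audit of BHO registrations and redirected hosts entries.

function Get-RegisteredBho {
    # BHOs register a CLSID under these keys; the DLL path lives in HKCR\CLSID\<clsid>\InprocServer32.
    $bhoKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    )
    foreach ($key in $bhoKeys) {
        if (-not (Test-Path $key)) { continue }
        Get-ChildItem $key | ForEach-Object {
            $clsid  = $_.PSChildName
            $inproc = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
            $dll    = $null
            $status = $null
            if (Test-Path $inproc) {
                $dll = (Get-ItemProperty $inproc).'(default)'
            }
            # 'Valid' is what a signed vendor add-on shows; NotSigned or HashMismatch deserves a closer look.
            if ($dll -and (Test-Path $dll)) {
                $status = (Get-AuthenticodeSignature $dll).Status
            }
            [pscustomobject]@{ CLSID = $clsid; Dll = $dll; Signature = $status }
        }
    }
}

function Get-RedirectedHostsEntries {
    param([string]$Path = "$env:SystemRoot\System32\drivers\etc\hosts")
    # Assumption of this example: loopback and 0.0.0.0 mappings are benign (local services, ad blocking);
    # any other address assigned to a name is a redirect that should be explained.
    $benign = @('127.0.0.1', '::1', '0.0.0.0')
    Get-Content $Path | ForEach-Object {
        $line = ($_ -split '#')[0].Trim()        # strip trailing comments
        if (-not $line) { return }
        $parts = $line -split '\s+'
        if ($parts.Count -lt 2) { return }       # address with no names: nothing to report
        $addr  = $parts[0]
        if ($benign -notcontains $addr) {
            foreach ($name in $parts[1..($parts.Count - 1)]) {
                [pscustomobject]@{ Address = $addr; Name = $name }
            }
        }
    }
}

Write-Host '== Registered Browser Helper Objects =='
Get-RegisteredBho | Format-Table -AutoSize
Write-Host '== hosts entries that point names away from localhost =='
Get-RedirectedHostsEntries | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt so both registry views are readable. An empty second table is the expected state on a clean machine; an unsigned BHO DLL in a user-writable directory, or a security vendor's name mapped to a non-loopback address, is the sort of finding that warrants a full Spybot scan and a post in the malware removal forums.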
With the release of Spybot-S&D 1.6, Team Spybot has spent a lot of energy and man-hours implementing some new technologies to improve Virtumonde detections, increasing their detection range to more than 347,000 detection patterns to identify more than one million malware "fingerprints."
Work is progressing at a steady pace on Spybot S&D version 2.0, thanks to an army of volunteer beta testers. The upcoming version will be modularized, with separate executables carrying out the detection and immunization tasks now performed by the main program file. This is expected to speed up scanning, which is becoming more time-consuming with the rapid increase in the number of detections being developed by Team Spybot.
To benefit from these improvements, I recommend that you update to Spybot Search & Destroy 1.6, which is available through the update function integrated into the application as well as from the Spybot S&D download page. When version 2.0 is finally released you should follow the to-be-posted instructions and upgrade to that version.
If your computer gets stuck in a logon/logoff loop, after updating and scanning with the older versions of Spybot, visit this forum page for a solution, from Team Spybot.
Of continued concern to people who operate as Limited or Power Users for their daily browsing and email, Spybot Search and Destroy is still corrupting your less privileged accounts after you update it, immunize and scan from an Administrator level account. If, after doing these things, you log off the Administrator account and try to log into your Limited/Power User account, it may be corrupted and a generic desktop and start menu may appear. Don't panic! Your account and desktop can be restored by simply rebooting the computer. When you login after the reboot your previous settings will reappear. I don't know why this happens, but, stuff happens! It may be related to the relatively new rootkit detection added last year.
If you want to get direct assistance from Team Spybot, or their talented volunteers, visit the Spybot support forums, sign up for a user account and post your request for assistance. Be sure to read the rules before posting a question or reply.
If your computer is infected and you need help removing the threats, go to the Malware Removal Forums, at Safer Networking/Spybot.info. Again, read the rules before posting your request or logs! Do NOT inject your problem into somebody else's thread! Start a new topic.
Some people are confused by detections of Wild Tangent on their computers. Wild Tangent is detected as a PUP, meaning Potentially Unwanted Program, because it does send home some identifiable information about you and your computer. It ships with various games and screen savers and is a means of funding those programs. If you knowingly installed Wild Tangent and aren't worried about it, and don't wish to have Spybot repeatedly display it in scan results, do the following: Right click the WildTangent Product in the Scan result and select to "Ignore the product from further searches."
If Spybot flags a file on your computer that you believe is a false positive detection, use caution and check with the Spybot False Positives Forum before allowing it to be deleted. You can submit a report to the Spybot False Positives forum, after signing up for an account and reading about how to report false positives before submitting your report and request for analysis.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.