Spybot Search and Destroy Definitions Updated on June 24, 2009
If you use Spybot Search and Destroy to protect your computer against spyware and malware, it is time again to run your manual updates. Malware writers are constantly modifying their programs to evade detection, so anti-malware vendors have to issue regular updates to keep up with the bad guys. New definitions and false positive fixes for Spybot Search and Destroy are usually released every Wednesday. This week's updates were released on schedule on June 24, 2009, as listed below. Lots of new and altered fake security programs were added to the detections, plus several new Virtumonde Trojans and new or modified spam bots.
Updating Spybot Search and Destroy
Before you update Spybot Search and Destroy, make sure you have the latest official version. Older versions are no longer supported and will cause you a lot of grief when you immunize and scan for problems. Only download Spybot S&D from the official website, at spybot.info, or from its alternate domain, Safer-Networking.org. Fake programs with similar names will demand payment to remove the "threats" they claim to find, whereas the real Spybot S&D is free (donations gladly accepted).
In case you are new to Spybot S&D, there are two ways to update the program and its malware definitions. The preferred method (for Windows PCs) is to go to Start > (All) Programs > Spybot - Search & Destroy > Update Spybot - S&D. The stand-alone updater will open. Leave the default options as they are, unless you need all languages or want beta definitions, and click on "Search." Another box will open listing "mirror" locations around the world from which you can download the updates. Select the location nearest to you and click on "Continue." Make sure all updates are checked, then click on "Download." If every definition file downloads and verifies correctly, the check marks will disappear from the check boxes and be replaced with green arrow graphics. However, sometimes one or more mirrors have not yet received all of the definitions, and you will get a red X for those files. Click on "Go Back," select a different mirror, and try again. I have consistent success using the Giganet or Safer-Networking servers. When all updates have succeeded, click on "Exit."
Download links and more instructions about using Spybot Search and Destroy are in my article titled "How to use Spybot Search & Destroy to fight malware".
The descriptions of the latest definition updates and false positive fixes are in my extended comments below.
Additions to malware definitions made on June 24, 2009:
Hijackers
++ Win32.AdAgent.q
Malware (Includes rogue or fake anti-virus and anti-spyware programs and fake registry cleaners and fake security alerts, plus other nasty programs)
+ AdDestination
++ Fraud.AdwareProfessional
+ Fraud.AntivirusPlus
+ Fraud.AVAntiSpyware
+ Fraud.MSAntispyware2009
+ Fraud.SystemGuard2009
+ Kalmarte
++ Win32.Agent.Bbzv
++ Win32.Agent.fkb
++ Win32.Agent.uek
+ Win32.FraudLoad.edt
+ Worldsecurityonline.FakeAlert
Trojans (Trojans come to you disguised as something useful, or as a missing codec required to view a spammed video, but, like the Trojan Horse of antiquity, they hold dangerous contents that cause great harm! Many of these Trojans are Botnet infections, backdoors and Rootkits.)
+ Virtumonde.sci
+ Virtumonde.sdn
++ Win32.Agent.atta
++ Win32.Agent.cfnb
+ Win32.BHO.sx
++ Win32.BHO.ulc
+ Win32.Delf.uv
+ Win32.FraudLoad
++ Win32.IRCBot.kow
++ Win32.LoadAdv.ABA
++ Win32.SharaQQ.30
+ Win32.TDSS.clt
++ Win32.Vbinder.k
+ Win32.VB.ksl
++ Win32.XShadow.b
+ Win32.ZBot
Total: 1435417 fingerprints in 491152 rules for 4706 products.
False positive detections reported or fixed this week:
Four (possible or confirmed) false positives were reported since last week and are being, or have been, discussed and investigated. They are as follows...
A confirmed false positive detection of Virtumonde.sdn in files belonging to the LoJack for Laptops program was fixed in today's updates. Until the fix is applied, you can exclude LoJack's repnet.dll and rpcnet.exe from the scan result by right-clicking the items in the Spybot S&D scan result and selecting "Exclude this detection from further searches."
A couple of users reported that hundreds of temporary Windows Vista Service Pack 2 files were being flagged as Virtumonde.sdn. The definitions released on June 24 fixed these false positives. Nonetheless, deleting those files caused no harm: they were temporary files left over after upgrading to the new service pack and are safe to delete after rebooting from the upgrade.
One user has reported a possible false positive detection of Win32.SharaQQ.30 in C:\WINDOWS\system32\SVKP.sys. Antivirus scans showed no problem with that file. Team Spybot has not responded as of the time of this posting.
A possible false positive of Win32.IRCBot.kow is under investigation as of tonight.
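Whether you are checking a file that Spybot S&D flagged (the LoJack files, SVKP.sys, or the IRCBot.kow hit above) or a freshly downloaded Spybot installer from the official site, the first thing to gather before reporting a false positive or trusting a download is the file's digital signature, publisher version info, and a hash that others can compare against. The script below is an added example written for this post, not a tool from Team Spybot; it assumes Windows PowerShell 4.0 or later (for Get-FileHash) and treats the paths in the $candidates list as placeholders to be replaced with the files on your own machine.

```powershell
# Added example, not part of the original post or of Spybot S&D.
# Assumes Windows PowerShell 4.0+ (Get-FileHash). Paths below are placeholders.

function Get-FileTrustReport {
    # Collects the evidence a false positive report (or a download check) needs:
    # Authenticode status, signer, SHA256, and the embedded version resource.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [string[]]$Path
    )
    process {
        foreach ($p in $Path) {
            if (-not (Test-Path -LiteralPath $p -PathType Leaf)) {
                # A missing file is itself useful information (e.g. already quarantined).
                [pscustomobject]@{
                    Path = $p; Exists = $false; Signature = 'n/a'; Signer = $null
                    SHA256 = $null; Company = $null; Product = $null
                    SizeBytes = $null; ModifiedUtc = $null
                }
                continue
            }
            $item = Get-Item -LiteralPath $p
            $sig  = Get-AuthenticodeSignature -LiteralPath $p
            $hash = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
            $signer = $null
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            [pscustomobject]@{
                Path        = $p
                Exists      = $true
                Signature   = $sig.Status   # Valid, NotSigned, HashMismatch, UnknownError, ...
                Signer      = $signer
                SHA256      = $hash
                Company     = $item.VersionInfo.CompanyName
                Product     = $item.VersionInfo.ProductName
                SizeBytes   = $item.Length
                ModifiedUtc = $item.LastWriteTimeUtc
            }
        }
    }
}

# Placeholder paths: the driver from this week's SharaQQ.30 report, a LoJack
# component from the Virtumonde.sdn report, and a downloaded installer
# (the installer filename is a placeholder; use whatever spybot.info served you).
$candidates = @(
    'C:\WINDOWS\system32\SVKP.sys',
    "$env:SystemRoot\System32\rpcnet.exe",
    "$env:USERPROFILE\Downloads\spybotsd-setup.exe"
)

Get-FileTrustReport -Path $candidates | Format-List
```

Read the output with care in both directions. A Valid signature from the publisher you expect, together with a clean antivirus scan, is good supporting evidence when you post in the False Positives Forum, and a HashMismatch means the file has been altered since it was signed and should not be excluded from scans. But NotSigned on its own is not proof of malware; plenty of legitimate drivers and utilities of that era shipped unsigned, which is exactly why the forum asks for the file or its hash rather than a verdict.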
False Positives are reported and discussed in the Spybot S&D False Positives Forum.
As mentioned earlier, links and more instructions about using the program, or reporting suspected false positives, are found in my article titled How to use Spybot Search & Destroy to fight malware.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.