Archive for October, 2006

VirusBursters…new name same old game

The makers of VirusBurst have released their latest rogue anti-spyware program and called it VirusBursters.  As anyone can see, this is obviously the successor to VirusBurst: the logo is the same, the program is downloaded from the same URL, the help file contains references to VirusBurst, and the program itself is still named VirusBurst, as seen below.

On the other hand, they have changed the Add or Remove Programs entry to VirusBursters 6.2, renamed the Registry Run entry to VirusBursters, moved the install path to C:\Program Files\VirusBursters\, and changed the Trojan installer slightly so that it uses different functions to install and load the rogue anti-spyware program.

Currently the known infector DLLs (and I am sure many more will be coming soon) are:

C:\Windows\System32\veklo.dll
C:\Windows\System32\rrtcany.dll

Overall, this is the same program under a different name.  I expect that in the coming weeks they will change the program itself to remove all references to VirusBurst.  The guide will be updated to reflect this when it occurs.

I have created a VirusBursters removal guide in order to keep track of the DLLs associated with this specific infection.  The guide can be found below:

How To Remove VirusBursters (Removal Instructions)


Microsoft Windows Defender Final released

It’s official: Windows Defender is out of beta and was released yesterday by Microsoft. For those who do not know what Defender is, it is Microsoft’s free antispyware product, formerly known as Microsoft AntiSpyware.  The product is based on the code of Giant AntiSpyware, which Microsoft purchased in 2004.

Windows Defender is a quality product, and as it is free, we recommend it as an additional program to install on your computer to keep it free of spyware and other malware. Even better, it comes with two free support incidents with Microsoft, where they will help you remove an infection. I wouldn’t be surprised, as has happened in the past, if they send you back here for some of the harder-to-remove infections :)

A tutorial on how to use Defender is in the works and should be released shortly.  You can download Windows Defender here.


Some Apple iPods deliver a virus along with music

Apple yesterday released a support notice stating that a small number of Video iPods available for purchase after September 12, 2006 shipped with a worm called RavMonE.exe.  If you had one of these iPods you could be infected simply by plugging the iPod into your Windows computer, because this worm spreads through mass-storage devices, and Windows sees the iPod as one.

Once running, the worm attempts to copy itself to other mass-storage devices such as USB flash drives, external hard drives and digital cameras.  It also reports the IP address of the infected computer to a remote host so that the worm writer can access your computer remotely and execute commands on it. Finally, it lowers security settings on your computer and opens browser windows to other sites.

The problem is that there is no way to determine whether your iPod is one of the infected ones without first plugging it in, which is exactly what infects you.  One way to remove the worm is to restore the iPod’s software with iTunes, but that requires plugging in the iPod, and so getting infected, first (you are safe if you restore it from a Mac).  So where does that leave you?  Nowhere, really.  The only thing you can do is plug in the iPod, hope your antivirus software recognizes the worm if it is there, and then use iTunes to restore the software. At the bottom of this article is a quick guide to the steps you should take to stay safe in case your iPod has this worm.

What really pisses me off about this whole situation is a remark in Apple’s support notice.  If you read the notice you will see this at the end of the first paragraph:

As you might imagine, we are upset at Windows for not being more hardy against such viruses, and even more upset with ourselves for not catching it.

Now do not get me wrong: Microsoft needs to do better on security.  We all know this, it is nothing new, and I am the first to jump down MS’s throat when security issues pop up. It is, though, extremely arrogant of Apple to blame this on Microsoft at all.  The only people they have a right to blame are themselves, for having crappy quality assurance and distribution teams for the iPod.  iPods carrying a Windows worm should never have been allowed to enter distribution channels. Period!

Here is a quick guide to make sure your iPod is clean and your computer is safe from the RavMonE.exe worm if you only have a Windows machine available.  If you have access to a Mac, just restore the iPod’s software from the Mac to avoid any risk of infection.

  1. Update your antivirus software so that it is using the latest definitions.  This will allow it to detect the worm as it tries to install and stop it.  If you do not have antivirus software you can download and use any of these, either as free personal versions or as trials:
    1. Avast Free
    2. Kaspersky Trial
    3. Nod32 Trial
    4. Sophos Trial
  2. Plug in the iPod.  If you have done the first step and the iPod has the worm, your antivirus software should stop it from installing.
  3. Download and install iTunes.
  4. Follow the steps here to restore the iPod software from within iTunes.

Your computer should now be safe and the iPod should have been reset to a state that does not have the worm.
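The steps above still rely on antivirus catching the worm at the moment the iPod is connected. As an added example (my own, not part of the original post or Apple's notice), here is how I would reduce that exposure on Windows: removable-media worms of this kind start through AutoRun, by writing themselves and an autorun.inf to the root of the drive, so turn AutoRun off for every drive type before connecting the iPod, then inspect the device's root for the file the post names without browsing the drive in Explorer. The drive letter E: is an assumption; adjust it to whatever letter the iPod receives, and run the script from an administrator PowerShell prompt.

```powershell
# Added example, not from the original post. Step 1: stop Windows from
# auto-running anything from removable media before the iPod is connected.
# NoDriveTypeAutoRun = 0xFF disables AutoRun for every drive type.
# (Run as an administrator; this HKLM policy applies to all users.)
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
Set-ItemProperty -Path $policyKey -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord

# Step 2: after connecting the iPod, inspect the root of the drive it was
# assigned. The letter below is an assumption; check Get-PSDrive for the
# one Windows actually gave the device.
$drive = 'E:'
$suspects = @()

# The worm named in the post (RavMonE.exe) sits in the drive root.
$worm = Join-Path $drive 'RavMonE.exe'
if (Test-Path -LiteralPath $worm) {
    $suspects += "Worm file present: $worm"
}

# Any autorun.inf on a music player is suspect; show what it would launch.
$autorun = Join-Path $drive 'autorun.inf'
if (Test-Path -LiteralPath $autorun) {
    $launch = Get-Content -LiteralPath $autorun |
        Where-Object { $_ -match '^\s*(open|shellexecute)\s*=' }
    $suspects += "autorun.inf present, would launch: $($launch -join '; ')"
}

if ($suspects.Count -eq 0) {
    "No RavMonE.exe or autorun.inf found in the root of $drive"
} else {
    $suspects
    'Leave the drive alone and restore the iPod with iTunes (step 4 above).'
}
```

Older versions of Windows did not honor this policy consistently for autorun.inf on USB devices (Microsoft changed that in a 2009 AutoRun update), which is why the check reads the two files from the command line rather than double-clicking the drive icon in Explorer.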


File Submitter 2.0

In order to simplify the use of the File Submitter, I have created a new version with a graphical interface that allows you to configure the program as you like and then save these settings in the registry.  This new version is the recommended version.  You should only use the previous version if you wish to submit files via a script or batch file.  The original guide and command-line version can be found here. This new version also lets you choose the specific services you want to use.

The current scanning services supported by the File Submitter are:

  • Jotti
  • VirusTotal
  • Kaspersky
  • Fortinet
  • Norman Sandbox
  • Dr. Web

The current file submission services supported are:

  • BleepingComputer.com
  • UploadMalware.com

File Submitter Configuration Screen

Usage Instructions:

  1. Download the program and save it somewhere in your path, such as the %WinDir% folder (C:\Windows, C:\Winnt, etc.).
  2. Click on Start, then Run, and type submitter.exe and press the OK button.
  3. When the configuration screen appears you will be presented with a list of configuration options.  Select the settings you would like to use based on the matrix below.
  4. When done, click on the Save button to save your settings in the registry.  The settings are saved in the registry at this key:

    HKEY_CURRENT_USER\Software\BC-FS\Settings

  5. To submit a file you can either run it as a command-line program with the filename as the argument, or add it to your Send To context menu (more info here) so that you can right-click a file and send it directly to the submitter.  Once a file is submitted, the program automatically opens Internet Explorer windows and submits the file to the services you selected.

To uninstall the program, simply click on the Uninstall button and delete the executable when the program closes.

Setting Descriptions:

Setting            Description                                    Note
Name               Your name                                      Used for BleepingComputer and UploadMalware.
Email              Email address                                  Used by Norman Sandbox to send you the results.
Channel            Channel number                                 Used for BleepingComputer. Only change it if you specifically know the channel. Only usable if BleepingComputer is checked.
Jotti              Multi-AV scanner                               N/A
VirusTotal         Multi-AV scanner                               N/A
Fortinet           Scanner                                        N/A
Kaspersky          Scanner                                        N/A
Norman Sandbox     Reports what the file does on the computer.    Requires an email address.
Dr. Web            Scanner                                        N/A
BleepingComputer   Submission service                             Uses the channel setting and sends your name. Only usable if Advanced is checked.
UploadMalware      Submission service                             Sends your name as well. Only usable if Advanced is checked.
Advanced           Setting                                        Needs to be checked to use the submission services.

Download Location:

You can download the submission program here:

File Submitter Download Link 

As always let us know if you have any suggestions or new services I should add.


Introducing the File Multi-Submitter

If you clean malware from your computer, or from other computers, you invariably run into a file that you cannot tell is malware or legitimate and need to submit somewhere for analysis. An easy, and free, way to find out is to submit the file to an online file scanning site like Jotti or VirusTotal. These sites scan the file with many different commercial and non-commercial anti-malware scanners and display what each scanner reported.

Sometimes, though, the scanning engines do not know the malware because it is too new. You can then submit these files to sites like the Bleeping Computer Malware Submission system or UploadMalware.com, where the samples are analysed by the anti-malware community. Their findings and samples are then passed along to all the anti-virus vendors.

With that in mind I have put together a small program that lets you submit a file for analysis to each of the sites, or to all of them at once, in an easy manner. When you submit the file, depending on the flags you give the program, it will launch an Internet Explorer instance for each service, automatically submit the file, and then display the results in IE. For those who hate IE, I wish I could add Firefox support, but I could only figure out how to do it with IE.

This program is currently command-line only, which means there is no graphical interface. The nice thing about command-line programs, though, is that they can be used from the Windows Send To menu, as described below.

The syntax for the program is: submitter.exe <flag> <filename>

The available flags are:

-j Submit only to Jotti
-v Submit only to VirusTotal
-b Submit only to BleepingComputer.com
-k Submit only to Kaspersky
-f Submit only to Fortinet
-u Submit only to UploadMalware.com
-jv Submit to both Jotti and VirusTotal
-all Submit to all services

To run the program, simply download it and save it somewhere in your path. Then you can run it from the command line. An example of its use, sending a file to all of the supported services, would be:

submitter -all C:\Windows\System32\ficqv.dll

The true power of this tool, IMHO, is when you add it to the Windows Send To context menu, which lets you right-click a file and send it to an application. If you right-click a file and send it to the submitter, the submitter will automatically submit the file to the service(s) the shortcut is configured for.

For this to work, open the SendTo folder, which is located in your user profile as shown below:

C:\Documents and Settings\username\SendTo

Once that folder is open, right-click in the folder and create a new shortcut. When the wizard opens, browse to the submitter.exe file and click Next. Then give the shortcut a title and click Finish. You will now see the new shortcut. You now need to add a flag to the Target line to tell the program which services it should submit to: open the shortcut’s properties and add one of the flags listed above. For new users I recommend the -jv flag, which submits to both Jotti and VirusTotal. To do this, change the Target to:

submitter.exe -jv
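Creating the shortcut through the wizard works, but it is easy to get the Target line wrong. As an added example (my own, not part of the original post or the File Submitter itself), the script below builds the same Send To shortcut for the command-line submitter described above, and serves equally for the File Submitter 2.0 post earlier on this page, where the services come from the registry instead of a flag (set $flags to an empty string in that case). It assumes submitter.exe was copied to C:\Windows as the post recommends; change $submitter if you put it elsewhere. The shortcut name is also my choice.

```powershell
# Added example, not from the original post: create the Send To shortcut the
# post describes, instead of clicking through the shortcut wizard.
# Assumes submitter.exe has already been copied into C:\Windows (a folder in
# the PATH, as the post recommends); change $submitter if you put it elsewhere.
$submitter = 'C:\Windows\submitter.exe'
$flags     = '-jv'   # Jotti + VirusTotal, as recommended; '' for File Submitter 2.0
$linkName  = 'File Submitter (Jotti + VirusTotal).lnk'   # name is an assumption

if (-not (Test-Path -LiteralPath $submitter)) {
    throw "submitter.exe not found at $submitter"
}

# Resolve the current user's Send To folder instead of hard-coding the
# XP-era path: C:\Documents and Settings\<user>\SendTo on XP,
# %APPDATA%\Microsoft\Windows\SendTo on Vista and later.
$sendTo   = [Environment]::GetFolderPath('SendTo')
$linkPath = Join-Path $sendTo $linkName

# WScript.Shell writes .lnk files; Explorer appends the right-clicked file's
# path after Arguments when the shortcut is used from Send To, which is how
# the submitter receives the file to scan.
$shell = New-Object -ComObject WScript.Shell
$lnk   = $shell.CreateShortcut($linkPath)
$lnk.TargetPath       = $submitter
$lnk.Arguments        = $flags
$lnk.WorkingDirectory = Split-Path -Parent $submitter
$lnk.Description      = 'Submit the selected file to online malware scanners'
$lnk.Save()

"Created $linkPath -> `"$submitter`" $flags"
```

After running it, right-click any file, open Send To, and the new entry appears; because Explorer passes the file path as the final argument, the resulting command is exactly the `submitter.exe -jv <file>` form the post describes.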

The program can be downloaded from the following link:

File Multi-Submitter Download Link

Let me know if there are any problems or suggestions. If you know of any other single-file scanning services, please let me know and I will add them to the submitter.


3 new VirusBurst infectors released today.

Three new infectors for VirusBurst were released today. They are:

C:\WINDOWS\System32\tazth.dll
C:\WINDOWS\system32\dpfwu.dll
C:\WINDOWS\System32\ficqv.dll

As always the removal guide has been updated to include these new infectors.
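Both this post and the VirusBursters post at the top of this page give file paths and registry artifacts for the same rogue program. As an added example (my own, not part of either post or of the removal guide), here is a PowerShell check that looks for every artifact the two posts name on a Windows machine: the five infector DLLs, the C:\Program Files\VirusBursters\ folder, and a Run entry named VirusBursters. The posts do not say which hive the Run entry lives in, so both HKLM and HKCU are checked; the extra test for any Run value that points into the program folder is my addition, in case the value name changes again as the post predicts.

```powershell
# Added example (not from the original posts): check for the VirusBurst /
# VirusBursters artifacts named in the two posts on this page. File paths and
# the Run value name come from the posts; the hive is not stated, so both
# HKLM and HKCU Run keys are inspected.

$knownDlls = @(
    'C:\Windows\System32\veklo.dll',     # VirusBursters
    'C:\Windows\System32\rrtcany.dll',   # VirusBursters
    'C:\Windows\System32\tazth.dll',     # VirusBurst
    'C:\Windows\System32\dpfwu.dll',     # VirusBurst
    'C:\Windows\System32\ficqv.dll'      # VirusBurst
)
$programDir = 'C:\Program Files\VirusBursters'
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)

$findings = @()

foreach ($dll in $knownDlls) {
    if (Test-Path -LiteralPath $dll) {
        $findings += "Known infector DLL present: $dll"
    }
}

if (Test-Path -LiteralPath $programDir) {
    $findings += "Program folder present: $programDir"
}

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # Flag the value named in the post, and (my addition) any Run value
        # whose command points into the program folder.
        if ($p.Name -eq 'VirusBursters' -or
            ($p.Value -is [string] -and $p.Value -like "*$programDir*")) {
            $findings += "Run entry '$($p.Name)' in $key -> $($p.Value)"
        }
    }
}

if ($findings.Count -eq 0) {
    'No VirusBurst/VirusBursters artifacts found.'
} else {
    $findings
}
```

A hit on any line means the machine should go through the removal guide; a clean result only means none of the artifacts known at the time of these posts are present, since the authors rotate the DLL names frequently.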


New Microsoft MVP Award receiver tarnishes the MVP Program

The Microsoft MVP Program consists of people who have been recognized by Microsoft for their participation in the various communities that cover and support Microsoft products.  Whether this be making free Windows tools, helping with spyware removal, or answering questions on the forums or newsgroups, these people receive an MVP award in recognition of the free help they provide. 

Unfortunately, though, when this October’s batch of renewals and new awardees was admitted, we found a new MVP who leaves a bad taste in our mouths.  This awardee is Cyril Paciullo, otherwise known as Patchou, well known as the creator of Messenger Plus.  As a program, Messenger Plus actually has some slick features, but our problem is that it also comes bundled with a known adware Trojan called LOP.

What is funny is that when Microsoft Security MVP Derek Knight scanned the main executable for Messenger Plus at the free scanning site VirusTotal, Microsoft was the only vendor that flagged the installer as a threat. 
When you install Messenger Plus you are given the option to install their “sponsored” application, otherwise known as LOP, as shown below.  They do not force you to install the sponsor; it is entirely your choice, and as a matter of fact they offer the sponsor program quite politely. Once installed, though, this program adds a bunch of icons to your desktop for online gambling, ringtones and watching television, and displays popup ads on your computer while you browse the Internet. To uninstall it you need to run the Messenger Plus uninstaller, where you can specify that the sponsor be removed.  Sunbelt Blog has a good writeup, with more pictures, on the effects of LOP.

Our main problem with this awardee is not that he wants to make some money from his software, as everyone is entitled to make money from their hard work, but that he is using this program to distribute a known Trojan and adware that in the past was notoriously difficult to remove.  This becomes even more of a problem because Messenger Plus is targeted at a younger audience who may not even bother to read the EULA. 

What we find so confusing is why Microsoft would want someone who distributes this type of malware in their program, regardless of whether or not it is optional.  As a Microsoft MVP, though you are not an employee, you are someone who represents Microsoft and their products.  To me, this latest awardee only tarnishes the image and the program that Microsoft is attempting to foster.

If you do not think that LOP is so bad (Messenger Plus has a league of fanatics who think there is nothing wrong with the sponsor program), then why would so many anti-virus vendors flag it as malware?

C2.Lop
http://www.pestpatrol.com/spywarecenter/pest.aspx?id=453094362
http://vil.nai.com/vil/content/v_134945.htm
http://www.xblock.com/product_show.php?id=405
http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453094362
http://research.sunbelt-software.com/threatdisplay.aspx?name=C2.Lop&threatid=8144

Swizzor (Another name for LOP)
http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=14461
http://www.bitdefender.com/VIRUS-143019-en–Trojan.Swizzor.DH.html
http://www.viruslist.com/en/viruses/encyclopedia?virusid=65694
http://www.sophos.com/virusinfo/analyses/trojswizzorbq.html
http://www.f-secure.com/v-descs/swizzor.shtml
http://vil.nai.com/vil/content/v_134088.htm


Hackers refuse to reveal information about Firefox vulnerabilities

Two hackers, Mischa Spiegelmock and Andrew Wbeelsoi, stated at the ToorCon hacker conference that there is a vulnerability in Firefox’s JavaScript implementation.  The flaw affects the Windows, Apple and Linux versions and may allow an attacker to execute code on affected computers.

The two showed how the exploit works using various slides, which may have given Mozilla enough information to fix the vulnerability. Unfortunately, it also gave any other hackers or malware writers in attendance enough information to exploit it for more malicious purposes.  The pair also claim to know of 30 other undisclosed vulnerabilities in Firefox that they will not share with Mozilla.

Jesse Ruderman, a Mozilla employee who attended the conference, tried to persuade the two to release information about these vulnerabilities.  They refused, stating that they would use the vulnerabilities for, in their words, “setting up communication networks for black hats”.  Unfortunately, this will most likely be at the expense of the hacked computers.


© 2003-2008 All Rights Reserved Bleeping Computer LLC.