Tag Archives: Malware

Four short links – Monday 18th March 2013

Good Morning all.

Here are todays Four short links.

First up is From the Nasa Image of the day gallery. Showing the crew of expedition 34 on the International Space Station on terra firma. Its amazing to think these guys spent 142 days in Zero Gravity and you can see Cmdr Ford standing without any help already after only a few days back in full gravity.

http://www.nasa.gov/multimedia/imagegallery/image_feature_2471.html

Next up is a little note from the TrendLabs website. They tell of the popularity of Candy Crush for those of you that dont know its a very addictive game on the iphone and Andriod. The popularity of the game has made it target number one for Dodgy developers….

http://blog.trendmicro.com/trendlabs-security-intelligence/dubious-developers-cash-in-on-candy-crush/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Anti-MalwareBlog+%28Trendlabs+Security+Intelligence+Blog%29

I read this next one and it was about the Downfall Parody and I could do nothing more but share it with everyone. I’m a sucker for a good Downfall parody.

http://www.guardian.co.uk/technology/2013/mar/17/john-naughton-google-reader-hitler

Next up is an article from Wired.co.uk about an amazing feat of keeping a liver alive outside of the body in a liver transplant first. A must read. I find all this stuff fascinating as a registered Donor myself and as someone listed with the Anthony Nolan Trust.

http://www.wired.co.uk/news/archive/2013-03/15/liver-transplant-breakthrough

Did you like this? Share it:


Silence of the Scams Pt 2

{EAV_BLOG_VER:969897d8ecc3ea85}

Morning all,

Just a riminder to you all about the scammers out there pertaining to be Microsoft.

Cybercriminals often use the names of well-known companies, like Microsoft, in their scams. They think it will convince you to give them money or your personal information. While they usually use email to trick you, they sometimes use the telephone, instead.

Common scams that use the Microsoft name

- Someone from “Microsoft Tech Support” calls to fix your computer

- “You have won the Microsoft Lottery”

- “Microsoft” requires credit card information to validate your copy of Windows”

- “Microsoft” sends unsolicited email messages with attached security updates

Avoid these dangerous hoaxes

Microsoft do not send unsolicited email messages or make unsolicited phone calls to request personal or financial information or fix your computer.

If you receive an unsolicited email message or phone call that purports to be from Microsoft and requests that you send personal information or click links, delete the message or hang up the phone.

Microsoft does not make unsolicited phone calls to help you fix your computer

In this scam cybercriminals call you and claim to be from Microsoft Tech Support. They offer to help solve your computer problems. Once the crooks have gained your trust, they attempt to steal from you and damage your computer with malicious software including viruses and spyware.

Although law enforcement can trace phone numbers, perpetrators often use pay phones, disposable cellular phones, or stolen cellular phone numbers. It’s better to avoid being conned rather than try to repair the damage afterwards.

Treat all unsolicited phone calls with skepticism. Do not provide any personal information.

If you receive an unsolicited call from someone claiming to be from Microsoft Tech Support, hang up. Microsoft do not make these kinds of calls.

If you think you might be a victim of fraud, you can report it. For more information, see: What to do if you think you have been a victim of a scam.

You have not won the “Microsoft Lottery”

Microsoft customers are often targets of a scam that uses email messages to falsely promise money. Victims receive messages claiming “You have won the Microsoft Lottery!” There is no Microsoft Lottery. Delete the message.

If you have lost money to this scam, report it. You can also send the police report to Microsoft and they will use it to help law enforcement catch the criminals who send out these e-mail messages.

To help protect yourself from these e-mail hoaxes, you can use the same general guidance that you use to protect yourself from phishing scams.

Microsoft does not request credit card information to validate your copy of Windows

Microsoft requires that your copy of Windows is legitimate before you can obtain programs from the Microsoft Download Center or receive software updates from Microsoft Update. Our online process that performs this validation is called the Genuine Advantage Program. At no time during the validation process do Microsoft request your credit card information.

In fact, Microsoft do not collect information that can be used to identify you such as your name, email address, or other personal details.

To learn more, read the Genuine Microsoft software program privacy statement.

To learn more about the program in general, see Genuine Windows: frequently asked questions.

Microsoft does not send unsolicited communication about security updates

When Microsoft release information about a security software update or a security incident, they send email messages only to subscribers of thier security communications program.

Unfortunately, cybercriminals have exploited this program by sending fake security communications that appear to be from Microsoft. Some messages lure recipients to websites to download spyware or other malicious software. Others include a file attachment that contains a virus. Delete the message. Do not open the attachment.

Legitimate security communications from Microsoft

Legitimate communications do not include software updates as attachments. Microsoft never attach software updates to their security communications. Rather, Microsoft refer customers to their website for complete information about the software update or security incident.

Legitimate communications are also on their websites. If Microsoft provide any information about a security update, you can also find that information on their websites.

Did you like this? Share it:


How to Remove My Security Shield

Today i had the pleasure of removing this infection from a computer. As a rule i remove these types of infections using instructions from the www.bleepingcomputer.com website.

This removal guide is provided by them on their website here….

What this infection does:

My Security Shield is a rogue anti-spyware program from the same family as Virus Doctor. This infection is promoted through web sites that show advertisements that pretend to be online anti-malware scanners. These scanners will then pretend to scan your computer, and when finished, will state that your computer is infected and that you need to download and install My Security Shield to protect yourself. The truth is that these online scanners are all fake and are only an advertisement. They have no way of knowing what is running on your computer.

Once My Security Shield is installed on your computer it will be configured to start automatically. It will also create numerous files that will be detected by the program as malware. Some of the files that are created are:

%UserProfile%\Recent\cid.drv
%UserProfile%\Recent\CLSV.tmp
%UserProfile%\Recent\DBOLE.exe
%UserProfile%\Recent\delfile.sys
%UserProfile%\Recent\fan.dll
%UserProfile%\Recent\grid.sys
%UserProfile%\Recent\kernel32.exe
%UserProfile%\Recent\kernel32.sys
%UserProfile%\Recent\PE.dll
%UserProfile%\Recent\PE.tmp
%UserProfile%\Recent\runddlkey.drv
%UserProfile%\Recent\SICKBOY.drv
%UserProfile%\Recent\std.dll
%UserProfile%\Recent\tempdoc.tmp
%UserProfile%\Recent\tjd.sys

When the program scans your computer it will detect the files it created and state that they are infections. It will then prompt you to remove the files, but will not allow you to do so until you first purchase the program. This is a scam as the files are all harmless and are created by the My Security Shield program in the first place. Therefore, please ignore any of the scan results this program displays.

While My Security Shield is running it will also display fake security warnings that are designed to make you think that your computer has a severe computer security problem. The text of some of the alerts you will see are:

Warning! Access conflict detected!
An unidentified program is trying to access system process address space.
Process Name: AllowedForm
Location: C:\Windows\…\notepad.exe

Warning! Identity theft attempt detected

Memory access problem
WindowsErrorForm has encountered a problem at address 0x1FC408.
We are sorry for the inconvenience.
If you see this error again, operational information can be irrevocably lost.

Warning! Virus detected
Threat Detected: Trojan-PSW.VBS.Half
Description: This is a VBScript-virus. It steals user’s passwords.

As all of these security alerts are fake, they should be ignored.

As you can see, My Security Shield is a scam and was only created to trick you into purchasing it. You should not purchase it, and if you have, you should contact your credit card company and dispute the charge. To remove My Security Shield and any related malware, please follow the steps in the removal guide below.

Automated Removal Instructions for My Security Shield using Malwarebytes’ Anti-Malware:

1. Print out these instructions as we may need to close every window that is open later in the fix.

2. It is possible that the infection you are trying to remove will not allow you to download files on the infected computer. If this is the case, then you will need to download the files requested in this guide on another computer and then transfer them to the infected computer. You can transfer the files via a CD/DVD, external drive, or USB flash drive.

3. Before we can do anything we must first end the processes that belong to My Security Shield so that it does not interfere with the cleaning procedure. To do this, download the following file to your desktop.

rkill.com Download Link

4. Once it is downloaded, double-click on the rkill.com in order to automatically attempt to stop any processes associated with My Security Shield and other Rogue programs. Please be patient while the program looks for various malware programs and ends them. When it has finished, the black window will automatically close and you can continue with the next step. If you get a message that rkill is an infection, do not be concerned. This message is just a fake warning given by My Security Shield when it terminates programs that may potentially remove it. If you run into these infections warnings that close Rkill, a trick is to leave the warning on the screen and then run Rkill again. By not closing the warning, this typically will allow you to bypass the malware trying to protect itself so that rkill can terminate My Security Shield . So, please try running Rkill until the malware is no longer running. You will then be able to proceed with the rest of the guide. If you continue having problems running rkill.com, you can download iExplore.exe or eXplorer.exe, which are renamed copies of rkill.com, and try them instead.

Do not reboot your computer after running rkill as the malware programs will start again.

5. Now you should download Malwarebytes’ Anti-Malware, or MBAM, from the following location and save it to your desktop:

Malwarebytes’ Anti-Malware Download Link (Download page will open in a new window)

6. Once downloaded, close all programs and Windows on your computer, including this one.

7. Double-click on the icon on your desktop named mbam-setup.exe. This will start the installation of MBAM onto your computer.

8. When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure you leave both the Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware checked. Then click on the Finish button. If MalwareBytes’ prompts you to reboot, please do not do so.

9. MBAM will now automatically start and you will see a message stating that you should update the program before performing a scan. As MBAM will automatically update itself after the install, you can press the OK button to close that box and you will now be at the main program as shown below.

10. On the Scanner tab, make sure the the Perform full scan option is selected and then click on the Scan button to start scanning your computer for My Security Shield related files.

11. MBAM will now start scanning your computer for malware. This process can take quite a while, so we suggest you go and do something else and periodically check on the status of the scan. When MBAM is scanning it will look like the image below.

12. When the scan is finished a message box will appear as shown in the image below.

You should click on the OK button to close the message box and continue with the My Security Shield removal process.

13. You will now be back at the main Scanner screen. At this point you should click on the Show Results button.

14. A screen displaying all the malware that the program found will be shown as seen in the image below. Please note that the infections found may be different than what is shown in the image.

You should now click on the Remove Selected button to remove all the listed malware. MBAM will now delete all of the files and registry keys and add them to the programs quarantine. When removing the files, MBAM may require a reboot in order to remove some of them. If it displays a message stating that it needs to reboot, please allow it to do so. Once your computer has rebooted, and you are logged in, please continue with the rest of the steps.

15. When MBAM has finished removing the malware, it will open the scan log and display it in Notepad. Review the log as desired, and then close the Notepad window.

16. You can now exit the MBAM program.

17. As this infection also changes your Windows HOSTS file, we want to replace this file with the default version for your operating system. Please note that if you or your company has added custom entries to your HOSTS file then you will need to add them again after restoring the default HOSTS file. In order to protect itself, My Security Shield changes the permissions of the HOSTS file so you can’t edit or delete it. To fix these permissions please download the following batch file and save it to your desktop:

Hostsperm.bat Download Link

When the file has finished downloading, double-click on the hostsperm.bat file that is now on your desktop. If Windows asks if you if you are sure you want to run it, please allow it to run. Once it starts you will see a small black window that opens and then quickly goes away. This is normal and is nothing to be worried about. You should now be able to access your HOSTS file.

18. We now need to delete the C:\Windows\System32\Drivers\etc\HOSTS file. Once it is deleted, download the following HOSTS file that corresponds to your version of Windows and save it in the C:\Windows\System32\Drivers\etc folder. If the contents of the HOSTS file opens in your browser when you click on a link below then right-click on the appropriate link and select Save Target As…, if in Internet Explorer, or Save Link As.., if in Firefox, to download the file.

Windows XP HOSTS File Download Link
Windows Vista HOSTS File Download Link
Windows 2003 Server HOSTS File Download Link
Windows 2008 Server HOSTS File Download Link
Windows 7 HOSTS File Download Link

Your Windows HOSTS file should now be back to the default one from when Windows was first installed.

19. Now reboot your computer.

20. As many rogues and other malware are installed through vulnerabilities found in out-dated and insecure programs, it is strongly suggested that you use Secunia PSI to scan for vulnerable programs on your computer. A tutorial on how to use Secunia PSI to scan for vulnerable programs can be found here:

How to detect vulnerable and out-dated programs using Secunia Personal Software Inspector

Your computer should now be free of the My Security Shield program. If your current anti-virus solution let this infection through, you may want to consider purchasing the PRO version of Malwarebytes’ Anti-Malware to protect against these types of threats in the future.

Well that’s the end of the guide. If you have followed this guide and still get issues feel free to get in touch in the comments or via email.

Did you like this? Share it:


Play World of Warcraft? – beware the Phishing scam….

Straight from this mornings Trend Micro Trendlabs Blog there appears to be a phishing scam is doing the rounds. An obligatory link back to the original article. Thanks to Menard Osena who originally wrote the following article.

Blizzard’s World of Warcraft (more popularly known as WoW) is one of the most popular massively multiplayer online role-playing games (MMORPGs) in the world. With more than 11.5 million subscribers as of 2008, WoW is plagued by a thriving underground online gaming economy.

The most common scam in WoW that Trend Micro has seen uses the in-game chat/whisper system.

An unsuspecting player will receive an in-game chat/whisper from an unknown player offering free gifts (usually in-game pets, riding mounts, and vehicles) that they can avail of by registering at the website that is included in the chat message.

The website included is, of course, a phishing site that will gather the user’s Battle.net account name and password.

However, we have seen a new approach recently—the use of WoW’s postal system, more commonly known as the in-game mail system. In this new trickery, the phishing URLs are sent via WoW in-game mail and is received by players in their in-game mailboxes.

The mail message is full of a mix of surprises. It combines several elements from other Blizzard games. Wings of Liberty refers to Starcraft 2, which was launched in July 2010. “Deathy” refers to “Black Dragon Aspect Deathwing,” the major antagonist in the upcoming WoW expansion game, Cataclysm.

To add to its credibility, the phishing URL contains the string worldofwarcraft and an abbreviation of Cataclysm. It is also interesting to mention that the website domain is registered and hosted in China.

We also noted that WoW online scammers have raised the bar by pretending to be figures of authority, something seen in spam attacks outside the online gaming industry.

The scam perpetrator poses as a Blizzard employee with a name that contains a string similar to Blizzard. The attacker threatens to suspend the player’s account if he/she does not register at the website included in the chat message.

As in the attack mentioned earlier, the link goes to a phishing site that tries to steal the user’s Battle.net credentials. The phishing site very closely resembles the actual site in terms of layout. At first glance, the user may be led to believe that the URL is related to the WoW Armory, an official site containing information on in-game characters, guilds, and items

To protect its customers, Blizzard has intensified its information campaign on Battle.net’s security page. It also provided very accessible means within the game to report users who are abusing its chat and mail systems.

Trend Micro users are protected from these World of Warcraft phishing attacks via the Trend Micro™ Smart Protection Network™, which blocks access to the phishing websites.

For a more in-depth analysis of an online gaming Trojan kit (including World of Warcraft) and the underground online gaming economy, I highly recommend reading Trend Micro’s research paper entitled, “Dissecting the XWM Trojan Kit: A Peek at China’s Growing Underground Online Gaming Economy,” by Lion Gu.

Did you like this? Share it:


Use LinkedIn Beware the email

On Monday morning, cybercriminals began sending massive volumes of spam email messages targeting LinkedIn users. Starting at approximately 10am GMT, users of the popular business-focused social networking site began receiving emails with a fake contact request containing a malicious link. According to Cisco Security Intelligence, these messages accounted for as much as 24% of all spam sent within a 15-minute interval today. If users click, they are taken to a web page that says ‘PLEASE WAITING…. 4 SECONDS..’ and then redirected to Google, appearing as if nothing has happened. During those four seconds, the site attempted to infect the victim’s PC with the ZeuS Malware via a ‘drive-by download’ – something that requires little or no user interaction to infect a system.

Did you like this? Share it:
Categories: Uncategorized Tags: , , ,


How to remove Anti-Virus Live

The first thing you’ll want to do is reboot your computer, and hit the F8 key right before Windows starts loading (you can hit it a bunch of times). Then select the Safe Mode with Networking option.

Before you do anything else, you’re going to need to fix the internet connection to work, because Antivirus Live changes IE to use a fake proxy server that prevents you from getting to anything else—and will also prevent you from installing and updating a real anti-malware software.

So go to start then click on control panel. Then click on Internet Options this should bring up a box with some tabs across the top.  Click on Local Area Settings. You should see something similar to the image below.

Now Where you see a tick in the proxy server boxes untick both of them.

Now you’ll want to download and install SuperAntiSpyware, Follow this link to get it here,

Once you load it up, it’s going to do some analysis… let it do that and then you should see this.

Click on Scan your computer and select your C drive when asked what to scan. Do a complete scan of your computer.

This then will after a while return the results to you something like this.

Click ok and the click next and follow the on screen instructions for removing the problems detected.

Once this is all done restart your computer and go back into safe mode with networking by pressing the f8 key again and selecting safemode with networking.

Now go here and download the free version MalwareBytes. Follow the on screen instructions to install it. Once installed you should see something like below.

Now click on Perform Full Scan.

Allow this to complete and you should see something like the below…

Now Click on Remove Selected.

This will then ask you to restart your computer in order to complete the removal process.

Job done restart and carry on as normal :-)

Did you like this? Share it:


AVG thinks itunes is malware…

Word on the street is that the latest update from AVGs definitions has found that it thinks iTunes is MALWARE and has been disabling iTunes on folks machines. The latest update flags iTunes.dll and iTunesRegistry.dll as “Trojan horse Small.BOG”. There isn’t a listing for “Trojan horse Small.BOG” on AVG’s website so the flag is somewhat strange.

Advice at the moment is to disable AVG or Another work around is to add “C:\Program Files (x86)\ipod” as an exception under Resident Shield>Manage Exceptions>Add Path.

Did you like this? Share it: