Showing posts with label PC Security. Show all posts

Tuesday, September 30, 2008

UPS Email Infected - High Risk Threat

There is an email apparently from UPS going around with an attachment: invoice_8712.zip#670639117 which contains the Win32:Zbot Trojan.

Email reads:

‘Unfortunately we were not able to deliver postal package you sent on July (date varies) in time because the recipient’s address is not correct.
Please print out the invoice copy attached and collect the package at our office

Your UPS’

The invoice ‘copy’ is in a .zip file. Please do NOT open this attachment as you will be infected with the Zbot Trojan. If you receive one of these emails simply delete it.

Full details and free removal tools Click Here

Friday, July 11, 2008

Safer Surfing in 'Virtual' Environment

With normal surfing, information is loaded from your hard drive and passes through your browser, and information is then written back to your computer. If it’s a malicious site then you will also have malware written to your drive.

What if you could use a ‘virtual area’ in which you can run your browser, email reader, instant messengers and programs in complete safety? The information is loaded from your hard drive into the 'virtual' environment. From there, the read/write operations are carried out within the 'virtual' environment and never back to your computer.

Well, you can. Full details Click Here


A-Squared Free plus Tutorial

The free version is the little brother of a-squared Anti-Malware and contains only the scanner to clean infected computers. It does not come with the following features: background guard, Auto-Update, scheduled scans or HiJackFree.

The disk scan checks all files on your system disks for Malware. The scanner scans for Spyware Traces. Currently there are more than 1.2 million different types of Malware that can be detected and removed.

Full Details Click Here.

Web of Trust Is Your Community

Now there is a new tool for all users which is community driven. Web of Trust rates sites on standards of trustworthiness, vendor reliability, privacy and child safety. Once installed as a small BHO, it will place a safety rating on search engine searches and also checks links in emails. This takes it further up the ladder aimed at improving online safety for all users.

Web of Trust

Click Here For Full Details

Uninstall Programs Easily With RevoUninstaller

The Windows Add/Remove programs applet is slow and does not list all of the programs that you can uninstall. This neat little tool overcomes this and runs much faster than the Add/Remove applet.

Full Details Click Here

Friday, November 09, 2007

MSN Messenger Spreads Viral Attack Through Users

Please read the complete article before following the steps given.

Once again more MSN Messenger Viruses are spreading around the Internet. This time the virus sends the following message to all your contacts:

cute.pif - W32.Kelvir.A

omg this is funny!
[Followed by a link to download the cute.pif from jose.rivera4.home.att.net]
The user then downloads the file which sends the link to all of their contacts and then downloads a W32.Spybot worm onto the infected machine.

If you are lucky the program will just run on your machine, send to your contacts and end without downloading the Worm.

The first thing you should do therefore is delete the downloaded cute.pif making sure you do not run it again! Then check to see if a Worm has been downloaded as well.

1) Press Ctrl+Alt+Delete and look for hotkeysvc. If it’s there select it and press “End Task”.

2) Use the Windows Find feature to look for a file called “hotkeysvc.exe”, which, if it is there, should be in the %System% directory. If you find the file, delete it.

3) Go to ‘Start’ then ‘Run’ and type ‘msconfig’. A new window should appear.

4) Click on the tab at the top right that says ‘Startup’.

5) Look for, and if it exists, untick the box next to “hotkeysvc.exe” or similar name.

The http://jose.rivera4.home.att.net/cute.pif has now been fully removed!

IM-Names virus

1) Close Messenger.

2) Go to ‘Start’ then ‘Run’ and type ‘msconfig’. A new window should appear.

3) Click on the tab at the top right that says ‘Startup’.

4) Untick the box next to ‘IM-Names’. (If you cannot find it skip this task)

5) Click ‘ok’ and when it asks if you want to restart your computer say no.

6) Press ‘Ctrl’ + ‘Alt’ + ‘Del’. Find the process that says ‘IM-Names’ and click End Task.

The virus has now been deactivated!

To remove it fully follow these instructions:

1) Search your computer for all files called “IM-Names” (without quotes)

2) Delete all files that it finds.

3) Empty your Recycle Bin.

The virus has now been fully removed!

PIC1234(1)(1)(1)(1)(1).exe

Removing the virus is simple. Follow these instructions:

1) Close Messenger. This will simply stop any of your contacts getting the virus.

2) Go to ‘Start’ then ‘Run’ and type ‘msconfig’. A new window should appear.

3) Click on the tab at the top right that says ‘Startup’.

4) Untick the box next to ‘MSN Messenger’.

5) Click ‘ok’ and when it asks if you want to restart your computer say no.

6) Press ‘Ctrl’ + ‘Alt’ + ‘Del’. Find the file that says ‘MsgSpread’ and click End Task.

The virus has now been deactivated!

To remove it fully follow these instructions:

1) Go to the Desktop and open My Documents.

2) Double click on ‘Messenger Service Received Files’. If you don’t see a folder called that, then go to ‘My Computer’, double left click on ‘C’, then ‘Program Files’ and finally ‘Messenger Service Received Files’.

3) You should now see a file called ‘PIC1234(1)(1)(1)(1)(1)(1)(1)(1).exe’.

4) Click on it ONCE and left click and select ‘Delete’. This should delete the file.

5) Empty your Recycle Bin.

The virus has now been fully removed!

Choke.exe aka I-Worm.Choke

Even if the user accepts the download he or she will not be infected. The user must download and run the files they received. The file name can differ every time. It can be ‘ShootPresidentBUSH.exe’, ‘Choke.exe’ or ‘%The user name%.exe’ where the user name is a nickname from dalist.txt.

Removing the virus is simple. Follow these instructions:

1) Press Ctrl+Alt+Delete and select Choke.exe, and press “End Task”.

2) Close Messenger. This will simply stop any of your contacts getting the virus.

3) Go to ‘Start’ then ‘Run’ and type ‘msconfig’. A new window should appear.

4) Click on the tab at the top right that says ‘Startup’.

5) Untick the box next to “Choke.exe” or similar name.

The virus has now been deactivated!

To remove it fully follow these instructions:

1) Go to ‘Start’, then ‘Find’ or ‘Search’ and enter “Choke.exe”, then press OK.

2) Click on the file and press ‘Delete’.

3) Empty your recycle bin.

The virus has now been fully removed!

W32.Aplore@mm

W32.Aplore@mm is an MSN Messenger Virus which spreads by sending links to an infected web page. When a user is infected with this virus they send a message to their online contacts. The message may be as follows, where ZZZ is the contact’s name, the A’s represent an IP address and the B’s represent a port number.

ZZZ says: this is cool, http://AAA.AAA.AA.AA:BBBB

OR ZZZ says: btw, download this, http://AA.AA.AAA.AAA:BBBB

Removing the virus is simple. Follow these instructions:

1) Close Messenger. This will simply stop any more of your contacts getting the virus.

2) Go to ‘Start’ then ‘Run’ and type ‘msconfig’. A new window should appear.

3) Click on the tab at the top right that says ‘Startup’.

4) Untick the box next to “Explorer”.

5) Restart your Computer.

The virus has now been deactivated!

W32.Annoying.Worm

The delightful author of this worm, who comes “in piece” (pity it’s not “in pieces”), has even included a readme.txt file with uninstall instructions:

How to remove the Annoying.Worm:
1) Click Start, select Run. The Run dialog box pops up.

2) Type: msconfig The System Configuration Utility pops up.

3) Click the Startup tab at the top. In the list, find MsgSprd, Messenger, or pic1324, uncheck, press Apply, then press Ok.

4) Restart your computer Or press Ctrl - Alt - Del, select MsgSprd from the list, then press End Task.

You may freely delete the files or the ‘C:\Messenger1324’ directory.

You may need to uninstall/reinstall Messenger after removing this one from your system.
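The manual checks in the procedures above (Task Manager, the msconfig Startup tab and the file searches) can also be done in one read-only pass. The PowerShell below is an added example, not part of the original post: it only reports and deletes nothing, it uses the process, startup and file names given in this post, and it assumes that %System% means the Windows system directory.

```powershell
# Added example: report-only check for the names listed in this post.
# 'Explorer' and 'MSN Messenger' are left out because legitimate software
# uses those names too, so a name match alone would not mean anything.
$names   = 'hotkeysvc', 'IM-Names', 'MsgSpread', 'MsgSprd', 'Choke', 'pic1324', 'PIC1234'
$pattern = ($names | ForEach-Object { [regex]::Escape($_) }) -join '|'

# Running processes: what the Ctrl+Alt+Delete steps look for.
$processes = Get-Process |
    Where-Object { $_.ProcessName -match $pattern } |
    Select-Object ProcessName, Id, Path

# Startup entries: the Run keys are among the items msconfig's Startup tab lists.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$startup = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $regKey = Get-Item $key
    foreach ($valueName in $regKey.GetValueNames()) {
        $command = [string]$regKey.GetValue($valueName)
        # Match on either the entry name or the command it launches.
        if ($valueName -match $pattern -or $command -match $pattern) {
            [pscustomobject]@{ Key = $key; Entry = $valueName; Command = $command }
        }
    }
}

# Files and folders the post names at fixed locations.
# Assumption: %System% is the Windows system directory.
$paths = @(
    (Join-Path ([Environment]::SystemDirectory) 'hotkeysvc.exe'),
    'C:\Messenger1324'
)
$files = $paths | Where-Object { Test-Path -LiteralPath $_ }

'Processes:';       $processes | Format-Table -AutoSize
'Startup entries:'; $startup   | Format-Table -AutoSize
'Files/folders:';   $files
```

Empty sections mean none of the listed names were found in that place; anything reported still needs the manual steps above to remove it.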

As you may have passed the MSN Messenger virus on to some of your contacts it is suggested you warn your friends about the MSN Messenger Virus.

Many of these viruses will continue to resend themselves to your contacts and then their contacts, so the vicious circle continues. If you are infected you are in a position to do something about it.

In future if someone tries to send you a file on MSN Messenger and it ends with ‘.exe’ do NOT download it unless you are really sure you know what it is. Ask the person that is sending you it what it is!

Ensure that your pc is fully up-to-date with the latest patches, also ensure that your anti-virus protection is regularly updated.

If you use a file shredder it is better than using the recycle bin to empty files.

I also recommend using CCleaner (formerly CrapCleaner) to rid your system of unwanted garbage that collects on a daily basis.

Virus Alert

Some 30% of computers with a security solution installed scanned last week were infected with some kind of malware. In the case of computers without any kind of protection, the figure goes up to 44%. Source: http://www.infectedornot.com

Malware creators are trying to put a large number of threats in circulation and install them silently to prevent security companies from detecting them and generating the necessary vaccines.

Therefore, traditional security solutions must be complemented with other types of online solutions like BitDefender, which uses the ICSA Labs certified scanning engines, so you can feel secure about their virus protection.

As for the malicious code that has appeared in the past week, highlighted are the Bindo.A and Nuwar.HU worms.

Bindo.A aka autoply.exe is a worm designed to spread and infect as many computers as possible by copying itself under names like autoply.exe or MSshare.exe to the shared folders of any P2P programs that the targeted user might have installed.

It also creates a file called AUTORUN.INF in all drives it copies itself to, in order to be run every time that the drive is accessed. It is very easy to detect the presence of this worm on the system, as it increases the number of shared files in the P2P shared folders on the computer.

Bindo.A also changes certain shortcuts in the desktop so that they have two execution paths: the original one and one that runs when the original program is launched.
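To see what an AUTORUN.INF on each drive would launch, the file can be read directly. The PowerShell below is an added example, not part of the original post: it only reports, lists the launch commands found in each drive's autorun.inf, and marks those that mention the file names given above (autoply.exe, MSshare.exe).

```powershell
# Added example: report-only. File names are the ones given in the post.
$wormNames = 'autoply.exe', 'MSshare.exe'

function Get-AutorunCommand {
    param([Parameter(Mandatory)][string]$Path)
    # open=, shellexecute= and shell\<verb>\command= name the program that
    # Windows starts for the drive.
    foreach ($line in Get-Content -LiteralPath $Path -ErrorAction SilentlyContinue) {
        if ($line -match '^\s*(open|shellexecute|shell\\[^=]+\\command)\s*=\s*(.+)$') {
            $Matches[2].Trim()
        }
    }
}

$report = foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    $inf = Join-Path $drive.Root 'autorun.inf'
    if (-not (Test-Path -LiteralPath $inf)) { continue }
    foreach ($command in Get-AutorunCommand -Path $inf) {
        # True when the command mentions one of the names from the post.
        $hit = $wormNames | Where-Object { $command -like "*$_*" }
        [pscustomobject]@{
            Drive       = $drive.Root
            Command     = $command
            NamedInPost = [bool]$hit
        }
    }
}
$report | Format-Table -AutoSize
```

Software CDs also carry a legitimate autorun.inf, so a listed command is something to look at, and only the NamedInPost column ties it to this worm's file names.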

BitDefender is a FREE online virus scanner, which takes a while to run and it is advisable to run this when you have no other programs using resources. When opened, you will have to click the ‘I Agree’ user license after which you will be taken to the Options page.

The default setting is to scan all of your computer, which is the safest option. Under the ‘Settings’ the default option is for BitDefender to try and clean the infected files. There is a warning that if disinfection fails, the files will be deleted. You can change this option where it says ‘click here’ and a pop-up window opens (ensure you do not have pop-up blockers turned on).

Under the heading ‘Action options’ select ‘Prompt user for action’ and under ‘Second action’ again select ‘Prompt user for action’ then click OK, then click where it says ‘Click here to scan’. BitDefender will then load the anti-virus engine and virus signatures.

If it fails to update, select ‘Yes’ to continue and scanning will start.

When scanning, if an infection is found you will be prompted for an action and you will see the location of the infected file. You can select ignore, disinfect or delete. If disinfection fails however, the file will be deleted so use this with caution and ensure that it is not an important file.

Nuwar.HU is a new variant of the infamous “Storm Worm” which takes advantage of Halloween to spread. It ends processes of certain security tools that might be installed on the computer.

Nuwar.HU drops a rootkit called noskrnl.sys on the system and sets it as a service so that it is run automatically when the computer is started. Nuwar.HU spreads in email messages with subjects like “Have a Happy Halloween everyone” or “Party on this Halloween” among many others.

These messages include links to certain web pages that show a ‘dancing skeleton’ animation. If the user downloads and runs the animation offered on the website, the worm infects the computer and turns it into a zombie system at the service of a malicious user.

Rootkit detection

Methods to detect rootkits fall into two categories: Signature-based and heuristic/behavior-based detection.

There is an article about rootkits here, and you can get more information on searching your hard drive for the presence of rootkits, and on tools to remove them, by clicking here.

Secunia Personal Software Inspector (Beta)

Make your PC safer with this utility from Secunia, a company that tracks known vulnerabilities in software and operating systems.

This is one of the most useful and important free tools that you can have running on Windows XP SP2, Windows 2000 and Windows 2003.

This tool examines all of the program files on your PC for information on specific software builds installed and can identify missing Windows patches and outdated, insecure applications on your PC.

After examination, the data collected is sent to Secunia’s secure servers (https://psi.secunia.com/) and matched against their Signature Files, which then determines the precise applications installed on your system.

Secunia state that they have more than 4,700 different programs in their File Signatures engine.

Once the scan is complete, which only takes a few minutes, Secunia PSI will categorize each program as “Up-To-Date”, “Insecure” or “End-of-Life”.

The results table presents the name and version number of your installed application. Clicking on the file name or the green information button will take you to a summary page with further information. If there is a blue button this will link directly to the file that will update or patch your software, if available.

On the summary page you will also receive a link to Secunia’s advisory about why your version is not safe, and explanations of the multiple versions of a program that you may see listed, as well as available updates and download locations.

Although Secunia PSI is not perfect, and it is still in Beta version, it is fairly useful at keeping your computer programs up-to-date, which also aids in your system security.

Secunia’s privacy statement states that they store information about your software for up to 12 months, but it does not collect any personal data beyond version numbers.

Download Secunia PSI here.

Note: The free Secunia PSI is available for Private/Home Users ONLY

As with any program installation, back up or create a Restore Point before making any changes.

Tuesday, October 16, 2007

FreeFixer for Windows

FreeFixer is a general purpose removal tool which will help you to delete potentially unwanted software, such as adware, spyware, trojans, viruses, and rootkits.

FreeFixer works by scanning a large number of locations where unwanted software has a known record of appearing or leaving traces.

The scan locations include the programs that run on your computer, the programs that start when you reboot your computer, your browser’s plug-ins, and your home page setting.

FreeFixer does not know which the bad files and settings are, so the scan result will contain items you want to keep and perhaps some that you want to remove.

To assist you when determining if anything should be removed you can find more information at FreeFixer’s Web site for each item in the scan result.

You can also save a log file of your scan result and consult the FreeFixer helper forums.

There is also an in-depth user manual online here

FreeFixer is freeware and Windows 2000/XP/2003 compatible.

Click here to download

Monday, October 01, 2007

FreeFixer for Windows

FreeFixer is a general purpose removal tool which will help you to delete potentially unwanted software, such as adware, spyware, trojans, viruses, and rootkits.

FreeFixer works by scanning a large number of locations where unwanted software has a known record of appearing or leaving traces.

The scan locations include the programs that run on your computer, the programs that start when you reboot your computer, your browser’s plug-ins, and your home page setting.

FreeFixer does not know which the bad files and settings are, so the scan result will contain items you want to keep and perhaps some that you want to remove.

To assist you when determining if anything should be removed you can find more information at FreeFixer’s Web site for each item in the scan result.

You can also save a log file of your scan result and consult the FreeFixer helper forums.

There is also an in-depth user manual online here

FreeFixer is freeware and Windows 2000/XP/2003 compatible.

Click here to download