Sunday, November 23, 2008

Please disable Autorun asap!

Posted on 6:31 AM by Unknown


We have seen an increase in USB-based malware attacks lately; see here and here for more info.
Unfortunately, in the last few weeks I have seen many cases where the Autorun feature, left enabled, caused a lot of problems afterwards. This means that many users are still not aware of the dangers.
Some scenarios I have seen in the last couple of weeks:

* Computer gets infected with Win32/Sality.NAR (NOD32 detection name). This is a polymorphic file infector that searches local and network drives for files with the .exe extension and infects them by appending a new section containing the virus code.
It also copies itself to the root folder of removable drives under a random filename and drops an autorun.inf that points at that file, so the copy is executed as soon as the drive is inserted into another computer with Autorun enabled. It also disables most AV scanners by terminating their services and processes, disables Task Manager, disables Regedit and much more to avoid being detected or disinfected.
In this case the user had a USB flash drive and used it to transfer removal tools etc. in order to remove this infection, since no scanners would work. Since this virus also spreads via removable media, his USB flash drive became infected, and the result was that his other computer was infected as well!

* Computer gets infected with W32/AutoRun-OY. This one also spreads via removable drives. This computer is used at home and every user has their own account: mom, dad, son and daughter. The son loves to play games, but also loves to download games plus cracks from illegal sources.
And that's how the computer at home gets infected with W32/AutoRun-OY. No detection, since the antivirus application that was installed was only a trial and had already been expired for more than a year. Dad works for a big company and transfers his database and files from the computer at work to a USB flash drive so he can continue his work at home.
The USB flash drive gets infected when he inserts it into the infected computer at home. Since no up-to-date scanner is present to alert on and block the malware, there is no sign that the computer and the flash drive are infected.
Dad goes back to work, inserts the flash drive into his computer at work and... it gets infected as well. No alert, nothing! It turns out that the computer at work didn't even have an antivirus installed!! And the worst part of all: Virut was also present! See here for more info. This is, imho, a lost case, and especially for business-owned computers it is irresponsible to clean this up manually. Format and reinstall is the fastest and, above all, the safest solution here.
So, who is to blame here? Imho, everyone is: the son, who is responsible for visiting illegal sites in order to download his games and cracks; the fact that the antivirus was outdated; the fact that dad uses a USB flash drive containing corporate information and inserts it into the personal computer (see here how to protect your data); and the fact that the computers at work didn't even have any protection/AV installed.
Anyway, this is all very irresponsible, especially when company-owned computers are involved.

* And today I have another case where someone gets infected with W32/AutoRun-OY: mom uses a USB flash drive to transfer files for use at work and is already complaining about "problems". This thread is still in progress and I really hope this isn't a lost case.

No wonder the military bans disks and USB drives.

This appears to be a common problem nowadays. Every infected drive that gets inserted into a machine with Autorun enabled becomes a new infection, which is why disabling Autorun is one of the cheapest ways to stop this kind of spreading.

To disable Autorun, please read the following tutorials:

http://www.howtogeek.com/howto/windows/disable-autoplay-of-audio-cds-and-usb-drives/ (applies to XP Pro, since XP Home has no gpedit.msc)
http://www.engadget.com/2004/06/29/how-to-tuesday-disable-autorun-on-windows/ (applies to XP Home; the same can be used for XP Pro)
http://www.howtogeek.com/howto/windows-vista/disable-autoplay-in-windows-vista/ (applies to Vista)

Some malware removal tools already disable Autorun by default. Don't complain about this: it is an extra security measure and you should have it disabled anyway. If you really want to enable it again, that is your own responsibility. Don't complain afterwards if you get infected and end up infecting a lot of other computers as well.

Update: extra instructions to disable Autorun (from US-CERT) can be found here.
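As an added example (not code from the original post or from any of the tools it mentions), the script below does two things a helper would want while cleaning up a case like the ones above: it parses an autorun.inf the way Explorer does, listing every entry that would launch something, and it decodes a NoDriveTypeAutoRun policy value to show which drive types would still autorun. The autorun.inf text and the filename xkqzv.exe are constructed for the example, modelled on the random-name-in-the-root pattern described above; they are not a real specimen. Standard library only.

```python
"""Added example (not part of the original post): triage an autorun.inf the
way you would before touching a possibly infected USB stick, and decode the
NoDriveTypeAutoRun policy value that the linked tutorials change.
Standard library only. The autorun.inf below is a constructed sample."""
import re

# One bit per GetDriveType() result; a set bit means "Autorun disabled for
# that drive type". 0xFF disables it everywhere. Windows XP ships with 0x91,
# which leaves removable drives (0x04) enabled.
DRIVE_TYPE_BITS = {
    0x01: "unknown",
    0x02: "no root directory",
    0x04: "removable (USB sticks, floppies)",
    0x08: "fixed",
    0x10: "network",
    0x20: "CD/DVD",
    0x40: "RAM disk",
    0x80: "reserved",
}
ALL_DISABLED = 0xFF

# Keys in [autorun] that make Explorer run something when the drive is
# inserted, double-clicked, or its context menu is used.
LAUNCH_KEYS = ("open", "shellexecute")
SHELL_COMMAND_RE = re.compile(r"^shell\\([^\\]+)\\command$")

# Constructed sample in the style of the worms the post describes: a random
# executable in the drive root, wired to every entry point, dressed up as the
# stock "Open folder to view files" entry. Not a real specimen.
SAMPLE_AUTORUN_INF = r"""
garbage=outside the section, ignored by Explorer
[autorun]
;comment lines are ignored
open=xkqzv.exe
shell\open\command=xkqzv.exe
shell\explore\command=xkqzv.exe
action=Open folder to view files
icon=%SystemRoot%\system32\shell32.dll,4
"""


def autorun_enabled_for(value):
    """Drive types still subject to Autorun under a NoDriveTypeAutoRun value."""
    return [name for bit, name in DRIVE_TYPE_BITS.items() if not value & bit]


def parse_autorun_inf(text):
    """Tolerant [autorun] parser: lower-cased key -> value.

    configparser is avoided on purpose; worms pad autorun.inf with junk bytes,
    duplicate keys and bogus sections that make strict parsers raise. Explorer
    only reads the [autorun] section, so nothing else is kept.
    """
    entries, in_autorun = {}, False
    for raw in text.splitlines():
        line = raw.strip().lstrip("\ufeff")
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def launch_actions(entries):
    """[(trigger, command)] for every entry that executes something."""
    return [(key, value) for key, value in entries.items()
            if key in LAUNCH_KEYS or SHELL_COMMAND_RE.match(key)]


def assess(text):
    """Parse autorun.inf text and return its entries, launch actions and warnings."""
    entries = parse_autorun_inf(text)
    actions = launch_actions(entries)
    warnings = ["%s runs %s from the drive" % (trigger, command)
                for trigger, command in actions]
    if actions and entries.get("action", "").lower().startswith("open folder"):
        warnings.append("action= mimics Explorer's own 'Open folder to view files' entry")
    if actions and "shell32.dll" in entries.get("icon", "").lower():
        warnings.append("icon= borrows a stock shell32.dll icon to look like a plain folder")
    return {"entries": entries, "actions": actions, "warnings": warnings}


if __name__ == "__main__":
    for value in (0x91, ALL_DISABLED):
        print("NoDriveTypeAutoRun=0x%02X still autoruns: %s"
              % (value, autorun_enabled_for(value) or "nothing"))
    for line in assess(SAMPLE_AUTORUN_INF)["warnings"]:
        print("autorun.inf:", line)
```

The gpedit "Turn off Autoplay" setting from the tutorials above writes NoDriveTypeAutoRun under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer (HKCU for a single user); the decoder shows why the XP default of 0x91 does nothing for USB sticks and why 0xFF is the value to aim for. The US-CERT instructions from the update take a different route, mapping Autorun.inf to a non-existent key under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf (default value @SYS:DoesNotExist) so Windows never reads the file at all, which is the safer choice on XP systems of that era, where the policy value alone was not reliably honoured until a later Microsoft update.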
Posted in Prevention

Wednesday, November 19, 2008

And another Paypal Phish...

Posted on 9:40 AM by Unknown
This is a mail I received in my mailbox one hour ago:

For your protection, we have limited access to your account until additional security
measures can be completed. We apologize for any inconvenience this may cause.

To review your account and some or all of the information that Pay Pal
used to make its decision to limit your account access, please visit the Resolution Center.

We encourage you to log in and restore full access as soon as possible. Should access to your
account remain limited for an extended period of time, it may result in further limitations on
the use of your account or may result in eventual account closure.


----------------------------------------------------------------------------------------------

Click here to resolve the problem.

----------------------------------------------------------------------------------------------

Sincerely,
PayPal Account Review Team





After I clicked the link, I was presented with this fake page:




Ok, let's enter "my" Email Address and PayPal Password to Log In.




The usual Logging in screen, which then opened the following page:




They don't only want your PayPal password; as you can see, they want a lot of other information as well: card number, expiration date, card verification number, PIN and bank name. That set is enough to use the card directly, without ever touching the PayPal account.

Anyway, if you fell for this phish, contact PayPal and your bank immediately (the card will have to be blocked and reissued) and change your PayPal password asap. If you used that password anywhere else, change it there too.
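The tell in a mail like this is the link: the text says "resolve the problem" or shows a PayPal address, but the href goes somewhere else. As an added example (not code from the original post, and not a PayPal tool), the script below parses a raw HTML mail, pulls out every anchor and reports why each link should not be trusted: a bare IP address, a host that is not under paypal.com, or visible text that names a different host than the href. The sample mail is constructed for the example, using a TEST-NET address and a reserved .example domain, and the paypal.com allow-list is an assumption for the example rather than PayPal's real host set. Standard library only.

```python
"""Added example (not part of the original post): pull every link out of an
HTML phishing mail and explain why it should not be trusted. Standard library
only; the mail below is a constructed sample modelled on the one quoted in the
post, with TEST-NET addresses and reserved example domains."""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allow-list for the brand the mail impersonates. Real PayPal mail also
# uses other hosts; the point is that anything else is off-brand.
LEGIT_SUFFIXES = ("paypal.com",)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
URL_TEXT_RE = re.compile(r"^(?:https?://|www\.)\S+$")

SAMPLE_RAW_MAIL = """\
From: "PayPal" <service@paypal.com>
To: victim@example.org
Subject: Your account access has been limited
Content-Type: text/html; charset="us-ascii"

<html><body>
<p>For your protection, we have limited access to your account until
additional security measures can be completed.</p>
<p><a href="http://203.0.113.7/~acct/paypal/cgi-bin/webscr.php?cmd=_login-run">
Click here to resolve the problem.</a></p>
<p>Or visit <a href="http://paypal.com.account-review.example/resolution">
https://www.paypal.com/resolution</a> directly.</p>
<p>Sincerely,<br>PayPal Account Review Team</p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def host_of(url):
    """Hostname of a URL, lower-cased; '' if it cannot be parsed."""
    try:
        return (urlparse(url).hostname or "").lower()
    except ValueError:
        return ""


def is_legit_host(host):
    return any(host == s or host.endswith("." + s) for s in LEGIT_SUFFIXES)


def analyse_links(links):
    """Return [(href, [reasons])] for links that should not be trusted."""
    findings = []
    for href, text in links:
        host = host_of(href)
        reasons = []
        if IPV4_RE.match(host):
            reasons.append("points at a bare IP address (%s)" % host)
        if not is_legit_host(host):
            reasons.append("destination %r is not a %s host" % (host, LEGIT_SUFFIXES[0]))
        if URL_TEXT_RE.match(text):
            # The user reads the text; the browser follows the href.
            shown = host_of(text if "://" in text else "http://" + text)
            if shown and shown != host:
                reasons.append("text shows %r but the link goes to %r" % (shown, host))
        if reasons:
            findings.append((href, reasons))
    return findings


def analyse_mail(raw):
    """Parse a raw RFC 5322 message, extract its HTML links, and vet them."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []
    collector = LinkCollector()
    collector.feed(body.get_content())
    return analyse_links(collector.links)


if __name__ == "__main__":
    for href, reasons in analyse_mail(SAMPLE_RAW_MAIL):
        print(href)
        for reason in reasons:
            print("  -", reason)
```

Note that the From: header in the sample says paypal.com and the script never looks at it: the sender address is trivially forged, so the destination of the links is the only thing worth checking. Hovering over the link in a mail client shows the same href this script extracts.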
Posted in phish

Saturday, November 15, 2008

MSN Virus!! No scanners detect it!!!!

Posted on 4:34 PM by Unknown
This is a common subject I see in forums lately.
People are complaining about an "MSN virus" that no scanner can detect.
This so-called "MSN virus" sends links to everyone in their contact list.
Yes, there are indeed worms that spread via Messenger and infect your computer, for example the IRCBOT-RB Trojan and many other variants.

However, this one is totally different... and has actually been going on for a while...

It appears that many aren't aware of this one yet, because I still see so many threads in forums where several AV scanners and other scanners were used, with the result: no detections, no strange files, no strange loading points, etc.
Long threads with no ending, since they can't find the root cause.

Actually, the root cause is very simple: the login and password of the MSN account were harvested because the user entered them on a page they reached via a link they once received.
This is an example of a link they receive:



More detailed info from some older blogposts:
http://phatybomb.blogspot.com/2008/04/how-to-solve-this-pesky-msn-virus.html
http://blog.spywareguide.com/2008/06/another-site-asking-for-msn-lo.html

Links may differ, but the scenario is always the same.

If you click that link, your browser opens a web page that prompts you to enter your MSN login and password to proceed.
Of course, the only purpose here is to harvest your login and password so the operators can (ab)use them to log in to your account and send the same link to all your other contacts.
In this case your computer isn't infected at all, which explains why scanners won't find a thing: there is nothing on disk to find. The compromise lives in the account, not on the machine.

The solution is simple: change your MSN password. If you used the same password anywhere else (your email account in particular), change it there as well, and warn your contacts not to log in via the link they received.

As I said, this one has been going on for a while, but in the last couple of days I see more and more threads in forums about it: endless threads with several different logs that show nothing.
That's why, if you think you're dealing with a similar "infection", change your password first and see if that solves the problem. If not, make sure your antivirus scanner is up to date and perform a full scan with it.

Tuesday, November 11, 2008

Congrats Belsec!

Posted on 3:31 AM by Unknown

For the people who don't know Belsec, check out the blog here: http://belsec.skynetblogs.be
Today Belsec turns one year old. Happy birthday!!!

Some exclusive articles, free stuff and other goodies will be posted there this week, so make sure you don't miss it.

Thursday, November 6, 2008

CCleaner

Posted on 2:27 PM by Unknown
Download: http://www.ccleaner.com/download/builds

There are 3 builds available. Personally, I prefer the "Slim" version.

1. Standard: also includes the Yahoo! Toolbar, which can be unchecked during the installation if you so desire.
2. Portable: does NOT include the installer.
3. Slim: does NOT include the toolbar.

Suggested Settings For CCleaner

Options > Advanced >
  • UNcheck "Only delete files in Windows Temp folder older than 48 hours".
  • Check "Show prompt to back up Registry entries".


Options > Cookies


To retain logon cookies, review the cookies in the "Cookies to Delete" column on the left. Select any you wish to keep and click the arrow pointing to the right to add to the "Cookies to Keep" column.



Cleaner > Windows Tab

The settings shown below are based on my choices. In the event assistance is needed (those logs are what a helper reads to diagnose a problem), I do not recommend using the Advanced section (not shown) or checking the following:
  • Windows Log Files
  • Windows Error Reporting

Cleaner > Applications Tab

This is an example of a recent setting.


Registry

It is not recommended that you perform this step unless you are having problems after uninstalling a program or it is recommended at a reputable help site. Generally, registry cleaners have caused more problems than they have repaired.

The settings I have checked below should be sufficient to clean up after a bad uninstall. I do not recommend checking "Missing Shared DLLs" or "Unused File Extensions": those entries may not be used by any currently installed software, but you may run into problems with a future program you attempt to run.

It is very important to back up the registry. Even though CCleaner has a registry backup, I would also suggest a manual backup. See this article on backing up the registry: Windows XP and Windows Server 2003.


Wednesday, November 5, 2008

Mrs. Claus' Cookbook

Posted on 1:19 PM by Unknown
Just a tidbit, based on the emails floating around with copy/pastes of the individual recipe URLs. They are from Mrs. Claus' Cookbook at the North Pole.com. Since someone put a lot of work into that site, I'd suggest visiting it directly. There are lots of fun things for the family at the North Pole.

For the recipes at the North Pole, follow the links below to the various kitchen categories.

Posted in Recipe

Monday, November 3, 2008

Meet the Medion Family

Posted on 12:15 AM by Unknown
A picture of my "Workplace"...


Sunday, November 2, 2008

HitmanPro 3 - maybe better, but I still have my doubts..

Posted on 8:37 AM by Unknown
Mainly Dutch users will know this program/removal tool. There were many discussions about it in the past, as you will read here.
However, the newest version is a bit different. Instead of installing several different antispyware and antivirus removal tools, it now uses a "Scanwolk" or "ScanCloud". This means that potential malware-related files are uploaded there and scanned by a couple of different engines. These engines are Eset (NOD32), Avira, Prevx, Emsi Software's a-squared Anti-Spyware and Ikarus Anti-Virus. As far as I know, some of these scanners are free. Correct me if I am wrong.

This is a little like the Virustotal principle, but in this case it happens automatically, without user interaction.
Previous versions of HitmanPro were free; however, this time the new version is different. Scanning stays free, but to remove what it has found you have to purchase a license. First you get a trial which is able to remove the found threats, but once that trial has expired you have to purchase a license..

Before testing this application, I already had a few remarks....

* What about false positives the external scanners find? Will HitmanPro remove them as well or not?
* Automatically uploading files to the "ScanWolk" (as they call it): what about user consent? Is this automatically allowed? Most scanners ask before uploading potentially suspicious files to a server. HitmanPro goes for faster results and uploads automatically without user interaction. Ethics???

Anyway, those were my main concerns, so I decided to give HitmanPro 3 a try..

When I test software, I always try it in a VMware image first. In this case it was Windows XP Pro Service Pack 2.
It was a clean install; only some analysis tools (tools which enumerate Windows loading points) were installed.

I downloaded HitmanPro 3 and executed it...
Once again, this is a clean Windows XP SP2 install with only some analysis tools present.

It started with the scan...



Ok, tracking cookies first of all. You're kidding if people really have to purchase a license to remove tracking cookies. Easy money..
Anyway.. the other detections..
Too bad to see that it detected one of my favorite analysis tools (OtScanIt.exe) as Trojan.Dos.Win32....
I uploaded it to Virustotal and got the following results: http://www.virustotal.com/nl/analisis/ab129671f0130d829a70e395ec5b64fa
HitmanPro uses the Prevx engine, and in this case it is detected as "Cloaked Malware". This is a heuristic detection and may be a false positive. Not sure where HitmanPro gets the "Trojan.Dos.Win32.." from..
Anyway.. during detection, there is NO WAY to deselect what it has found. The only option you get is the "next" button (and the option to select what subscription you have).
Then, if you click the "next" button, it removes what it found, no matter if it was a false positive or not (after all, you could not deselect it from the main screen). Bye-bye OtScanIt, I couldn't save you.. :(
And even in my clean VMware image, HitmanPro decided (without notice) to remove my desktop background and replace it with the plain blue standard background. Is there any reason why? Without notice? So this means that everyone who runs HitmanPro 3, no matter if you're infected or not, gets a "blank" desktop afterwards?

Once again, this was in a clean Windows XP SP2 image. Detection and removal of files that weren't even malicious, and deleting value data in keys (without notice) that weren't even malicious...
It also appears that some others are having problems as well with this newest version. For example:
http://www.techzine.nl/nieuws/18270/SurfRight-brengt-finalversie-Hitman-Pro-3-uit.html (first reaction present there).
To translate: "I've used it two times and deleted it immediately. The scripts crashed and deleted important files from my PC. BSOD, then a system restore (removed HitmanPro) and everything worked OK again."

I'm not surprised at all.....

So the only thing I can say here is... please remove the official version and give it more time in beta testing. It's way too dangerous to use/release it in public.
Some important thoughts:

* Ask for confirmation before uploading potential dangerous files.
* Make sure people can select/deselect what files to remove.

EDIT: There is indeed an option to select/deselect what files to remove, but only if you right-click the view and select the "Virus analyst view". Many people won't know about that option (I didn't either), so it may be better to put checkboxes to select/deselect in the main view.

* I can't find a backup/quarantine option. Better to give the option to quarantine what it removed, with the option to restore if needed.

... and some more thoughts that I will post later.

Extra note... I have NOT tested this on an infected system yet. I'll certainly do this later, see how it acts/reacts, and post the results. My main point was how it acted/reacted on a NON-infected system, since many people just love to run tools and even purchase them if not needed.
Posted in Security Products