Mission Statement
The Computer Security Information Center is one of the newer sections here on 5 Star Support. It is one of the ten major sections of the Web site. We are dedicated to assisting you with security threats to your computer from various sources on the Internet. While we cannot say "Don't worry, we've got your back", nobody else can either. What we are all about here is trying to keep you as safe as possible by supplying concise security information organized in one place, so you won't have to waste a lot of time looking all over the Internet for it yourself. We hope to improve your computer security and help you both avoid and solve problems by:
- Raising your awareness of security risks through tutorials and news articles
- Providing tutorials explaining how to fix problems related to security issues
- Providing high-quality information regarding virus risks and solutions
- Increasing your knowledge of needed security-related skills
- Helping you set up your computer to avoid major security-related problems
- Providing assistance in treating and removing virus infections you may encounter
If we can accomplish this, then we feel very good about the free security assistance we have provided for you. If you agree, please let us know we have helped - it's what keeps us going. Stay safe by visiting us often here at the 5 Star Support Security Center. For free spyware scanners and other security-related downloads, please visit our Free Anti-Virus and Anti-Spyware Software page.
Remove Spyware/Malware or ANY Virus - FOR FREE
Source:
5 Star Support
7.01.08
Spyware/Malware and computer viruses are a big problem that nearly all computer users face. The greatest defense against these parasites is awareness. If you visit web sites of questionable integrity or if you download files frivolously, you are taking huge risks. Many viruses these days are programmed with very harmful intent. They can log your keystrokes so that your banking information is compromised. Granted, I have used probably the worst-case scenario for my example, but this is a very real scenario that happens all the time.
If you need help, there are many Security Experts at your disposal who are willing to give you their free time, either to coach you on how to keep your files safe or to safely remove threats from an infected machine. All of this we provide to you for free!
We are here for you when you need our help!
http://www.5starsupport.com/ipboard/index.php
Weekly Security News
Posted by Dave
5 Star Support Security Specialist
Week of 07/20/08
General -
The big news this week is DNS cache poisoning, a term many have never heard of. The bottom line is that you simply need to be sure you have applied all of the patches released by Microsoft on July 8th. If not, you need to go to Windows Update or Microsoft Update and do it now!
Microsoft –
There are reports of an unpatched vulnerability in Microsoft Word. Only users of Word 2002 are affected. Microsoft is investigating the issue at this time.
Other Software –
Firefox users need to be sure they are running the latest versions that have been released to address security concerns. Firefox 2 users (support ends later this year) should be running v 2.0.0.16 and Firefox 3 users should be running v 3.0.1.
Thunderbird users should be sure they are running the latest version that has been released to address security concerns. Thunderbird users should be running v 2.0.0.16.
New Viruses & Malware –
This section lists the new viruses, worms, Trojans etc. released into the wild during the past week. The discoveries come from SOPHOS (UK), recognized as a world leader in computer security products, software and appliances.
W32/Autorun-GM copies itself to <Root>\CDBoot.exe and <System>\System32.exe.
W32/Autorun-GM creates the file autorun.inf which is also detected as W32/Autorun-GM.
W32/Autorun-GM edits the registry entry:
HKCR\exefile\Shell\open\command\
(Default)
<System>\System32.exe \"%1\" %*
*******************************************************************************************
Troj/Agent-HAI is a backdoor Trojan which allows a remote intruder to gain
access and control over the computer.
Troj/Agent-HAI includes functionality to access the internet and communicate
with a remote server via HTTP.
When first run Troj/Agent-HAI copies itself to:
<System>\<random_name1>.exe
<System>\<random_name2>.exe
The following registry entry is created to run mounaquek.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
<random_name3>
<System>\<random_name1>.exe
A copy of the Trojan is registered as a new system driver service, with a
display name of "bcveServ" and a startup type of automatic, so that it is
started automatically during system startup. Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\<random_name4>
*******************************************************************************************
Troj/Proxy-IO is a Trojan that injects a block of executable code into the
process space of a newly created process svchost.exe. The injected code provides
SOCKS proxy functionality for the attacker.
A randomly named batch file is also created. The batch file attempts to remove
the Trojan installer and delete itself once the Trojan installer is successfully
deleted.
*******************************************************************************************
Troj/Dload-CP is a Trojan for the Windows platform.
Troj/Dload-CP includes functionality to access the internet and communicate with
a remote server via HTTP.
When first run Troj/Dload-CP copies itself to the Program Files folder and
creates the following files:
<User>\Start Menu\Antivirus2008y\Antivirus 2008.lnk
<User>\Start Menu\Antivirus2008y\Uninstall Antivirus 2008.lnk
<Program Files>\Mozilla Firefox\extensions\xxx@xxx.com\block.dat
<Program Files>\Mozilla Firefox\extensions\xxx@xxx.com\chrome.manifest
<Program Files>\Mozilla Firefox\extensions\xxx@xxx.com\chrome\content\main.js
<Program Files>\Mozilla Firefox\extensions\xxx@xxx.com\chrome\content\main.xul
<Program Files>\Mozilla Firefox\extensions\xxx@xxx.com\components\module.js
<Program Files>\Mozilla Firefox\extensions\xxx@xxx.com\install.rdf
<Program Files>\Mozilla Firefox\extensions\xxx@xxx.com\nonblock.dat
<Program Files>\Mozilla Firefox\extensions\xxx@xxx.com\page.html
<Program Files>\Mozilla Firefox\extensions\xxx@xxx.com\refresh.bat
<System>\winlogon.dll - Also detected as Troj/Dload-CP
The folder "<Program Files>\Mozilla Firefox\extensions\xxx@xxx.com" may be
safely deleted.
The following registry entry is created to run Troj/Dload-CP on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Antivirus2008y
<Program Files>\Antivirus2008y\<original Trojan filename>
*******************************************************************************************
When Troj/Agent-HFZ is installed the following files are created:
<System>\ntos.exe - copy of Troj/Agent-HFZ
<System>\wsnpoem\audio.dll - empty file, can be safely deleted
<System>\wsnpoem\video.dll - empty file, can be safely deleted
The following registry entry is changed to run ntos.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
<System>\userinit.exe,<System>\ntos.exe,
*******************************************************************************************
Mal/EncPk-CZ is a program packed with a protection system typically used by
malware authors.
Files detected as Mal/EncPk-CZ are frequently fraudulent security programs.
*******************************************************************************************
Troj/Invo-Zip is a family of zip files that contain malware.
Members of Troj/Invo-Zip are usually sent in spam pretending to relate to an
invoice or receipt for an online transaction, often one related to UPS.
*******************************************************************************************
Troj/Rech-Rar is a family of rar files that contain malware.
Members of Troj/Rech-Rar are usually sent in German spam pretending to relate to
a receipt calculation for an online transaction.
*******************************************************************************************
Mal/Behav-119 is a family of malicious downloaders for the Windows platform.
Members of Mal/Behav-119 typically include functionality to download and execute
software from a remote website. To bypass firewall restrictions they may inject
code into a process such as internet explorer.
*******************************************************************************************
Troj/Banker-EMK is a Trojan for the Windows platform.
Troj/Banker-EMK includes functionality to access the internet and communicate
with a remote server via HTTP.
When first run Troj/Banker-EMK copies itself to <Windows>\PeerNet\update.exe and
creates the following files:
<Windows>\explo.bat
The following registry entry is created to run update.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
update.exe
<Windows>\PeerNet\update.exe
*******************************************************************************************
Troj/BHO-GF is registered as a COM object and Browser Helper Object (BHO) for
Microsoft Internet Explorer, creating registry entries under:
HKCR\CLSID\{ba6fd309-5936-8a4d-c47e-0b1874472763}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper
Objects\{ba6fd309-5936-8a4d-c47e-0b1874472763}
The following registry entry is created to run code exported by the Trojan DLL
on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
{d136286e-bb98-a38b-4b6b-5433c152de92}
<System>\Rundll32.exe "<pathname of the Trojan DLL>" DllStart
*******************************************************************************************
Troj/FakeAV-AA is a Trojan for the Windows platform.
Troj/FakeAV-AA fraudulently reports a user's system as infected and will not
clear these fraudulent reports until the user pays and registers the
application.
The Trojan may claim to detect a number of files. These files are not malicious
and may be deleted.
The following registry entry is set:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
XP SecurityCenter
"<path to Trojan> /hide"
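Nearly every entry above persists through the same handful of registry locations: a value under a Run key, an extra program chained onto the Winlogon Userinit value (Agent-HFZ), a rewritten exefile open command (Autorun-GM), or a GUID-named Run value that starts a DLL through Rundll32 (BHO-GF). The script below is an added example, not code from 5 Star Support or Sophos: it parses the text that `reg export` produces and flags values matching those patterns. The export it runs over is constructed for the example (the file names bho.dll and xpsc.exe are made up), and the list of reported value names is taken from the entries above.

```python
"""Audit a Windows registry export (`reg export` text) for the persistence
patterns listed in the weekly report: Run-key values, a chained Userinit,
a hijacked exefile open command, and GUID-named values launched via Rundll32.

Added example, not code from 5 Star Support or Sophos. The export below is
constructed for the example; bho.dll and xpsc.exe are made-up file names."""
import re

# Constructed sample export (reg export format: backslashes and quotes escaped).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\Shell\open\command]
@="C:\\WINDOWS\\system32\\System32.exe \"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\ntos.exe,"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"update.exe"="C:\\WINDOWS\\PeerNet\\update.exe"
"{d136286e-bb98-a38b-4b6b-5433c152de92}"="C:\\WINDOWS\\system32\\Rundll32.exe \"C:\\WINDOWS\\system32\\bho.dll\" DllStart"
"XP SecurityCenter"="\"C:\\Program Files\\XPSC\\xpsc.exe\" /hide"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Antivirus2008y"="C:\\Program Files\\Antivirus2008y\\av2008.exe"
"""

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
GUID_RE = re.compile(r'^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$', re.I)
# Value names quoted in the report's entries (Dload-CP, FakeAV-AA, Dial-U).
REPORTED_VALUE_NAMES = {"antivirus2008y", "xp securitycenter", "openmstart"}
CLEAN_EXEFILE_COMMAND = '"%1" %*'   # what a healthy exefile handler contains


def unescape(literal):
    """Turn a REG_SZ literal from a .reg file back into its real string."""
    if len(literal) >= 2 and literal[0] == literal[-1] == '"':
        literal = literal[1:-1]
    return re.sub(r'\\(.)', r'\1', literal)


def parse_reg(text):
    """Yield (key, value_name, value) triples; only REG_SZ values matter here."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            name = "(Default)" if m.group(1) == "@" else unescape(m.group(1))
            yield key, name, unescape(m.group(2))


def reasons_for(key, name, value):
    """Return the reasons this value looks like report-style persistence."""
    reasons = []
    k = key.lower()
    if k.endswith(r"exefile\shell\open\command") and name == "(Default)":
        if value.strip() != CLEAN_EXEFILE_COMMAND:
            reasons.append("exefile handler no longer runs the target directly")
    elif k.endswith(r"\winlogon") and name.lower() == "userinit":
        parts = [p.strip() for p in value.split(",") if p.strip()]
        extras = [p for p in parts if not p.lower().endswith("userinit.exe")]
        if extras:
            reasons.append("Userinit chains extra program(s): " + ", ".join(extras))
    elif re.search(r"\\currentversion\\run(once)?$", k):
        if GUID_RE.match(name):
            reasons.append("GUID-named Run value")
        if re.search(r"rundll32(\.exe)?\b", value, re.I):
            reasons.append("launches a DLL export through Rundll32")
        if re.search(r"\s/hide\b", value, re.I):
            reasons.append("started with /hide")
        if name.lower() in REPORTED_VALUE_NAMES:
            reasons.append("value name matches an entry in the report")
    return reasons


def audit(reg_text):
    """Return one finding dict per suspicious value in the export."""
    findings = []
    for key, name, value in parse_reg(reg_text):
        reasons = reasons_for(key, name, value)
        if reasons:
            findings.append({"key": key, "name": name, "value": value, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_REG):
        print(f"{f['key']}\n  {f['name']} = {f['value']}")
        for r in f["reasons"]:
            print("   -", r)
```

On a real machine the input comes from `reg export` of the Run, Winlogon and exefile keys; that command writes UTF-16 text, so open the file with `encoding="utf-16"` before passing it to `audit()`. Note that the generic `update.exe` entry is deliberately left unflagged: a value name alone says nothing, and entries like Banker-EMK's are only recognisable by where the executable lives or by a signature, which is the job of the scanner rather than this audit.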
Dangerous Applications
Unwanted Freeware
03/16/08
Posted by Dave
5 Star Support Security Specialist
There are always new free add-ons for your browser and free applications for your computer coming out, almost daily now. Trouble is, many of them cause a host of other problems because they contain Adware and/or Spyware of some sort. Sophos UK maintains a list of these and refers to them as Potentially Unwanted Applications, or PUAs. Below is a list of the most recent ones released that you need to avoid:
1. Spyware Remover is an application for the Windows platform. Spyware Remover
is known to produce bogus warnings to ask the user to register.
When Spyware Remover is installed the following files are created:
<Start Menu\Programs>\SpywareRemover\SpywareRemover on the Web.lnk
<Start Menu\Programs>\SpywareRemover\SpywareRemover.lnk
<Start Menu\Programs>\SpywareRemover\Uninstall SpywareRemover.lnk
<Desktop>\SpywareRemover.lnk
<Program Files>\SpywareRemover\DataBase.ref
<Program Files>\SpywareRemover\Launcher.exe
<Program Files>\SpywareRemover\SpyCleaner.dll
<Program Files>\SpywareRemover\SpywareRemover.exe
<Program Files>\SpywareRemover\SpywareRemover.url
<Program Files>\SpywareRemover\license.rtf
<Program Files>\SpywareRemover\tcl.dll
<Program Files>\SpywareRemover\unins000.dat
<Program Files>\SpywareRemover\unins000.exe
<Program Files>\SpywareRemover\zlib.dll
<Windows>\Tasks\SpywareRemover Scheduled Scan.job
2. FakeShareaza is an unwanted program – Adware.
3. FakeShareaza MediaBar is a potentially unwanted application for the Windows
platform.
When Fake Shareaza MediaBar is installed the following files are created:
<Program Files>\Shareaza Applications\Shareaza MediaBar\Shareaza.bmp
<Program Files>\Shareaza Applications\Shareaza MediaBar\ShareazaIEHelper.dll
<Program Files>\Shareaza Applications\Shareaza MediaBar\ShareazaMediaBar.dll
<Program Files>\Shareaza Applications\Shareaza MediaBar\Shareaza_icons.bmp
<Program Files>\Shareaza Applications\Shareaza MediaBar\Shareaza_logo.bmp
<Program Files>\Shareaza Applications\Shareaza MediaBar\Uninstall.exe
<Program Files>\Shareaza Applications\Shareaza MediaBar\Updater.exe
<Program Files>\Shareaza Applications\Shareaza MediaBar\basis.xml
<Program Files>\Shareaza Applications\Shareaza MediaBar\button_arrow.bmp
<Program Files>\Shareaza Applications\Shareaza MediaBar\historyCombo.html
<Program Files>\Shareaza Applications\Shareaza MediaBar\resizer.bmp
<Program Files>\Shareaza Applications\Shareaza MediaBar\search.bmp
<Program Files>\Shareaza Applications\Shareaza MediaBar\search.html
<Program Files>\Shareaza Applications\Shareaza MediaBar\search.js
<Program Files>\Shareaza Applications\Shareaza MediaBar\search_images.bmp
<Program Files>\Shareaza Applications\Shareaza MediaBar\search_maps.bmp
<Program Files>\Shareaza Applications\Shareaza MediaBar\search_news.bmp
<Program Files>\Shareaza Applications\Shareaza MediaBar\showSettings.js
<Program Files>\Shareaza Applications\Shareaza MediaBar\storesearchcriteria.js
<Program Files>\Shareaza Applications\Shareaza MediaBar\version.txt
<Program Files>\Shareaza Applications\Shareaza MediaBar\web.bmp
4. ForceLibrary is an unwanted program – Adware.
5. SpySheriff is an anti-spyware application for the Windows platform.
Known trial versions of this software use excessive amounts of virtual memory,
leading to a reduction in system performance.
6. SpySheriff Downloader is a potentially unwanted application.
SpySheriff Downloader downloads the application SpySheriff Installer from a
pre-defined site.
7. Soso AddressBar Search Downloader is a potentially unwanted application –
Adware
8. Shutdown Timer is a potentially unwanted application.
Shutdown Timer allows the following actions to occur on the computer:
Log off
Hibernate
Standby
Restart
Shutdown
9. Vapsup is an unwanted program – Adware
10. Mal/Dial-U is a dialer.
When first run Mal/Dial-U copies itself to the Windows system folder.
The following registry entry is created to run Mal/Dial-U on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
OpenMstart
<System>\<original dialer filename>
11. Passware Password Recovery is a potentially unwanted application for the
Windows platform.
Passware Password Recovery includes functionality to steal passwords saved in
Internet Explorer.
12. IRCFast Downloader is a Potentially Unwanted Application for the Windows
platform.
IRCFast Downloader attempts to persuade the user to download otherwise free
software from the author's servers for an extremely high price. This site has
been associated with malware.
13. OneStepSearch is an unwanted program – Adware
New Malware Spotlight
This new section of the Security Center is designed to help raise awareness of
new malware threats that are often not publicized and often found in places
where you do not expect them. We will update it as new threats are released.
Week of 02/10/08
Posted by Dave
5 Star Support Security Specialist
1. This year has begun with alarming data: in addition to Trojans, the use of
worms to steal users’ confidential data is also on the increase. According to
data collected by the Panda ActiveScan online anti-malware solution, while
Trojans caused 24.41 percent of infections, worms accounted for 15.01 percent.
This data contrasts with the 2007 data, in which attacks caused by worms were
responsible for less than 10 percent of infections.
According to PandaLabs, the malware analysis and detection laboratory at Panda
Security, this is due to the increasing activity of Nuwar-type worms, also known
as Storm Worms. Computer worms can spread rapidly on their own. However, unlike
those that caused epidemics massively covered by the media, they do not seek to
collapse data traffic or damage computers. Instead, their objective is to steal
confidential data for online fraud or identity-theft crimes.
To do so, these worms usually arrive in messages that use social engineering
techniques which refer to current affairs. They also include links redirected to
pages that have been modified to automatically install other malware which
steals the data, or to spoof pages similar to those used for phishing attacks.
Although we suspected this would occur, we didn’t think cyber-crooks would focus
on these types of worms so soon. It is a very dangerous threat, since even
though its effects are more visible than Trojans’ and they can be neutralized
more easily, these worms can carry out indiscriminate ‘storm’ attacks to collect
large amounts of confidential data very quickly. For further efficiency, hackers
are putting numerous samples of these worms in circulation in very little time,
so the probability of being infected is higher.
Other types of malware that caused damage in January included adware (21.21%),
backdoor Trojans (4.03%), spyware (3.13%) and bots (2.65%).
The most active malware in January was the Downloader.MDW Trojan, designed to
download other malicious codes onto the system. Bagle.HX and Perlovga.A come
second and third. Next come the Puce.E worm, the Spammer.ADX Trojan and the
Brontok.H email worm. The last four in the table are the QV variant of the Bagle
worm, the Downloader.RWJ Trojan, the VideoAddon adware and the Lineage.GYE worm,
whose objective is to steal passwords of the Lineage online game.
2. Percoban.A reaches computers disguised as a Word file. When run, it makes a
copy of itself with names such as Rahasiamu.exe or Jangan Dibuka.exe. It also
creates a Windows registry key to ensure that it is run on every session
startup. In addition, it disables the Registry editor and the task manager and
hides the search function in the Start menu.
Manclick.A is a worm that installs on computers under the guise of a Windows
folder. When this worm is run, it passes itself off as the web page of the
Google search engine. The appearance of this page is very similar to the
original one and the results, if a user were to click them, could lead to
malicious websites that download malware or take other malicious action.
The worm creates several copies of itself on the system and it also creates two
registry keys to ensure it is run every time the system is started up.
Similarly, it deletes certain Windows registry keys to prevent the computer from
starting up in any of the available safe modes.
Dung.A is a worm that also enters computers using the icon of a Windows folder.
This malicious code opens a random system port and waits to receive commands,
sending requests to a certain web page.
This worm makes several copies of itself on the system and edits two Windows
registry keys to be able to run every time a session is started.
Phishing Scams
By Dave
5 Star Support Security Specialist
02/04/07
What to Watch Out for This Month
As of this writing, there were over 185 reported phishing alerts during the
month of January. Don't take the bait! Before you respond to any
email requests for personal information, call your bank, credit union or other
institution. In general, reputable financial institutions do
not request personal information via email. Listed below are some institutions
whose account holders were the object of many of the
phishing scams this past month. Information for this report was gathered from
various sites including:
http://www.trendmicro.com/en/security/phishing/overview.htm &
http://www.millersmiles.co.uk
Chase Bank
Egg Bank
Halifax Bank
Lloyds TSB Bank
Regions Bank
Are the phishers working your bank or credit union? Check the list at
http://www.millersmiles.co.uk/
More Phishing
Subject: "Internal Revenue ... Please read this"
Bait: As tax time nears you may receive an email, allegedly from the IRS, which
states you are eligible for a tax refund if you'll just click
on the embedded link and fill out a form. But don't. This is a perennial
phishing scheme with many variations. The IRS never offers refunds by email or
sends out unsolicited email to taxpayers.
More information: http://www.ksl.com/?nid=172&sid=780389 &
http://www.irs.gov/newsroom/article/0,,id=154848,00.html
Subject: Lottery Scam Meets AOL/Microsoft Hoax
Bait: An email addressed to "Lucky winner," trumpeting that the "prestigious
Microsoft and AOL" have "rolled out over 100,000.000.00L
(One Hundred Million English Pounds) for our 2006 Anniversary Draws." What's the
scam? Respondents will be instructed to send processing fees to cover certain
costs before the check can be released (draining you slowly), or respondents
will be sent a big but forged check for a sum even larger than the supposed
winnings. You then write a personal check to "repay" the overage, and soon after
their check bounces (draining you quickly).
More information:
http://antivirus.about.com/od/emailscams/a/msaolscam.htm
Subject: Paypal: "Get Verified and Remove Your Spending Limit"
Bait: A spoofed email, allegedly sent from
service@paypal.com, suggesting that you "Get
Verified" so you can send PayPal large payments
by clicking on the embedded link. The link takes you to a bogus website where
you are asked to enter your personal information.
More information:
http://www.millersmiles.co.uk/report/4219
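The PayPal item above is the classic shape of a phishing mail: the visible text looks like the institution's own address while the embedded link goes to a bogus site. The script below is an added example, not code from 5 Star Support, Trend Micro or millersmiles: it pulls every link out of an HTML message body and flags the mismatches a reader should be looking for before clicking. The message body is constructed for the example, the IP address and example-login.net are placeholders, and the "last two labels" rule for a registered domain is an assumption that works for .com and .net names but not for two-part suffixes such as co.uk.

```python
"""Flag the deceptive links a phishing mail relies on: anchor text that shows
one host while the href goes somewhere else, hrefs whose host is a bare IP,
and hrefs that are not under the institution's own domain.

Added example, not code from 5 Star Support or millersmiles. The message
body is constructed; 203.0.113.7 and example-login.net are placeholders."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed message body in the style of the "Get Verified" spoof.
SAMPLE_HTML = """<p>Get Verified and remove your spending limit today.</p>
<a href="http://203.0.113.7/paypal/verify.php">https://www.paypal.com/verify</a><br>
<a href="http://www.paypal.com.example-login.net/cgi-bin/webscr">Click here to verify</a><br>
<a href="https://www.paypal.com/">www.paypal.com</a>"""

URLISH_RE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(s):
    """Hostname of a URL or of a bare host string ('' if none)."""
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()


def registered_domain(host):
    # Assumption for the example: the last two labels (fine for .com/.net, not co.uk).
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def check_links(html, brand_domain):
    """Return [(href, text, reasons)] for links that look deceptive."""
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        host = host_of(href)
        reasons = []
        if IPV4_RE.match(host):
            reasons.append("link goes to a bare IP address")
        elif registered_domain(host) != brand_domain:
            reasons.append(f"link host {host!r} is not under {brand_domain}")
        # Visible text that itself looks like an address must agree with the href.
        if URLISH_RE.match(text) and registered_domain(host_of(text)) != registered_domain(host):
            reasons.append("visible text shows a different host than the href")
        if reasons:
            flagged.append((href, text, reasons))
    return flagged


if __name__ == "__main__":
    for href, text, reasons in check_links(SAMPLE_HTML, "paypal.com"):
        print(f"{text!r} -> {href}")
        for r in reasons:
            print("   -", r)
```

The second link shows why the check compares registered domains rather than looking for the brand name anywhere in the host: `www.paypal.com.example-login.net` contains the brand as a subdomain, and only the last two labels say who actually controls it.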