Friday, April 28, 2006

SpywareQuake\SpyFalcon Variants Found

There have been two new variants of SpywareQuake and SpyFalcon found this week. Files have been collected and analysed and the removal tool has been updated already.

Read More: Latest Malware Threats

Tuesday, April 25, 2006

New SpyFalcon Variant Found

Researchers at Bleeping Computer came upon a new variant today:


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{CA14EE13-ED15-C4A2-17FF-DA4D15C1BC5E}"="Twain"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"
[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CA14EE13-ED15-C4A2-17FF-DA4D15C1BC5E}\InProcServer32]
@="C:\WINDOWS\system32\twain32.dll"


The Bleeping Computer self-help guide has been updated along with the reg file.

Tuesday, April 18, 2006

New Spyware Quake Variant Found

Another variant has been uncovered:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{CD5E2AC9-25CE-A1C5-D1E2-DC6B28A6ED5A}"="XenaDot Software"

[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CD5E2AC9-25CE-A1C5-D1E2-DC6B28A6ED5A}\InProcServer32]
@="C:\WINDOWS\system32\xenadot.dll" <<<--Bad File

Monday, April 17, 2006

180Solutions & Kiddie Porn

Well, once again an affiliate of 180Solutions has gone rogue. Of course, we all knew this would happen yet again. Especially since all it takes is one line of code to break their bulletproof software. You know, the software they said would stop all the rogue activity, yeah that software.
I can hear the clowns over there now rummaging thru the Official 180Colusions Pile Of Excuses For Affiliates file cabinet.

Wanna bet they come out with something interesting? At the very least, they are good for that.

Read More:
180Solutions Affiliate Installs Kiddie Porn

Saturday, April 15, 2006

New SpywareQuake Variant Found

OK, we have a new variant of SpywareQuake, just found today. Here are the references to it:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{AC1B4DA2-12FA-31F2-1A7D-CD2B14E6AD4E}"="USB Mouse Driver"

[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{AC1B4DA2-12FA-31F2-1A7D-CD2B14E6AD4E}\InProcServer32]
@="C:\WINDOWS\system32\suprox.dll" <---new file

Tools at Bleeping Computer and a new site have already been updated.
New site: http://siri.urz.free.fr/Fix/SmitfraudFix_En.php
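The three variants above (April 25, 18 and 15) all use the same persistence trick: a CLSID registered under Explorer's SharedTaskScheduler key whose InProcServer32 lives under HKEY_CURRENT_USER, so the DLL loads with the shell at logon. The PowerShell check below is an added example written for this page, not code from the original posts, Bleeping Computer or SmitfraudFix; it assumes Windows PowerShell 5.1 or later on a machine you administer, with Get-AuthenticodeSignature available.

```powershell
# Added example: enumerate every SharedTaskScheduler entry, resolve its CLSID
# the way COM does (HKCU\Software\Classes is consulted before HKLM\Software\Classes)
# and flag the patterns the SpywareQuake / SpyFalcon variants rely on.
$sts = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler'
$key = Get-Item -Path $sts -ErrorAction SilentlyContinue
if (-not $key) { Write-Warning 'SharedTaskScheduler key not present'; return }

$report = foreach ($clsid in ($key.GetValueNames() | Where-Object { $_ })) {
    $hive = $null; $dll = $null
    foreach ($root in 'HKCU:', 'HKLM:') {
        $ips = "$root\SOFTWARE\Classes\CLSID\$clsid\InProcServer32"
        if (Test-Path -Path $ips) {
            $raw = (Get-Item -Path $ips).GetValue('')
            if ($raw) { $dll = [Environment]::ExpandEnvironmentVariables($raw) }
            $hive = $root.TrimEnd(':')
            break   # first hit wins, matching COM's per-user-before-machine lookup
        }
    }
    $flags = @()
    # A CLSID that resolves in the user hive is exactly how the variants above
    # point a machine-wide Explorer hook at a DLL the user (or malware) dropped.
    if ($hive -eq 'HKCU')            { $flags += 'CLSID resolves in HKCU (per-user hijack)' }
    if (-not $dll)                   { $flags += 'no InProcServer32 default value' }
    elseif (-not (Test-Path $dll))   { $flags += 'DLL missing on disk' }
    else {
        # OS files are usually catalog-signed; a non-Valid status on a system32
        # DLL is a cue to look closer, not proof on its own.
        $sig = Get-AuthenticodeSignature -FilePath $dll
        if ($sig.Status -ne 'Valid') { $flags += "signature status: $($sig.Status)" }
    }
    [pscustomobject]@{
        CLSID      = $clsid
        Label      = $key.GetValue($clsid)
        ResolvedIn = $hive
        DLL        = $dll
        Suspicious = ($flags -join '; ')
    }
}
$report | Format-Table -AutoSize
```

On a clean XP-era box the two browseui.dll entries resolve in HKLM with an empty Suspicious column; anything labelled like a driver or "Twain" that resolves in HKCU is the entry to pull.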

Wednesday, April 12, 2006

New Winfixer Clone, w\Vundo

There is a new Winfixer clone out, called SysProtect. It does not install Vundo, but in many cases is bundled with it. Some files to look for:
syp.exe
SysProtectScannerInstall.exe

Atribune's Vundo Fix has already been updated to deal with a new variant, tho I'm not 100% sure whether it's from SysProtect or not.

Read more: New WinFixer Clone

Sunday, April 09, 2006

New SpyAxe\SmithFraud Variant

A couple of new sites have been found using the same tactics as previous versions, pop ups which claim you are infected with something and homepage re-directs. The new sites are:
BestsecurityguideDOTcom
securityfeatureDOTcom

New files and a BHO:
O2 - BHO: Nothing - {7a932ed2-1737-4ab8-b84d-c71779958551} - C:\WINDOWS\system32\hpAD57.tmp

The file names are not entirely new; Vundo infections use similar names, with 'hp' followed by a random number and a .tmp extension.

Users can still use the fix previously recommended at Bleeping Computer.

Friday, April 07, 2006

MessengerPlus: Now Includes Rogue & Adult Content

Just found this posted by one of the MS MVPs. Pretty amazing stuff, just goes to show you how greedy this scumbag is. It would appear as tho Patchou has tweaked his sponsor program yet again, but this time he has added some links and things to Adult Friend Finder, which is not something any right minded coder would do, unless of course they were just a greedy bastard.

And btw, due to the fact that so many young people use this app, how is it that a guy could add something like this? Does this clown have any sense of morality? Young kids may be subjected to some adult type of popup or dating services?

Come on, I'm amazed anyone can use this program with or without the sponsor program and support the person behind it. Oh yeah, and now they are also pushing an anti-spyware app that, guess what? It's on Eric Howes' rogue list!!! This guy has really done it this time.
Sandi Hardmeier MS MVP-Security Blog

Thursday, April 06, 2006

NY AG Targets Direct Revenue

A lawsuit filed in Supreme Court of the State of New York seeks an order barring Direct Revenue from secretly installing spyware or sending ads through existing spyware programs. Reuters

Direct Revenue Rebuts New York Attorney General's Charges April 05, 2006

Direct Revenue has recently come under fire from Spitzer's office for a wide range of questionable practices. See Chris Boyd's write up. Now the company is going on the offensive and rebuts the charges.

Quote:
"This lawsuit is a baseless attempt by the Office of the Attorney General to rewrite the rules of the adware business. It focuses exclusively on the company's past practices - practices we and other industry leaders changed long ago - and says not a word about what we're doing today," said a company spokesperson. "We are proud of our products and the value they bring to both advertisers and consumers - the former by delivering positive, measurable results for their ad dollars, and the latter by offering free content and applications in exchange for viewing a few targeted advertisements per day."
ReveNews

80 Nails And Counting
Every day brings with it an ever-tightening coffin lid. Well, it would seem that the clowns over at Direct Revenue have really gotten themselves into a pickle. Not only is NY AG Spitzer on their collective asses, which is bad enough, but Ben Edelman has created a detailed and very damaging list of documents which outline the case. So if you want to read some extremely damaging accounts of how they:

1. Joked about user complaints
2. Conceded they don't much worry about if users get their software legitimately
3. Discussed installing a Control Panel entry to ease removal, but worried more about the success rate of said removals.

Click this link to Ben Edelman's write-up. You won't believe your eyes....no joke.

Tuesday, April 04, 2006

I'm An MS MVP

My nomination to MS MVPs has been accepted. I'm proud to be part of this prestigious group. Read more:
TeMerc Gets Certified MS MVP!!!!

Monday, April 03, 2006

Phishing Analysis

A U.S. academic group has taken a deep look at the reasons behind successful phishing ploys. The findings are rather astounding, especially for those who were 'very experienced' in computing and security. Read more at:
The secret of phishers' success

ASC Releases 'Tip Sheets'

The coalition offers both home and corporate users advice on how to recognize unwanted software. Read more at:
ASC Releases Two 'Tip Sheets' To Consumers

Claria Starts Up New Adware.....errr Business Model

Seems Claria has begun its transformation, from an alleged adware company to one that pushes something they call 'PersonalWeb'. Of course this is what it does, and I quote:
Claria is expected to then use the software to offer users personalized content, as well as to target ads based on users' Web-surfing habits.

Uh-huh...Call it what you want, it's still adware. Read more at:
Claria Leaving Adware Biz............Kinda