from: Administration of Facebook [official-no.893@facebook.com]
subject: Facebook Support. Personal data has been changed! No81864
attachment: Facebook_Password_INM.152.zip (99k)

body:

Security service of FaceBook.

Your password is not secure!
To secure your account the password has been changed automatically!
Attached document contains a new password to your account and detailed information about new security measures.

Thank you for attention,
Your Facebook

He was astonished at the ease with which he twisted Deane upon his back and put the handcuffs about his wrists.The work was no sooner done than he understood. A rag was tied about Deanes head, and it was stained with blood. The mans arms and body were limp. He looked at Billy with dulled eyes, and as he slowly realized what had happened a groan broke from his lips. In an instant Billy was on his knees beside him. He had seen Deane twice before, over at Churchill, but this was the first time that he had ever looked closely into his face. It was a face worn by hardship and mental torture. The cheeks were thinned, and the steel-gray eyes that looked up into Billys were reddened by weeks and months of fighting against storm. It was the face, not of a criminal, but of a man whom Billy would have trusted– blonde-mustached, fearless, and filled with that clean-cut strength which associates itself with fairness and open fighting.

That’s kind of weird, isn’t it. I mean do they think this little piece of a story will make you lose all control and run the attached virus file? Maybe the author is looking for a book deal and wants to steal a publishers identification. Either way, do not open the attachment, it contains a virus/trojan. At the time of this writing, 25 of 42 antivirus programs detect it, according to VirusTotal

One final thought. Facebook has come under major attack lately. By now you should know better than to ever open an attachment from anyone you don’t expect to get one from. I would also go a step farther, and not click on any links that come in e-mails claiming to be from Facebook. Just go directly to Facebook, either by typing in the address yourself, or using a bookmark YOU created yourself.
Stay Safe

I’m going to make this short and sweet to get the word out there. I will delve further into what actual malware is being served and what the effects are at a further date.

The following image was taken from a screen shot I made. It shows the fake video player that shows a rotating “waiting” graphic and pretends that it can’t load the video because it needs to be updated.

I knew this was a threat because I’m also a video editor and I keep all my codecs up to date. However, I thought I would pursue this further so I could see what file was going to be installed. Then I could run analysis on it and report my findings here. But I was running ESET NOD32 and it recognized this page was a threat and also blocked whatever this page tried top send me. You can see the results below.

So just don’t update your video player through any website that claims your video player needs to be update to view an online video. I would imagine there will be variations of this soon. Like fake Quicktime Player or Windows Media Player updates. I will grab a copy of the file this site is trying to distribute, for further analysis, later and post my findings here. That’s going to take some time and I have seen this fake xvid update a couple times now and decided I should spread the word sooner rather than later.

Subject 4912-3337 Apple AppStore Confirmation
Sender Apple Up-To-Date Add contact

Apple Store
Call 1-800-MY-APPLE

#4368-66525
Order Details

You can also contact Apple Store Customer Service or visit online for more information.

Visit the Apple Online Store to purchase Apple hardware, software, and third-party accessories.
Copyright 2010 Apple Inc. All rights reserved.

This one wants you to click on the order details link, which I have removed, but if you look at the “Order Details” link more closely, you will see that it doesn’t go to the apple store but links to some place called goofbomb. I don’t feel like testing out my anti-virus or risk getting a 0-day virus or some malware, let’s just assume it’s a bad place. So keep your eyes out for this and other e-mails that claim you have purchased something, or missed a delivery, and gives you a link to your “order” or has an attachment for you to open. Quite a few of these going around these days.

Surf Safe

My next download was AdAware. Also one of my old standbys. After a couple of hours of scanning, it didn’t find anything. Even though it wasn’t finished I had hoped that after a couple hours it would have found something, anything. Then I thought there must be some other tools out there these days. There was one more on my old reliable but I’ll skip that for now since I didn’t get it. I figured I should find some malware related forums and update my knowledge on what’s out there these days. I don’t mind getting my hands dirty and digging through registry keys and directories. Which, I didn’t mention, but had already gone through the auto start and run registry keys and files that were created around the time my hijacking took place. In my search I came across the Malwarebytes users support forum. After reading a couple of posts I realized this was a good place for finding out about new malware and removal techniques as well as the program Malwarebytes. Since I haven’t tried it before and the forum, which is a forum that was created by users/fans of Malwarebytes, spoke so highly of it, I downloaded and installed it and started a complete scan. In a couple of minutes it had found 2 infections. I let it scan my system, which scanned 653800 objects and took 6 hours 28 minutes for the full scan. The scan just completed and found 35 infected objects. A quick view of the results shows me several registry files and the rest are files, non of which are cookies. Since I ran Spybot S&D earlier and deleted the cookies it found, I can’t say if cookies would have been part of the results. With the exception of a couple of false positives, some of my security tools, the results are looking very promising. One item I see right of the back is svchost.exe which is in my /Local Settings/Temp/ which is defiantly bad. This is something pretending to be a legit windows service but it doesn’t belong here. There are also a couple of registry keys listed as Trojan.BHO which, even though I forgot to mention I did run earlier, Hijackthis didn’t identify. Now I unchecked the couple of false positives, and told Malwarebytes to delete the rest and save a log file. After this I’m told it needs to reboot. No problem, I expected that. Windows is rebooting and I’m anxiously waiting to see if this fixed my problem. I haven’t played World of Warcraft or logged into any of my sites in case there was also a password stealer installed. In fact I’m writing this from my wife’s laptop which is on my network but doesn’t have any write permissions from network users.

Reboot has completed and now comes time to test this. I sure hope it works because I’m posting the results regardless of the outcome. First I will launch Firefox. This isn’t my main browser but I have a script blocking extension in it which has alerted me to some of the redirects and blocked them. My first search “malware forums” brings up plenty of results and the first result I click on, Majorgeeks.com, goes where it should. But this was what happened before. The first result I clicked on would work but all the results I clicked on after would be hijcked… Awww a new window just opened to www.searchfindsite.com which doesn’t look good. !@#$@#$ I just tried another result from google and was redirected to findservicesonline.com and I see that malwarebytes.com didn’t clean it this one up. It did find and remove some items that spybot s&d didn’t but I still have the hijacked search results. And my quest continues. When I do find a way to remove this, I will post about it.

If you know of some good malware removal tools, please leave me a comment. I’m going to try a couple of others I have and let you know what I find.

There are still a couple days before Adobe releases a patch, which will finally be released on Jan 12. Adobe suggests you disable Java support until then. This is not the first time this has happened. What I’m suggesting is that even after this is patched, just keep Java disabled. If you open a PDF file that requires Java support, you could always turn it back on. With so many exploits in the wild, and how long it takes for the anti virus vendors to discover them, this one won’t be fixed for almost a month since it was first disclosed publicly, it’s better safe than sorry. Just disable Java support for good. Here’s how to disable Java support in Adobe Acrobat Reader

quoted from Adobe.com

SOLUTION

Customers using Adobe Reader or Acrobat versions 9.2 or 8.1.7 can utilize the JavaScript Blacklist Framework to prevent this vulnerability. Please refer to the TechNote for more information.

Customers who are not able to utilize the JavaScript Blacklist functionality can mitigate the issue by disabling JavaScript in Adobe Reader and Acrobat using the instructions below:
1. Launch Acrobat or Adobe Reader.
2. Select Edit>Preferences
3. Select the JavaScript Category
4. Uncheck the ‘Enable Acrobat JavaScript’ option
5. Click OK

Customers using Microsoft DEP (“Data Execution Prevention”) functionality available in certain versions of Microsoft Windows are at reduced risk in the following configurations:

All versions of Adobe Reader 9 running on Windows Vista SP1 or Windows 7
Acrobat 9.2 running on Windows Vista SP1 or Windows 7
Acrobat and Adobe Reader 9.2 running on Windows XP SP3
Acrobat and Adobe Reader 8.1.7 running on Windows XP SP3, Windows Vista SP1, or Windows 7
With the DEP mitigation in place, the impact of this exploit has been reduced to a Denial of Service during our testing.

Watch your docs and surf safe

__________ ESET NOD32 Antivirus warning, version of virus signature database 4693 (20091216) __________

Warning, ESET NOD32 Antivirus found the following threats in the message:

Postcard.zip – probably a variant of Win32/Merond.AA worm – deleted
Postcard.zip > ZIP > document.chm .exe – probably a variant of Win32/Merond.AA worm – was a part of the deleted object

This came from one of my works TV affiliates mailing list. So I am guessing it is one that goes through your address book and sends itself to everyone on there.

Figured this was also a good time to remind people to be careful with any “e-cards” they get. Watch out for infected attachments, as was the case with this one, and watch for links that send you to websites designed to infect you or steal your identity / information.

Over on a google forum is a link to my first post on removing Fast Browser Search from Firefox. So I subscribed to that thread and today when I checked my e-mail, I found this in it, how to remove Fast Browser Search from IE7 & IE8

Re: [Web Search Help] How do I remove “Fast Browser Search”?

Inbox X

Reply

|
Google Help
to me

show details Oct 14 (9 days ago)

from Google Help
to
date Wed, Oct 14, 2009 at 12:35 AM
subject Re: [Web Search Help] How do I remove “Fast Browser Search”?
mailed-by confucius.bounces.google.com
signed-by google.com

hide details Oct 14 (9 days ago)

Kundan555 has posted an answer to the question “How do I remove “Fast Browser Search”?”:

PLEASE FOLLOW THE INSTRUCTIONS AND RESOLVE THE ISSUE FOR IE8 AND IE7.

=================================================================

Please uninstall fast browser from the program and features in vista and, add and remove program in XP. Then

To fix the new tab issue you need to be comfortable using regedit. Run regedit and navigate to the following key:

HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerAboutURLs

under Tabs, clear the fastwebsearch junk and input the following as value data:

res://ieframe.dll/tabswelcome.htm or any entry related with fastbrowser listed over there.

close and restart IE.

I have been unable to verify this, however my knowledge of the registry tells me this could fix it and would be worth trying. Just be CAREFUL any time you run regedit. Messing around in the registry could really bork your system.

Here’s the links to my other Fast Browser Search removal posts

http://www.pccybertek.com/2009/08/my-web-tattoo-fast-browser-search-search-gurad-plus-uninstall-removal/

http://www.pccybertek.com/2009/08/more-my-web-tatto-removal-information/

http://www.pccybertek.com/2009/07/removing-my-web-tattoo-phone-number/

http://www.pccybertek.com/2009/06/project-web-tattoo-fast-browser-search-removal-update/

http://www.pccybertek.com/2009/06/project-web-tattoo-fast-browser-search-remove-part-1/

http://www.pccybertek.com/2009/05/remove-fast-browser-search/

I found out that I was infected by this Fake Adobe Flash Player

While that website does tell you how to figure out if you have it or not, it doesn’t really tell you how to remove it, unless you buy their program. So I’m currently in the process of removing it. If you do have it, you’ll want to stop it right now! I’ve found that by going into Firefox’s extensions (Tools -> Addons -> extensions) you can disable Adobe Player 0.2 and restart Firefox. After doing this, I no longer got the warning for NOD 32 that it’s blocking the connection that msjupdate site, which I don’t know why it hasn’t been shut down yet.
I found socks.exe was running and when I looked for that file, I found it in my Windows/system folder with a creation date of 09-09-09, so I stopped socks.exe and renamed it socks.bak I would have deleted it but just in case it wasn’t installed by this Trojan, I figure it’s better to rename it. If some legit program I have starts complaining that socks.exe is missing, I can always rename it back to socks.exe

Once I’ve figured out how to completely remove it, I will update this post. In the meantime, disabling it will work. It’s after 3AM and I should have been in bed hours ago, but this was too important not to immediately warn you about it and give you at least a way of stopping it until I can post removal instructions.

Official Tattoodle Uninstall Page

It still doesn’t tell you how to fix the search redirection in Firefox so if that still plagues you, I have a guide for that here

If that still doesn’t fix it for you, and you have some basic computer skills, my next post may be the one to help you.