PC CyberTekThe cyberspace visitor’s information center

Just a quick warning about a couple of e-mails that had a virus attachment. They are both pretending to be from U.S. Shipping companies.

First we have this one from “UPS”

From: UPS Manager Romeo Law [delivery@ups.com]

Subject:  UPS Delivery Problem NR 08488.

Dear customer!

We failed to deliver the package sent on the 6th of January in time because the recipient’s address is incorrect.

Please print out the invoice copy attached and collect the package at our office.

United Parcel Service of America.

Dear customer!
We failed to deliver the package sent on the 6th of January in time
Read the rest of this entry »

Just got an e-mail that says it’s from e-cards@hallmark.com with the subject: You have received A Hallmark E-Card! It had an attachment called Postcard.zip which was identified by my antivirus, I use NOD32 by E-Set

__________ ESET NOD32 Antivirus warning, version of virus signature database 4693 (20091216) __________

Warning, ESET NOD32 Antivirus found the following threats in the message:

Postcard.zip – probably a variant of Win32/Merond.AA worm – deleted
Postcard.zip > ZIP > document.chm .exe – probably a variant of Win32/Merond.AA worm – was a part of the deleted object

This came from one of my works TV affiliates mailing list. So I am guessing it is one that goes through your address book and sends itself to everyone on there.

Figured this was also a good time to remind people to be careful with any “e-cards” they get. Watch out for infected attachments, as was the case with this one, and watch for links that send you to websites designed to infect you or steal your identity / information.

As you may know, I was never able to get Web Tattoo to install into IE7. Something I have done during the removal of it and Fast Browser Search from Firefox somehow causes the install file to crash when I tried to install it in IE7. This is fine for me, but because I never could get MakeTheWebBetter installed in IE7 or IE8, I couldn’t figure out how to uninstall it and tell you how.

Over on a google forum is a link to my first post on removing Fast Browser Search from Firefox. So I subscribed to that thread and today when I checked my e-mail, I found this in it, how to remove Fast Browser Search from IE7 & IE8

Re: [Web Search Help] How do I remove “Fast Browser Search”?

Inbox X

Reply

|
Google Help
to me

show details Oct 14 (9 days ago)

from Google Help
to
date Wed, Oct 14, 2009 at 12:35 AM
subject Re: [Web Search Help] How do I remove “Fast Browser Search”?
mailed-by confucius.bounces.google.com
signed-by google.com

hide details Oct 14 (9 days ago)

Kundan555 has posted an answer to the question “How do I remove “Fast Browser Search”?”:

PLEASE FOLLOW THE INSTRUCTIONS AND RESOLVE THE ISSUE FOR IE8 AND IE7.

=================================================================

Please uninstall fast browser from the program and features in vista and, add and remove program in XP. Then

To fix the new tab issue you need to be comfortable using regedit. Run regedit and navigate to the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AboutURLs

under Tabs, clear the fastwebsearch junk and input the following as value data:

res://ieframe.dll/tabswelcome.htm or any entry related with fastbrowser listed over there.

close and restart IE.

I have been unable to verify this, however my knowledge of the registry tells me this could fix it and would be worth trying. Just be CAREFUL any time you run regedit. Messing around in the registry could really bork your system.

Here’s the links to my other Fast Browser Search removal posts

http://www.pccybertek.com/2009/08/my-web-tattoo-fast-browser-search-search-gurad-plus-uninstall-removal/

http://www.pccybertek.com/2009/08/more-my-web-tatto-removal-information/

http://www.pccybertek.com/2009/07/removing-my-web-tattoo-phone-number/

http://www.pccybertek.com/2009/06/project-web-tattoo-fast-browser-search-removal-update/

http://www.pccybertek.com/2009/06/project-web-tattoo-fast-browser-search-remove-part-1/

http://www.pccybertek.com/2009/05/remove-fast-browser-search/

There is a fake adobe flash player updater that monitors your google searches. It looks just like the adobe flash installer. I’m not sure where I picked it up, but luckily I found this fake adobe flash player on a computer running firefox. Good thing I run NOD 32. I have been getting a notice that NOD 32 was blocking an outbound connection

I found out that I was infected by this Fake Adobe Flash Player

While that website does tell you how to figure out if you have it or not, it doesn’t really tell you how to remove it, unless you buy their program. So I’m currently in the process of removing it. If you do have it, you’ll want to stop it right now! I’ve found that by going into Firefox’s extensions (Tools -> Addons -> extensions) you can disable Adobe Player 0.2 and restart Firefox. After doing this, I no longer got the warning for NOD 32 that it’s blocking the connection that msjupdate site, which I don’t know why it hasn’t been shut down yet.
I found socks.exe was running and when I looked for that file, I found it in my Windows/system folder with a creation date of 09-09-09, so I stopped socks.exe and renamed it socks.bak I would have deleted it but just in case it wasn’t installed by this Trojan, I figure it’s better to rename it. If some legit program I have starts complaining that socks.exe is missing, I can always rename it back to socks.exe

Once I’ve figured out how to completely remove it, I will update this post. In the meantime, disabling it will work. It’s after 3AM and I should have been in bed hours ago, but this was too important not to immediately warn you about it and give you at least a way of stopping it until I can post removal instructions.

Looks like there is another ActiveX vulnerability. If you are unfamiliar with ActiveX, basically, a web page can do stuff like read and write files when you use Internet Explorer and allow ActiveX options. This nice for the Microsoft Update site to see which files it needs to update, but that’s about it in my opinion. Sure, there is a pop-up that asks you if you want to allow a website to use ActiveX but history shows that too many people allow ActiveX when the shouldn’t. There is an unbelievable amount of attacks that use ActiveX. That’s one of the main reasons I use Firefox instead of Internet Explorer, it doesn’t have ActiveX so you don’t have to worry. Google’s Chrome is another web browsers that doesn’t have ActiveX.

Our friends over at the Internet Storm Center are keeping an active eye on this new vulnerability. You can read all about it and follow their updates here. So do your Microsoft Updates, several just came out, and if you really want to be safe, stop using Internet Explorer or use it as little as possible and switch to Firefox, Chrome or even Opera. Stay Safe.

I’m sure you have all seen this before. Your surfing along, when all of a sudden, you get a pop-up that alerts you that your computer is infected! YIKES! What to do!??! Ah, you can just download a “free” program that will fix it for you. I’d hope you already know, this is a scam. It’s one of two things. You can either download a legit program that will scan your computer, tell you how badly infected it is and you can purchase a full version of the program to remove all your “infections.” Just in case your not really infected, these programs will increase your infection count by adding your cookies to the list. Pretty good way to jack up the numbers, but I wouldn’t call cookies an infection. And I sure don’t have to buy any program to remove them. The other thing that could happen, and probably will is, you will download a program that will then install it’s own addware. Turns out they have a name for this stuff now, and that name is Scareware.

Turns out many people are still falling for this scam. I had to clean my parents computer up, from one of these. Try doing it over VNC, and you may have your patience tested like I did. Anyways, the old folks aren’t the only ones falling for this, and now their is a new variation. Spware Protect 2009, is the new breed of scareware. Not only does it con you by getting you to install it, it actually does damage to get you to “purchase” it for $49.99 and install a trojan downloader. Meanwhile it increases the pop ups telling you how infected your computer is. So you order the program with your credit card and guess what, you just gave them your credit card number, no hacking needed. A local electronics store, with the initials RS, got hit by it and from what I could get out of them, sounds like the whole corp has been infected through their network.

Since I first found out about this last week, I’ve found out that it’s now also being installed by the conficker virus. At first I was thinking, wouldn’t people be suspicious if there was a new piece of software, on their computer? I sure as hell would. Then I started thinking about it, in a corporate situation. Some poor schmuck, in accounting or where ever, could think it was installed by their IT Dept. So the keylogger installed would run until the computer crashed. The one good thing is, the domain that was selling Spyware Protect 2009 is gone. Keep an eye out for variations with new names and the same or slightly modified interface.

-Your friendly neighborhood PC Cybertek

With all the media hype about conficker, I thought you might like a good collection of trustworthy resources. Beware of websites that have recently registered as “conficker help.” In fact, just avoid them all together. There’s also reports of malicious software masquerading as detection and cleaning tools for Conficker-infected computers, as well as spam offering the same.

There’s no need to try and figure out what’s safe or real and what has more sinister plans in mind. The good folks at dshield.org have been keeping an updated list of third party information on conficker. Here you can find plenty of free conficker detection and removal tools, general information and the microsoft patch. That should help keep you updated, safe and informed.

I’ve also found out about one other real neat way of detecting it, but it’s for more advanced users, so I’m going to make a seperate post about it.

You may have noticed when you go to certain websites, you’ll get a signed certificate that is supposed to prove that you are at that actual website. I say supposed to because there was demonstration at the Chaos Computer Congress on how to spoof (fake) a MD5 certificate of authentication. There are a couple kinds of certificates and it appears that only the MD5 CA has been spoofed. This is an older type of certificate but is still used by many websites. There has been a warning about this concept for sometime, however, it was just demonstrated . So it’s no longer a concept because there is proof it can be, and has been done.

You can read all about it here http://www.win.tue.nl/hashclash/rogue-ca/

Microsoft has also issued a security bulletin about it here http://www.microsoft.com/technet/security/advisory/961509.mspx

The guys who figured out how to do this will not release all the details of how it was done for a couple of months, to give time for a fix to be developed.

I’ll post more details as they become available.

In case you’ve missed it on the news, there is a big security hole in Internet Explorer. Usually Microsoft puts out updates on the first Tuesday of the month and for them to release a security update at any other time, indicates how bad it is. If you haven’t already run Windows Update today, I highly recommend you do so ASAP. Be sure to reboot your computer after the update so it finishes the install. You can also head over to Microsoft and read more about it by clicking here.

Looks like the phishermen are at it again. There must be plenty of phish in the internet sea. However, you don’t have to be one of the phish attracted by their lures.

Phishing is what they call those e-mails that attempt to trick you into giving up personal information, usually financial, which is then used to steal your identity and rape your bank account and or credit cards.

The latest one, I have seen, is using some old tricks but with new bait. The e-mail appears to come from Google’s Adsense program. It warns you that you will not receive any more payments, unless you update your information. Which you can do with the link provided in said e-mail.

To the average user, everything might look ok at first glance. However, if you try to reply to the e-mail, it will bounce back. If you click on the Google AdSense link that is provided, you will most likely end up at a domain that has google and adsense in it. But on closer inspection you will see there is more to the domain, like a .tw or other domain. Don’t be fooled by how the page looks like the real thing.

So if you get one of these e-mails, don’t click on it. And if you do have a Google Adsense or any other account, that you have received an e-mail informing you that it needs updating, never click on the link in the e-mail. It’s very easy to forge a link in any e-mail and is common in phishing scams. Type the address directly into your browser, or use google or some other search engine to find it for you.

Stay tuned for an article on how to spot phishing scams.