KnujOn

KnujOn (nûj-ôn)


MalWare

Viruses, trojans, spyware, worms. They go by lots of different names but they are all "MalWare", code intended to damage, break into, or control computer equipment. MalWare is used to create Botnets, networks of infected computers, which are in turn used to launch Denial of Service Attacks. A recent virus has been specifically used to target anti-abuse sites like CastleCops and SpamCop. The Storm Worm also contains code that will insert messages onto blogs and forums from infected machines.

Recent Events
Viruses
Spyware/AdWare/Scumware
Fake System Alerts
Worms

Recent Events

How the Malware Marketplace Works
Vista attacked by 13-year-old virus
Apple Macintoshes Targeted by Porn-Based Computer Virus
Feds: Fake Harassment Complaint E-Mail Contains Virus
Decade old virus infects Vista
Online Videos Could Infect Computers With Viruses, Study Finds


Viruses

This page provides an overview of some specific virus cases, what they are and how to stop them.

Sober    Blaster     MyDoom    Gone     Lovsan    

If you are just looking for virus removal instructions or general information, try these links:
What are viruses, how do they work? (howstuffworks.com)
Protection and Detection
Research Viruses (ca.com)
Commentary on Windows and Viruses
Virus Hoaxes (HoaxBustersHome.com)

Dissecting a Virus Attack

We have collected over 3100 virus emails since a large outbreak of the Sober Virus started on November 21st to study the messages, see where they are coming from and how different Internet Service Providers respond to the problem. To start with, here is a breakdown of the sources of the virus emails. The exact IP address is not presented here since the owner is probably an unwitting victim of a virus or hacker:


Source IP    Count  ISP               Started     Stopped     First Complaint
24.167..      1044  Road Runner       11/21/2005  ?           11/22/2005
64.35..         95  TDS               11/25/2005  12/01/2005  11/27/2005
67.151..        28  PaeTec            11/22/2005  11/24/2005  11/22/2005
68.69..         63  adelphia.net      11/25/2005  ?           11/27/2005
68.187..      1446  charter.net       11/21/2005  ?           11/22/2005
69.40..        311  alltel.net        11/21/2005  ?           11/22/2005
69.239..       171  pacbell.net       11/22/2005  ?           11/28/2005
82.43..          6  blueyonder.co.uk  12/02/2005  12/05/2005  12/02/2005
86.131..        24  btbroadband.com   11/22/2005  ?           11/29/2005
221.135..       58  sifycorp.com      11/26/2005  12/03/2005  11/26/2005

This is not so much about the virus itself, but a discussion of how service providers or hosting companies address the issue. The quality of handling a virus attack and company policy varies greatly. For information about the virus and how to get rid of it, click here



adelphia.net
No direct link for abuse on the home page. Information about reporting abuse is found on the FAQ link. When you forward headers to abuse@adelphia.net they auto-reply quickly, but there are no assurances in the reply that they will address the problem, and they recommend that you buy antispam software. However, they do provide an incident number. There have been no follow-ups to complaints other than the original auto-reply. There is no way on their site to lodge a formal complaint or report unless you are a customer with an ID and password.

alltel.net
Policy and contact email (abuse@alltel.net) are clearly marked on the Acceptable Use Policy page linked from the home page. However, they do not reply to reports sent to this address, so I tried to file a complaint via a form on their website. These forms can be found under customer support and are designed for troubleshooting customer issues, not reporting abuse.

blueyonder.co.uk
Stopped soon after being reported. The complaint was handled in a clear and professional manner.

btbroadband.com
There is a complaint contact form at their Contact Us link. Send headers to abuse@btbroadband.com and they will reply with an auto-message that directs you to obtain anti-spam software or use mailbox filtering rules. The message contains this paragraph:

"I have carried out an investigation into this and have taken action against our user to stop this happening again."

But I have trouble believing this since the virus email keeps coming.

charter.net
With nearly 1500 virus emails from a charter client spanning several weeks, I have very little faith in their ability to address issues like this. Charter's website only has a complaint interface for customers. Sending your headers to abuse@charter.net results in an auto-reply that has no ticket number. There has been no follow-up. Awful.

pacbell.net
Very confusing. Complaints sent to abuse@pacbell.net result in replies from sbcglobal.net. The auto-reply email directs you to file your complaint at a specific link, but the link is a complaint form for customers only who need help with DSL or Dial-up service. You have to provide an excessive amount of personal information to file the complaint. I have not received any follow-up from these reports and the virus emails keep coming.

PaeTec
Email stopped immediately after being reported.

rr.com
Headers forwarded to abuse@rr.com result in an instant auto-reply. They have a number of contact methods here: http://security.rr.com/contact.htm but they are geared towards customers. When you submit a complaint on their website, you get an email instructing you to forward the headers to abuse@rr.com. The vicious circle!

sifycorp.com
Handled quickly and professionally. Emails have stopped.

tds.net
Handled quickly and professionally. Emails have stopped.


About Sober
Typical Virus Email Subjects
  • Registration Confirmation Protected message is attached!
  • hi, ive a new mail address hey its me, my old address dont work at time...
  • Paris Hilton & Nicole Richie The Simple Life: View Paris Hilton...
  • Your Password Account and Password Information are attached!
  • smtp mail failed
  • Mail delivery failed

You may have received many emails like the following:


These are junk messages, but they are not exactly spam emails because they are not selling anything. The sender addresses are spoofed just like other junk mail. Downloading the attached file will infect your PC with a virus. One mailbox we use for this project has received over 2500 messages like this in 24 hours.

2500 messages seems like an overwhelming pile of junk that should just be deleted, but that is exactly what the spammers want. By deleting the messages you are allowing someone else the opportunity to be infected. Infected computers send more virus emails. You have the power to stop the buck at your mailbox. System administrators will only shut down virus sources if they are reported. But how do you research and report 2500 messages? What if I told you that these 2500 messages were only coming from 10 locations? Even if you just report one, you are helping stop the spread.

Here is what you can do. You need to look at the headers of the email. The headers will tell you where the email really originated from. Each email program has a different way to access the headers, so you may have to do a little research to view them. When you do, find the field value "Originating-IP." The value will be a series of four numbers separated by periods, for example 24.167.6.223. This is an IP address. Next, open a command-line DOS window (Start, Run, CMD). At the prompt enter tracert -h 1 followed by the IP address and hit Enter. Example:



Look at the line starting with "Tracing route..." and find the end of the string. The "rr.com" is what we are interested in: this is the host of the IP address. In this case it is the Road Runner ISP. Important: just because this is where the viruses are originating, it does not mean they are doing it on purpose. It is more than likely that the ISP is a victim of hacking and viruses. Go to the ISP's homepage and find the contact email for abuse. Copy the entire header from your virus email and forward it to the administrators. Just forward a small sample; a little reporting goes a long way.
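The header-reading and lookup steps above, automated as an added example (not KnujOn's code): the sample message, the reverse-DNS answer and the fake_resolver that lets it run offline are constructed, and the short list of two-label suffixes is a simplified stand-in for the Public Suffix List.

```python
"""Find where a virus e-mail really came from and whom to report it to.
Added example (not KnujOn's code) automating the steps in the text: read the
Originating-IP header, resolve it to a host name as "tracert -h 1" would,
and keep the ISP's domain (e.g. rr.com) so the headers can be forwarded."""
import email
import ipaddress
import re
import socket
from typing import Optional

# Constructed sample message. The address is the example value used in the
# text; the header layout imitates the Sober mailings the text describes.
SAMPLE_MESSAGE = """\
Received: from mail.example.net (mail.example.net [203.0.113.9])
    by mx.example.org with ESMTP; Mon, 21 Nov 2005 14:02:11 -0500
Received: from [24.167.6.223] by mail.example.net; Mon, 21 Nov 2005 14:01:58 -0500
X-Originating-IP: [24.167.6.223]
Subject: Registration Confirmation

Protected message is attached!
"""

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Suffixes under which the ISP's name is the third label from the right.
# Simplified stand-in for the Public Suffix List, which a real tool should use.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "net.uk", "com.au", "co.in", "co.nz"}


def fake_resolver(ip: str) -> tuple:
    """Constructed reverse-DNS answer (shape of socket.gethostbyaddr) for offline runs."""
    return ("cpe-24-167-6-223.houston.res.rr.com", [], [ip])


def originating_ip(raw_message: str) -> Optional[str]:
    """Public IPv4 address the message really came from, or None.
    Prefers X-Originating-IP, else reads the Received: lines bottom-up (the
    bottom-most is the first hop; those above were stamped by later relays).
    Private and loopback addresses are skipped: no abuse desk can act on them."""
    msg = email.message_from_string(raw_message)
    fields = [msg["X-Originating-IP"]] if msg["X-Originating-IP"] else []
    fields.extend(reversed(msg.get_all("Received", [])))
    for field in fields:
        for text in IPV4.findall(field):
            try:
                addr = ipaddress.ip_address(text)
            except ValueError:        # e.g. 999.1.1.1 inside a message id
                continue
            if addr.is_global:
                return str(addr)
    return None


def reporting_domain(ip: str, resolver=socket.gethostbyaddr) -> Optional[str]:
    """Reverse-resolve ip and reduce the host name to the ISP's domain."""
    try:
        hostname = resolver(ip)[0]
    except OSError:                   # socket.herror: no PTR record
        return None
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:]) if len(labels) >= 2 else None


def abuse_report(raw_message: str, resolver=socket.gethostbyaddr) -> dict:
    """Source IP, ISP domain and the customary abuse@ mailbox (confirm it on the ISP's site)."""
    ip = originating_ip(raw_message)
    domain = reporting_domain(ip, resolver) if ip else None
    return {"ip": ip, "isp_domain": domain,
            "abuse_address": f"abuse@{domain}" if domain else None}


if __name__ == "__main__":
    print(abuse_report(SAMPLE_MESSAGE, fake_resolver))
```

Without the second argument, abuse_report uses a live reverse lookup through socket.gethostbyaddr.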

Removal Instructions/More information
ca.com
symantec.com
mcafee.com


NewDot Saga

Not only is NewDot difficult to remove, but they will sue you if you talk about it. NewDot installs very easily by simply opening an email or web page. NewDot's registry entry will try to launch this DLL on start-up: C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL. If you delete the DLL and registry entry it will reinstall. It may only be removed completely in safe mode. HijackThis can help. But NewDot is not done with you yet! They insist that their hidden-install-forced-download-impossible-to-remove-browser-hijack is not "spyware" but simply a new type of marketing, and they will sue you if you say that it is "spyware" (some call it "Foistware"). They have even filed a lawsuit against the Internet Corporation For Assigned Names and Numbers for discussing NewDot's business practices.

Letter to ICANN from NewDot
ICANN Response to NewDot


NewDot Sues Lavasoft (LavaSoft is a recommended PC security tool)


Here is a case of someone from NewDot going into a spyware discussion blog and telling users that NewDot is not spyware (see post #3): pcreview.co.uk

NewDot has a large amount of information on the subject at their site, but since we cannot guarantee that the site is safe we will not link to it directly.

Removal and Information
Removal Discussion Thread
spywaredata.com
cexx.org
cnet.com
Analyze your PC for threats
Lavasoft suit(pdf)


Blaster and SVCHOST.EXE

If you are running Windows 2000 and get an SVCHOST.EXE Application Error when you use a dial-up connection, you probably have the Blaster virus. When you get this error, open Task Manager and you should see msblast.exe in the program list. Download the McAfee/Network Associates Stinger program, which will clean out Blaster and other viruses, and run it.
You will note that after you clean the virus, SVCHOST.EXE is still broken. You need to load a patch to fix it here. This link may not be current. Click here to search for additional links.


W32/Mydoom@mm

Avoid opening unscanned attachments. Delete emails with attachments from persons you don't know. If you've got it, then get stinger.exe to remove it.

Stinger 1.9.7 and the 4319 DATs will both require that infected Systems be rebooted to achieve complete removal of W32/Mydoom@mm.

The shimgapi.dll file is injected into the EXPLORER.EXE process if the system has been rebooted after the infection has occurred. In this situation, a reboot and rescan is required to remove this DLL from the system. McAfee information.


Gone.scr Virus: Case example of removing a virus manually

This virus hit Outlook email in 2001. "gone.scr" infects the Outlook address book through an email attachment masked as a screen saver program.

Double-clicking the attachment infects the PC.
The virus then uses email addresses in the Outlook address book to forward the virus and message to more people in your name.

The program sits in C:\WINDOWS\SYSTEM and is hidden. The program is constantly running and accessing Outlook. Under these conditions it cannot be deleted.

Also, the virus creates a registry key which launches the program on boot. The program also recreates the registry key if it's deleted or renamed.

In order to disinfect, the program and registry key must be deleted and this cannot be done while Windows is running.

Follow these steps:

  • Restart in DOS mode or to a boot disk
  • On the command line type:
    ATTRIB -R -A -S -H C:\WINDOWS\SYSTEM\gone.scr
  • Hit ENTER
  • On the command line type:
    DEL C:\WINDOWS\SYSTEM\gone.scr
  • Hit ENTER
  • Restart the PC
  • Go to Start, Run and type REGEDIT, click OK
  • Find the key(by expanding the folders):
    HKEY_CURRENT_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{C:\windows\system\gone.scr}
  • Select this key and delete it
  • Also go to Start, Find and do a search for "gone.scr", There may be copies in temp folders.
  • Empty the Recycle Bin
  • Delete any emails with the attachment
  • Empty the Outlook Deleted Items folder




Lovsan

An infected machine (running msblast.exe or teekids.exe) will send out malformed packets across the local subnet to the RPC service running on port 135. When these packets are received by any unpatched system, it will create a buffer overflow and crash the RPC service on that system. All this can occur without the worm actually being on the machine. This means that the remote shell will still get created on TCP port 4444, and the system may unexpectedly crash upon receiving malformed exploit code. Other symptoms may include:
- inability to cut/paste
- inability to move icons
- Add/Remove Programs list empty
- dll errors in most Microsoft Office programs
- generally slow, or unresponsive system performance

Applying the MS03-026 patch to the machine will prevent the RPC service from failing, in turn solving these symptoms. **It is very important that the machine is rebooted after the patch has been installed.** The machine can then be updated to the latest DATs/engine/config and an on-demand scan run to pick up msblast.exe or teekids.exe, IF it exists. I must reiterate, all these symptoms are related to the RPC vulnerability and not necessarily due to W32/Lovsan running locally. Msblast.exe/teekids.exe may not be present at all.

Please visit the VIL links below for more information:
W32/Lovsan
(W32/Lovsan.b variant)
(W32/Lovsan.c variant)
(W32/Spybot.worm.lz which exploits the same RPC vulnerability)


Protection and Detection

Both Norton(Symantec) and McAfee have free/trial downloads of anti-virus packages that will eliminate most viruses.

Norton Virus Removal Tools
McAfee Free Scan

Spyware

Spyware "infects" your PC but does not have the same intent as a traditional virus. Spyware usually collects information from your cookies for advertising purposes, launches pop-ups and changes your default homepage. If your startup web page changes and you reset it but it changes back on reboot, you may have spyware.

Some spyware is legitimate, meaning it is part of something you intentionally downloaded. For example, you may have installed RealPlayer. RealPlayer checks your version for updates and upgrades and prompts you when new versions are available. They also launch popups for advertising. However, you are getting their product for free, and if you uninstall it, the spyware goes away too.

It is important to note that these attacks are not conducted by random hackers looking to damage personal PCs, but are rather a targeted attempt by entities to control how you use the Internet and force advertising on you. They are doing this for money and it is not a prank.

The not-so-nice ones are very hard to get rid of sometimes. There are many free programs that can help:
SpyBot - Search and destroy
Spyware Blaster
Hijackthis
CWShredder

U.S. House approves less stringent anti-spyware bill(05.22.07)

Lavasoft Ad-Aware, recommended purchase product for protection and removal



ZQuest

ZQuest is a Trojan that can be spread through email, web pages and instant messages. ZQuest forces pop-ups and modifies viewed web pages on the fly. ZQuest may show up alongside an infection of SurfSideKick. The registry key needs to be deleted in safe mode:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{22131A58-5F9A-3EAA-28A7-C3059A3D0632}

May force your browser to topconverting.com, revenue.net, zwoops.com, Z-QUEST.COM, and other sites.

Information and Removal
symantec.com
nai.com
scanspyware.net



More "It's Not Spyware" Claims - SurfSideKick

According to the SurfSideKick website: "Surf Sidekick guides relevant web sites to you at the precise moment you are actually interested in them. Just browse the internet as you normally do and ... ." Similar to NewDot they claim that it is not spyware and "helps" users search the web. There is one problem with that claim, SurfSideKick installs without the user's permission or knowledge.

Registry key: HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe must be deleted in safe mode.

Information and Removal
Ssk - Ssk.exe - Process Information
Ssk.exe is Adware.SurfSideKick greatis.com
Alias: SurfSideKick 2 sunbelt-software.com
SurfSideKick Removal majorgeeks.com
SurfSideKick ca.com
HOW TO REMOVE SSK.EXE (surfsidekick 2) techsupportforum.com
Hijackthis logfile....please help techsupportforum.com



MIRAR

Have you noticed an additional toolbar on your Browser called MIRAR? If so, you have a spyware virus on your PC. The "uninstall" link for MIRAR actually links to their website and a phony form that requests personal information that has nothing to do with uninstalling the program. Never fill out forms like this.

The purpose here is to a) deter people from uninstalling the spyware or b) gather more personal information.

The following sites are associated with this spyware:
mirarsearch.com
getnirar.com
net-nucleus.com
mt-download.com
adservs.com
findthewebsiteyouneed.com

Removal
http://www.spyany.com/program/article_spw_rm_Mirar.html
http://www.nuker.com/container/details/mirar_toolbar.php



Fake Spyware Scans

You may have had a pop-up window like the one below:

Do not click on the links in this window. These advertised scans are often launched by viruses or spyware that have already infected your PC. Downloading the software will "fix" the virus problem and in turn expose you to more spyware and viruses. Some companies have infected PCs with spyware and then billed users to have them removed. The above pop-up links to web-update.org and scanandrepair.com. They are listed as "Rogue/Suspect Anti-Spyware Products & Web Sites" by spywarewarrior.com. Read more.

oneclicksearches.com and psguard.com

oneclicksearches.com and psguard.com use Trojan.ByteVerify and variants to infect your PC.


What do oneclicksearches.com and psguard.com do to you?
  • Sets default homepage to: oneclicksearches.com
  • Turns on Active Desktop and defaults the page to %SystemRoot%\system32\wppp.html, which is psguard.com
  • Installs these programs in c:\winnt\system32\
    down1.exe
    hhk.dll
    hpF443.tmp
    intell32.exe
    intmon.exe
    msmsgs.exe
    oleext32.dll
    shnlog.exe
    uninstIU.exe
    wppp.html
  • Sets up a fake "Virus Alert" in your task bar. Clicking on the "alert" brings you to psguard.com where they try to sell you anti-spyware software.
  • The oneclicksearches.com home page uses hijacked microsoft.com icons so the site looks like a Windows security page.
  • Sets hundreds, possibly thousands of registry keys pointing to oneclicksearches.com

What you can do about it
  1. If you don't already have anti-virus software, get some. If you do have it, update the definitions lists. There are free anti-virus packages available from symantec and mcafee. Download stinger.exe.
  2. Disconnect from the Internet/Network
  3. Reboot in Safe Mode with Network support(reboot and hold F8)
  4. Run the anti-virus software in Safe Mode
  5. Disable Active Desktop(Control Panel, Folder Options)
  6. Do a search for the files listed above and delete them
  7. Open the Registry editor(Start, Run, regedit) and do a search for all keys with "oneclicksearches.com" and delete them. Do the same for "wppp.html" and "psguard.com"
  8. If you know approximately when you got the virus, do a search on your PC for any file created since that time. More than likely you will see recently created EXEs in the system32 folder. Rename these files rather than delete them just in case they are not part of the virus.
  9. Open a browser (while still off-line!) and delete all cookies, cache, temp files, bookmarks that were added by the virus and change your home page back to what it was.
  10. Reboot your PC and test to see if the viruses are gone
  11. oneclicksearches.com psguard.com are registered through ESTDOMAINS, file a complaint with estdomains.com.
  12. Email the admins for oneclicksearches.com psguard.com at dep@sexpicsporn.com and psguard@ua.fm and tell them how disgusted you are with their tactics.
  13. File a complaint with the BBB
  14. File a complaint with FTC



Gator/GAIN

One of the earliest and most well-known examples. Often comes bundled with downloaded freeware or shareware like KaZaA, weatherbug, Napster, and the like. Gator launches ads and redirects your searches to their selected products. Having Gator installed will expose you to other types of spyware.

Removal: In Gator's case you may be able to remove it through Add/Remove Software in the Control Panel. To be sure find and delete the following files:
iegator.dll
fsg.exe
fsg-ag.exe
GMT.exe
Do a Registry search for it also and delete the keys in ...\Current Version\Run and ...\Current Version\RunOnce




Xupiter

An example of Browser Hijacking is the Xupiter toolbar. It keeps resetting your homepage to Xupiter.com, adds a toolbar and launches popups. Use these instructions: pchell.com to remove it, then send an email to help@xupiter.com, support@xupiter.com, and dnsadmin@tucows.com telling them you do not like their spyware advertising tactics.




fastsearch.cc

What a pain this one is. It sets the registry keys for startup pages to
http://%69%6e%2e%77%65%62%63%6f%75%6e%74%65%72%2e%63%63/%2d%2d/?%79%64%74%66%73
Why? The % followed by numbers and letters are hexadecimal numbers: %69 = i, %6e = n, etc. The entire string decoded is in.webcounter.cc/--/?ydtfs, and this page redirects your browser to fastsearch.cc (.cc is the Cocos Islands). The reasons: for one, you cannot put the % in your web blocking list. Then, your browser keeps resolving to fastsearch.cc, but if you search your hard drive, cache and registry, "fastsearch.cc" won't come up. This is called obfuscation.
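An added example (not KnujOn's code) that decodes start-page values like the one above and flags the escapes a legitimate URL would never need; the benign comparison URL is constructed.

```python
"""Decode a percent-encoded start page and flag needless escapes.
Added example (not KnujOn's code). A legitimate URL only escapes reserved or
non-ASCII characters; one that escapes ordinary letters of its own host name
is hiding that host from text searches and block lists, as the text describes."""
import re
from typing import Dict, List
from urllib.parse import unquote, urlsplit

# The encoded start page quoted in the text.
OBFUSCATED = "http://%69%6e%2e%77%65%62%63%6f%75%6e%74%65%72%2e%63%63/%2d%2d/?%79%64%74%66%73"

# RFC 3986 "unreserved" characters: never need escaping in any part of a URL.
UNRESERVED = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~")
ESCAPE = re.compile(r"%([0-9A-Fa-f]{2})")


def needless_escapes(url: str) -> List[str]:
    """Escape sequences in url that stand for unreserved characters."""
    return ["%" + h for h in ESCAPE.findall(url) if chr(int(h, 16)) in UNRESERVED]


def analyze_start_page(url: str) -> Dict[str, object]:
    """Decode url and report the real host plus obfuscation indicators.
    'host' is the string to search the registry, cache and block list for;
    searching for the encoded form, or for the final redirect target, finds nothing."""
    decoded = unquote(url)
    needless = needless_escapes(url)
    return {
        "decoded": decoded,
        "host": urlsplit(decoded).hostname or "",
        "host_was_escaped": "%" in urlsplit(url).netloc,
        "needless_escape_count": len(needless),
        "suspicious": bool(needless),
    }


if __name__ == "__main__":
    # Constructed benign URL for comparison: %20 is a space, which must be escaped.
    for url in (OBFUSCATED, "http://example.com/search?q=hello%20world"):
        print(analyze_start_page(url))
```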

This was apparently caused by CWS.Tapicfg a variant of the CoolWebSearch. It's named so because CoolWebSearch.com was one of the first ones to use it.

SpyBot, spywareblaster, and HijackThis did not clean it out but CWShredder did get it.

After you have cleaned out webcounter.cc or fastsearch.cc send and email to:
Helen Bauer - webmaster@fastsearch.cc and Katsuji Yoneyama - webmaster@webcounter.cc expressing your disgust at their advertising tactics.

To reduce the risk of spyware infection, load Spyware Blaster, which will block specific spyware packages and also increase the security of your browser settings, specifically blocking or prompting for stylesheet downloads.



More Info:
Anti-spyware guidelines get final version(msn-cnet.com 01/12/2006)
Information Kit: Spyware
Whatis.com
spychecker.com
cexx.org
grc.com
spywareinfo.com
Spyware forum

Worms

Computer worm (wikipedia.org)
The Internet Worm of 1988 (std.com)
Fighting Internet Worms With Honeypots (securityfocus.com)
The Internet Worm Program: An Analysis (purdue.edu)
A REPORT ON THE INTERNET WORM (ryerson.ca)
What is an internet worm? (bbc.co.uk)
Monitoring and Early Warning for Internet Worms (blog.namics.com)

Fake System Alerts

Have you ever seen one of these?


This is not a real system message it is a junk message made to look like a system message. Sites associated with this kind of fake system message:
fix-ms.com
set32.com
patchupdate.info
gerfixit.com
windowsrepair.net
msregistryupdate.com
pcspywarescan.com
uric.com

Don't go to any of these sites. You can stop the messages by disabling the Windows Messenger Service (Control Panel, Admin Tools, select "Services", find the "Messenger" service, right-click and Stop. Also set it to Manual or Disabled rather than Automatic or Boot). This is not the same as Instant Messaging.

More Information:
dell.com/supportforums
aumha.org
blogharbor.com/hacked/