Net-Worm.Win32.Koobface net worm infects Myspace and Facebook users


There is a new virus spreading among both Facebook and Muspace uswers – Net-Worm.Win32.Koobface.

It has two variants: Net-Worm.Win32.Koobface.a. /for Myspace/  and Net-Worm.Win32.Koobface.b /for  Facebook/

In  their malicious action, the net worms transform victim computers  into zombie computers to form botnets.

What is a Botnethttp://en.wikipedia.org/wiki/Botnet 

The Net-Worm.Win32.Koobface.a. /for Myspace/ worm creates many commentaries to friends’ accounts.

 The Net-Worm.Win32.Koobface.b /targets Facebook users/ creates many spam messages and sends them to the infected users’friends via the Facebook.

Messages and comments can include ‘Paris Hilton Tosses Dwarf On The Street’; ‘Examiners Caught Downloading Grades From The Internet’; ‘Hello’;’ You must see it!!! LOL. My friend catched you on hidden cam’;’ Is it really celebrity? Funny Moments’ and many others.

Messages and comments include links to http://youtube     .pl.

If you click on this link, you are redirected to http://youtube      .ru,  – a site which contains a video clip.

If the user wants to watch it, a message pops up reading that you need the latest version of Flash Player to watch the funny clip.

Of course, instead of the latest version of Flash Player, a malicious file called codecsetup.exe is downloaded to  victimcomputer; this file is also a network worm.

Advertisements

Worm.Win32.GetCodec infects MP3 audio files


This worm was reported in July and is a new step in worms and viruses development.

The new is it converts the mp3 file into WMA file and embeds in it. When the file is opened, the Worm.Win32.GetCodec worm opens a web page telling you to download a new codec.

NEVER download and install codecs from unknown sites! It is 99% sure they are worms/trojans.

 If you agree to install the ‘codec’ file, a Trojan – known as Trojan-Proxy.Win32.Agent.arp is downloaded to your  computer, giving the hackers control of the victim’s PC.

if you got infected, use http://www.pctools.com/spyware-doctor/ to clean the worm.

AntiSpyCheck – yet another trojan


 

 Do you have noticed how many trojans with ‘Anti-‘ names appeared nowdays? It seems to be the last trends among virus/trojans creators. They have masked their malware code as antivirus software with colorful GUI telling you have 345247827469726482246 trojans and viruses and have to hurry to their page and buy antivirus software which is the only one to clean your computer.    
 
Anti Spy Check Description:
Anti Spy Check, or AntiSpyCheck 2.4, is a fake antispyware and antivirus program that claims to be a spyware remover, popup blocker and trojans cleaner.

AntiSpyCheck program may install without your knowledge through a Trojan Zlob.

Trojan.Zlob is a back door Trojan. It allows the hacker to perform various malicious actions on the remote computer.

Trojan.Zlob usually is masked as a needed video codec in the form of ActiveX.

Here is a typical example of it:

 

Image taken from http://www.jahewi.nl/lists/fakecodecs/fakecodecs.html

 

Anti-SpyCheck usually pops up fake security alerts trying to make you buy their software.

How can you get rid of AntiSpyCheck?
The best spyware removal tactic is to uninstall Anti Spy Check  using the “Add/Remove Programs” from the Control Panel.

If there are still files remaining after reboot, follow the steps below: /Sistem Restore has to be disabled/

1. Run the Task Manager /“Alt+Ctrl+Del“, and “Task Manager” opens/ ! ‘+’ sign means to press three keys at once- the 3 fingers rule.

2. Find the following processes: ad-protect.exe and AntiSpyCheck.exe then select one by one and press the ‘End Process’ button.

3.  Find the files above using Search and delete them.

4.  Go to “Start” button and then click on “Run”.

5. In the Run  box  type “cmd“, and then click on “OK”  button

6. Type regsvr32 /u spamdet.dll and hit Enter. This will unregister the trojan .dll library.

7. Find and Delete spamdet.dll

8. Open registry editor /Start — Run — Regedt32/ then find and delete /if any/ the following registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\ad-protect.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\spamdet.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{9DA1990B-9BCA-4c80-AEFB-11A40FA849F9}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{C628512D-A058-4BD4-B47B-B036F45FA02B}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{99A753C6-E429-46BD-989E-DD4A21CD059D}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BBBD3E11-D201-46C9-8471-091D33159287}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D2608046-DD09-A225-01BF-70C1EDD8B2E8}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D2C1986A-FBEC-4472-AABF-6D42F08DBC8E}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D7ABE914-B8CF-4602-9145-6BDAAEDA21AA}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F3210E86-46A8-5973-963F-0EF4CF226A0C}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{214345B8-BB69-498D-A168-29F58F15D806}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{CF231820-9904-4A37-B5B0-C87EF6F6CC82}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D2C1986A-FBEC-4472-AABF-6D42F08DBC8E}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F51BC478-D997-4C56-988D-79D9EEAAD1EC}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{FD4DCB8B-C33A-4E70-A351-6FAB7E1071A4}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{32BD20FD-41FD-47FB-9BC9-28DCBD7D55D7}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{5AA883DB-7CFD-4737-B3C3-C671595ECCE5}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Ad-Protect.Addin
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Ad-Protect.Addin.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Ad-Protect.Server
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Ad-Protect.Server.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\spamdet.SpamDetector
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\spamdet.SpamDetector.1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\AntiSpyCheck.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AntiSpyCheck
HKEY_LOCAL_MACHINE\SOFTWARE\AntiSpyCheck
HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\Addins\Ad-Protect.Addin.1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\AntiSpyCheck  

 

After restarting the computer there will be no more annoying pop ups and slowdowns.

And one advice: there is no free lunch as you know, so when watching porn and it says wou have to download something to watch more – think first before click Yes, or better – Quickly RUN of the site without thinking!

How to close ports


When my computer becomes slow, I use to check connections established. In command prompt /Start button — Run —type  CMD — Enter/ I type command ‘netstat -a‘ and press enter.

It gives all the connections in my computer. Especcialy attention I pay to those marked as ESTABLISHED. Some of them are with my Skype friends or Internet sites I have connected.

 But if I close all the programs running /like Skype, IE, games, torrents, etc/ there are still some established connections with unknown sites in Germany, Russia, all over the world. Near them is written the port. It is known that malicious software uses higher ports number /bigger than 10000/ and ‘good’ programs use small numbered ports.

One way to close a port is to terminate the process /program/ that has opened it.  But if you don’t know the program or someone is using trojans to connect with you, the other way is to use a program to close those ports.

There are many programs for scanning and closing ports. I found this http://www.nirsoft.net/utils/cports.html an use it from time to time. It is free. I don’t know the autors but think it is a good program for non proffessionalists like me. If you have better programs in mind, please share their URL.

Google involved in spreading XP Antivirus 2009 and Vista Antivirus 2009


As my last post made a hudge interest, I made a quick research regarding those trojan which has so wide spreaded.

Almost all of my search keywords are “How to remove XP Antivirus 2008

About removing of the trojan I have written before. Write to me if you have more questions or problems – I will try to help with advices.

If I dont know something, I ask Google.

And the irony in this case is Google told me that Google is was spreading malware via its AdWords links.

If you don’t know – AdWords is an advertising program of Google. They get paid to put ads in some pages and in main search results page too.

Some of those advertising links belonged to hackers. They had redirected the user who had clicked on their link to a trojan downloader page. This way many web users become infected with viruses just surfing the web.

The good news is Google have identified and canceled AdWords accounts which displayed malicious ads re-directing users to hacker sites.

More info can find at the official Google AdWords blog 

http://adwords.blogspot.com/2007/04/protecting-your-security-online.html

XP Antivirus 2008 is a Trojan!


I had surfing the net when a red alert in Tray menu started to appear. It read Windows Seciruty has to be updated.

It offered me a site with “XP Antivirus 2008”

As I tought it is Microsoft security center alert, entered the site  http://s c a n n e r . a n v i-s c a n n e r . c o m / 3 4 /? a d v i d  =  0 0 0 0 0 0 4 6 8 3 & H T T &  /Attention – better do not try to open/

When I saw the fake system scanning and $20 price to “clean my system” I quickly left but was too late.

Then Avira Antivir  started to alert about viruses detected. The computer became very slow.

I restarted in Safe Mode /F8/ and  ran Spyware Doctor – it found more than 20 viruses and 30 infected files. Spyware Doctor cleaned them. I had disabled System Restore in advance. /Important!/

Then ran Avira Antivir again and cleaned  17 trojans.

Open Task manager /alt+ctrl+del/ and stop the following processes:

vav.exe
XPAntivirus.exe
XPAntivirusUpdate.exe
xpa.exe
xpa2008.exe

Then Remove following XP Antivirus 2008 Registry Values:

HKEY_USERS\Software\XP antivirus
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run smrhc7nsj0e57c
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\rhc7nsj0e57c
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\rhc7nsj0e57c displayname
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\rhc7nsj0e57c uninstallstring
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c advid
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c automaticallyupdates
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c backgroundscan
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c backgroundscantimeout
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c databaseversion
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c daysinterval
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c domain
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c engineversion
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c guiversion
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c installdir
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c minimizeonstart
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c programversion
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c proxyname
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c proxyport
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c registrationdiscurl
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run smrhc7nsj0e57c
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c registrationurl
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c scandepth
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c scanpriority
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c scansystemonstartup
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c softid

This way I cleaned my system from that annoying malware.

Myspace code for Hide Friends Area


Sometimes you may want others not to see your friends list in your Myspace profile.

There is an easy way to Hide Friends Area :

Go to your “About Me” section of Myspace page.

Copy and paste the code below in “About Me” section:

 

<style type=”text/css”>td.text td.text table table table,td.text td.text table br,td.text td.text table .orangetext15,td.text td.text .redlink,td.text td.text span.btext{display:none;}td.text td.text table {background-color:transparent;}td.text td.text table td, td.text td.text table {height:0;padding:0;border:0;}td.text td.text table table td {padding:3;}td.text td.text table table br {display:inline;}td.text td.text table td {font-size:0pt;}td.text td.text {height:0;}td.text td.text table b, td.text td.text table table td {font-size:8pt;}</style>

 

That’s all! Now you will have friends area hidden.