Online security news and its updates are important to follow: they tell you which online resources are dangerous and help you stay safe while browsing the internet, whatever you are doing.
This is a continuation of the Internet Security News at this link. It keeps you updated on dangerous resources you may already be using without knowing anything about how they treat your privacy, how they track your movements online and what kinds of malware they carry.
It is important to know that the Trojan-Downloader I mentioned in the internet security news updates comes under different names!
Another kind of Trojan-Downloader is the Trojan-Downloader.Java.OpenStream.ac (virus).
Using strong antivirus protection is usually enough to disinfect your computer. When automatic disinfection is not possible, you can do it manually. To disinfect standalone malware (backdoors, worms, Trojans, etc.) manually, it is usually enough to delete all infected files from the computer and restart it.
You do that by tracking down where the virus came from and where it resides. You can, for example, rename the file and then delete it. However, manual disinfection is a risky process, so ignore this advice if you are not an advanced user and ask your antivirus provider for help.
I have found the following process, from one of the internet security providers, useful:
If Windows 95, 98 or ME is used, it is recommended to restart the computer from a bootable system diskette and delete the infected file from the command prompt.
For example, if a malicious file named ABC.EXE is located in the Windows folder, it is usually enough to type the following command at the command prompt: DEL C:\WINDOWS\ABC.EXE and press Enter. After that, the infected file will be gone.
If Windows NT, 2000 or XP is used, the malicious file has to be renamed with a different extension (for example .VIR) and then the system has to be restarted. After restarting, the renamed malicious file will no longer be active and can easily be deleted manually.
Now There Is a Stupid Malware Called Kuang2.in!
As with the malware Mydoom-in, Dabber-in, NetBus-in and Server Sasser-in that we already know, there is now a malware called Kuang2.in. It seems the developers of such malware and viruses need strong fists to break their noses. Sorry, we need to be tough sometimes, with rude people only.
As far as I know, Greeks are very peaceful people, so I was surprised to have the latest malware, Kuang2.in, coming from there twice to attack two computers at the same time. I moved from this computer to the second one to track it and saw the same blocked traffic, with the following information, thanks to my internet guard:
Description: Inbound Malware prope
Services: Malware - Kuang2.in
Remote address: 126.96.36.199, Location: Country: Greece, Region: Attiki, City: Athens, ISP: Greek Public Administration Network, Domain: OTE.GR
Remote port: 31029
DNS name: host-84-205-241-5.cpe.syzefxis.ote.gr
Take Care of Trojan-D in Attachments!
Somebody called Zelma Fraser, with the email address firstname.lastname@example.org, sends Trojan-D in an attachment with the subject line "Contract of retirement" and the file name "contract_n2.zip".
The body of the message goes like this:
"We have prepared a contract and added the paragraphs that you wanted to see in it. Our lawyers made alterations on the last page. If you agree with all the provisions, we are ready to make the payment on Friday for the first consignment.
We are enclosing the file with the prepared contract.
If necessary, we can send it by fax.
Looking forward to your decision."
Worm W32/Autorun Spreads in Email Attachments!
Do not open spam emails with the subject line "Statement of fees 2008/09". The file attached to such spam is Worm W32/Autorun.
I have received such a virus in a spam email with the following information:
The first lines of the body of the message go this way: Please find attached a statement of fees as requested; this will be posted today. I received this spam, with a Trojan included in the attachment, from astonrose dot co dot uk ([188.8.131.52]), UK, United Kingdom, ISP: Worldinternet.
The sender was JetBlue Airways at erxsr at bmrcpas.com, the Subject line said "Your Online Flight Ticket N 67003" and the multi-part message was in MIME format.
How Does Worm W32/Autorun Work, and What Does It Do?
My security system says the following about Worm W32/Autorun: it is malware that runs on the W32 platform. Autorun worms can spread by copying themselves into the root directories of hard drives and other writable media such as USB memory sticks.
The worms create an autorun.inf into the root directory of drives they want to infect.
The autorun.inf contains the name and path of the actual worm executable. When an infected medium (CD, DVD or USB drive) is inserted into the computer, the autorun.inf is processed and consequently the malicious program is executed automatically.
In addition to drives on the local computer, an Autorun worm can also spread to remote computers by infecting shared network drives.
Members of the Autorun family also often contain other functionality in addition to just spreading. In fact, this infection method can be used to propagate any malicious payload, such as a backdoor, password stealer, or some other kind of Trojan.
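The mechanism described above is simple enough to check for yourself: the worm only has a foothold if a drive root carries an autorun.inf whose launch directives point at an executable it dropped. The following Python is an added example (not code from the page or from any antivirus vendor) that parses autorun.inf text the way a scanner would and reports what the shell would launch. The two sample files are constructed for the example; the file names in them are placeholders, not real malware names. Beyond the plain "open=" case the text mentions, it also looks at "shell\<verb>\command" entries, which worms of this family use to hijack the Open/Explore action so the payload runs even when AutoPlay is disabled.

```python
"""Added example: inspect an autorun.inf and list what it would launch.

The sample files below are constructed for this example; they are not
copies of any real infection.
"""
import re
from typing import Dict, List

# Extensions the Windows shell will execute as a program.
EXEC_EXTENSIONS = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js"}
# Standard verbs a worm overrides so that a double-click runs it instead of opening the drive.
HIJACKABLE_VERBS = {"open", "explore", "autoplay"}


def parse_autorun(text: str) -> Dict[str, str]:
    """Tolerant parse of the [autorun] section: keys lower-cased, last value wins."""
    entries: Dict[str, str] = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def program_of(command: str) -> str:
    """First token of a command line (the program), with surrounding quotes removed."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def launch_targets(entries: Dict[str, str]) -> List[str]:
    """Programs named by 'open', 'shellexecute' and any 'shell\\<verb>\\command' directive."""
    targets: List[str] = []
    for key, value in entries.items():
        if key in ("open", "shellexecute") or re.fullmatch(r"shell\\[^\\]+\\command", key):
            prog = program_of(value)
            if prog:
                targets.append(prog)
    return targets


def assess(text: str) -> dict:
    """Return the launch targets plus the reasons (if any) the file looks like a worm's."""
    entries = parse_autorun(text)
    targets = launch_targets(entries)
    reasons: List[str] = []
    for target in targets:
        ext = "." + target.rsplit(".", 1)[-1].lower() if "." in target else ""
        if ext in EXEC_EXTENSIONS:
            reasons.append(f"launches executable {target}")
    for key in entries:
        m = re.fullmatch(r"shell\\([^\\]+)\\command", key)
        if m and m.group(1) in HIJACKABLE_VERBS:
            reasons.append(f"hijacks the '{m.group(1)}' verb (runs even with AutoPlay off)")
    return {"targets": targets, "suspicious": bool(reasons), "reasons": reasons}


# Constructed sample in the style of an Autorun worm; file names are placeholders.
WORM_SAMPLE = """\
[autorun]
open=RECYCLER\\wormsample.exe
shell\\open\\command=RECYCLER\\wormsample.exe
shell\\explore\\command=RECYCLER\\wormsample.exe
icon=%SystemRoot%\\system32\\shell32.dll,4
"""

# Constructed benign sample: only an icon and a label, nothing to run.
CLEAN_SAMPLE = """\
[autorun]
icon=disc.ico
label=Vendor Driver Disc
"""

if __name__ == "__main__":
    for name, sample in (("worm", WORM_SAMPLE), ("clean", CLEAN_SAMPLE)):
        result = assess(sample)
        print(name, "suspicious" if result["suspicious"] else "ok", result["reasons"])
```

On a live system you would run assess() over the contents of X:\autorun.inf for each mounted drive and treat any hit as a reason to look for the referenced file (often hidden) in the drive root before following the manual removal steps above.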
United Postal Services Distributes Worms and Trojans in Attachments!
You may receive the following message in two spam emails from different email addresses, if you have not received it yet. I publish some details here to stop you from opening such emails, as they carry a worm in the attachment.
The message goes this way: "Unfortunately, we were not able to deliver postal package you sent on Sept the 28 in time because the recipient's address is not correct.
Please print out the invoice copy attached and collect the package at our office."
The words in the "From" field are the same in both: United Postal Services.
The words on the Subject line are also the same; only the tracking numbers change. They read: UPS Tracking Number 30935741114; and UPS Tracking Number 02498012147.
The first email spam dropped in through the following details:
IP Address: 184.108.40.206, ISP Location UNITED KINGDOM, ENGLAND, LONDON SP: SINGLE STATIC IP ADDRESSES, domain: BTOPENWORLD.COM
The second email spam dropped in through the following details:
IP address: 220.127.116.11, ISP Location: NETHERLANDS, ZUID-HOLLAND, NAALDWIJK, IP: KABELFOON, Domain: CAIWAY.NL
Japan Enters Trojan Spy Industry!
I captured two spam emails while they were dropping into my mailbox at the same time. I could see them with some details about the Trojan Spy they carried together while attacking my system.
I read the details on the screen and followed the two emails until they landed in my folder, stripped of that virus. I then followed them through the email system to discover the following details.
The two emails were received from ([18.104.22.168]), located in Japan, Region: Gifu, City: Gifu, ISP: OPEN COMPUTER NETWORK, with the "From" line: "Microsoft" <email@example.com> and the "Subject" line: Security Update for OS Microsoft Windows, on Tue, 14 Oct 2008 13:11:59 +0900.
The same stupid message addressed me this way: Dear Microsoft Customer, and these lines followed:
Please notice that Microsoft company has recently issued a Security Update for OS Microsoft Windows. The update applies to the following OS versions: Microsoft Windows 98, Microsoft Windows 2000, Microsoft Windows Millenium, Microsoft Windows XP, Microsoft Windows Vista.
Please notice, that present update applies to high-priority updates category. In order to help protect your computer against security threats and performance problems, we strongly recommend you to install this update.
Since public distribution of this Update through the official website http://www.microsoft.com would have resulted in efficient creation of a malicious software, we made a decision to issue an experimental private version of an update for all Microsoft Windows OS users.
As your computer is set to receive notifications when new updates are available, you have received this notice.
In order to start the update, please follow the step-by-step instruction:
If nothing changes after you have run the file, probably in the settings of your OS you have an indication to run all the updates at a background routine. In that case, at this point the upgrade of your OS will be finished.
We apologize for any inconvenience this back order may be causing you.
Director of Security Assurance
There are so many stories like this you can read at Beware of Add Ons, IP, IP Address and No One Cares of Privacy Nowadays.
Spammers Send PayPal Hacking Emails in French!
Email spammers and hackers have lately begun to use PayPal's name, in French, to send French spam messages to internet users. They use tracking tools and other malware to spot active users on the internet and send them their spoofs. Luckily, I have captured this stupid PayPal spam email:
Dear PayPal User.
We have recently determined that different computers have logged on to your PayPal account, and multiple password failures were present before the logons.
We now need you to reconfirm your account information. If this is not completed before 13 October 2008, we will be forced to suspend your account indefinitely, as it may have been used for fraudulent purposes.
We thank you for your cooperation in this matter.
Click below to confirm and verify your PayPal account:
Note: if you choose to ignore our request, you leave us no choice but to temporarily suspend your account.
Best regards.
PayPal Security and Anti-Fraud Department.
Trojan-Spy Spreads Using Google Groups!
If you are an internet marketer, it is probable that you have received, or will receive, some Trojan-Spies attached to notifications from message boards, forums, groups and social networks you have joined. There are silly hackers all over the place using Google Groups to send in those Trojan-Spies.
However, since the process goes through Google, Google should be the first to block this door. Yes, it is worth mentioning this note again and again. The following is the complete information on one silly hacker using this method to send his or her Trojan-Spy in.
Trojan-Spy.HTML.Fraud consists of fraudulent e-mail messages and website HTML. They include a mismatch in the HREF tags used by hyperlinks, which happens when a hacker attempts to disguise or obfuscate the hyperlink. An example of an HREF mismatch is <a href="http://www.nananana.com">http://www.paradox.com</a>
The HREF in this example points to nananana.com while the displayed hyperlink shows paradox.com. Phishers use this to lure victims to spoofed sites in order to steal personal account details.
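The mismatch described above is mechanical enough that a mail filter can catch it: whenever the visible text of a link is itself a URL or domain, its host should belong to the same site as the real href. The following Python is an added example (not code from the page or from any vendor's product) that parses HTML with the standard library, collects every anchor, and reports the pairs where the displayed host and the actual target host disagree. The sample HTML is constructed for the example and reuses the page's own nananana.com/paradox.com pair; the other two links are invented as benign controls.

```python
"""Added example: flag anchors whose visible text is a URL that points somewhere
other than the real href target (the HREF mismatch used in Trojan-Spy.HTML.Fraud).

The sample HTML is constructed for this example.
"""
import re
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Bare domain such as www.example.com, optionally followed by a path.
DOMAIN_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}(?:[/:?#].*)?$", re.I)


def host_of(text: str) -> str:
    """Hostname a reader would take from a URL or bare domain ('' if the text is neither)."""
    text = text.strip()
    if "://" not in text:
        if not DOMAIN_RE.match(text):
            return ""
        text = "http://" + text
    return (urlparse(text).hostname or "").lower()


def _strip_www(host: str) -> str:
    return host[4:] if host.startswith("www.") else host


def same_site(a: str, b: str) -> bool:
    """True when one host equals, or is a subdomain of, the other (ignoring 'www.')."""
    a, b = _strip_www(a), _strip_www(b)
    return a == b or a.endswith("." + b) or b.endswith("." + a)


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element, including nested markup."""

    def __init__(self) -> None:
        super().__init__()
        self.anchors: List[Tuple[str, str]] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def href_mismatches(html: str) -> List[Tuple[str, str]]:
    """Return (href, displayed text) pairs where the displayed URL's host is not the target's."""
    parser = AnchorCollector()
    parser.feed(html)
    parser.close()
    hits = []
    for href, text in parser.anchors:
        shown_host = host_of(text)
        if not shown_host:
            continue  # plain wording like "Click here" makes no claim about the host
        target_host = host_of(href)
        if target_host and not same_site(target_host, shown_host):
            hits.append((href, text))
    return hits


# Constructed sample: the page's mismatch example plus two benign links.
SAMPLE_HTML = """
<p>Confirm your account: <a href="http://www.nananana.com">http://www.paradox.com</a></p>
<p><a href="https://www.example.com/login"><b>www.example.com</b></a></p>
<p><a href="http://www.nananana.com">Click here</a></p>
"""

if __name__ == "__main__":
    for href, text in href_mismatches(SAMPLE_HTML):
        print(f"mismatch: shows {text!r} but goes to {href!r}")
```

The same_site() check is deliberately lenient about subdomains so that a link showing paypal.com but pointing at login.paypal.com is not flagged; a host such as paypal.com.evil.example still is, because the suffix test works on whole labels.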
Obama Sex Scandal is a Trojan in Attachments!
Nonsense: they try to hurt the new President, as if they did not know he is the promise to the world. So hackers follow even the latest trends in politics to send Trojan-D.
The following case was intended to deliver a Trojan in an attachment named zeland-01.zip. He or she used a provocative Subject line: Barak Obama sex scandal. These kinds of people know the opening rate of such an email should be at least 7/10.
This software produces advertisements on the infected computer. It collects data and exposes it to users.
Are They Really MSN Featured Offers?
A silly spammer uses different email addresses that I own in the "From", "To" and "Return-Path" lines to send the same emails, meant to look as if they came from MSN, to 4 of my email addresses.
All messages go this way:
About this mailing:
You are receiving this e-mail because you subscribed to MSN Featured Offers. Microsoft respects your privacy. If you do not wish to receive this MSN Featured Offers e-mail, please click the "Unsubscribe" link below.
This will not unsubscribe you from e-mail communications from third-party advertisers that may appear in MSN Feature Offers. This shall not constitute an offer by MSN. MSN shall not be responsible or liable for the advertisers' content nor any of the goods or service advertised. Prices and item availability subject to change without notice.
Following this message, just below it, are three text links to Chinese websites at hudardd.cn and iicurpx.cn, and one non-.cn site at legacymethod.com. The text links read: Unsubscribe | More Newsletters | Privacy.
I do not know what the spammer would feel if somebody told him or her that nothing like this works!