Alert: “If I Die” fake Facebook App scam (Via Email) – Virus Alert

Another alert, this time in the form of a new email that has started circulating around the internet, as found/reported by anti-virus software maker Bitdefender (http://www NULL.malwarecity NULL.com/blog/fake-app-sends-you-and-your-pc-on-memento-mori-trip-1140 NULL.html). The email which will appear to come from someone you know talks about “A new Facebook Application”. The claim that you can download a file that will let you record a message on Facebook, so that “If you die” your loved ones can get a final goodbye from you. The email carries an attachment that ends in .exe (That alone should be your 1st WARNING SIGN).

Death obviously isn’t an easy subject and I can only assume the bad guys are hoping to pull at the emotions of the end user. So what happens if you download/open this attachment. The .exe file will install 3 encrypted executables, and when I say encrypted, I mean they will be extremely difficult to remove once they have made it on to your machine.

Once installed the files will

- Install and use a keylogger to record all user name / passwords and other “important” number sequences (like SS#, credit cards #’s, address information) from any visited website or email account and send that information to the bad guys

- Install software so that your installed webcam (and virtually all laptops these days have a built in webcam) will automatically take snapshot pictures and send those to the bad guys. (Which could put you in an even more compromising position depending on what these pictures show)

- Install software that could let someone (the bad guys) take over and remotely control your pc. (Haunted PC anyone)

As a side note concerning the bogus email, there is a legit Facebook app called “If I Die” (LINK) http://ifidie.net/ (http://ifidie NULL.net/) , which allows you to record a message for your Facebook. Those who are aware of the legit app may confuse this email for the legit app. This email has nothing to do with the legit app.

So what should you do

NEVER NEVER NEVER open any attachment unless you can confirm with the sender that they actually sent it and what it actually does.
Make sure to have your system updates (Windows, Office, Adobe Flash / Acrobat, Java, etc) up to date. Many of these malware software scams try and use bugs, holes, or issues with older versions of software to get into your system. (Like locking your front door but leaving a window wide open)
Always make sure that your Antivirus software is up to date. When I say up to date, I mean both the software itself and the “signature files”. If your software program is more than 3 years old, you really need to be getting a newer version. You should not be running Norton Antivirus 2003 in 2011 and expect the program to protect you. You should also go into whatever AV program you are running look for the signature file date and make sure that its no more than a couple of days old. Signatures are what AV companies update to include all the new viruses/malware that’s created.
LASTLY, DON’T BE STUPID AND DON’T BELIEVE EVERYTHING YOU SEE ON THE INTERNET OR IN AN EMAIL. When in doubt always make sure and ask someone before clicking where you don’t know. Remember the computer you save may be your own.

Alert: New Android Malware Mimics Google+ (from Phandroid)

There is a New Android Malware that Mimics Google+ And Spies On Your Phone Calls. The Malware is called Google++. See the following information on the Malware (from phandroid) http://phandroid.com/?p=60957 (http://phandroid NULL.com/?p=60957)

Alert: Facebook – Tagged Picture used to spread “Fake” links and Malware. (Plus How to Untag yourself)

Since Facebook is the BIG FISH currently, and most users on Facebook seem to “trust” what they see, the bad guys are now targeting Facebook with more daily scams. From Rogue apps, to fake links, to hacking accounts, to now Fake picture tagging on profiles. The following was something I came across yesterday

the tagged picture was on the profile of someone I know. I did confirm with that person that they don’t know “Julie” (either by name or picture) the person on the tag. Of course Julie has a link on her tag. If you happen to click on the link (even if just by mistake) what you get is sent to a website that will download malware on your pc.

So as always having a Facebook account means that you need to pay attention to what is happening on your account. If you run into a situation where a picture is tagged to you that you don’t want showing on your profile, here are the steps to Un-Tag yourself from the picture.

How to Untag yourself –

From your Facebook home page, locate the blue bar at the top of the screen. It says Facebook, Home, Profile, Friends, and Inbox. Click on “Profile”. Now you will be sent to your profile page.

On your profile page, look underneath your profile picture that is located at the top left. Under it, you will see “Photos”. Click on Photos

Now in the middle section of the page toward the bottom you will find the “Photos and Videos of you” section.

Look at the pictures below this section. Any pictures tagged will appear in this area. Click on the picture you would like to remove.

Now look under the picture for the section that says “In this photo”. Next to that you will find “Remove tag”.

Click remove tag. The photo will not show up on your profile anymore

Alert: Facebook Scam to look out for – “See who viewed your profile”

I ran across another (of the many) Facebook scam this week. A friend had a post listing the iknow_extension this weekend. The app is one of many floating around Facebookland all claiming that they can help a user see who have been “looking at your page”.

At the core, all these scam apps are the same, they prey on the unsuspecting who are not technologically knowledgeable. Some of the variations of catch line that I’ve seen are

Awesome! you can finally find out who has looked at your page
OMG… I cant believe this actually works! Now you really can see who viewed your profile!
Check out who has blocked you on Facebook

of course there are many more than these.

In all cases, it plays into the human curiosity factor, using social engineering to trick the user into infecting there machines. One thing that everyone should be aware of, is that even if it was possible to create an app for the purposes of seeing who has looked at your page, such an app would be completely against the Facebook privacy policy.

In cases like the “iknow” app, it will lead you to a page with an “allow” function that will do 2 things, add itself into your Facebook profile, with the specific purpose of being able to then control your profile so that it can continue to spread itself (Like a bad disease), and also then tell you that you need to “download” a file to activate the app. That download in fact being the master malware that will then infect and control your pc (I refer to it as the gatekeeper, as this malware you download in fact just handles what your pc does, so that it can continue to download more and more on your machine. In the same way of what would happen if you gave a burglar the keys to your home, and he was just there to open the door so others can steal from your house).

If you do (or have fallen for these) scams, the 1st thing you need to do is go into the Applications and plugins area in Facebook to remove the rogue app from being allowed access to your account. You do that by doing the following

Application and Plugins (http://www NULL.facebook NULL.com/help/?page=25) › General Application Support: Adding, displaying, and removing applications (http://www NULL.facebook NULL.com/help/?page=964)

How do I remove or delete an application from my account?

You can remove an application you have allowed from the Applications Y…

You can remove an application you have allowed from the Applications You Use (http://www NULL.facebook NULL.com/settings/?tab=applications) page. To get to that page, follow these steps:

Go to the Privacy Settings (http://www NULL.facebook NULL.com/settings/?tab=privacy) page from the “Account” drop-down menu located at the top of any page on Facebook.

Click the “Edit your settings” link under the Applications and Websites section towards the bottom of the page.

Click on the application you’d like to remove. If you don’t see the application listed, you can find it by clicking the Edit Settings button towards the top right-hand side of the page.

You’ll then see an expanded view of your settings for that application. From here, you can click the “Remove application” link. Once you confirm you’d like to remove the application, it will no longer have access to your data and be removed from your profile, bookmarks, and your Applications and Games Dashboards.

Once you have done that, the next step is reviewing your Facebook posts and removing any posts created by the “rogue” application. That is as a courtesy, so that others don’t fall for it from your posts.

Lastly – I recommend downloading the following applications, and running a full scan with each application (one at a time) on your pc.

Superantispyware
Malwarebytes

My suggestion for the simplest way of downloading and installing these 2 apps is by visiting www.ninite.com (http://www NULL.ninite NULL.com) and selecting them (about 1/2 of the page down). Ninite will not only download the apps on to your pc, but also handle the installation of the apps on your pc.

Remember that before running either of the apps, you should find the update tab on each and make sure that the app is updated to the latest definitions. Once each app finishes its “full scan”, clean out whatever each finds, and then reboot and run both apps again. (I know this sounds like a pain) You want to reboot and rerun both apps to make sure that nothing was left behind.

If your scans come up clean, then you should be ok. Until the next adventure in technology (at least)

Alert: You need to make sure your Windows/Office software is up to date. Targeted attacks against recently addressed Microsoft Office vulnerability is now out

Last November, Microsoft released security bulletin MS10-087 (http://www NULL.microsoft NULL.com/technet/security/Bulletin/MS10-087 NULL.mspx), which addresses a number of critical vulnerabilities in how Microsoft Office parses various office file formats. One of them is CVE-2010-3333 (http://cve NULL.mitre NULL.org/cgi-bin/cvename NULL.cgi?name=CVE-2010-3333), “RTF Stack Buffer Overflow Vulnerability,” which could lead to remote code execution via specially crafted RTF data. A few days before Christmas, we received a new sample (sha1: cc47a73118c51b0d32fd88d48863afb1af7b2578) that reliably exploits this vulnerability and is able to execute malicious shellcode which downloads other malware.

The notice that was posted on the Microsoft Protection Center blog ( http://blogs.technet.com/b/mmpc/archive/2010/12/29/targeted-attacks-against-recently-addressed-microsoft-office-vulnerability-cve-2010-3333-ms10-087.aspx (http://blogs NULL.technet NULL.com/b/mmpc/archive/2010/12/29/targeted-attacks-against-recently-addressed-microsoft-office-vulnerability-cve-2010-3333-ms10-087 NULL.aspx) ) concerns a flaw in the Microsoft Office program that was fixed in November. The bad guys have now found a way to exploit the flaw on computers that do NOT have the updated software. This affects you no matter which version of Office or Windows you are running.

Symantec underlined the seriousness of the flaw to CNET’s Elinor Mills in November:

“One of the most dangerous aspects of this vulnerability is that a user doesn’t have to open a malicious e-mail to be infected,” Joshua Talbot, security intelligence manager at Symantec Security Response, said at the time. “All that is required is for the content of the e-mail to appear in Outlook’s Reading Pane. If a user highlights a malicious e-mail to preview it in the Reading Pane, their machine is immediately infected. The same holds true if a user opens Outlook and a malicious e-mail is the most recently received in their in-box; that e-mail will appear in the Reading Pane by default and the computer will be infected.”

So what does this mean to you…….It means that if you receive an email, even if its obvious that the email is bad and you don’t click on it, just by it appearing in the reading pane section, will cause your computer to get infected with malware.

How do you make sure you are protected?

Windows Vista / Windows 7

If you are running Windows Vista or Windows 7 go to start –> Control Panel –> Windows Update

Once in Windows Update –> click on Check for updates –> Once the scan is complete –> system will tell you how many updates you need –> now click on Install updates.

Once you have successfully updated all Windows / Office software your Windows update should look like this.

Windows XP

In Windows XP –> Using Internet Explorer –> Visit the Microsoft Update website (LINK) http://www.update.microsoft.com/microsoftupdate/v6/default.aspx?ln=en-us (http://www NULL.update NULL.microsoft NULL.com/microsoftupdate/v6/default NULL.aspx?ln=en-us)

(IMPORTANT NOTE: In XP – Microsoft has 2 websites for updates. One is called Windows Updates and one is called Microsoft Updates. You want to make sure that you are on the one that says Microsoft Updates as the Windows Updates site does NOT give you Office updates)

Once you are on the site –> Click on Custom and let it scan your pc. (Note you may be asked to run an ActiveX file if this is the 1st time you have been to the site. Just make sure you say you in this case specifically)

You may also get a message about a needed download –> if you do just click on “Download and Install Now”

Once Microsoft Update completes its scan it will show you what updates you are missing

Look under the “High Priority” updates and make sure that you have selected them all

Followed up clicking on “Review and install updates”

This will bring you to the confirmation page. Make sure you have all missing updates selected. You will see 1 final “Install Updates”. Click on it –>

Followed by “I Accept” under the agreements area –> and then watch your updates download and install.

After the updates install –> Reboot pc –> and visit site again to see if you have any remaining updates. Continue the steps until you get 0 (zero) remaining “High Priority” updates.

Once you are at 0 (Zero) now your Windows / Office software is up to date.

(FINAL NOTE: This does NOT mean you are free and clear, as always you need to take care of precautions when surfing the Internet. There are still many other ways you can have your computer compromised)

Alert: Be careful shopping this coming Cyber Monday (11/29) as the bad guys are looking for easy victims

As always the bad guys are online, out to try and steal from unknowing victims this holiday season. With the popularity of Online Shopping, it has never been easier for a bad guy to steal from you without ever having to leave his home. The following post below comes from Panda Labs (LINK: http://pandalabs.pandasecurity.com/blackhat-friday-and-cybercrime-monday/ (http://pandalabs NULL.pandasecurity NULL.com/blackhat-friday-and-cybercrime-monday/) ), showing how crooks are manipulating search engines to trick users. As always, just because you are shopping online that doesn’t mean that you don’t have top pay attention. Always make sure to keep your Cyber Guard up.

*******************************************************************************************************************************************

Black(hat) Friday and Cyber(crime) Monday

by Sean-Paul Correll (http://pandalabs NULL.pandasecurity NULL.com/author/sean-paul-correll/)

You may be in for more than you bargained for if you plan on looking for the latest Black Friday or Cyber Monday deals online. Cyber criminals are quick to capitalize on new opportunities and have already done so by optimizing their Blackhat SEO campaigns to infect those looking for those hot ticket item deals.

The following image is a malicious search result aimed at innocent users looking for Black Friday deals at a popular U.S. based retail chain:

Best Buy/Black Friday Malicious Search Result (http://pandalabs NULL.pandasecurity NULL.com/wp-content/uploads/2010/11/bestbuy_malicious_search NULL.png)

Best Buy/Black Friday Malicious Search Result

Clicking on the link in the Firefox browser will redirect you to a fake Firefox “update” website, which will then infect your computer with fake antivirus software:

Fake Firefox Update Website (http://pandalabs NULL.pandasecurity NULL.com/wp-content/uploads/2010/11/fakefirefoxupdate NULL.png)

Fake Firefox Update Website

Clicking the link in Internet Explorer (or any other browser) will lead you directly to the fake antivirus scan page:

Rogueware "Fake Antivirus" Page (http://pandalabs NULL.pandasecurity NULL.com/wp-content/uploads/2010/11/Roguewarepage NULL.png)

Rogueware “Fake Antivirus” Page

ALERT: Windows Live Messenger 2009 Users–“Active links in Messenger 2009 temporarily turned off to prevent a malicious worm”

Microsoft has announced via the Windows Team Blog (LINK) http://windowsteamblog.com/windows_live/b/windowslive/archive/2010/11/12/security-alert-active-links-in-messenger-2009-temporarily-turned-off-to-prevent-a-malicious-worm.aspx (http://windowsteamblog NULL.com/windows_live/b/windowslive/archive/2010/11/12/security-alert-active-links-in-messenger-2009-temporarily-turned-off-to-prevent-a-malicious-worm NULL.aspx) that they are now blocking Active links in Windows Live Messenger 2009. What that means is that when you are in a chat with someone, if a link appears that you will NOT be able to directly click on it to open the link. If you wish to see the link you will need to copy it from the chat window and then past it into your browser.

Keep in mind that not only in WLM chat but in all chat programs there is always a possibility of receiving “Rogue” links that were not actually sent by the person who you are talking to. If you ever receive a link via chat, you want to make sure and check with the person you are talking to, so that you can confirm if its legit or not.

Those who click on the malicious link, will download a Worm (a form of virus), which will install on your pc, and then use your pc to send itself to all your friends links. As always you should make sure you have an up to date Antivirus.

A particularly malicious worm (a self-replicating computer virus) is currently trying to spread itself through many of the world’s largest instant messaging and social networks, including Windows Live Messenger 2009. We’re very serious about protecting our customers, and are pursuing multiple avenues to help stop its progress. The worm spreads by inserting a link into an IM conversation with a person whose computer is already infected. When someone clicks the link, it opens in a browser, downloads the worm on the recipient’s computer, and then repeats this process.

Normally, when Messenger sees a web address in a conversation it is turned into a hyperlink which, when clicked, automatically opens in a web browser. This feature makes it very easy for the malicious worm to be unknowingly installed on your computer by clicking on the link and being sent to a web site containing the malicious software. We’re pursuing a number of activities to help protect you, working actively with industry experts and law enforcement to help stop this criminal activity.

Most notably, we’ve temporarily turned off active hyperlinks for web addresses sent in IM conversations using Windows Live Messenger 2009. You will still be able to copy a web address and paste it into a browser window if you know it to be safe, but by removing active hyperlinks from Messenger 2009, we’re taking a significant step towards stopping the unintentional spreading of this worm.

Because we’ve now blocked active links in Messenger 2009, starting today, some customers may also see a notification in the main Messenger window warning them that some features might not be available.

Messenger warning message (http://windowsteamblog NULL.com/cfs-file NULL.ashx/__key/CommunityServer-Blogs-Components-WeblogFiles/00-00-00-53-82-metablogapi/6116 NULL.messenger_2D00_warning_5F00_3E135389 NULL.png)

Messenger 2011 is not impacted in the same way, thanks to its Link Safety feature. However, we are actively monitoring the situation and investigating different approaches to help protect customers using the latest version of Messenger, should the situation change.

As always, we encourage customers to exercise caution with links to web pages that you receive in IMs, especially if the links are to a web page that you are not familiar with, unsure of the destination of, or suspicious of. Malicious software may be installed in your computer simply by visiting a web page with harmful content.

If you think your computer may have already been infected by a malicious worm, check the , please visit the Security TechCenter on Microsoft TechNet (http://technet NULL.microsoft NULL.com/en-us/security/default NULL.aspx), and then download and use the malicious software removal tool (http://www NULL.microsoft NULL.com/security/malwareremove/default NULL.aspx). For additional help with Messenger, check out the Messenger Solution Center (http://windowslivehelp NULL.com/product NULL.aspx?productid=2).

ALERT: New Rogueware–This one can detect which browser your using and customize the fake alert to the browser you are using

In a never ending effort to inform the visitors to TGM, here is another ALERT concerning a new version of Rogueware (Rogue:MSIL/Zeven (http://www NULL.microsoft NULL.com/security/portal/Threat/Encyclopedia/Entry NULL.aspx?Name=Rogue:MSIL/Zeven)) that can actually figure out what web browser you are using and then customize the fake message to look like a standard message for the browser you are using. As always the reason these types of attacks work is because of the social engineering aspect, most people don’t know any better, they assume that if the message pops up on their pc the “it must be true”. Unfortunately the messages that you will see as a result of the Rogueware are nothing more than a trick to get control of your pc.

The following article (Written by Daniel Radu of the Microsoft Malware Protection Center) comes from the Microsoft TechNet Blog (LINK) http://blogs.technet.com/b/mmpc/archive/2010/09/01/rogue-msil-zeven-wants-a-piece-of-the-microsoft-security-essentials-pie.aspx (http://blogs NULL.technet NULL.com/b/mmpc/archive/2010/09/01/rogue-msil-zeven-wants-a-piece-of-the-microsoft-security-essentials-pie NULL.aspx) . You should pay close attention to what the fake alert can look at in each of the browsers (At the bottom of the message you get “Upgrade to a reliable solution”).

**************************************************************************************************************************************

Rogue:MSIL/Zeven wants a piece of the Microsoft Security Essentials pie

A new rogue has started making its appearance from compromised websites: Rogue:MSIL/Zeven (http://www NULL.microsoft NULL.com/security/portal/Threat/Encyclopedia/Entry NULL.aspx?Name=Rogue:MSIL/Zeven). We received a sample (70be8ca73142922fd78acf2aafa9f141a977f15a) and a URL and began our investigation.

Let us say from the beginning that the guys behind this rogue like to copy big-time. They start by auto-detecting what browser the user is currently using, and then faking the malware warning page if the browser is Internet Explorer, Chrome, or Firefox. This is meant to be a social engineering scheme in order to trick the user into downloading and installing the rogue, relying on the user’s trust of his day-to-day browser.

The similarity between the fake warning pages is so accurate that it can trick even highly trained eyes.

In the Firefox page, for example, you can see it’s not the real warning page because they misspelled ‘out’ and wrote ‘Get me our of here’.

Chrome

Internet Explorer

But for all three browsers, a common indication that you are not looking at the actual browser warning is the offer of some sort of an “update” or “solution”. All the “updates” point to a copy of MSIL/Zeven that promises to provide “a new approach to windows detection”. Internet Explorer, Firefox, and Chrome do not offer such a solution when a website is blocked.

When installed, the product looks very genuine: it allows you to scan files, tells you when you’re behind on doing your updates, and enables you to tweak your security and privacy settings. These features are usually available in various legitimate antivirus solutions. However, the features don’t work; everything is there just to look nice, not to offer any kind of protection (just like in all other rogue antivirus programs).

Of course once it scans your computer it’s bound to claim it found something scary (malicious), as shown below:

As usual with rogue scanners, although it “found” malicious files, it claims it cannot delete them unless you update. That implies that you need to pay for the full version, which has the ability to download updates. However, these files are totally bogus; no such files exist in the user’s computer.

If you decide to buy the product, this rogue opens an HTML window enabled with ‘Safe Browsing Mode’ and high strength encryption to “help” and ”protect” you while completing your purchase. Of course these features are totally worthless and don’t actually do anything in the way of securing your credit card details.

The main page of the rogue antivirus program itself looks awfully close to the Microsoft Security Essentials webpage – more copying from the bad guys. The people behind it have even copied the awards received by Microsoft Security Essentials and link to the Microsoft Malware Protection Center - pretty sneaky of them.

This is a screenshot of the rogue’s main webpage:

And, by way of contrast, this is a screenshot of the genuine Microsoft Security Essentials (http://www NULL.microsoft NULL.com/security_essentials/) page:

It seems that these guys want to profit on the good reputation and success of Microsoft Security Essentials in order to make money – but we remind our customers that Microsoft Security Essentials can be downloaded at no cost. And it really does protect your computer from malware!

We detect both the downloader of the rogue and the rogue itself as Rogue:MSIL/Zeven (http://www NULL.microsoft NULL.com/security/portal/Threat/Encyclopedia/Entry NULL.aspx?Name=Rogue:MSIL/Zeven).

Until our next encounter: browse safely!

Daniel Radu
MMPC Dublin

Alert: How to deal with Rogueware software when it tries to load on your computer.

While surfing the web today I ran across a another version of the installer that tries to load one FAKE antivirus software (Antivirus 2010 is one of the most common names). The following can come up if you visit an infected website. The site that triggered these pop ups is a well known site, so do not assume that just because you are on a MAJOR website that you are not at risk.

What to look our for

As soon as you get to the website, the following pop up appears. **This is why it is important to read messages before clicking ok.

What you probably wont see (unless you drag the window above around the screen) is the little window (as shown below) that opens directly behind the main window. If you were to expand the little window you will see that its for 1anetantispy.

If you click on the OK button above you will get infected.

What to do if you see the AV check Window

1 – DO NOT CLICK ON ANY OF THE POP UP WINDOWS.

2 – On your computer click on the start button –> click on Run (or type Run in the search box) –> Once you get the run box, type taskmgr into the Run box and press OK

3 – This will open up the Windows Task Manager. Look for all items that involve the browser you are using. (In the example below, its Internet Explorer) Highlight each item and then click End Task. Once all the browser windows close

4 – (A) If you are using Internet Explorer go to Tools –> Options –> and Click on Delete Browser History. (B) If you are using Firefox, go to Tools –> Options – > Privacy –> and click where it says “Clear you current history”.

Alert: Desktop Security2010 – Another Rogueware program which seems to be spreading fast. This is NOT something you want on your pc.

Job security is the probability that an individual will keep his or her job, and with the rate of computer clean up that I have to do that unfortunately seems to be going up and not down, I think I have job security for a while (Honestly, this is not the kind of job security that I want). We have had many posts on TGM about viruses, spyware, rogueware, yet the “my computer is infected” calls continue to come in, as people continue to fall for the tricks that get them infected.

The latest rogueware infection is called DesktopSecurity2010. What will happen if you get infected with the DesktopSecurity2010 rogueware

DesktopSecurity2010 is an adware program that warns users of non-existing threats in their computers so that they purchase a certain program that removes them from the computer.
Additionally, in order to make users think that their computer is really infected, it displays a warning message when the computer is restarted, and from time to time the screen fades to black and other times blinks with different colors.
DesktopSecurity2010 can reach the computer when the user accesses certain websites which display banners or pop-up windows which lead to the download of this program. It can also reach the computer in a link that can be received via spam messages, fraudulent websites, etc.

What should you look out for when web surfing

DesktopSecurity2010 is easy to recognize, as it shows the symptoms below (These are some possible symptoms, you can still get infected without seeing these):

It reaches the computer in a file with the following icon:
When it is run, a screen to install the program is displayed:
Once installed, it starts to carry out a system scan in search for possible malware and once finished, it displays warning messages informing users that the computer is infected:

One of the known ways that the rogueware is installing

The following post on the PandaLabs site (LINK: http://pandalabs.pandasecurity.com/making-new-friends%e2%80%a6/ (http://pandalabs NULL.pandasecurity NULL.com/making-new-friends%e2%80%a6/)) shows 1 of the ways you can get infected. Two of the clean up jobs that I have had to do in this past week occurred because the user also fell for a greeting card email as described below (Confirmed).

Making new friends…

Posted on 05/13/10 by Olaiz

I’m very happy because I’ve received a greeting card via email from a new friend, thought it’s not my birthday, my saint’s day or anything like that :-)

Look what a nice card I’ve received:

Google_groups_email_en

Besides, it has been sent from 123greetings, which is a legal website to download and send cards, so it must be trustworthy.

I’ve clicked the picture of the message and I’ve been redirected to the website http://luxxxx.googlegroups.com/web/setup.zip, but I can’t see any greeting card here, but a Google groups website containing a link… maybe I have to follow the link in order to view it…

There’s no way. I can only see the Windows of an antivirus called DesktopSecurity2010 (http://www NULL.pandasecurity NULL.com/homeusers/security-info/218297/DesktopSecurity2010) informing me that my computer is infected and that I have to pay the license in order to eliminate the malware. I think that I got infected :-( and I have neither a greeting card nor a new friend…

Now, talking seriously, yesterday we commented how this false antivirus was using Google Groups users (with malicious intentions) to be distributed. In fact, the URL from which the rogueware is downloaded is like the following:

http://Google Groups user.googlegroups.com/web/setup.zip

Some of these users are felixss, gorlum or misterxyz.

Google has reacted to this and has started blocking these malicious users. So, if you try to access any URL that uses these malicious users, the following message is displayed informing you that the user cannot be found:

Google_groups

Even so, some malicious accounts may still be active, so don’t trust messages like this and don’t follow any link like those we’ve previously mentioned in this post.

So what can you do to help protect yourself

If you get a link, email, instant message, asking you or telling about something you were not expecting, even if it seems to be from someone you know, DO NOT TRUST IT! Getting a message from grandma saying check out the new pictures i upload and realizing she is 80 years old, ask yourself, does grandma really know how to upload pictures? It only takes a minute to call the person, and get a response to “did you send me….. message”, if they did, they will tell you instantly. If they didn’t they will be the 1st to say “What are you talking about”.
Because of Twitter, the use of link shorting sites seems to have become the norm. The problem is that a link to http://bit.ly/dr9Ucz (http://bit NULL.ly/dr9Ucz) could be a link to many place. How do you know if it is a safe link or not a safe link. Again, even if the link is sent to you by someone you know, DO NOT TRUST IT unless you were specifically expecting it. For the record, http://bit.ly/dr9Ucz (http://bit NULL.ly/dr9Ucz) is actually a link to techgeekandmore.com, and TGM does not list shorten links on the TGM site, because we want you to know where you are clicking to. One thing you can do to check shortened links is visit sites that expand the shortened link. (If you use one of these link expander services and copy the link, be careful to copy the link and NOT accidently double click on the link) Some of the sites you can visit to use to expand links

-> LongURL (LINK: http://longurl.org/ (http://longurl NULL.org/)), PrevURL (LINK: http://www.prevurl.com/index.php (http://www NULL.prevurl NULL.com/index NULL.php)), ExpandMyURL (http://longurl NULL.org/) (LINK: http://www.expandmyurl.com/ (http://longurl NULL.org/)), URL Snoop (http://urlsnoop NULL.com/) (LINK: http://urlsnoop.com/ (http://urlsnoop NULL.com/)), Securi.net (http://sucuri NULL.net/?page=tools&title=check-url) (LINK: http://sucuri.net/?page=tools&title=check-url (http://sucuri NULL.net/?page=tools&title=check-url)). At all the sites, enter the shortened URL and click to find out where the link will lead

-> In addition if you use Firefox to browse the web, you can install LongURLPlease (LINK: http://www.longurlplease.com/ (http://www NULL.longurlplease NULL.com/)), or LongURL (LINK: http://longurl.org/tools (http://longurl NULL.org/tools)), which are Firefox browser extensions that automatically preview the destination URL for shortened links from just about any shortener you can name.

As always make sure that your PC is updated with all the latest Windows Updates, your Anti-virus is updated, your install of JAVA is updated, your install of Adobe Flash player is updated, Your PDF reader is updated. Most viruses, spyware, rogueware use problems with these programs to get into your computer. Use can use sites like File Hippo (LINK: http://www.filehippo.com/ (http://www NULL.filehippo NULL.com/) ) to check and make sure your programs are up to date.

What to do if you do get infected

If you still get infected, you can use SuperAntispyware and Malwarebytes programs to clean your machine, I recommend downloading both before you get any infection. Run them on a regular basis (Regular = once a week or so), even if your computer does not show any signs of issues.

To download both programs I recommend using Ninite (LINK: ninite.com)

If you would like to see more information on ninite you can see the TGM post http://www.techgeekandmore.com/2009/12/25/software-two-must-haves-for-the-new-pc-pc-decrapifier-and-ninite/

If after running SuperAntispyware and Malwarebytes, you are still infected, then you will need to use a PE (Physical Environment) disk. The PE disk that TGM recommends is UBCD (LINK: http://www.ubcd4win.com (http://www NULL.ubcd4win NULL.com)). The how to for the UBCD can be found at http://www.ubcd4win.com/howto.htm (http://www NULL.ubcd4win NULL.com/howto NULL.htm) .

Tech Geek and More

Technology Explained for All

Category Archives: Virus