" />

Tech Geek and More

Technology Explained for All


Alert: Another Fake Anti-Virus program

If anything can get under my skin, this will do it.  It seems we have another “Anti-Virus” program out there whose only goal is to scare the user (who probably doesn’t know any better) into believing that the “sky is falling” and then requiring them to give up their credit card number in order not to get hit with the “falling sky”.  I’ve had to spend a lot of my time this past week cleaning this one up because a couple of clients didn’t know any better. There have been numerous versions of this malware scam over the past few years; some examples are:

A

* Ad-Protect
* AlfaCleaner
* Antispyware Soldier
* Anti-virus 2008
* Anti-Virus 2009
* AntiVermins
* AntiVirGear
* AntivirusGold

B

* BraveSentry
* BreakSpyware

C

* CmdService
* ContraVirus

D

* DeluxeCommunications
* Dr. AntiSpy

E

* ErrorSafe

M

* MalwareWipe
* MrAntispy
* Mirar
* Movieland
* MySpyProtector

P

* PestCapture
* Pest Trap
* Popcorn.net
* PSGuard

S

* Seekmo
* Smitfraud
* SpyAxe
* SpyCrush
* SpyDawn
* SpyFalcon
* SpyHeal
* SpyLocked
* SpyLocker
* SpyMarshal
* SpySheriff
* SpyShield
* SpySoldier
* SpywareKnight
* SpywareLocked
* SpywareQuake
* SpywareStrike
* Starware
* SystemDoctor

T

* Toolbar888

U

* UnSpyPC

V

* VirusBlast
* VirusBurst
* VirusBurster
* VirusRay
* VirusRescue

W

* Winfixer

Z

* Zango Search
* Zlob

And now joining the list of rogue anti-virus programs is SaveSoldier. Here is the information on the malware from the Panda website ( http://www.pandasecurity.com/homeusers/security-info/212755/SaveSoldier ).

Effects

SaveSoldier is an adware program that carries out the following actions:

  • It reaches the computer downloaded from the following website:
  • When the file is run, it is installed in the affected computer and starts scanning the system in search for possible malware.
  • Once ended, it displays a warning message like the following, informing users that their computer is infected:
  • If the button "Remind me later" is clicked, the interface of the program is displayed, which is like the following image:
  • If users decide to follow the program’s instructions and remove the threats, the program will require a registration code:
  • This code is obtained after purchasing the antivirus solution. Therefore, the user will be redirected to a website where it can be purchased:
  • On the other hand, if users do not follow the program’s recommendations, it will display warning messages like the following to make them think their computer is infected:


Infection strategy

SaveSoldier creates a directory called SaveSoldier in the folder SaveSoldier Software (created by itself) of the Program Files directory and a group of programs with the same name in the Start menu.

SaveSoldier creates the following files in the folder SaveSoldier Software\SaveSoldier of the Program Files directory:

  • SAVESOLDIER.EXE, which is a copy of itself.
  • SAVESOLDIERSVC.EXE
  • UNINSTALL.EXE

SaveSoldier creates the following entries in the Windows Registry:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    SaveSoldier = C:\Program Files\SaveSoldier Software\SaveSoldier\SaveSoldier.exe – min
    By creating this entry, SaveSoldier ensures that it is run whenever Windows is started.
  • HKEY_LOCAL_MACHINE\SOFTWARE\SaveSoldier
    Install_Dir = C:\Program Files\SaveSoldier Software\SaveSoldier
    By creating this entry, SaveSoldier creates a new directory.
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SaveSoldier
    DisplayName = SaveSoldier
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SaveSoldier
    UninstallString = C:\Program Files\SaveSoldier Software\SaveSoldier\uninstall.exe
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SAVESOLDIERSVC\0000
    Class = LegacyDriver
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SAVESOLDIERSVC\0000
    ClassGUID = {8ECC055D-047F-11D1-A537-0000F8753ED1}
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SAVESOLDIERSVC\0000
    DeviceDesc = SaveSoldier Security Service
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SAVESOLDIERSVC\0000
    Service = SaveSoldierSvc
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SAVESOLDIERSVC\0000\Control
    ActiveService = SaveSoldierSvc
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SaveSoldierSvc
    DisplayName = SaveSoldier Security Service
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SaveSoldierSvc
    ImagePath = C:\Program Files\SaveSoldier Software\SaveSoldier\SaveSoldierSvc.exe
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SaveSoldierSvc\Enum
    0 = Root\LEGACY_SAVESOLDIERSVC\0000
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SaveSoldierSvc
    Start
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SaveSoldierSvc\Security
    Security
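The files and registry entries above are exactly what a defender looks for when triaging a machine. As an added example (not code from the Panda write-up or from this blog), here is a small Python script that parses a Windows `reg export` file and flags every value that launches a binary from the SaveSoldier install directory, which catches both the Run-key autostart and the service ImagePath. The embedded .reg text and the benign "ExampleUpdater" entry are constructed samples, not a real capture.

```python
import re
from typing import Dict, List, Tuple

# Artifacts documented for SaveSoldier in the write-up above.
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
SERVICE_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SaveSoldierSvc"
INSTALL_DIR = r"C:\Program Files\SaveSoldier Software\SaveSoldier"

# Constructed sample of a `reg export` taken on an infected machine (not a real capture).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SaveSoldier"="C:\\Program Files\\SaveSoldier Software\\SaveSoldier\\SaveSoldier.exe -min"
"ExampleUpdater"="C:\\Program Files\\Example\\updater.exe /quiet"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SaveSoldierSvc]
"DisplayName"="SaveSoldier Security Service"
"ImagePath"="C:\\Program Files\\SaveSoldier Software\\SaveSoldier\\SaveSoldierSvc.exe"
"Start"=dword:00000002
'''


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a .reg export into {key path: {value name: data}}; quoted strings are unescaped."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):      # new key section
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$', line)  # "name"=data or @=data
        if m and current is not None:
            name = "(Default)" if m.group(1) == "@" else m.group(2)
            data = m.group(3)
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                data = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
            keys[current][name] = data        # dword:/hex: data is kept verbatim
    return keys


def find_savesoldier_persistence(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (key, value name, data) for every value pointing into the SaveSoldier install dir."""
    needle = INSTALL_DIR.lower()              # case-insensitive, like the Windows filesystem
    return [(key, name, data) for key, values in keys.items()
            for name, data in values.items() if needle in data.lower()]
```

On a live machine the same check is `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg` (and likewise for the service key) followed by `find_savesoldier_persistence(parse_reg_export(open("run.reg").read()))`.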


Means of transmission

SaveSoldier can be voluntarily downloaded from the website belonging to the company that has developed it.


Further Details

SaveSoldier is 712,704 bytes in size.

As additional information, a website that promotes another fake antivirus has been detected. In this case, it is called TrustNinja. The interesting thing is that both the format and content of this website are the same as the website of SaveSoldier. Only the references to SaveSoldier have been replaced with TrustNinja.

The file downloaded from this website is called TRUSTNINJA.EXE and once run, a program with the same interface and functions as SaveSoldier is installed on the computer. Even the fake results displayed when the scan is finished are the same. The only thing that changes is the name of the program.

As always, the 1st line of defense is to not click on every pop up that you see without reading it 1st.  Additionally, if you're not sure what the message or the pop up is for, it's always better to click on deny or no, or at least take the time to run a quick search on Bing or Google with the name of the pop up.  There are many sites out there that will tell you what the pop up is and whether it is safe.

And More: (Soapbox) There isn’t always truth in advertising and Dell customer service/support has “NO CLUE”

     (Notice: This post is entirely based on what just happened to me while attempting to discuss an order I placed Online with Dell, all the information posted is based on my experience)

My son has been wanting an XBox360 for a while now because it has a number of games that are Xbox only games that he wants to play.  He has worked very hard in school and at home (doing everything asked of him), to show me that he deserves to get his Xbox.  So for his birthday (after seeing how hard he has tried) I started looking around the net to order him an Xbox, and found the best deal from the Dell Website.  (I have a screenshot of the page from Dell’s site; I also found the discount coupon code 65G7RQ11J?M2LH from the dealnews site ( http://dealnews.com/Xbox-360-Arcade-Console-for-170-free-shipping/309111.html ) which brought the price to $169 dollars).


The Dell page for the 360 Arcade bundle seemed to me to be a little lacking in information, but this is Dell, this isn’t some person I’ve never met on an e-Bay auction, this is Dell, one of the biggest players in the computer and technology markets, so I didn’t make much of it.  Additionally, prior to making my order, I saw the posting on Microsoft’s own 360 website concerning the XBox360 arcade edition ( http://www.xbox.com/en-US/hardware/x/xbox360arcadesystem/ ) which told me that the 360 arcade bundle came with a 5 game CD (Pac-Man, Uno, etc.). Even though the information was lacking on the website, Dell posted a picture that shows the console, cable, controller, memory card, and arcade CD, and it's Dell, so that's what I should get, or so I figured. WRONG!!!!!!!

So there I was and I placed the order online with Dell.  Received the order and waited for my son’s Birthday, which is today.  He was so happy when he unwrapped his gift and saw he had gotten his wish.  Then we started opening the box, and that’s when the fun began.

In the box was the Xbox console, a wireless controller, the power supply, and the cable to the TV.  That's it.  So where was the memory card and the game? (Check out what they show in the Dell picture.)


So I called Dell, and that’s where the “fun” part of my story comes in.  My calls started at 9:30a (EST) and as of 1:30p (EST), I have now been so frustrated and given up to the point where I will just go to my local store (probably GameStop) and buy a used edition of each.  That’s not where my problem is, because if it was just about the $10 or $15 that the 2 missing pieces would cost, I guess this post would have never even occurred. It's about principle and the fact that I called Dell (using both the 800-999-3355 and the 800-624-9897 numbers) and started with customer support (after a 20 min hold time) who said they couldn’t help me because this was not their issue (using those words) and sent me to customer care who told me that …………….ding ding ding. Wait, they could have told me something after I explained what was up, but suddenly I was disconnected and all I got was a loud tone.  (**I’m not saying I was hung up on, but let's see if someone sees a pattern).  So I called back (again 15 min waiting) until I got to customer support and they sent me to customer care who then said that the Xbox comes with only what they sent.  I explained that what I received isn’t what is showing on the ding ding ding ding ding…wait, again I didn’t get to finish what I was explaining because of the same loud tone, and again I’m disconnected).  So I called again, this time, I called customer care directly because I was able to find that number (the 3355 one) on-line. This time (30 min wait) I was told that they have no way of knowing what was supposed to be in the package and that I need to speak to the sales department, so they transferred me to sales to confirm what’s on the order.
Sales gets on the line and starts asking me if I want to start a new order, at which point I explained the story to them and they said they could tell me what was in the package, and I was told that yes, a game and memory card comes with the package…..when I then asked to get back to customer ding ding ding ding (let's see, is there a pattern here or what……), again I’m disconnected with the same loud tone as before.  So I now call customer care back and get back to the same person as before (at least she gave me her extension) and told her that sales said that yes I should have gotten a game. I am now told that what they need to do is order me a new system, for $199 dollars I may add, because they had no way of adding the discount code I used online.  Then I would go back to a different department that would then arrange a return of the system I just got, and I would then get a refund from Dell in a few weeks. The refund of course would be for what I paid on the 1st one, which was less than $199 dollars. When I questioned as to why I would have to pay 2x (in my opinion at least) and, if this was just a game issue, why they couldn’t just send me the missing pieces, ding ding ding ding…..I again get that loud tone and I’m disconnected.  I was going to ask her if I would actually get what I expected if I bothered to jump through that many hoops, since sales said I should but customer care wasn’t sure, but with it “disconnecting” again, I was never even able to ask.

So with that, my son has been able to enjoy his xbox360, due to the fact that a friend from work was nice enough to let me have some of his 360 games this week (after I told him we were getting the Xbox for my son), so that my son would be able to enjoy a few games while we built his collection.  So to Andrew I say thanks, and to Dell I say (well, I can’t say what I really want) NO THANKS!

And to you, who read my posts, I just have this caution: even if the site you're on is as big as Dell, pay very close attention to orders online; you may not always get what you are expecting. A good thing to do is look at the customer rating comments, which I didn’t do, as I now see from Dell’s own site that I am not the only one who was expecting something that he didn’t get.


(End of the soapbox for now)

ALERT: Fake Antivirus software really adware meant to take your money $$$

Story (and pictures) from the Panda Labs website (LINK: http://www.pandasecurity.com/emailhtml/oxygen/022809_ENG_in.htm)

Anti-Virus-1: A new fake antivirus

Anti-Virus-1 is adware, specifically a "fake antivirus". As with all such adware, it is designed to simulate a scan of the computer, supposedly detecting thousands of strains of (non-existent) malware. The end aim is to sell users a pay version of the fake antivirus in order to eliminate the threats.

When run, this adware warns the user that the computer is not protected. The main screen displayed is a spoof of the Windows Security Center.

It then pretends to scan the system for malware. If users do not immediately take the bait and buy the pay version of the fake antivirus, the malicious code will sporadically display a message reminding the user that the computer is infected.

In warning messages, and after the fake scan, a link is provided from which users can download the fake antivirus. Anyone clicking on the link will be redirected to a purchase page.

Additionally, when infected users visit certain Web pages with comparative reviews of antivirus products, they will be redirected to a spoof page showing a review of an ‘antivirus’, called Antivirus2010, with functions and characteristics similar to Anti-Virus-1.

"By doing this, cyber-crooks hope that users will download this adware on their own initiative. This makes it far less likely that users will suspect that they have been infected and consequently more likely that they will buy the fake antivirus", explains Luis Corrons, Technical Director of Panda Labs.

ALERT: Gmail Users Get Phished

After the widespread Gmail outage yesterday, users were hit by a phishing attack over the Gtalk chat client. "The malicious message spread via the Google Talk instant messaging chat system, urging users to view a video by clicking on a link connected via the TinyURL service.


The link points to a website called ViddyHo, which invited users to submit their Gmail usernames and passwords."


When users entered their credentials, the information was logged and the email account was compromised. If you think you may have been subjected to this attack, it is advised that you change your password immediately. The attack was not immediately picked up by Google because it did not use conventional means: by going through the Gtalk client, it bypassed the Gmail mail filters completely.

(*Story information and pictures from http://www.sophos.com/blogs/gc/g/2009/02/25/gmail-users-hit-viddyho)

ALERT: Fake IRS email Phishing Scam

From MSNBC: http://www.msnbc.msn.com/id/29266355/?GT1=43001

Cyber-thieves are clever crooks. They know an e-mail that looks like it’s from the IRS will get your attention. So they send out fake e-mail that says you are about to be audited or are due a big refund. Who could ignore a message like that?
