" />

Tech Geek and More

Technology Explained for All


Alert: Be careful shopping this coming Cyber Monday (11/29) as the bad guys are looking for easy victims

As always, the bad guys are online this holiday season, trying to steal from unsuspecting victims. With the popularity of online shopping, it has never been easier for a crook to steal from you without ever leaving his home. The post below comes from PandaLabs (http://pandalabs.pandasecurity.com/blackhat-friday-and-cybercrime-monday/) and shows how crooks are manipulating search engine results to trick users. Just because you are shopping online doesn't mean you don't have to pay attention. Always keep your cyber guard up.

*******************************************************************************************************************************************

Black(hat) Friday and Cyber(crime) Monday

  • by Sean-Paul Correll (http://pandalabs.pandasecurity.com/author/sean-paul-correll/)

You may be in for more than you bargained for if you plan on looking for the latest Black Friday or Cyber Monday deals online.  Cyber criminals are quick to capitalize on new opportunities and have already done so by optimizing their Blackhat SEO campaigns to infect those looking for those hot ticket item deals.

The following image is a malicious search result aimed at innocent users looking for Black Friday deals at a popular U.S. based retail chain:

[Image: Best Buy/Black Friday malicious search result] (http://pandalabs.pandasecurity.com/wp-content/uploads/2010/11/bestbuy_malicious_search.png)

Clicking on the link in the Firefox browser will redirect you to a fake Firefox “update” website, which will then infect your computer with fake antivirus software:

[Image: fake Firefox update website] (http://pandalabs.pandasecurity.com/wp-content/uploads/2010/11/fakefirefoxupdate.png)

Clicking the link in Internet Explorer (or any other browser) will lead you directly to the fake antivirus scan page:

Rogueware "Fake Antivirus" Page (http://pandalabs NULL.pandasecurity NULL.com/wp-content/uploads/2010/11/Roguewarepage NULL.png)

Rogueware “Fake Antivirus” Page

Giveaway – Panda Cloud Anti-Virus Paid Version Licenses

**Update – 10/4/2010: Due to illness, announcing the winners was a little delayed, but Tech Geek and More would now like to congratulate Mr. G.T., Jesus, John D., and Gitesh. An email has been sent to each of you with instructions for getting Panda Cloud Antivirus Pro. Thank you again to everyone, as always, for visiting TGM.

Alex

Head of TechGeekandMore.com

**********************************************************************************************************************************

After using Panda Cloud Anti-Virus (see the TGM review: http://www.techgeekandmore.com/2010/09/16/panda-antivirus-review-cloud-free-paid-versions-test-recommend/) and seeing first hand how it worked, Tech Geek and More is very happy to be able to give away 4 licenses for the paid version of Panda Cloud Anti-Virus.

If you are interested in getting 1 of the licenses for the paid version of the Panda Cloud software, here is what you need to do (trying to keep it simple):

- Post a comment below this post (with your correct contact info).

The 4 people selected will be notified by email on Wednesday 9/22 (with instructions).

Good Luck

Software: Panda Cloud Antivirus – Review

Last week I was given an opportunity to try Panda's Cloud Anti-Virus solution. I've always believed that I need to use a product directly before I tell others what I think of it; I'm not comfortable going by awards or word of mouth alone. So for the past week I have been running Panda's cloud solution on a couple of computers, and here is what I have found so far.

  • It works simply
  • Its footprint is small

–> I installed the paid version on a Windows 7 Enterprise (32-bit, 500 GB hard drive, 2 GB of memory) Lenovo laptop that is my workhorse machine. My laptop runs about 18 hours a day, 7 days a week. I have seen no slowdowns during boot, during use, or at shutdown. I've been able to run a full Panda scan and still multi-task (connected to customers via GoToMeeting or pcAnywhere while doing documentation, transferring large files, accessing email, streaming music/TV, web surfing, etc.). Previously, when I had other anti-virus products installed on the same machine (Symantec being one of them), the laptop would struggle while a scan was going on.

–> I installed the free version on an Ultra Mobile PC (Samsung) running Windows XP Tablet Edition (32-bit, 40 GB hard drive, 1 GB of memory). The UMPC has struggled with most anti-virus software; however, Panda has been running with no sign of issues. The UMPC is used for handheld software testing for a couple of the customers I serve. Previously the UMPC had been running Microsoft Security Essentials, and MSE would lock up the UMPC every time I tried to do a full hard drive scan; Panda has not had that issue.

  • I have various tools that I use to check whether an anti-virus is working. Everything I threw at it was found and cleaned up.**

**The only issue I discovered is that the software had difficulty cleaning up a PC that was already infected before Panda was installed.

The Panda Cloud software comes in both a free version (for personal use and non-profit organizations only) and a paid version ($29.95 for 1 year / $65.95 for 3 years of coverage). The differences are shown in Panda's comparison chart:

[Image: Panda Cloud Antivirus free vs. paid feature comparison]

So far in my usage of the Panda software, I can feel comfortable saying that I can recommend giving Panda Cloud Software a try.

Alert: Desktop Security2010 – Another Rogueware program which seems to be spreading fast. This is NOT something you want on your pc.

Job security is the probability that an individual will keep his or her job, and with the rate of computer clean-ups I have to do unfortunately going up and not down, I think I have job security for a while (honestly, this is not the kind of job security I want). We have had many posts on TGM about viruses, spyware and rogueware, yet the "my computer is infected" calls keep coming in, as people continue to fall for the tricks that get them infected.

The latest rogueware infection is called DesktopSecurity2010. Here is what happens if you get infected with the DesktopSecurity2010 rogueware:

  • DesktopSecurity2010 is an adware program that warns users of non-existent threats on their computers so that they purchase a certain program that removes them from the computer.
  • Additionally, in order to make users think that their computer is really infected, it displays a warning message when the computer is restarted, and from time to time the screen fades to black and other times blinks with different colors.
  • DesktopSecurity2010 can reach the computer when the user accesses certain websites which display banners or pop-up windows which lead to the download of this program. It can also reach the computer in a link that can be received via spam messages, fraudulent websites, etc.
What should you look out for when web surfing

DesktopSecurity2010 is easy to recognize, as it shows the symptoms below (these are some possible symptoms; you can still get infected without seeing them):

  • It reaches the computer in a file with the following icon:
    [Image: file download icon]
  • When it is run, a screen to install the program is displayed:
    [Image: install screen]
  • Once installed, it starts a system scan in search of possible malware and, once finished, displays warning messages informing users that the computer is infected:
    [Image: infection alert]

 

One of the known ways the rogueware gets installed

The following post on the PandaLabs site (http://pandalabs.pandasecurity.com/making-new-friends%e2%80%a6/) shows one of the ways you can get infected. Two of the clean-up jobs I had to do this past week happened because the user fell for a greeting card email as described below (confirmed).

Making new friends…

  • Posted on 05/13/10 by Olaiz

I'm very happy because I've received a greeting card via email from a new friend, though it's not my birthday, my saint's day or anything like that :-)

Look what a nice card I’ve received:

[Image: the greeting card email]

Besides, it has been sent from 123greetings, which is a legitimate website for downloading and sending cards, so it must be trustworthy.

I clicked the picture in the message and was redirected to the website http://luxxxx.googlegroups.com/web/setup.zip, but I can't see any greeting card here, just a Google Groups page containing a link… maybe I have to follow the link in order to view it…

No way. All I can see is the window of an antivirus called DesktopSecurity2010 (http://www.pandasecurity.com/homeusers/security-info/218297/DesktopSecurity2010) informing me that my computer is infected and that I have to pay for a license in order to eliminate the malware. I think I got infected :-( and I have neither a greeting card nor a new friend…

Now, seriously: yesterday we commented on how this fake antivirus was using Google Groups users (with malicious intentions) to distribute itself. In fact, the URL the rogueware is downloaded from looks like the following:

http://<Google Groups user>.googlegroups.com/web/setup.zip

Some of these users are felixss, gorlum or misterxyz.

Google has reacted and has started blocking these malicious users, so if you try to access any URL that uses one of them, the following message is displayed, informing you that the user cannot be found:

[Image: Google Groups "user not found" message]

Even so, some malicious accounts may still be active, so don't trust messages like this and don't follow links like the ones mentioned in this post.

So what can you do to help protect yourself
  • If you get a link, email or instant message asking you about or telling you about something you were not expecting, even if it seems to be from someone you know, DO NOT TRUST IT! If you get a message from grandma saying "check out the new pictures I uploaded" and realize she is 80 years old, ask yourself: does grandma really know how to upload pictures? It only takes a minute to call the person and ask "did you send me … message?" If they did, they will tell you instantly. If they didn't, they will be the first to say "What are you talking about?"
  • Because of Twitter, the use of link shortening sites seems to have become the norm. The problem is that a link like http://bit.ly/dr9Ucz could lead to many places. How do you know whether it is a safe link or not? Again, even if the link is sent to you by someone you know, DO NOT TRUST IT unless you were specifically expecting it. For the record, http://bit.ly/dr9Ucz is actually a link to techgeekandmore.com, and TGM does not use shortened links on the TGM site, because we want you to know where you are clicking to. One thing you can do to check a shortened link is visit a site that expands it. (If you use one of these link expander services and copy the link, be careful to copy the link and NOT accidentally double-click on it.) Some of the sites you can use to expand links:

-> LongURL (http://longurl.org/), PrevURL (http://www.prevurl.com/index.php), ExpandMyURL (http://www.expandmyurl.com/), URL Snoop (http://urlsnoop.com/), Sucuri (http://sucuri.net/?page=tools&title=check-url). At each site, enter the shortened URL and click to find out where the link leads.

-> In addition, if you use Firefox to browse the web, you can install LongURLPlease (http://www.longurlplease.com/) or LongURL (http://longurl.org/tools), Firefox browser extensions that automatically preview the destination URL for shortened links from just about any shortener you can name.
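If you would rather not paste a link into a third-party site, here is a small expander you can run locally. This is an added example written for this post, not code from TGM or from any of the expander services above. It follows one redirect at a time with HEAD requests, refuses to leave http/https (so a hop to ftp:// or file:// is reported rather than followed), caps the number of hops, detects loops, and never downloads the final page. The short.example and tracker.example hosts and the responses in FAKE_WEB are constructed so the demo runs offline; pass the default fetcher to expand a real link.

```python
"""Expand a shortened URL one redirect hop at a time, without loading the
final page. Added example for this post (not code from TGM or from any of
the expander sites above). Hosts in FAKE_WEB are constructed for the
offline demo; http_head() is the real fetcher.
"""
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

MAX_HOPS = 10
REDIRECTS = (301, 302, 303, 307, 308)


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following 3xx responses on its own."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_head(url):
    """Real fetcher: HEAD one URL, return (status, Location header or None)."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        # With redirects disabled a 3xx surfaces as HTTPError; keep its headers
        return err.code, err.headers.get("Location")


def expand(url, fetch=http_head, max_hops=MAX_HOPS):
    """Return every URL in the redirect chain, short link first, final page last.

    Raises ValueError for a non-http(s) hop, a loop, or too many hops.
    """
    chain = [url]
    while True:
        current = chain[-1]
        if urlsplit(current).scheme.lower() not in ("http", "https"):
            raise ValueError("refusing non-http hop: %s" % current)
        status, location = fetch(current)
        if status not in REDIRECTS or not location:
            return chain
        nxt = urljoin(current, location)  # Location may be relative
        if nxt in chain:
            raise ValueError("redirect loop at %s" % nxt)
        if len(chain) >= max_hops:
            raise ValueError("more than %d hops, giving up" % max_hops)
        chain.append(nxt)


# Constructed offline stand-in for a shortener, a tracker and a landing page
FAKE_WEB = {
    "http://short.example/abc": (301, "http://tracker.example/r?to=1"),
    "http://tracker.example/r?to=1": (302, "/landing"),
    "http://tracker.example/landing": (200, None),
    "http://short.example/loop": (302, "http://short.example/loop2"),
    "http://short.example/loop2": (302, "http://short.example/loop"),
    "http://short.example/dl": (302, "ftp://files.example/setup.zip"),
}


def fake_fetch(url):
    """Offline fetcher that answers from FAKE_WEB."""
    return FAKE_WEB.get(url, (404, None))


if __name__ == "__main__":
    print(" -> ".join(expand("http://short.example/abc", fetch=fake_fetch)))
    for short in ("http://short.example/loop", "http://short.example/dl"):
        try:
            expand(short, fetch=fake_fetch)
        except ValueError as err:
            print("rejected:", err)
```

A HEAD request still tells the shortener (and any tracker in the chain) that the link was opened, so this is about not executing whatever sits at the end, not about being invisible.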

  • As always, make sure that your PC has all the latest Windows Updates, that your anti-virus is updated, and that your installs of Java, Adobe Flash Player and your PDF reader are updated. Most viruses, spyware and rogueware use vulnerabilities in these programs to get into your computer. You can use sites like FileHippo (http://www.filehippo.com/) to check that your programs are up to date.
What to do if you do get infected

If you still get infected, you can use the SuperAntiSpyware and Malwarebytes programs to clean your machine; I recommend downloading both before you get any infection. Run them on a regular basis (regular = once a week or so), even if your computer shows no signs of issues.

To download both programs I recommend using Ninite (http://ninite.com).

If you would like more information on Ninite, see the TGM post http://www.techgeekandmore.com/2009/12/25/software-two-must-haves-for-the-new-pc-pc-decrapifier-and-ninite/

If after running SuperAntiSpyware and Malwarebytes you are still infected, you will need to use a PE (Windows Preinstallation Environment) boot disk, so you can scan the drive without booting the infected Windows install. The PE disk TGM recommends is UBCD4Win (http://www.ubcd4win.com). The how-to for UBCD4Win can be found at http://www.ubcd4win.com/howto.htm.

Alert: Fake IRS email scam. This is from the PandaLabs website

With April 15th and the US tax deadline just a few days away, here is an alert from the PandaLabs website (http://pandalabs.pandasecurity.com/). This alert goes out especially to all those internet users who seem to believe everything they get in an email (you know who you are).

***************************************************************************************************************

From the PandaLabs website (http://pandalabs.pandasecurity.com/irs-1042-w-identity-theft-scam/)

IRS 1042-W Identity Theft Scam

  • Posted on 04/9/10 by Sean-Paul Correll (http://pandalabs.pandasecurity.com/author/sean-paul-correll/)

It’s tax season in the United States and the April 15th filing deadline is approaching quickly. Every year around this time U.S. citizens stress about getting their finances in order and reported to the Internal Revenue Service in time to avoid penalties. Careful though, because that nervousness might just help a cyber criminal steal your identity. A fake IRS Tax Form (1042-W, which apparently doesn’t even exist) has been spammed out and is currently circulating on the Internet.

The e-mail arrives disguised as an official correspondence (irs@irs.gov) from a rep named Cindy at the Internal Revenue Service.

[Image: fake IRS e-mail]

Two PDF attachments are included with the email, both of which were authored in Microsoft Word 2007.

[Image: fake IRS PDF documents (1042-S B.PDF and 1042-S A.PDF)]

The first document introduces the 1042-W form and reads:

Dear Sir/Madam,

Our record indicates that you have not submitted your form 1042-W. As a result, you are exempted from United States of America Tax reporting and withholdings, on interest paid you on your account and other financial dealing to protect your exemption from tax on your account and other financial benefit in rectifying your exemption status.

Therefore, you are to authenticate the following by completing form 1042-W, and return to us as soon as possible through the fax number: +1-780-669-7364

[Image: fake IRS document]

The second PDF document is the form itself.  It asks for the following:

  1. Name
  2. Date of Birth
  3. Nationality
  4. Place of Birth
  5. Address
  6. Passport Number
  7. Mothers Maiden Name
  8. Social Security Number
  9. Profession
  10. Bank Name/Account/Pin – Date bank account was opened and branch location
  11. Attached photocopy of passport

[Image: fake IRS tax form (1042-W)]

After completing the form, the instructions call for faxing it over to a phone number (+1-780-669-7364) located in Alberta, Canada.

Sending this form over to the criminals would most definitely result in a stolen identity.  The IRS has stressed year after year that it does not make unsolicited requests via e-mail.    Here are some tips on how to spot an IRS scam and what to do if you receive one in your inbox:

How to Spot a Scam

Many e-mail scams are fairly sophisticated and hard to detect. However, there are signs to watch for, such as an e-mail that:

  • Requests detailed or an unusual amount of personal and/or financial information, such as name, SSN, bank or credit card account numbers or security-related information, such as mother’s maiden name, either in the e-mail itself or on another site to which a link in the e-mail sends the recipient.
  • Dangles bait to get the recipient to respond to the e-mail, such as mentioning a tax refund or offering to pay the recipient to participate in an IRS survey.
  • Threatens a consequence for not responding to the e-mail, such as additional taxes or blocking access to the recipient’s funds.
  • Gets the Internal Revenue Service or other federal agency names wrong.
  • Uses incorrect grammar or odd phrasing (many of the e-mail scams originate overseas and are written by non-native English speakers).
  • Uses a really long address in any link contained in the e-mail message or one that does not start with the actual IRS Web site address (www.irs.gov). To see the actual link address, or url, move the mouse over the link included in the text of the e-mail.

What to Do

The IRS does not initiate taxpayer contact via unsolicited e-mail or ask for personal identifying or financial information via e-mail. If you receive a suspicious e-mail claiming to come from the IRS, take the following steps:

  • Do not open any attachments to the e-mail, in case they contain malicious code that will infect your computer.
  • Do not click on any links, for the same reason. Also, be aware that the links often connect to a phony IRS Web site that appears authentic and then prompts the victim for personal identifiers, bank or credit card account numbers or PINs. The phony Web sites appear legitimate because the appearance and much of the content are directly copied from an actual page on the IRS Web site and then modified by the scammers for their own purposes.
  • Contact the IRS at 1-800-829-1040 to determine whether the IRS is trying to contact you.
  • Forward the suspicious e-mail or URL to the IRS mailbox phishing@irs.gov, then delete the e-mail from your inbox.
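The last "how to spot a scam" item says to look at where a link really goes rather than at what it says. As an added example (not code from PandaLabs or the IRS), the check below does that mechanically: it parses the link and compares the host name the browser would actually connect to against irs.gov, instead of testing whether the link text starts with www.irs.gov. The difference matters because a string prefix is easily faked: www.irs.gov.refund-status.example.net is not the IRS, and in http://www.irs.gov@203.0.113.5/ the browser connects to 203.0.113.5 and treats "www.irs.gov" as a user name. Every link in SAMPLE_LINKS is constructed.

```python
"""Decide whether a link in an e-mail really leads to irs.gov.

Added example for this post; not code from PandaLabs or the IRS.
It compares the parsed host name, not the link text, against the
trusted domain. All sample links are constructed.
"""
from urllib.parse import urlsplit

TRUSTED_DOMAINS = ("irs.gov",)  # assumption: the IRS's own domain only


def link_host(url):
    """Host the browser would connect to (lowercase), or None if not http(s)."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ("http", "https"):
        return None
    # .hostname drops any user:pass@ prefix and the port, and lowercases
    return parts.hostname


def is_trusted_link(url, trusted=TRUSTED_DOMAINS):
    """True only if the host is the trusted domain or a subdomain of it."""
    host = link_host(url)
    if not host:
        return False
    return any(host == d or host.endswith("." + d) for d in trusted)


def naive_prefix_check(url):
    """The string test a reader might write; kept only to show how it fails."""
    return url.lower().startswith(("http://www.irs.gov", "https://www.irs.gov"))


def classify(url):
    """One-line verdict for a link pulled out of an e-mail."""
    host = link_host(url)
    if host is None:
        return "REJECT: not an http/https link"
    if is_trusted_link(url):
        return "ok: host is %s" % host
    return "SUSPICIOUS: host is %s" % host


# Constructed samples: two genuine-looking IRS links and several look-alikes
SAMPLE_LINKS = [
    "https://www.irs.gov/forms-pubs",
    "HTTPS://WWW.IRS.GOV/refund",
    "http://www.irs.gov.refund-status.example.net/1042w",
    "http://www.irs.gov@203.0.113.5/login",
    "http://irs-gov.example.org/",
    "javascript:alert(1)",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print("%-52s prefix=%-5s %s" % (link, naive_prefix_check(link), classify(link)))
```

The endswith test is enough for a single agency domain; a general allowlist needs the public-suffix rules (so that something.co.uk is not treated as a subdomain of co.uk), and look-alike Unicode host names need separate handling. Both are outside this post.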

Alert: BlackHat SEO attack targeting Google Nexus One (Updated) (From Panda Labs Blog)

From the Panda Labs Blog: BlackHat SEO attack targeting Google Nexus One (Updated) (http://pandalabs.pandasecurity.com/blackhat-seo-attack-targeting-google-nexus-one/)

A few days ago Google presented their brand new phone, called Nexus One:

And some days later we find that if a user searches for "buy Nexus One" he will obtain around 4,000 malicious links:

When clicking on any of these links, you will see some of the typical fake antivirus sites:

It will try to infect your computer with a rogueware called LivePcCare. Be careful while searching, and use at least some free web filtering tool, like Web of Trust (http://www.mywot.com/).

Update: 5 out of the 6 first results are malicious, including the 1st and the 2nd one.

Update 2: Now the same crew is using the Haiti earthquake

Alert: Rogueware with new Ransom Technology (This takes it up to a whole new level!)

     The challenge these days seems to be staying ahead of the criminals who try to steal from you via your computer. I get asked almost daily, "Why do I keep having to update my anti-virus, anti-spyware or anti-malware solution?" and "Can't I just update it once and get it over with?" Well, the simple answer is NO!

     Let me ask you this: why do you listen to the traffic report on the radio every morning on the way to work? Isn't finding that route to work where you can stop and get breakfast or your coffee at Starbucks good enough? Won't that get you what you need? Well…… of course the answer is no. We all listen in case one day we hear about a traffic accident or police action or broken water main or…… well, you get the idea. We want to know so that we can take a different route and avoid getting stuck in a traffic mess. Your route may never be affected, but you listen every day anyway, because the one time you don't listen will be the one time your 30 minute commute becomes 4 hours (I did have that happen once; it was a nightmare). Now apply that analogy to updating your software (operating system, applications, and your anti-virus/anti-malware protection): it's basically so that you can hope you never run into that "nightmare situation".

     Now let me tell you a little about the latest nightmare that the bad guys have released onto the internet that you and I travel. This one is called TotalSecurity2009 (from the same people that brought you AntiVirus2008, AntiVirus2009, and many others: http://techgeekandmore.wordpress.com/2009/08/29/alert-another-fake-anti-virus-program/). It does the same things as the others: you go to an infected website and you see a pop-up that says "Your computer is infected, click scan now to clean your machine" (or something to that effect, depending on which one you get).

[Image: Personal AV fake install message]

     Then all of a sudden you start getting pop-ups that look official and legit, and even look like they may be part of your operating system, telling you that "the sky is falling", that you need to buy (insert rogue malware name here), and that you can pay $XX (of course by major credit card) and they will clean your PC for you. That's like having a burglar walk up to your house and say, "Sorry, I just robbed your house; may I now install your new security system to keep me from robbing you again?"

     OK, back to TotalSecurity2009: this one has a new wrinkle, an extra level of sophistication we haven't really seen before. In the past, when you got infected you suffered through a lot of pop-ups and messages, but for the most part all the functions of the PC still worked (except maybe web browsing to a legitimate anti-virus website, since previous ones would redirect your browser so that you would only see the anti-virus pages they wanted you to see). TS2009 is different: it actually locks all your applications and files, except for Internet Explorer, and that is basically so Internet Explorer can keep telling you that you need to pay $79.99 to get the unlock code for TotalSecurity2009 and then use TotalSecurity2009 to clean your system. So in essence, if you're a non-technical person and don't know any better, you will feel like you have no choice but to pay them to release your PC from malware jail.

     Here is the biggest problem with paying them, because to me it really isn't about the $79.99; you will probably never even get billed that amount. What you will have done is given a criminal your name, your information and your credit card number, and in fact it will probably cost you far more than $79.99, with your information out in the open for the bad guys to use (and charge your card) at will until you close and change your accounts.

     The following video comes from Panda Labs (a maker of legitimate anti-virus / anti-malware software) and shows how the rogue malware works and what effect it has on your PC.

[Video: "From Panda Labs: Rogueware with new Ransom Technology" (http://vodpod.com/watch/2362304-from-panda-labs-rogueware-with-new-ranson-technology)]

     Additional information from Panda Labs can be found at http://pandalabs.pandasecurity.com/archive/Rogueware-with-new-Ransomware-Technology_2221_.aspx

Panda Labs has also cracked the rogue anti-virus so that you can unlock your machine if you get infected with this rogue malware. Once you unlock your machine, you can download a 1 month free trial of Panda Global Protection that you can then use to clean your PC: http://www.pandasecurity.com/usa/homeusers/downloads/register?Tipo=1&CodigoProducto=60&Idioma=2&TipoUsuario=12&Country=US&TipoLead=2&Ref=WWUS-GP10-DWN

Additionally, you can download Malwarebytes (http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?part=dl-10804572&subj=dl&tag=button) and SuperAntiSpyware (http://superantispyware.com/) to do additional scanning of your machine to make sure everything is clean.

     Remember, all 3 of these products, plus all other PC security software from a legitimate software company, still need to be updated by you, the user, before scanning or attempting to clean any malware from your PC, because you don't know whether your infection was created weeks ago or 1 hour ago, and all security software needs the latest updates from its maker to give you the best chance of cleaning your PC.

Alert: How malware / viruses can ruin your day

     This demo from the Panda Labs Blog (http://pandalabs.pandasecurity.com/) shows how malware and viruses can make small changes to your online banking screens and fool you into giving up information that can then be used to make unauthorized charges or clean out your bank account. (Click on the "Live Demo" link below or look on the sidebar under VodPod Videos.)

Live Demo: Banking Trojan (http://vimeo.com/6491332) from Panda Security (http://vimeo.com/pandasecurity) on Vimeo.

     I had a client a couple of days ago who asked me to clean her PC of viruses. During the conversation, she mentioned that on top of having to deal with the virus on the PC, she was dealing with her bank because someone got her info and drained her bank account in one evening. She said she didn't know how they did it, because she knew she followed all the rules people know for keeping her information private……

- She would shred old documents

- She had very difficult sign-on passwords

- The only thing she did online was banking at her bank; she would never buy anything online because she was afraid that somehow her info would be compromised (which it was anyway).

     I unfortunately had to explain to her that the virus I was cleaning from her PC was the reason her information was compromised and her bank account drained. The Panda Labs demo in this post shows how, when you normally go to a banking site (they use Bank of America in the example; I should point out that B of A was not the bank my client was using), you get prompted for your Online ID and Online Password. However, as shown, once the machine is infected the entire site looks normal to an untrained eye, except that your sign-on suddenly also asks you to enter your PIN. Considering you are, by all appearances, at your bank's website, most people would not think twice about entering that information. In fact, as shown in the video, the information entered on the sign-in is being sent to criminals, who can then use it to steal from you without ever meeting you in person.

     Just another example of why you need a good anti-virus and a good anti-malware program (and yes, these are 2 different functions) on your machine, and why both programs need to be updated regularly and run regularly to try to keep your PC secure. Also, if you do get infected, you should either directly address the issue and make sure to clean your machine if you know what you're doing, or make sure that a trained professional cleans your machine, before doing any sensitive work on your PC.

Alert: Another Fake Anti-Virus program

     If anything can get under my skin, this will do it. It seems we have another "anti-virus" program out there whose only goal is to scare the user (who probably doesn't know any better) into believing that the "sky is falling" and then requiring them to give up their credit card number in order not to get hit by the "falling sky". I have had to spend a lot of my time this past week cleaning this one up because a couple of clients didn't know any better. There have been numerous versions of this malware scam over the past few years; some examples are:

A

* Ad-Protect
* AlfaCleaner
* Antispyware Soldier
* Anti-virus 2008
* Anti-Virus 2009
* AntiVermins
* AntiVirGear
* AntivirusGold

B

* BraveSentry
* BreakSpyware

C

* CmdService
* ContraVirus

D

* DeluxeCommunications
* Dr. AntiSpy

E

* ErrorSafe

M

* MalwareWipe
* MrAntispy
* Mirar
* Movieland
* MySpyProtector

P

* PestCapture
* Pest Trap
* Popcorn.net
* PSGuard

S

* Seekmo
* Smitfraud
* SpyAxe
* SpyCrush
* SpyDawn
* SpyFalcon
* SpyHeal
* SpyLocked
* SpyLocker
* SpyMarshal
* SpySheriff
* SpyShield
* SpySoldier
* SpywareKnight
* SpywareLocked
* SpywareQuake
* SpywareStrike
* Starware
* SystemDoctor

T

* Toolbar888

U

* UnSpyPC

V

* VirusBlast
* VirusBurst
* VirusBurster
* VirusRay
* VirusRescue

W

* Winfixer

Z

* Zango Search
* Zlob

    and now joining the list of rogue anti-virus programs is SaveSoldier. Here is information on the malware from the Panda website (http://www.pandasecurity.com/homeusers/security-info/212755/SaveSoldier).

Effects

SaveSoldier is an adware program that carries out the following actions:

  • It reaches the computer when downloaded from the following website:
  • When the file is run, it installs itself on the affected computer and starts scanning the system for possible malware.
  • Once the scan ends, it displays a warning message like the following, informing users that their computer is infected:
  • If the "Remind me later" button is clicked, the program's interface is displayed, which looks like the following image:
  • If users decide to follow the program’s instructions and remove the threats, the program requires a registration code:
  • This code is obtained by purchasing the antivirus solution, so the user is redirected to a website where it can be purchased:
  • On the other hand, if users do not follow the program’s recommendations, it displays warning messages like the following to make them think their computer is infected:


Infection strategy

SaveSoldier creates a directory called SaveSoldier in the folder SaveSoldier Software (created by itself) of the Program Files directory and a group of programs with the same name in the Start menu.

SaveSoldier creates the following files in the folder SaveSoldier Software\SaveSoldier of the Program Files directory:

  • SAVESOLDIER.EXE, which is a copy of itself.
  • SAVESOLDIERSVC.EXE
  • UNINSTALL.EXE

SaveSoldier creates the following entries in the Windows Registry:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    SaveSoldier = C:\Program Files\SaveSoldier Software\SaveSoldier\SaveSoldier.exe -min
    By creating this entry, SaveSoldier ensures that it is run whenever Windows is started.
  • HKEY_LOCAL_MACHINE\SOFTWARE\SaveSoldier
    Install_Dir = C:\Program Files\SaveSoldier Software\SaveSoldier
    By creating this entry, SaveSoldier creates a new directory.
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SaveSoldier
    DisplayName = SaveSoldier
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SaveSoldier
    UninstallString = C:\Program Files\SaveSoldier Software\SaveSoldier\uninstall.exe
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SAVESOLDIERSVC\0000
    Class = LegacyDriver
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SAVESOLDIERSVC\0000
    ClassGUID = {8ECC055D-047F-11D1-A537-0000F8753ED1}
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SAVESOLDIERSVC\0000
    DeviceDesc = SaveSoldier Security Service
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SAVESOLDIERSVC\0000
    Service = SaveSoldierSvc
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SAVESOLDIERSVC\0000\Control
    ActiveService = SaveSoldierSvc
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SaveSoldierSvc
    DisplayName = SaveSoldier Security Service
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SaveSoldierSvc
    ImagePath = C:\Program Files\SaveSoldier Software\SaveSoldier\SaveSoldierSvc.exe
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SaveSoldierSvc\Enum
    0 = Root\LEGACY_SAVESOLDIERSVC\0000
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SaveSoldierSvc
    Start
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SaveSoldierSvc\Security
    Security


Means of transmission

SaveSoldier can be voluntarily downloaded from the website belonging to the company that has developed it.


Further Details

SaveSoldier is 712,704 bytes in size.

As additional information, a website that promotes another fake antivirus has been detected. In this case, it is called TrustNinja. The interesting thing is that both the format and content of this website are the same as the SaveSoldier website. Only the references to SaveSoldier have been replaced with TrustNinja.

The file downloaded from this website is called TRUSTNINJA.EXE and once run, a program with the same interface and functions as SaveSoldier is installed on the computer. Even the fake results displayed when the scan is finished are the same. The only thing that changes is the name of the program.
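The registry entries listed above are the sort of thing a tech ends up hunting for by hand on an infected box. The script below is an added example for this post (it is not Panda's code, nor the blog's): it reads a `.reg` text export of the Run keys and Services, pulls the executable out of each autostart command line, and flags anything that either carries one of the names from this write-up or autostarts from outside the Windows system directories. The sample export is constructed from the indicators above plus two benign entries (ctfmon.exe and the DHCP Client service) for contrast; the "outside the system directories" check is my own triage hint, and it will also flag legitimate third-party autostarts, so it is a starting point for a look, not a verdict.

```python
"""Triage a Windows registry export (.reg text) for the persistence a rogue
AV such as SaveSoldier leaves behind: a Run-key autostart and a service.

Added example; the export below is constructed from the indicators in the
write-up above plus two benign entries for contrast. Not Panda's code."""
import re

# Names taken from the SaveSoldier/TrustNinja write-up above.
KNOWN_ROGUE = ("savesoldier", "trustninja")

RUN_KEYS = {
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
}
SERVICE_KEY = re.compile(
    r"^HKEY_LOCAL_MACHINE\\SYSTEM\\(ControlSet\d{3}|CurrentControlSet)\\Services\\([^\\]+)$",
    re.I)
# Assumption (triage hint, not a verdict): autostart binaries normally live here,
# so anything else deserves a look. Legitimate third-party autostarts trip it too.
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

def parse_reg_export(text):
    """Return {key: {value_name: data}} from a REGEDIT-style export.
    Only plain string values are kept; hex(2)/dword lines are skipped here."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^(?:"([^"]+)"|@)\s*=\s*"(.*)"$', line)
        if m and current is not None:
            name = m.group(1) if m.group(1) is not None else "(Default)"
            # .reg escapes quotes and doubles backslashes inside string data
            keys[current][name] = m.group(2).replace('\\"', '"').replace("\\\\", "\\")
    return keys

def image_path(command):
    """Executable part of an autostart/ImagePath command line. Handles the
    "quoted path" form and the unquoted path-with-spaces form seen above."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"(.*?\.exe)(?:\s|$)", command, re.I)
    return m.group(1) if m else command.split()[0]

def _reasons(exe):
    """Why this executable is worth a second look (empty list = nothing found)."""
    low = exe.lower().replace("%systemroot%", r"c:\windows")
    reasons = []
    if any(n in low for n in KNOWN_ROGUE):
        reasons.append("matches a known rogue AV name")
    if not low.startswith(TRUSTED_DIRS):
        reasons.append("autostart binary outside the Windows system directories")
    return reasons

def triage(keys):
    """Return (label, executable, reason) triples for suspicious Run entries and services."""
    findings = []
    for key, values in keys.items():
        if key.lower() in RUN_KEYS:
            for name, cmd in values.items():
                exe = image_path(cmd)
                findings += [(f"Run:{name}", exe, r) for r in _reasons(exe)]
        svc = SERVICE_KEY.match(key)
        if svc and "ImagePath" in values:
            exe = image_path(values["ImagePath"])
            findings += [(f"Service:{svc.group(2)}", exe, r) for r in _reasons(exe)]
    return findings

# Constructed sample: the SaveSoldier entries from the write-up, plus ctfmon.exe
# and the DHCP Client service as benign controls.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"SaveSoldier"="C:\\Program Files\\SaveSoldier Software\\SaveSoldier\\SaveSoldier.exe -min"

[HKEY_LOCAL_MACHINE\SOFTWARE\SaveSoldier]
"Install_Dir"="C:\\Program Files\\SaveSoldier Software\\SaveSoldier"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SaveSoldierSvc]
"DisplayName"="SaveSoldier Security Service"
"ImagePath"="C:\\Program Files\\SaveSoldier Software\\SaveSoldier\\SaveSoldierSvc.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dhcp]
"DisplayName"="DHCP Client"
"ImagePath"="%SystemRoot%\\system32\\svchost.exe -k netsvcs"
"""

if __name__ == "__main__":
    for label, exe, reason in triage(parse_reg_export(SAMPLE_REG)):
        print(f"{label:<24} {reason:<55} {exe}")
```

On the sample it reports the SaveSoldier Run entry and the SaveSoldierSvc service and stays quiet about ctfmon.exe and svchost.exe. Against a real export you would first run `reg export` on the Run keys and on `HKLM\SYSTEM\CurrentControlSet\Services`, then feed the file in; the removal itself is the usual order, stop and delete the service, delete the Run value, then remove the files, because deleting the files first leaves the service entry pointing at nothing and the program's own uninstall.exe should not be trusted to do the job.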

As always, the first line of defense is to not click on every pop-up that you see without reading it first.  Additionally, if you're not sure what the message or the pop-up is for, it's always better to click Deny or No, or at least take the time to run a quick search on Bing or Google for the name of the pop-up.  There are many sites out there that will tell you what the pop-up is and whether it is safe.

Software: Panda AV offering FREE USB Vaccine to help stop malware from spreading via external drives

     As a tech, one of the biggest headaches involves someone bringing their USB key (or external hard drive) from home, full of malware infections because the user doesn’t know how to protect their home PC.  They go to the office and start “copying that Excel sheet” or even better “the cute pictures of their kids” so that it can be seen on every PC.  Unfortunately, as that drive keeps getting plugged in, every machine it goes into gets infected with malware because of what is known as the AutoRun feature.

     Panda Security is offering a FREE download (http://www.pandasecurity.com/usa/homeusers/downloads/usbvaccine/) that can be used on your external drives and on each PC, which will basically disable the AutoRun feature.  With the feature disabled, you should be able to scan your external drive and make sure it's OK before it is able to cause malware havoc.

********************************************************************

   From the Panda Website

There is an increasing amount of malware which, like the dangerous Conficker worm, spreads via removable devices and drives such as memory sticks, MP3 players, digital cameras, etc. To do this, these malicious codes modify the AutoRun file on these devices.


Panda USB Vaccine is a free solution designed to protect against this threat. It offers a double layer of preventive protection, allowing users to disable the AutoRun feature on computers as well as on USB drives and other devices:

Vaccine for computers: This is a ‘vaccine’ for computers to prevent any AutoRun file from running, regardless of whether the device (memory stick, CD, etc.) is infected or not.

Vaccine for USB devices: This is a ‘vaccine’ for removable USB devices, preventing the AutoRun file from becoming a source of infection. The tool disables this file so it cannot be read, modified or replaced by malicious code.

This is a very useful tool as there is no simple way of disabling the AutoRun feature in Windows. This provides users with a simple way of disabling this feature, offering a high degree of protection against infections from removable drives and devices.

*********************************************************************

Just remember that this needs to be used on both the external drives and the PC.  Even if you don’t have an external drive yourself, it's a good idea to run it on your PC, in case someone visits (or your kids or co-workers) and brings an external drive with them.
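What the "AutoRun file" the Panda text refers to actually does is worth seeing, because it explains why vaccinating the drive (occupying the autorun.inf name so malware cannot write its own) and vaccinating the PC (never honouring the file) are two different layers. The script below is an added example for this post, not Panda's USB Vaccine code: it parses an autorun.inf the way AutoRun-era Windows read the [autorun] section, reports what would launch on insertion and what would launch on a double-click of the drive, and flags the disguises removable-drive droppers used. Both INF bodies are constructed: a vendor-style one, and a dropper-style one that borrows the Conficker trick of labelling its entry with Explorer's own "Open folder to view files" action. The double-extension and hidden-folder checks are my own heuristics.

```python
"""Read an autorun.inf the way AutoRun-era Windows did and report what plugging
the drive in would launch. Added example, not Panda's USB Vaccine code; both
INF bodies below are constructed."""
import re

AUTO_EXEC_KEYS = ("open", "shellexecute")        # launched on insert while AutoRun is on
EXPLORER_DEFAULT_ACTION = "open folder to view files"
# Assumption (heuristic): photo.jpg.exe style names are a dropper tell.
RISKY_EXT = re.compile(r"\.\w{2,4}\.(exe|scr|com|pif|bat|cmd|vbs)$", re.I)
# Assumption (heuristic): folders Explorer hides by default, a favourite payload home.
HIDDEN_DIRS = ("recycler\\", "$recycle.bin\\", "system volume information\\")

def parse_autorun(text):
    """Return {key: value} for the [autorun] section with lower-cased keys.
    Other sections and ';' comment lines are ignored, as Windows ignores them."""
    section, entries = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "autorun" and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries

def _target(command):
    """First token of an INF command is the file to run; parameters follow a space."""
    parts = command.split()
    return parts[0] if parts else ""

def assess(text):
    """Summarise an autorun.inf: what runs automatically, what runs when the user
    double-clicks the drive, and any signs it is disguising a dropper."""
    e = parse_autorun(text)
    auto_exec = [e[k] for k in AUTO_EXEC_KEYS if k in e]
    # shell=<verb> picks the default verb; shell\<verb>\command is what a double-click runs
    default_verb = e.get("shell", "open").lower()
    double_click = [v for k, v in e.items() if k == f"shell\\{default_verb}\\command"]
    warnings = []
    if e.get("action", "").strip().lower() == EXPLORER_DEFAULT_ACTION:
        warnings.append("action= imitates Explorer's own 'Open folder to view files' entry")
    for t in sorted({_target(c) for c in auto_exec + double_click}):
        if RISKY_EXT.search(t):
            warnings.append(f"double extension hides an executable: {t}")
        if t.lower().startswith(HIDDEN_DIRS):
            warnings.append(f"payload stored in a folder Explorer hides by default: {t}")
    return {"auto_exec": auto_exec, "double_click": double_click, "warnings": warnings}

# Constructed: what a vendor driver CD typically ships. It still auto-runs,
# which is the whole reason to disable AutoRun on the PC, not just on one drive.
VENDOR_INF = """\
[autorun]
label=Acme Driver CD
icon=setup.exe,0
open=setup.exe /autorun
"""

# Constructed: a removable-drive dropper (folder and file names are made up).
DROPPER_INF = """\
[autorun]
action=Open folder to view files
icon=%SystemRoot%\\system32\\shell32.dll,4
shellexecute=RECYCLER\\setup\\family_photos.jpg.exe
shell=explore
shell\\explore=E&xplore
shell\\explore\\command=RECYCLER\\setup\\family_photos.jpg.exe
"""

if __name__ == "__main__":
    for name, inf in (("vendor", VENDOR_INF), ("dropper", DROPPER_INF)):
        print(name, assess(inf))
```

The dropper sample shows why "just don't let it auto-run" is not enough on its own: with `shell=explore` and `shell\explore\command` set, the user who double-clicks the drive to "open" it runs the payload anyway, which is what the per-PC vaccine closes off. For anyone who wants the same effect without the tool, the policy value Microsoft documents for this is `NoDriveTypeAutoRun` (REG_DWORD 0xFF) under `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer`, and later Windows updates stopped honouring autorun.inf on non-optical media altogether; the per-drive vaccine still matters for the older machines the drive will meet.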
