
Monday, June 25, 2007

Another set of auto-sent emails

Sorry guys, I've been very out recently... out in the midst of our very forested home (lots of trees in our lot), just spending playful time with my sister's kids, who crash my computer from time to time. Hehehe...

Anyway, what concerns me on this blog right now is the prevalence of worms, trojans and viruses I'm encountering daily, despite the updates I checked on the desktop and notebook computers at work. More than that, I've been continuously receiving emails from somebody who, I suspect, doesn't even know that her mailbox sent them automatically.

Here's the rest of the story...

  • Trojans
The most common in this arena would be "HTML/Phishing.gen", and it's so common that I'm already pissed about it. Hahahaha. On NOD32's website, "HTML/Phishing.gen" comes in a variety of names: Smithfraud, Bankfraud, etc. You name it! All those financial-type emails requesting you to update something via the link provided in the email. Well, yeah, the link looks correct. But just putting your mouse over that link before clicking it makes the difference: the real link underneath is a different one, so be careful please!

  • Worms
Here's something you wouldn't ordinarily find in your vegetable garden: internet worms. Nope, they're not there to enrich your online soil experience. Rather, they just soil you a lot. "Win32/Bagle" is one of those worms that comes with siblings. Who says that internet worms don't have sexes? Win32/Bagle.AS, Win32/Bagle.DL, Win32/Bagle.DR, Win32/Bagle.FB, Win32/Bagle.FL, Win32/Bagle.FO, Win32/Bagle.HE, just naming a few...

  • Viruses
Like their biological cousins, computer viruses still need a host to deliver a payload to the intended (or rather random) recipient. Not much to tell here, but I'm pretty sure there are plenty lurking out there.

Consider this: I recently got an item called "Microsoft.WindowsSecurityCenter.AntiVirusOverride" using SpyBot - Search & Destroy. What it seems to do is redirect common A/V update servers or sites (like "Microsoft.Windows.RedirectedHosts") to 192.168.0.101. You can check out Sophos for details.
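Assuming the redirection above lives in the Windows hosts file (which is what a "RedirectedHosts" finding is about), here is a small scanner for it. This is an added example, not SpyBot's or Sophos's code; the list of protected vendor hosts and the sample hosts file are both constructed for the example.

```python
import ipaddress

# Update/vendor hosts an infection would want to hijack. Assumed list for the
# example; extend it with whatever your own A/V actually contacts.
PROTECTED_HOSTS = {
    "update.microsoft.com", "windowsupdate.microsoft.com",
    "www.eset.com", "www.sophos.com", "www.mcafee.com",
    "www.bitdefender.com", "www.trendmicro.com", "www.safer-networking.org",
}
LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}


def hosts_hijacks(hosts_text):
    """Scan hosts-file text and return (line_no, address, hostname, kind) for
    every entry that maps a protected host at all: a clean hosts file never
    mentions them. kind is 'blocked' for loopback/null addresses and
    'redirected' for anything else (the 192.168.0.101 case above)."""
    findings = []
    for line_no, raw in enumerate(hosts_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        addr, *names = line.split()
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            continue                           # not an address/host entry
        kind = "blocked" if addr in LOOPBACK else "redirected"
        for name in names:
            if name.lower() in PROTECTED_HOSTS:
                findings.append((line_no, addr, name.lower(), kind))
    return findings


# Constructed sample: the stock localhost line plus the kind of entries the
# AntiVirusOverride / RedirectedHosts finding describes.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
192.168.0.101   update.microsoft.com windowsupdate.microsoft.com
192.168.0.101   www.eset.com
127.0.0.1       www.sophos.com   # vendor site silently never resolves
"""
```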

SpyBot is such a good tool when combined with your default A/V (I prefer BitDefender, McAfee, Sophos and Trend Micro, though I consider Eset's NOD32 the best) and an anti-spyware tool (Lavasoft's Ad-Aware).

TIP #1: Whenever you're having a hard time removing files, why not try "Safe Mode with Command Prompt"? From there, you can remove the unwanted files created by all the badware.

Here's one example of a trojan which requires a "Safe Mode with Command Prompt" procedure:
Generic BackDoor.u:
- mstcpcon20.dll
- netmanage.dll
- netused.dll
(All removed via "Safe Mode" Command Prompt)

TIP #2: Hate waiting for your computer to finish loading all those processes every time you boot up? There's a tool available from Microsoft called "Autoruns", and it will help you determine which of these processes are legitimate and which can be disabled. It can also be used to remove all the nasty entries that worms, trojans and viruses inserted. Combined with "Process Explorer", it makes an effective tool (call it a "dynamic duo") for killing those processes and removing them afterwards. Click here for more details. Just a word of caution: do things the intelligent way, or else you might end up reformatting your computer.

TIP #3: If possible, disable System Restore, because Windows backs up your files in a certain folder on your computer. So every time you clean your computer, the infected files are also backed up, leaving another opportunity that, once restored, the badware would be present again on your computer. McAfee Threat Center has details on this. You may go there by clicking here.

Sites to Avoid
(If you're using Yahoo! Messenger and a friend or somebody sends you a message asking you to visit these sites, please don't - they're nasty conveyors of badware)


Lastly, for the auto-email sender, it's a Win32/VB.NEI worm. A simple Google search would yield hundreds of results for the Win32/VB.NEI worm. Here's a transcript of the actual email sent to me:

X-YPOPs-Folder: @B@Bulk
X-RocketYMUMID: ALjJjkQAADx1Rn9l0QmvJXlMNOI
X-Apparently-To: *********************** via 68.142.201.184; Sun, 24 Jun 2007 23:50:57 -0700
X-Rocket-Spam: 58.69.174.125
X-YahooFilteredBulk: 58.69.174.125
X-Originating-IP: [58.69.174.125]
Return-Path: <************************>
Authentication-Results: mta263.mail.re4.yahoo.com from=*****************; domainkeys=neutral (no sig)
Received: from 58.69.174.125 (HELO ******) (58.69.174.125)
    by mta263.mail.re4.yahoo.com with SMTP; Sun, 24 Jun 2007 23:50:56 -0700
From: "******************" <************************>
To: <***********************>
Subject: [virus Win32/VB.NEI worm] the file
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_9.45058643817902E-02"
Content-Length: 129662
X-NOD32Result: Infected, Win32/VB.NEI worm

This is a multi-part message in MIME format.

------=_NextPart_9.45058643817902E-02
Content-Type: text/plain; format=flowed

how are you?
i send the details.
OK ?

__________ NOD32 2350 (20070624) Warning __________

Warning: NOD32 antivirus system found the following in the message:
document.pif - Win32/VB.NEI worm - deleted

http://www.eset.com

------=_NextPart_9.45058643817902E-02
Content-Type: text/plain
X-Removed: Removed by NOD32 Antivirus System

------=_NextPart_9.45058643817902E-02--
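Here's a Python triage of a message shaped like the transcript above: it reads the scanner verdict header, pulls the originating IP and flags attachments with executable extensions such as the document.pif the worm sent. This is an added example, not part of the original post; the sample message is constructed with placeholder addresses and with the attachment still present, as it would look before NOD32 stripped it.

```python
import email
import re
from email import policy

# Attachment extensions that run as programs on Windows (the worm used .pif).
RISKY_EXT = (".pif", ".scr", ".exe", ".com", ".bat", ".cmd", ".vbs", ".js")


def triage(raw):
    """Parse a raw RFC 822 message and report the scanner verdict, the
    originating IP and any attachment with an executable extension."""
    msg = email.message_from_string(raw, policy=policy.default)
    verdict = str(msg.get("X-NOD32Result", ""))
    m = re.search(r"(\d{1,3}(?:\.\d{1,3}){3})", str(msg.get("X-Originating-IP", "")))
    risky = [part.get_filename() for part in msg.walk()
             if part.get_filename() and part.get_filename().lower().endswith(RISKY_EXT)]
    return {
        "infected": verdict.lower().startswith("infected"),
        "verdict": verdict,
        "origin_ip": m.group(1) if m else None,
        "risky_attachments": risky,
    }


# Constructed message shaped like the transcript above (placeholder addresses;
# the attachment body is junk base64, not a real file).
RAW = """\
X-Originating-IP: [58.69.174.125]
From: "someone" <someone@example.invalid>
To: <me@example.invalid>
Subject: the file
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_9.45058643817902E-02"
X-NOD32Result: Infected, Win32/VB.NEI worm

------=_NextPart_9.45058643817902E-02
Content-Type: text/plain; format=flowed

how are you?
i send the details.
OK ?

------=_NextPart_9.45058643817902E-02
Content-Type: application/octet-stream; name="document.pif"
Content-Disposition: attachment; filename="document.pif"
Content-Transfer-Encoding: base64

QUJDREVGR0g=

------=_NextPart_9.45058643817902E-02--
"""
```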

Got it? That's all for this blog!
