Welcome to our new Site!
June 21, 2008 on 11:21 pm | In Information | No Comments
If you have been to our site before, you probably noticed the new look. We have been working long and hard on the new design, which explains why we haven’t posted many blogs lately; but now we’re done! If you have a chance, check out the new “University” page, where we have introduced video tutorials to help you, the user, through the complex process of hardening your Microsoft Windows XP environment to the point where it will be quite secure.
At this time, we have only made two videos available: Email and Web Browser Security. However, we will be uploading more new videos soon showing you how to:
- Turn off unnecessary and potentially harmful Windows services,
- Install and configure a world-class Anti-spyware program,
- Install and configure a world-class Anti-Virus program,
- Install and configure a world-class firewall program,
- Install, configure, and use a world-class encryption program,
- Install and configure a secure Wireless network,
- Install and configure a simple, but effective and cost-efficient backup solution,
- and other important security-related topics
All of our videos are downloadable and viewable with Microsoft Windows Media Player. This will allow you to play them, pause them, rewind them, or do just about anything you need to learn the content.
We are confident these videos will help raise the level of security for everyone who purchases them.
Be Safe. Be secure!
PC-Armor.com
Firefox 3 is now available!
June 17, 2008 on 6:27 pm | In Information | No Comments
The Mozilla site experienced some technical difficulties this morning that delayed the scheduled launch of Firefox 3; however, they are back!
I just downloaded my version and will install it after this post.
Hopefully, the world will follow suit and download the greatest browser available…
Blog Spam is a HUGE Headache!
June 15, 2008 on 12:20 am | In Information | No Comments
Blog spam has reached the point where it is very difficult to manage. It is possible that we might accidentally delete a legitimate comment as we sift through the hundreds of blog spam comments we receive on a regular basis, so we apologize if we mistakenly delete a legitimate comment.
As with other types of spam, we scrutinize all comments very carefully before deciding to publish them.
Cheers!
PC-Armor.com
Nasty Trojan causes Task Manager and Registry Editor to stop working
June 1, 2008 on 7:40 pm | In Information, Knowledge Base, Malware, On the Radar | No Comments
I received a call from a friend over the weekend asking for help to rid his neighbor’s computer of a nasty Trojan. Apparently, he had been working on the problem for days and didn’t know what else he could do, so I took a look and it was indeed a nasty infection. The computer had McAfee and Norton security products installed, but they apparently didn’t help prevent the infection, so we removed them and installed CounterSpy and F-Secure.
What happened was the Trojan hijacked the desktop and changed it to a bright red background with a warning stating that the computer was infected with a malicious program, and provided a link for the user to click to purchase a program that would clean the computer. Obviously, this was not a legitimate link, so I copied the link location to Notepad and it pointed to hxxp://antispyspider.us/69. DO NOT GO TO THIS LINK, IT IS VERY BAD! The infection also changed the IP address and subnet mask, disabled the Task Manager and Registry Editor, and caused Internet Explorer to launch every couple of minutes to connect to the malicious site. A service was also added to the computer, and it launched when Windows XP started.
The steps we used to try and defeat this nasty infection included:
- Running “msconfig” to disable all programs from starting
- Disabling the “Service” that was installed
- Turning off the System Restore feature, since we didn’t want anything malicious to be included in a restore
- Installing and running CounterSpy, which found many malicious files, registry entries, and cookies. We removed everything successfully
But we could not kill the Trojan, so I googled “AntiSpySpider” and found a very good web page showing how to kill this critter. If you need the instructions, you can get them from:
http://www.bleepingcomputer.com/malware-removal/antispyspider
The fix includes running a program to restore the Registry Editor, as well as a file to restore the Task Manager. The instructions do a great job showing the victim how to remove this threat, so if you are one of the unfortunate souls, try this fix. Then, if you get it removed, you might consider running CounterSpy and F-Secure Internet Security; both of these programs have been quite dependable in protecting our computers, as well as those of people we know.
Notification, Lottery Winner, Response Needed, My Wish….
May 26, 2008 on 1:01 am | In E-Mail Scams, Identity Theft | No Comments
We get many email scams each week and the title of this blog has some of the more common subject titles for these types of emails. Additionally, some other email “subjects” that should raise red flags include:
- Security Alert from the board of trustee
- RE: Hello
- I AM WAITING TO HEAR FROM YOU SOONEXT
- RE: CHANGE OF YOUR BANK A/C DETAILS/ REPLY ASAP!
- CONTACT MY SECREATARY
- FROM THE DESK MR MUHAMMED OMAR
- Strictly Confidential
- Your Winnings
- CONTACT ME URGENTLY
- From: Central Bank ATM CARD
- Dear e-mail owner
- RELEASE OF YOUR FUND VALUED 8.3M DOLLARS
- Your Payment
- CONTACT MR WILL FREEMAN
- IMMEDIATE DELIVARY OF YOUR FUNDS
These are just a handful of the many, many different email subject lines associated with scams that have one purpose…to steal someone’s money and/or identity. If you have ever read these types of scam emails, you may have noticed that many of them ask for the following types of information:
1) YOUR FULL NAME:
2) FULL ADDRESS OF YOUR CITY, STATE AND COUNTRY:
3) PHONE, FAX AND MOBILE:
4) COMPANY NAME, POSITION AND ADDRESS:
5) BANK INFORMATIONS:
a) BANK NAME:
b) BANK ADRESS:
c) ACCOUNT NUMBER:
d) SWIFT CODE/
e) ROUTING NUMBER:
6) PROFESSION,AGE AND MARITAL STATUS:
7) A COPY OF YOUR INT’L PASSPORT/DRIVERS LICENSE
As people become more savvy, the scammers have to come up with new ways to trick their victims; well, here is a new scam we received. As you will see, it doesn’t follow the typical promise stating that someone left you millions of dollars or you just won a lottery somewhere; instead, the scammers are using a new angle, stating that FedEx has a package waiting for you and all you have to do is complete a form to receive the package. Here is the scam:
From: “FedEx Online Management Team” <fedex012@msn.com>
Subject: NOTIFICATION
Customer Service:
Dear Customer,
We have been waiting for you to contact us for your Package that is been registered with us for shipping to your residential location. We had thought that your sender gave you our contact details. It may interest you to know that a letter is also added to your package. However, we cannot quote it’s content to you via email for privacy reasons. We understand that the content of your package itself is a Bank Draft worth of $900,000.00 USD. As you know, FedEx do not ship money in CASH or in CHEQUES but Bank Drafts are shippable. The package is registered with us for mailing by your colleague as claimed, and your colleague explained that he is from the United States but he is here in Vietnam for a three(3) month Survey Project as he works with a construction firm in Vietnam Asia. We are sending you this email because your package is been registered on a Special Order. What you have to do now, is to contact our Delivery Department for immediate dispatchment of your package to your residencial address. Note that as soon as our Delivery Team confirms your informations, it will take only one working day (24Hrs) for your package to arrive it designated destination.
For your information, the VAT & Shipping charges as well as Insurance fees have been paid by your colleague before your package was registered.
Note that the payment that is made on the Insurance, Premium & Clearance Certificates, are to certify that the Bank Draft is not a Drug Affiliated Fund (DAF) neither is it funds to sponsor Terrorism in your country.
This will help you avoid any form of query from the Monetary Authority of your country. However, you will have to pay a sum of £100 which is equivalent to $199.432 USD to the FedEx Delivery Department being full payment for the Security Keeping Fee of the FedEx company as stated in our privacy terms & condition page. Also be informed that your colleague wished to pay for the Security Keeping charges, but we do not accept such payments considering the fact that all items & packages that is registered with us have a time limitation and we cannot accept payment without knowing when you will be picking up the package or even respond to us. So we cannot take the risk to have accepted such a payment incase of any possible demurrage. Kindly note that your colleague did not leave us with any further information. We hope that you respond to us as soon as possible because if you fail to respond until the expiry date of the foremost package, we may refer the package to the British Commission for Welfare as the package do not have a return address. Kindly contact the delivery department (FedEx Delivery Post) with the details given below:
Contact Person: Mr. Chu Van Duong.
Email: fedexdeliveriesvn@yahoo.com.vn
Kindly complete the below form and send it to the email address given above. This is mandatory to reconfirm your Postal address and telephone numbers.
FULL NAMES:
TELEPHONE:
POSTAL ADDRESS:
CITY:
STATE:
COUNTRY:
As soon as your details are received, our delivery team will give you the neccessary payment procedure so that you can effect the payment for the Security Keeping Fees. As soon as they confirm your payment of £100 GBP which is equivalent to $199.432 USD, they shall immediately dispatch your package to the designated address. It usually takes 24 hours being an over night delivery service. Note that we were not instructed to email you,but due to the high priority of your package we had to inform you as your sender did not leave us with his phone number because he stated that he just arrived England and he wasnt on phone yet. We indeed personally sealed your Bank Draft and we found your email contact in the attached letter as the recipient of the foremost package. Ensure to contact the delivery department with the email address and ensure to fill the above form as well to enable successful reconfirmation.
All responses must be forwarded to: fedexdeliveriesvn@yahoo.com.vn
Yours Faithfully,
Mrs. Margaret Blaire.
FedEx Online Management Team.
All rights reserved. © 1995-2008 FedEx.
Scammers rely on human greed to get some poor soul to take their bait. If you think about this particular email…how many times has FedEx sent you an email requesting that you complete an online form to receive a package? I would be willing to bet the answer is “NEVER!”. Also, check out the horrible grammar; how long would FedEx be in business if they sent such poorly written correspondence?
The point here is simple…any time you receive an unsolicited email and the sender is requesting information from you, delete it! It’s evil!
Attention: Winner
May 12, 2008 on 10:34 pm | In E-Mail Scams | No Comments
Isn’t it amazing how rich you can become by doing nothing? You don’t even have to enter any contests…because if you are connected to the Internet, you will probably receive numerous awards like this one. There’s just one little problem though…the generous organization(s) who want to give you all this wonderful cash will probably need to verify your identity by asking for certain information. Obviously volunteering such information is a bad idea; but someone must be giving out their personal information, because the awards keep coming. Here is another lottery winning email scam we received today:
Royal Dutch Shell plc.
SHELL GROUP INTERNATIONAL UK .
Shell Centre London
SE1 7NA.
(Registration 70339411).
REGISTERED UNDER THE DATA PROTECTION ACT.
REF NO: HLP/200-26937
BATCH: 2008MJL-01
Attention: Winner,
We wish to heartily congratulate you on your emergence as a 2008 SHELL GROUP AWARDS-INTERNATIONAL PROGRAMS winner.
Your email which drew the winning number, of our yearly cash give away Promotions, was selected via our Random Computer Selection System (RCSS) and attached to file reference number (HLP/200-26937).
We write to hereby inform you that a prize of GBP 2,500,000.00 Pounds Sterling in cash are pending your redemption.
The verification department has already proceeded with the verification process of your winnings. We would instruct you on how to receive your prize money as soon as your claims have been verified.
To Proceed you are adviced to contact our paying bank personnel to activate an account so your cheque will be cashed and deposited at:
NEW ACCOUNTS DEPT.
LYOLDS TSB BANK PLC
ACCOUNT OFFICER:JAN PHILIP
TEL: +44 7005-947-384
EMAIL: newaccountdept01@yahoo.co.uk
Kindest Regards,
Steph Wilson
Shell Group International ,
United Kingdom .
If you receive emails such as this, check this site to see if you can find it:
Chances are…you probably will.
Scammers are hedging their bets that human greed will make it worth their effort to try and steal money from the unfortunate few that take the bait.
RE: CHANGE OF YOUR BANK A/C DETAILS/ REPLY ASAP!
May 4, 2008 on 12:46 pm | In E-Mail Scams | 1 Comment
Well, for the past two days, we have received the following scam in our “info@pc-armor.com” email inbox. Both emails had identical subjects and body; however, the header information was different. The messages came from the Russian Federation and were sent to “undisclosed-recipients”. Here is the body of the email:
DEAR CLIENT RE: CHANGE OF YOUR BANK ACCOUNT DETAILS.
We have received an official notification on Friday 2ND MAY 2008 from MR EARIC E HOPE who claimed that you have authorized him to handle everything concerning the release of your payment as you are now in the Hospital taking care of your illness but in consideration to the nature of our activities here, we deem it necessary that we should get in touch with you first for confirmation before we can proceed with his request, therefore, we need your prompt instruction to proceed with him in this matter or not. Below are the Bank details that he has forwarded to us for the purpose of remitting the fund to him, thus:-
HSBC BANK USA, N.A.
P.O. BOX 2013, BUFFALO, NY 14240 USA
1-800-975-HSBC (1-800-975-4722)
A/C NO: 253128218
ROUTING NUMBER: 022000020
A/C NAME: MR EARIC E HOPE.
NOTE: The release of the fund will be fixed as soon as we receive your prompt response to this message therefore, it is very important that you should get in touch with us for immediate confirmation. If you need further information, feel free to get in touch with us while it is very important that you should call our Financial Officer, MR HARRISON LEYTTON on telephone number + 44 207060 1652 EXT 4 as soon as you receive this message.
Thanks and best regards.
Miss Hilda Duchess.
(Secretary/Financial Co-ordinator)
ANFIELD FINANCE & INVESTMENT CO LTD.
As the recipient of this email, you should ask yourself why it was sent to more than one address when it appears to be written for an individual. Common sense questions like this would indicate this email is obviously a scam and besides, in our case, “info@pc-armor.com” is not a real person…so how could “info” be in the hospital?
The bottom line is this: when you receive any email that sounds too good to be true, it probably is! A good rule of thumb to remember is when someone wants to give you money, or they need more information from you, it is most likely a scam. When you receive such emails, question everything before replying or doing whatever it is they want you to do. A little investigative work can go a long way in protecting you and your assets!
Looking for an Encryption Program?
April 22, 2008 on 10:36 pm | In Information | No Comments
Greetings,
Just a quick note for those of you who may be looking for encryption software…Laura Milligan posted a great article on the Bootstrapper blog today listing 50 different Encryption Programs and how each could benefit your needs.
This is a nice compilation and Laura organized the programs in different categories to help you make an easier and better choice. You can read the article on the Bootstrapper Blog here.
“Referral Notice”
March 17, 2008 on 3:18 pm | In E-Mail Scams | 1 Comment
Greetings,
We have been busy working on a new look and some new offerings to PC-Armor, so we haven’t been writing any new blog stories lately. However, there are some things you might want to keep an eye out for…
First, the NCAA Basketball Championships are now in full swing and you can expect to see a ton of emails with subjects related to this tournament. We had many, many spams come into the PC-Armor blog as comments today and some of the key words in the spam messages you might look for are: Online Sports Book, March Madness, Final Four Betting, Basketball Betting, and NCAA.
Secondly, I received 4 new spams on my personal email account today with the subject of “Referral Notice” and all of them were from an overseas source. The body contained the following text:
–Registered and USDA/FDA apprv.–
Compliant Email Notification:Referral based
We are pleased that you were referred
to us. We would like to invite you to
our special website only available to
existing customers. As a referral we
are extending this oppourtunity for
you to become a customer. Please
see how our products can be of
assistance to you
Peter W. Johnson
New Customer Manager
http://registeredfda[dot]com
Well, I searched the domain name on DNSStuff.com and found that the domain was registered on March 14, 2008 to a company located in China. Anyone who reads security articles, blogs, or other computer security-related sources, understands that many malicious sites are located in China.
Obviously, I did not click the link for the following reasons:
1. It was registered 3 days ago. Many malicious sites are registered just before emails from the domain start flooding inboxes.
2. It is located in China and I simply would prefer to not risk an infection from a domain hosted in a country where many malicious sites originate.
3. The email states it is USDA/FDA approved. Why would the US Government be approving emails from China?
4. They are extending an “opportunity” for me to become a customer. Who are they and what is their product? Also, they have extended this “special” website to “existing” customers…how many existing customers can they accumulate in just 3 days?
5. The sending email address was spoofed and the address the email was supposedly sent to was not my address. I left this information out; but what is important here is that I checked and nothing made sense.
As always, question all emails; no matter how legitimate they may appear. You may save yourself time and money in the long run by taking a few extra steps to ensure an email is legitimate and preventing an infection or compromise!
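The checks used in the posts above (a FedEx notice sent from an msn.com address that steers replies to a Yahoo mailbox, a “personal” message that is not addressed to the recipient, a link to a domain registered three days earlier) can be run mechanically over a raw message. The Python below is an added example, not code from PC-Armor; the flag names, the `BRAND_DOMAINS` allow-list, the `whois_created` parameter and the sample’s `To` and `Date` headers are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr, parsedate_to_datetime

FREE_WEBMAIL = {"msn.com", "hotmail.com", "gmail.com", "yahoo.com",
                "yahoo.co.uk", "yahoo.com.vn"}
# Assumed allow-list: brand keyword -> domains that brand really mails from.
BRAND_DOMAINS = {"fedex": {"fedex.com"}, "shell": {"shell.com"}}
ADDR_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
URL_HOST_RE = re.compile(r"https?://([\w.-]+)", re.I)
PII_RE = re.compile(r"full names?|postal address|telephone|account number|"
                    r"swift code|routing number|passport", re.I)
FEE_RE = re.compile(r"\bpay\b[^.]{0,80}[£$]\s?\d", re.I)

def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower()

def triage(raw, my_address, whois_created=None, min_age_days=30):
    """Sorted red flags for one single-part plain-text message (no network I/O)."""
    msg = message_from_string(raw)
    name, sender = parseaddr(msg.get("From", ""))
    body = msg.get_payload()
    flags = set()
    # 1. Display name or subject uses a brand the sending domain does not belong to.
    claimed = (name + " " + msg.get("Subject", "")).lower()
    for brand, legit in BRAND_DOMAINS.items():
        if brand in claimed and _domain(sender) not in legit:
            flags.add("brand-name-from-unrelated-domain")
    # 2. Body steers the reply to a different, free-webmail mailbox.
    for addr in ADDR_RE.findall(body):
        if addr.lower() != sender.lower() and _domain(addr) in FREE_WEBMAIL:
            flags.add("reply-steered-to-webmail")
    # 3. "Personal" message that is not actually addressed to this mailbox.
    rcpts = {a.lower() for _, a in getaddresses(
        msg.get_all("To", []) + msg.get_all("Cc", []))}
    if my_address.lower() not in rcpts:
        flags.add("not-addressed-to-me")
    # 4. Asks for several personal-data fields, or for a fee before delivery.
    if len({m.lower() for m in PII_RE.findall(body)}) >= 2:
        flags.add("requests-personal-data")
    if FEE_RE.search(body):
        flags.add("advance-fee")
    # 5. Links to a domain registered shortly before the message was sent.
    #    whois_created: {host: datetime.date}, looked up by the caller.
    sent = parsedate_to_datetime(msg["Date"]).date() if msg["Date"] else None
    for host in URL_HOST_RE.findall(body):
        created = (whois_created or {}).get(host.lower().rstrip("."))
        if sent and created and (sent - created).days < min_age_days:
            flags.add("link-to-newly-registered-domain")
    return sorted(flags)

# Constructed sample, abridged from the FedEx message quoted on this page;
# the To and Date headers are made up for the example.
SAMPLE = """\
From: "FedEx Online Management Team" <fedex012@msn.com>
To: undisclosed-recipients:;
Date: Mon, 26 May 2008 01:01:00 +0000
Subject: NOTIFICATION

You will have to pay a sum of £100 to the FedEx Delivery Department.
Email: fedexdeliveriesvn@yahoo.com.vn
FULL NAMES: TELEPHONE: POSTAL ADDRESS:
"""
print(triage(SAMPLE, "info@pc-armor.com"))
```

A message that raises none of these flags is not thereby legitimate; the list only captures the tells that the posts above walk through by hand.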
Watch those Valentine offers with a wary eye!
February 13, 2008 on 4:36 pm | In E-Mail Scams | No Comments
Certain holidays bring the cyber criminals out like mosquitoes from stagnant water in the summer, and Valentine’s Day is one of those times. Today I received an email with the subject of “February 72% OFF” that included an offer for Roses from $19.99 with Guaranteed Delivery. All I had to do was click a link in the email that would have redirected me to who knows where! For all I know, it would have dropped a Trojan or some other type of harmful code onto my system for some obvious malicious purpose, such as compromising my personal information, stealing my files, or using my computer as a zombie in a botnet!
Well, I researched the originating IP address, and it came from Moscow in the Russian Federation. One interesting piece in the email was the disclaimer at the end of the message, stating:
“You are receiving this e-mail because you subscribed to MSN Featured Offers. Microsoft respects your privacy. If you do not wish to receive this MSN Featured Offers e-mail, please click the link below. This will not unsubscribe you from e-mail communications from third-party advertisers that may appear in MSN Feature Offers. This shall not constitute an offer by MSN. MSN shall not be responsible or liable for the advertisers’ content nor any of the goods or service advertised. Prices and item availability subject to change without notice.”
Somehow, I don’t believe any Microsoft featured offer would be coming from the Russian Federation…
Your best protection would be to simply delete all email offers without opening them, and make sure you clean your deleted items folder.
If you follow the SANS Internet Storm Center Diary or the F-Secure Weblog, you will find that there is a spike in malicious activity tied to Valentine’s Day.
Protect yourself and steer away from any offer that looks too good to be true…because it probably is!