What happened was the Trojan hijacked the desktop and changed it to a Bright Red background with a warning stating that the computer was infected with a malicious program and provided a link to for the user to click to purchase a program that would clean the computer.  Obviously, this was not a legitimate link, so I copied the link location to notepad and it pointed to hxxp://antispyspider.us/69.  DO NOT GO TO THIS LINK, IT IS VERY BAD!  Some other things this infection did was change the IP address and subnet mask; disabled the Task Manager and Registry Editor; and caused Internet Explorer to launch every couple of minutes to connect to the malicious site.  There was also a service that was added to the computer and it launched when Windows XP started.

The steps we used to try and defeat this nasty infection included:

- Running “msconfig” to disable all programs from starting
- Disabled the “Service” that was installed
- Turned off the System Restore feature, since we didn’t want anything malicious to be included in a restore
- Installed and ran CounterSpy, which found many malicious files, registry entries, and cookies.  We removed everything successfully

But we could not kill the Trojan, so I googled “AntiSpySpider” and found a very good web page showing how to kill this critter and if you need the instructions, you can get them from:

http://www.bleepingcomputer.com/malware-removal/antispyspider

The fix includes running a program to restore the registry editor, as well as a file to restore the task manager.  The instructions do a great job showing the victim how to remove this threat, so if you are one of the unfortunate souls, try this fix.  Then if you get it removed, you might consider running CounterSpy and F-Secure Internet Security; both of these programs have been quite dependable protecting our computers, as well as people we know.

http://www.f-secure.com/weblog/archives/00001327.html

UPDATE: F-Secure just released new information about another Christmas Card scam that will infect computers if the user clicks the link to download and install a malicious Flash player. You can read the story here:

http://www.f-secure.com/weblog/archives/00001330.html

Following up the the QuickTime vulnerability, the SANS Internet Storm Center has an updated list of malicious websites exploiting the vulnerability and you can read it at:

http://isc.sans.org/diary.html?storyid=3713

Be vigilant and careful; it will only get worse as we approach year end.

As the article states, until Apple releases a patch for this problem, everyone would be well-advised to block outgoing traffic over port TCP 554 on their firewalls. Think twice before watching videos and visiting sites with which you are unfamiliar!

UPDATE: It appears there are many suggestions to work around this vulnerability until a patch is released, including blocking UDP ports 6970-6999.  You can read the details on the US-CERT site at: http://www.kb.cert.org/vuls/id/659761

• America Online
• Cog
• dBpoweramp
• FLAC
• Foobar2000
• jetAudio
• PhatBox
• Yahoo

You can read the US-CERT advisory at:

http://www.kb.cert.org/vuls/id/544656

The eEye Digital Security can be found at:

http://research.eeye.com/html/advisories/published/AD20071115.html

The estimated date for an update to patch the vulnerabilities, according to eEye Digital Security, will be around December 26, 2007. 

Be very careful before you decide to open any .FLAC files attached to an email!

Apparently, many DoubleClick ads found on popular and well-known websites like CNN and the Economist have been popping up informing the visitor that their computer is infected with viruses and that by downloading and installing the [rogue] security software, they would be able to remove the infections.

According to the article, the malicious ads were Trojans that would continuously pop up warnings until the end user paid for the bogus program.  You can read the article at:

http://www.eweek.com/article2/0%2C1895%2C2215635%2C00.asp

I have not experienced any such pop-ups, partly because I configured my browsers and security software to block pop-up advertising.  The other reason I may have avoided these malicious programs is that I filtered out “DoubleClick” on my Router/Firewall a couple of years ago; therefore, whenever I visit pages with advertising by DoubleClick on any website…the ad is replaced with a message stating that the website was blocked by my firewall.

Anytime you come across advertisements or web sites you do not want anyone on your network to open; simply add the name of the site to your perimeter firewall web content filtering rules.  When you filter out unwanted sites, they simply will never open!

Cheers!

http://www.f-secure.com/weblog/archives/00001308.html

Anytime you need to check for a Microsoft Security update, simply click the “Start” button and then click the “Windows Update” menu from the “Start Menu“.  This will open the Official Microsoft Windows update site where you can quickly check to see if you need any updates.

This applies to any other software you have installed.  Most programs have an update feature built in to their programs whereby you click an update button or menu to check for updates.

Remember, you should not open unsolicited emails or attachments, and under no circumstances, should you ever click on any link inside of an unsolicited email!

http://www.f-secure.com/weblog/archives/00001304.html

Recent history has shown us that cybercriminals launch new attacks during holidays, sporting events like the NFL season kickoff, and newsworthy events.  Just remember, don’t click links  pointing to an IP address and always be wary of other tricks.

Be safe and have a Happy Halloween!

Subject: You have yet to open your ecard.

The body of the email reads, “Someone sent you this Psycho Kitty card. It is Hilarious!” and of course, there is a link the criminals want you to click that points to an IP Address.

The other notable news from today is about a PDF Malware Spam outbreak throughout the Internet.  My F-Secure Anti-virus program has a nice little feature called “Security News” and during high levels of malicious activity, a balloon will pop up by the system clock with a warning to the consumer.

Today, the balloon popped up with an F-Secure Level 2 Security Alert and it read,

“Malicious PDF files being spammed out in volume. The files have “report” themed subjects and CVE-2007-5020 exploit that they use to download further components from the net.“

As usual, F-Secure protects against this threat; but other Anti-virus program may not, so please be aware that malicious PDF files are currently being spammed and you need to be extra cautious before opening them.

Also, Make sure you have the latest version of Adobe Acrobat and Acrobat Reader, because Adobe recently released security patches to address a critical vulnerability that if exploited, could have given the attacker complete control of the infected system.

To learn more about the latest PDF Threat, visit the F-Secure advisory at:

http://www.f-secure.com/v-descs/exploit_w32_adobereader_k.shtml

Or the SANS advisory at:

http://www.f-secure.com/weblog/archives/00001303.html

Stay safe out there…cyberspace is a hostile place!

In this particular e-mail, the bait is an “Online Game Tracker” and by clicking a link pointing to “http://IP address”, the victim is led to believe they will be able to follow the scores of the football games throughout the day.  However, the unsuspecting victim will most likely become infected with a variant of the Storm Worm.

As usual, when I saw this, I did my homework and checked out the SANS Internet Storm Center Diary for any late-breaking news about this latest threat and sure enough, they were on top of it.  Here is the story:

http://isc.sans.org/diary.html?storyid=3361

F-Secure also posted a warning on their Blog at: http://www.f-secure.com/weblog/

Anyone who reads security news blogs and articles understands that it is never a good idea to click on any link containing an IP Address and this link is no different.  Don’t take the bait…just delete the e-mail!

Before I read this article, I thought Rootkits were the most threatening form of compromise; but after reading this article, I think bootkits have just moved into first place.  Why?  Bootkits infect computers during the boot process, before the operating system loads and this means that detection is virtually impossible.

The good news is that you can protect your computer against this type of infection by:

- Configuring the BIOS to disable any boot devices other than the hard disk
- Use strong and complex BIOS password, which would be required to successfully boot the computer
- Limit physical access to your computer AND the motherboard by locking the case to prevent access to the interior of the case
- And if you really wish to lock it down, you could disable the USB and Firewire ports in the BIOS; but that could really hinder your computer’s functionality.

Check the article out…you’ll be amazed at the damage a bootkit is capable of causing!