What happened was the Trojan hijacked the desktop and changed it to a Bright Red background with a warning stating that the computer was infected with a malicious program and provided a link to for the user to click to purchase a program that would clean the computer.  Obviously, this was not a legitimate link, so I copied the link location to notepad and it pointed to hxxp://antispyspider.us/69.  DO NOT GO TO THIS LINK, IT IS VERY BAD!  Some other things this infection did was change the IP address and subnet mask; disabled the Task Manager and Registry Editor; and caused Internet Explorer to launch every couple of minutes to connect to the malicious site.  There was also a service that was added to the computer and it launched when Windows XP started.

The steps we used to try and defeat this nasty infection included:

- Running “msconfig” to disable all programs from starting
- Disabled the “Service” that was installed
- Turned off the System Restore feature, since we didn’t want anything malicious to be included in a restore
- Installed and ran CounterSpy, which found many malicious files, registry entries, and cookies.  We removed everything successfully

But we could not kill the Trojan, so I googled “AntiSpySpider” and found a very good web page showing how to kill this critter and if you need the instructions, you can get them from:

http://www.bleepingcomputer.com/malware-removal/antispyspider

The fix includes running a program to restore the registry editor, as well as a file to restore the task manager.  The instructions do a great job showing the victim how to remove this threat, so if you are one of the unfortunate souls, try this fix.  Then if you get it removed, you might consider running CounterSpy and F-Secure Internet Security; both of these programs have been quite dependable protecting our computers, as well as people we know.

Subject: You have yet to open your ecard.

The body of the email reads, “Someone sent you this Psycho Kitty card. It is Hilarious!” and of course, there is a link the criminals want you to click that points to an IP Address.

The other notable news from today is about a PDF Malware Spam outbreak throughout the Internet.  My F-Secure Anti-virus program has a nice little feature called “Security News” and during high levels of malicious activity, a balloon will pop up by the system clock with a warning to the consumer.

Today, the balloon popped up with an F-Secure Level 2 Security Alert and it read,

“Malicious PDF files being spammed out in volume. The files have “report” themed subjects and CVE-2007-5020 exploit that they use to download further components from the net.“

As usual, F-Secure protects against this threat; but other Anti-virus program may not, so please be aware that malicious PDF files are currently being spammed and you need to be extra cautious before opening them.

Also, Make sure you have the latest version of Adobe Acrobat and Acrobat Reader, because Adobe recently released security patches to address a critical vulnerability that if exploited, could have given the attacker complete control of the infected system.

To learn more about the latest PDF Threat, visit the F-Secure advisory at:

http://www.f-secure.com/v-descs/exploit_w32_adobereader_k.shtml

Or the SANS advisory at:

http://www.f-secure.com/weblog/archives/00001303.html

Stay safe out there…cyberspace is a hostile place!

In this particular e-mail, the bait is an “Online Game Tracker” and by clicking a link pointing to “http://IP address”, the victim is led to believe they will be able to follow the scores of the football games throughout the day.  However, the unsuspecting victim will most likely become infected with a variant of the Storm Worm.

As usual, when I saw this, I did my homework and checked out the SANS Internet Storm Center Diary for any late-breaking news about this latest threat and sure enough, they were on top of it.  Here is the story:

http://isc.sans.org/diary.html?storyid=3361

F-Secure also posted a warning on their Blog at: http://www.f-secure.com/weblog/

Anyone who reads security news blogs and articles understands that it is never a good idea to click on any link containing an IP Address and this link is no different.  Don’t take the bait…just delete the e-mail!

SANS has a good write-up about this latest threat and you can read it at:

http://isc.sans.org/diary.html?storyid=3298

Here is a variation I received today and if you read the SANS article, there are a lot of similarities; but what is important here is to realize this is just another example of a social engineering trick designed to tempt the unfortunate victim into clicking the link; which by the way is an IP Address…another dead giveaway that this is not an e-mail you should trust.  Below is a sample of the e-mail I received and of course, I changed the e-mail address and link address to protect the readers; but the content is very similar to the SANS example.

Subject: Secure Registration
From: “Recipes Galore” <spoofed address@spoofed domain>

Welcome Member,

Thank You for Joining Recipes Galore.

User Number: 866599439
Your Temp. Login ID: user1846
Your Password ID: tk604

Your temporary Login Info will expire in 24 hours. Please login and change it.

Use this link to change your Login info: http://www.xxx.yyy.zzz/

Enjoy,
Welcome Department
Recipes Galore

Be careful out there!  There’s nasty weather ahead!