Saturday, November 24, 2007

MSN Messenger Trojan

An MSN trojan is infecting thousands of PCs worldwide via an IRC botnet. The malware is being introduced by MSN Messenger files posing as pictures, mostly appearing to come from known contacts.

So you get a message saying ‘Hey, this is your pic’ or ‘Hey this is your pic on this site’ with a link to a picture rating site. Click on the link and you will find that your computer has been recruited into the botnet!

From e-Week

The Trojan is an IRC bot that’s spreading through MSN Messenger by sending itself in a .zip file with two names. One of the names includes the word “pics” as a double extension executable—a name generally used by scanners and digital cameras: for example, DSC00432.jpg.exe. The Trojan is also contained in a .zip file with the name “images” as a .pif executable—for example, IMG34814.pif.

The files are infiltrating new systems by using either known contacts, from which the Trojan has harvested instant messaging names, or the systems of unknown users.

The infection vector—an IM program—isn’t new. But the Trojan is the first that eSafe has tracked that has tried to scan for VNC (Virtual Network Computing) instances, likely in order to multiply the botnet’s number of connections.

Use your common sense when chatting with friends: don’t click on links or open files sent from friends or anyone else unless you are 100% sure that your friend intended to send you the link. They won’t be offended if you decline to click!

Here is some good advice from Get Safe Online about using Instant Messaging safely.

Wednesday, November 14, 2007 (formerly Security Central)

For various reasons my friends at Security Central (or have felt it necessary to change name and move domain.

You can find the team at or if you want a direct link to the forums then click here.

Nothing else has changed. You will still get great security news and support there, although the nice green skin has been disabled for the time being, as there is still a little work to be done on it.

Please update your bookmarks and give Larry and Paul some support by paying them a visit now and then.

Tuesday, November 13, 2007

Zangcodec and Virus Protect 3.8

A codec is a little piece of software that is needed so that you can play or stream some video files. Personally I’ve never had to install a codec, but then I don’t do a lot with that medium.

One of the biggest problems on the internet at the moment is the Zlob trojan (and its variants). People get stung because they are told they need a codec to play certain adult material. Once it is installed, the victim is plagued with pop-ups from some fake antispyware program or other, and the computer becomes more or less unusable.

Recently the stakes have been upped a little and the Apple Mac platform has been targeted along with Windows. The latest malicious codec site is Zangocodec, as reported by Sunbelt.

The latest rogue program seems to be Virus Protect 3.8 which was put on the Smitfraud list by S!Ri yesterday.  S!Ri is the author of Smitfraudfix and has been keeping this essential tool updated for the last three years or so.  Thank you S!Ri.

If you want a bit more information about zangcodec then click here. If you need to know how to use the Smitfraudfix tool then click here. But I do suggest that you ask for assistance at one of the fantastic anti-malware sites, which will not only help to get you clean but will also give you some good technical advice on how to avoid this sort of infection in the future. You can find a list of anti-malware sites here.

Monday, November 12, 2007

Get Safe Online Awareness Week

Get Safe Online is a cracking site full of useful information in language that we can all understand. It’s the site I recommend to friends and colleagues who aren’t exactly computer nuts like me. The site is sponsored by the UK Government and various industry partners, including Microsoft.

Unfortunately it also seems to be one of the best kept secrets on the internet. I very rarely see links to the site in my travels and certainly see very little about it in other types of media.

Hopefully this will change soon. The BBC ran a story today about the risks of identity theft and fraud when using social networking sites and Get Safe Online was heavily featured in the article.

This week is Get Safe Online Awareness Week, and the Get Safe Online campaign will be travelling around the country offering independent, expert advice on how you can stay safe and secure when using the internet.

  • Tuesday 13th November - Bristol & Edinburgh
  • Wednesday 14th November - Cardiff & Newcastle
  • Thursday 15th November - Birmingham & Manchester

If you have a web site or a blog then why not share a link? The site provides banners and script snippets in its supporters’ kit and will also link to your site, and as we all know, Google loves links! Get Safe Online link information here.

Thursday, November 08, 2007

Microsoft Security Bulletin Advance Notification for November 2007

Microsoft have released an advance notification for the normal monthly updates that are due to be released next Tuesday. Don't forget to prepare for the updates as I've outlined in an earlier entry - How To Prepare for Patch Tuesday.

On 13 November 2007 Microsoft is planning to release:

Security Updates

One Critical Bulletin.

  • One Microsoft Security Bulletin affecting Microsoft Windows with a Maximum Severity rating of Critical. This update will require a restart and will be detectable using the Microsoft Baseline Security Analyzer.

One Important Bulletin.

  • One Microsoft Security Bulletin affecting Windows with a Maximum Severity rating of Important. This update may require a restart and will be detectable using the Microsoft Baseline Security Analyzer.

Microsoft Windows Malicious Software Removal Tool

  • Microsoft will release an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services and the Download Centre.

Non-security High Priority updates on MU, WU, WSUS and SUS

  • Microsoft will release zero NON-SECURITY High-Priority Updates for Windows on Windows Update (WU)
  • Microsoft will release three NON-SECURITY High-Priority Updates on Microsoft Update (MU) and Windows Server Update Services (WSUS).

Microsoft Security Bulletin Advance Notification

Obtaining Other Security Updates

Updates for other security issues are available from the following locations:

  • Security updates are available from Microsoft Download Center. You can find them most easily by doing a keyword search for "security update".
  • Updates for consumer platforms are available from Microsoft Update.
  • You can obtain the security updates offered this month on Windows Update, from Download Center on Security and Critical Releases ISO CD Image files. For more information, see Microsoft Knowledge Base Article 913086.

Saturday, November 03, 2007

Firefox Update to v2.0.0.9

I've had a bad cold which finally got the better of me yesterday, so I didn't get to tell you about the latest update to Firefox. If you use Firefox and it hasn't already prompted you to download and install the update, then you can do it manually by opening Firefox and going to Help > Check For Updates.

This is a stability update that corrects several issues that were found in the previous version of Firefox.

Thursday, November 01, 2007

October's Top Twenty

Want to know what was doing the rounds last month?

Online Scanner Top Twenty for October


  • New: Packed.Win32.NSAnti.r,, Trojan.Win32.VB.atg, Trojan-Downloader.Win32.AutoIt.q, not-a-virus:Porn-Dialer.Win32.AdultBrowser.
  • Moved up:, Email-Worm.Win32.Rays, IM-Worm.Win32.Sohanad.t,, Worm.Win32.AutoIt.c
  • Moved down: Trojan.Win32.Dialer.qn, Trojan-Downloader.Win32.Small.ddp,, not-a-virus:PSWTool.Win32.RAS.a,, Trojan-Spy.Win32.Perfloger.ab
  • No change: Email-Worm.Win32.Brontok.q, Virus.VBS.Small.a, Trojan.Win32.Obfuscated.en

Virus Top Twenty for October


  • New: Trojan-Spy.HTML.Fraud.ay, Exploit.Win32.PDF-URI.k, Virus.Win32.Virut.a
  • Went up: Worm.Win32.Feebs.gen, Email-Worm.Win32.NetSky.t, Net-Worm.Win32.Mytob.t, Net-Worm.Win32.Mytob.u
  • Went down: Email-Worm.Win32.NetSky.aa, Email-Worm.Win32.Mydoom.l,, Email-Worm.Win32.Nyxem.e, Net-Worm.Win32.Mytob.c, Email-Worm.Win32.NetSky.b, Net-Worm.Win32.Mytob.dam, Exploit.Win32.IMG-WMF.y,
  • Re-entry: Email-Worm.Win32.LovGate.w

OSX Has Its Own Zlob DNSChanger: OSX.RSPlug.A

Right before going to bed, I saw that there is a new variant of the all too familiar Zlob DNSChanger that has been infecting Windows computers for some two years now. The big change is that it targets Mac OS X instead of Windows. It does the same thing as the Windows versions: it changes your DNS settings to hijack your computer. It will redirect you to web sites you didn't mean to go to, and your search results will also get sent to the ones the bad guys want you to see. That way, they can bombard you with ads and other garbage to try and get money out of you.

DNS is like a phone book. Your computer looks up what IP address a site like has. Since you are now using the fake phone book, when you click on a link or enter a web address, they send you to a similar-looking web site. Usually it has a lot of ads and links to other crappy websites. My experience with the Windows variants is that you tend to get only a few redirects and are then left alone for a while. Also, unlike the Zlob variant that tries to sell a fake antispyware program, you do not get pop-ups and warning balloons claiming that your system is infected.

The OS X version uses the same tactics to get you to install the trojan. A video gives you a warning that you need to install a codec or plug-in for QuickTime to view it. When you download the fake codec and try to install it, OS X will ask you for your admin password. This is one advantage that OS X has over the setup most Windows users run. If you do not enter your password, then nothing bad happens. If you do enter your password, then you get hijacked.

Macworld has more details on this and on how it can be removed. One of the first to report this trojan was Intego, who make security software for Macintosh computers.

Check in your Library folder (not the System/Library or your user Library) for a file called plugins.settings. The path to the file is:

/Library/Internet Plug-Ins/plugins.settings

Removing that file by itself won't fix the trojan. You need to do a little work in Terminal to remove OSX.RSPlug.A.

1. In the Finder, navigate to /Library -> Internet Plug-Ins, and delete the file named plugins.settings. Empty the trash. This deletes the tool that sets the rogue DNS Server information.

2. In Terminal, type sudo crontab -r and provide your admin password when asked. This deletes the root cron job that checks the DNS Server settings. You can prove it worked by typing sudo crontab -l; you should see the message crontab: no crontab for root.

3. Open your Network System Preferences panel, go to the DNS Server box, and copy the entries you can see to a Stickies note or TextEdit document, or memorise them. Now retype those same values in the box, then click Apply.

4. Reboot your Mac.
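The two indicators the removal steps above rely on (the plugins.settings file and the root cron job) can be checked from Terminal before and after the clean-up. The script below is an added example, not from the original post or from Macworld; it assumes the root crontab text is passed in as a second argument (so it can be tested without root) and that a default Mac has no root crontab at all, which is why any root crontab is flagged for review rather than declared malicious.

```shell
#!/bin/sh
# Added example: look for the OSX.RSPlug.A indicators named in the removal
# steps. $1 is the filesystem root to inspect (defaults to /, but a test can
# point it at a constructed directory tree); $2 is the text of root's crontab,
# normally obtained with:  rsplug_check / "$(sudo crontab -l 2>/dev/null)"

PLUGIN_FILE="Library/Internet Plug-Ins/plugins.settings"

# Prints each indicator found and returns 1 if any was found, 0 if clean.
rsplug_check() {
    root="${1:-/}"
    crontab_text="$2"
    found=0

    # Indicator 1: the tool that sets the rogue DNS server information.
    if [ -f "$root/$PLUGIN_FILE" ]; then
        echo "INDICATOR: $root/$PLUGIN_FILE is present (rogue DNS setter)"
        found=1
    fi

    # Indicator 2: a root cron job re-applying the DNS settings. A clean Mac
    # has no root crontab by default (assumption), so anything here needs
    # review; after 'sudo crontab -r' this should be empty.
    if [ -n "$crontab_text" ]; then
        echo "INDICATOR: root has a crontab; review these entries:"
        echo "$crontab_text"
        found=1
    fi

    [ "$found" -eq 0 ] && echo "No OSX.RSPlug.A indicators found in $root"
    return "$found"
}

# Stand-alone use: inspect the real system. The crontab read is best-effort.
if [ "${RSPLUG_SELFTEST:-0}" = "0" ] && [ -z "$RSPLUG_NO_MAIN" ]; then
    rsplug_check / "$(crontab -l 2>/dev/null)"
fi
```

Run it as root (or via sudo) to see root's crontab rather than your own; step 3 (re-entering the DNS servers) still has to be done by hand in System Preferences.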

For the most part, this is more of an annoyance. The main danger comes if you go to a website and enter personal information that the crooks want: they could redirect you to a website that isn't really your bank or PayPal and steal your login details. For now, though, it seems to be used mainly to send you to websites that peddle programs and display ads for you to click on.