Wednesday, June 11, 2008

AntiSpyCheck Rogue Program

AntiSpyCheck is a new rogue anti-spyware program. It is installed by the Zlob trojan, which generates fake alerts designed to get you to purchase it. The Zlob trojan disguises itself as a video codec that is supposedly needed to view a video; what it really installs is spyware that produces the fake alerts, along with AntiSpyCheck itself, to trick you into buying it.

Here are some lines from HijackThis that you may find if you are infected:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://internetsearchservice.com/ie6.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://internetsearchservice.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://internetsearchservice.com
O2 - BHO: WarningBHO Class - {56FA7933-DC3E-403b-8D47-BB5E3F345A21} - C:\Program Files\AntiSpyCheck\IEWarning.dll
O2 - BHO: 514852 helper - {9420D9C5-E151-4D83-B9A6-27DE1A7A0E5F} - C:\WINDOWS\system32\514852\514852.dll
O2 - BHO: (no name) - {99BA268B-4021-4739-9945-3C774217FE75} - C:\Program Files\NetProject\sbmdl.dll
O4 - HKLM\..\Run: [AntiSpyCheck 2.1.0] "C:\Program Files\AntiSpyCheck\AntiSpyCheck.exe"
O4 - HKLM\..\Policies\Explorer\Run: [some] C:\Program Files\NetProject\scit.exe
O4 - HKLM\..\Policies\Explorer\Run: [start] C:\Program Files\NetProject\sbmntr.exe
O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.ietoolpro.com/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.ietoolpro.com/redirect.php (file missing)
O22 - SharedTaskScheduler: campaniform - {5c7b71bb-6d49-4bdc-b60d-f9fe0481eb5f} - C:\WINDOWS\system32\kfcpnd.dll

Here are some files that you may have if you are infected with this trojan:

c:\Program Files\AntiSpyCheck
c:\Program Files\AntiSpyCheck\AntiSpyCheck.exe
c:\Program Files\AntiSpyCheck\IEWarning.dll
c:\Program Files\Mozilla Firefox\extensions\sotfone-tracker@sotfone.ru
c:\Program Files\NetProject
c:\Program Files\NetProject\sbmdl.dll
c:\Program Files\NetProject\sbmntr.exe
c:\Program Files\NetProject\sbsm.exe
c:\Program Files\NetProject\sbun.exe
c:\Program Files\NetProject\scit.exe
c:\Program Files\NetProject\scm.exe
c:\Program Files\NetProject\scu.exe
c:\WINDOWS\system32\kfcpnd.dll
c:\WINDOWS\system32\514852\514852.dll
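As an added example (not part of the original post or of HijackThis itself), here is a small Python script that parses HijackThis log lines of the kinds shown above (R0/R1 search hijacks, O2 BHOs, O4 autoruns, O9 IE extras, O22 SharedTaskScheduler) into structured records and flags any entry whose CLSID, file path or URL host matches the AntiSpyCheck/NetProject indicators listed in this post. The sample log embedded in the script is constructed from the lines above plus one benign start-page entry, so the matcher has something to leave alone; the indicator sets come only from this post.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Constructed sample: lines taken from the post above plus one benign R0
# entry (example.com) that must not be flagged.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://internetsearchservice.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
O2 - BHO: WarningBHO Class - {56FA7933-DC3E-403b-8D47-BB5E3F345A21} - C:\Program Files\AntiSpyCheck\IEWarning.dll
O2 - BHO: (no name) - {99BA268B-4021-4739-9945-3C774217FE75} - C:\Program Files\NetProject\sbmdl.dll
O4 - HKLM\..\Run: [AntiSpyCheck 2.1.0] "C:\Program Files\AntiSpyCheck\AntiSpyCheck.exe"
O4 - HKLM\..\Policies\Explorer\Run: [some] C:\Program Files\NetProject\scit.exe
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.ietoolpro.com/redirect.php (file missing)
O22 - SharedTaskScheduler: campaniform - {5c7b71bb-6d49-4bdc-b60d-f9fe0481eb5f} - C:\WINDOWS\system32\kfcpnd.dll
"""

# Indicators copied from the post. CLSIDs are compared upper-cased and
# paths lower-cased so that casing differences in the log do not matter.
KNOWN_CLSIDS = {
    "{56FA7933-DC3E-403B-8D47-BB5E3F345A21}",  # WarningBHO (IEWarning.dll)
    "{9420D9C5-E151-4D83-B9A6-27DE1A7A0E5F}",  # 514852 helper
    "{99BA268B-4021-4739-9945-3C774217FE75}",  # NetProject sbmdl.dll
    "{9034A523-D068-4BE8-A284-9DF278BE776E}",  # "IE Anti-Spyware" button/menu item
    "{5C7B71BB-6D49-4BDC-B60D-F9FE0481EB5F}",  # SharedTaskScheduler kfcpnd.dll
}
KNOWN_PATHS = {p.lower() for p in (
    r"c:\Program Files\AntiSpyCheck\AntiSpyCheck.exe",
    r"c:\Program Files\AntiSpyCheck\IEWarning.dll",
    r"c:\Program Files\NetProject\sbmdl.dll",
    r"c:\Program Files\NetProject\sbmntr.exe",
    r"c:\Program Files\NetProject\sbsm.exe",
    r"c:\Program Files\NetProject\sbun.exe",
    r"c:\Program Files\NetProject\scit.exe",
    r"c:\Program Files\NetProject\scm.exe",
    r"c:\Program Files\NetProject\scu.exe",
    r"c:\WINDOWS\system32\kfcpnd.dll",
    r"c:\WINDOWS\system32\514852\514852.dll",
)}
KNOWN_HOSTS = {"internetsearchservice.com", "www.ietoolpro.com"}

# A HijackThis line is "<type code> - <body>", e.g. "O2 - BHO: ...".
LINE_RE = re.compile(r"^([RO]\d+) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Drive-letter path ending in .exe or .dll; stops at a closing quote.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll)\b', re.IGNORECASE)
URL_RE = re.compile(r"https?://\S+")


def parse_line(line: str) -> Optional[Dict]:
    """Split one HijackThis line into its type code and the indicators it carries."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    code, body = m.group(1), m.group(2)
    clsid = CLSID_RE.search(body)
    path = PATH_RE.search(body)
    url = URL_RE.search(body)
    return {
        "type": code,
        "body": body,
        "clsid": clsid.group(0).upper() if clsid else None,
        "path": path.group(0).lower() if path else None,
        "host": urlparse(url.group(0)).hostname if url else None,
    }


def classify(entry: Dict) -> List[str]:
    """Return the list of reasons this entry matches the post's indicators (empty if clean)."""
    reasons = []
    if entry["clsid"] in KNOWN_CLSIDS:
        reasons.append("known CLSID")
    if entry["path"] in KNOWN_PATHS:
        reasons.append("known file path")
    if entry["host"] in KNOWN_HOSTS:
        reasons.append("known hijack host")
    return reasons


def scan(log_text: str) -> List[Dict]:
    """Parse every line of a HijackThis log and return only the flagged entries."""
    hits = []
    for line in log_text.strip().splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = classify(entry)
        if reasons:
            entry["reasons"] = reasons
            hits.append(entry)
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['type']}: {', '.join(hit['reasons'])}  <-  {hit['body']}")
```

Matching on the CLSID as well as the path matters for a log like this one: the O9 entries show "(file missing)", so a path-only check would miss them, while the CLSID and the redirect host still identify the hijack. The indicator sets are deliberately limited to what the post lists; a production checker would load them from a maintained feed rather than hard-code them.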

For full details and a free removal guide, take a look at Bleeping Computer's AntiSpyCheck Removal Guide.

Monday, June 02, 2008

Internet Explorer Flaw Plus Safari Equals Trouble

An undisclosed vulnerability in Internet Explorer, combined with Safari for Windows' ability to download files without prompting, apparently allows the bad guys to take over Windows. This affects XP and Vista with IE versions 6 and 7. The unnamed Internet Explorer bug has been around for a while. Combined with the Windows version of Safari, which downloads files with no option to prompt first, the flaw can be used to take over Windows, reports Aviv Raff.

The flaw in Internet Explorer uses the calculator program in conjunction with Safari for Windows, turning two moderate vulnerabilities into a critical one. Microsoft has issued a bulletin, but it doesn't really say much. Even if Microsoft patches IE, Safari's "carpet bomb" issue remains and can still allow unwanted downloads. Right now, Apple doesn't appear to want to fix this. Simply adding an option to prompt before every download would help prevent it; StopBadware wrote on their blog to urge Apple to do so.

You have to visit a specially crafted web page for this exploit to work, so it is not an all-out fiasco, and so far there is no known use of this problem. Right now, the only guaranteed fix is to uninstall Safari for Windows. That may not be a bad idea, since there could be more bugs like this that can be exploited in Safari for Windows, Raff said in an interview with Macworld.
