5 Star Support - Free Computer Help and Technical Support
Computer Security Information Center


Mission Statement

The Computer Security Information Center is one of the newer sections here on 5 Star Support. It is one of the ten major sections of the Web site. We are dedicated to assisting you with security threat concerns to your computer from various sources on the Internet. While we cannot say "Don't worry, we've got your back", nobody else can either. What we are all about here is trying to keep you as safe as possible by supplying concise security information organized in one place so you won't have to waste a lot of time looking all over the Internet for it yourself. We hope to improve your computer security and help you both avoid and solve problems by:

  • Raising your awareness of security risks through tutorials and news articles
  • Providing tutorials that explain how to fix security-related problems
  • Providing high-quality information about virus risks and solutions
  • Increasing your knowledge of needed security-related skills
  • Helping you set up your computer to avoid major security problems
  • Providing assistance in treating and removing virus infections you encounter

If we can accomplish this, then we feel very good about the free security assistance we have provided for you. If you agree, please let us know we have helped - it's what keeps us going. Stay safe by visiting us often here at the 5 Star Support Security Center.

For Free Spyware scanners and other security related downloads, please visit our Free Anti-Virus and Anti-Spyware Software page.

Weekly Virus Article

Remove Spyware/Malware or ANY Virus - FOR FREE
Source: 5 Star Support

06.10.09
Spyware, malware and computer viruses are a problem that nearly all computer users face. The greatest defense against these parasites is awareness. If you visit web sites of questionable integrity or download files frivolously, you are taking huge risks. Many viruses today are written with very harmful intent: they can log your keystrokes so that your banking information is compromised. Granted, that is close to the worst-case scenario, but it is a very real one that happens all the time.

If you need help, there are many security experts at your disposal who are willing to give their free time either to coach you on keeping your files safe or to help you safely remove threats from an infected machine. All of this we provide to you for free!

We are here for you when you need our help!

http://www.5starsupport.com/ipboard/index.php

 

 

For Free Spyware scanners and other security related downloads, please visit our Virus Information Page.


Weekly Security News

Posted by Dave
5 Star Support Security Specialist

Week of 06/07/09 –

General -

This has been a huge week for patches from many of the major vendors, so you will have a lot of updating to do. Everything I am covering this week should be considered an urgent item on your to-do list. Microsoft, Adobe, Sun (Java), Apple and Mozilla (Firefox) are all in the mix this month.

Microsoft –

Now that I have had a day to look over all the bulletins, we can all benefit from a brief explanation of what each one relates to and does. There are a total of 10 bulletins covering a total of 31 vulnerabilities. Here goes, in numerical order:

MS09-018 (Critical): Fixes two privately reported vulnerabilities in implementations of Active Directory on Microsoft Windows 2000 Server and Windows Server 2003, and in Active Directory Application Mode (ADAM) when installed on Windows XP Professional and Windows Server 2003. The more severe vulnerability could allow remote code execution. It is rated Critical for all supported editions of Microsoft Windows 2000 Server, and Important for supported versions of Windows XP Professional and Windows Server 2003.

Details –

Description
This patch fixes two vulnerabilities within Microsoft Active Directory and Active Directory Application Mode (ADAM). These vulnerabilities allow an attacker to craft a malicious Active Directory network request that, when received by a vulnerable host, could allow for the arbitrary execution of code on Windows 2000 hosts or a Denial of Service (DoS) condition on other host operating systems.

Active Directory Invalid Free Vulnerability - CVE-2009-1138
A remote code execution vulnerability exists in implementations of Active Directory on Microsoft Windows 2000 Server. The vulnerability is due to incorrect freeing of memory when processing specially crafted LDAP or LDAPS requests. An attacker who successfully exploited this vulnerability could take complete control of an affected system.

Active Directory Memory Leak Vulnerability - CVE-2009-1139
A denial of service vulnerability exists in implementations of Active Directory on Microsoft Windows 2000 Server and Windows Server 2003. The vulnerability also exists in implementations of Active Directory Application Mode (ADAM) when installed on Windows XP Professional and Windows Server 2003. The vulnerability is due to improper memory management during execution of certain types of LDAP or LDAPS requests. An attacker who successfully exploited this vulnerability could cause the affected server to stop responding.

Windows 2000 Active Directory servers are at the highest risk, since on that platform CVE-2009-1138 can lead to arbitrary code execution. Because Active Directory vulnerabilities can allow attackers to compromise entire subnets and domains, domain controllers are high-priority targets for attackers who have already gained access to workstations by other means.

MS09-019 (Critical): Patches seven privately reported vulnerabilities and one publicly disclosed vulnerability in Internet Explorer. The more severe of the vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. Affects IE 5.01, IE 6, IE 7 and IE 8 running on all supported editions of Windows.

Details –

Description
This patch fixes eight vulnerabilities within Microsoft Internet Explorer. These vulnerabilities allow an attacker to craft a malicious website or HTML page that when viewed by a vulnerable Internet Explorer browser, could allow for Cross-Domain Information Disclosure (Cross-Domain Scripting/Hijacking), Denial of Service (Browser crash), or execution of arbitrary code in the context of the current user.

Race Condition Cross-Domain Information Disclosure Vulnerability - CVE-2007-3091
An information disclosure vulnerability exists in Internet Explorer that could allow script to gain access to the content in another browser window in another domain or Internet Explorer zone. An attacker could exploit the vulnerability by constructing a specially crafted Web page that could allow information disclosure if a user viewed the Web page. An attacker who successfully exploited this vulnerability could view data from a Web page in another Internet Explorer domain.

Cross-Domain Information Disclosure Vulnerability - CVE-2009-1140
An information disclosure vulnerability exists in the way that Internet Explorer caches data and incorrectly allows the cached content to be called, potentially bypassing Internet Explorer domain restriction. An attacker could exploit the vulnerability by constructing a specially crafted Web page that could allow information disclosure if a user viewed the Web page. An attacker who successfully exploited this vulnerability could view content from the local computer or another browser window in another domain or Internet Explorer zone.

DHTML Object Memory Corruption Vulnerability - CVE-2009-1141
A remote code execution vulnerability exists in the way Internet Explorer displays a Web page that contains certain unexpected method calls to HTML objects. As a result, system memory may be corrupted in such a way that an attacker could execute arbitrary code if a user visited a specially crafted Web site. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user.

HTML Object Memory Corruption Vulnerability - CVE-2009-1528/1530/1531/1532
A remote code execution vulnerability exists in the way Internet Explorer accesses an object that has not been correctly initialized or has been deleted. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Uninitialized Memory Corruption Vulnerability - CVE-2009-1529
A remote code execution vulnerability exists in the way Internet Explorer accesses an object that has not been correctly initialized or has been deleted. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Microsoft Internet Explorer vulnerabilities are among the most targeted vulnerabilities used by attackers. They are easily delivered via email and Instant Message (IM) links, social engineering, Cross-site scripting (XSS), or SQL Injection attacks on legitimate websites that redirect visitors to malicious websites. Attackers will then use these vulnerabilities to execute and install malware which allows the attacker to further infiltrate the compromised system and gain access to sensitive information.

MS09-020 (Important): Fixes one publicly disclosed vulnerability and one privately reported vulnerability in Microsoft Internet Information Services (IIS). The vulnerabilities could allow elevation of privilege if an attacker sent a specially crafted HTTP request to a Web site that requires authentication. These vulnerabilities allow an attacker to bypass the IIS configuration that specifies which type of authentication is allowed, but not the file system-based access control list (ACL) check that verifies whether a file is accessible by a given user.  Affects all supported editions of Microsoft Windows 2000, Windows XP, and Windows Server 2003.

Details –

Description
This patch fixes two vulnerabilities within the WebDAV extension of Microsoft IIS 5.0, 5.1, and 6.0. These vulnerabilities allow an attacker to craft a malicious HTTP WebDAV request that, when received by a vulnerable host, could allow the attacker to bypass certain authentication restrictions and gain access to sensitive information or files.

IIS 5.0 WebDAV Authentication Bypass Vulnerability - CVE-2009-1122
An elevation of privilege vulnerability exists in the way that the WebDAV extension for IIS handles HTTP requests. An attacker could exploit this vulnerability by creating a specially crafted anonymous HTTP request to gain access to a location that should require authentication.

IIS 5.1 and 6.0 WebDAV Authentication Bypass Vulnerability - CVE-2009-1535
An elevation of privilege vulnerability exists in the way that the WebDAV extension for IIS handles HTTP requests. An attacker could exploit this vulnerability by creating a specially crafted anonymous HTTP request to gain access to a location that typically requires authentication.

This patch addresses two authentication bypass vulnerabilities, including one that was publicly disclosed before the patch (CVE-2009-1535). That bypass is being used in the wild to reach files and sites that are protected only by WebDAV authentication restrictions. Files and data reached this way can include sensitive personal or business information, and can be used to compromise additional systems.

MS09-021 (Critical): Patches seven privately reported vulnerabilities that could allow remote code execution if a user opens a specially crafted Microsoft Excel file that includes a malformed record object. An attacker who successfully exploited any of these vulnerabilities could take complete control of an affected system.  It affects Excel 2000, Excel 2002, Excel 2003, Excel 2007, Office 2004 for Mac, and Microsoft Office 2008 for Mac; Open XML File Format Converter for Mac; and all supported versions of Microsoft Office Excel Viewer and Microsoft Office Compatibility Pack.

Details –

Description
This patch fixes seven vulnerabilities within all versions of Microsoft Excel. These vulnerabilities allow an attacker to form a specially-crafted Excel document that, when viewed by a vulnerable user, could allow for an attacker to execute arbitrary code on the remote system.

Record Pointer Corruption Vulnerability - CVE-2009-0549/1134
A remote code execution vulnerability exists in Microsoft Office Excel that could allow remote code execution if a user opens a specially crafted Excel file that includes a malformed record object. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Object Record Corruption Vulnerability - CVE-2009-0557
A remote code execution vulnerability exists in Microsoft Office Excel that could allow remote code execution if a user opens a specially crafted Excel file that includes a malformed record object. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Array Indexing Memory Corruption Vulnerability - CVE-2009-0558
A remote code execution vulnerability exists in Microsoft Office Excel that could allow remote code execution if a user opens a specially crafted Excel file that includes a malformed record object. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

String Copy Stack-Based Overrun Vulnerability - CVE-2009-0559
A remote code execution vulnerability exists in Microsoft Office Excel that could allow remote code execution if a user opens a specially crafted Excel file that includes a malformed record object. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Field Sanitization Memory Corruption Vulnerability - CVE-2009-0560
A remote code execution vulnerability exists in Microsoft Office Excel that could allow remote code execution if a user opens a specially crafted Excel file that includes a malformed record object. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Record Integer Overflow Vulnerability - CVE-2009-0561
A remote code execution vulnerability exists in Microsoft Office Excel that could allow remote code execution if a user opens a specially crafted Excel file that includes a malformed record object. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

These vulnerabilities pose a very serious risk to all Excel users. Attackers are likely to deliver these attacks through various means, such as social engineering and malicious emails or websites hosting malformed files. Once exploited, attackers will likely install malware on the system in order to gain further access and steal sensitive information stored on the vulnerable machine.
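Six of the seven Excel issues above are variations on one theme: a record in the binary workbook declares a size or count that the parser trusts without checking it against the bytes actually present. The following is an added example, not Microsoft code, that walks a BIFF8 record stream (the real framing is a 16-bit record type followed by a 16-bit data length; in a real .xls file this stream sits inside the Workbook stream of an OLE compound file, which is skipped here) and shows the trusting parser beside the hardened one. The record streams are constructed, and record type 0x0FFF is a hypothetical "array" record invented for the example to show an internal count field that must be bounded by the record's own length. The same "malformed record" class is what the Word bulletin (MS09-027) below fixes.

```python
import struct

RECORD_HEADER = struct.Struct("<HH")  # BIFF record framing: u16 type, u16 data length, little-endian
MAX_RECORD_DATA = 8224                # largest data size a single BIFF8 record may carry
BOF, EOF = 0x0809, 0x000A             # real BIFF8 record types
ARRAY_REC = 0x0FFF                    # hypothetical record type invented for this example


class MalformedRecord(ValueError):
    """Raised when a record's framing or internal counts do not fit the bytes present."""


def rec(rtype: int, data: bytes = b"") -> bytes:
    """Frame one record: header with the true length, then the data."""
    return RECORD_HEADER.pack(rtype, len(data)) + data


# Constructed streams (only the framing is realistic; these are not real workbooks).
BOF_DATA = b"\x00\x06\x05\x00" + b"\x00" * 12  # version 0x0600, type 0x0005, rest zeroed
GOOD_STREAM = (rec(BOF, BOF_DATA)
               + rec(ARRAY_REC, struct.pack("<HII", 2, 1, 2))  # count=2, entries 1 and 2
               + rec(EOF))
# Header claims 0xFFFF data bytes: more than the format allows for any record.
OVERSIZED_STREAM = rec(BOF, BOF_DATA) + RECORD_HEADER.pack(0x00FC, 0xFFFF) + b"\x00" * 4
# Header claims 100 bytes but only 4 follow: the "malformed record object" case.
TRUNCATED_STREAM = rec(BOF, BOF_DATA) + RECORD_HEADER.pack(0x00FC, 100) + b"\x00" * 4
# Record is well framed, but its internal count points far past its own data.
BAD_COUNT_STREAM = (rec(BOF, BOF_DATA)
                    + rec(ARRAY_REC, struct.pack("<HI", 0xFFFF, 1))
                    + rec(EOF))


def walk_records_unsafe(stream: bytes):
    """Trusts the declared length. In Python the short slice is merely wrong;
    in a C parser that memcpy()s `length` bytes it is an out-of-bounds read."""
    records, pos = [], 0
    while pos < len(stream):
        rtype, length = RECORD_HEADER.unpack_from(stream, pos)
        pos += RECORD_HEADER.size
        records.append((rtype, stream[pos:pos + length]))  # short read goes unnoticed
        pos += length
    return records


def walk_records(stream: bytes, max_data: int = MAX_RECORD_DATA):
    """Hardened walker: every declared length is checked against the format's
    limit and against the bytes that remain before a single byte is used."""
    records, pos, end = [], 0, len(stream)
    while pos < end:
        if end - pos < RECORD_HEADER.size:
            raise MalformedRecord(f"truncated record header at offset {pos}")
        rtype, length = RECORD_HEADER.unpack_from(stream, pos)
        start = pos
        pos += RECORD_HEADER.size
        if length > max_data:
            raise MalformedRecord(f"record 0x{rtype:04X} at offset {start} declares "
                                  f"{length} data bytes, limit is {max_data}")
        # Compare against the remaining byte count rather than computing pos + length:
        # the subtraction cannot wrap, which is the integer-overflow pitfall in C.
        if length > end - pos:
            raise MalformedRecord(f"record 0x{rtype:04X} at offset {start} declares "
                                  f"{length} data bytes but only {end - pos} remain")
        records.append((rtype, stream[pos:pos + length]))
        pos += length
        if rtype == EOF:
            break
    return records


def parse_array_record(data: bytes):
    """Parse [u16 count][count x u32]. The count is attacker-controlled and must be
    bounded by the record's actual size before it drives any index or allocation."""
    if len(data) < 2:
        raise MalformedRecord("array record too short for its count field")
    (count,) = struct.unpack_from("<H", data, 0)
    needed = 2 + count * 4
    if needed > len(data):
        raise MalformedRecord(f"count {count} needs {needed} bytes, record has {len(data)}")
    return list(struct.unpack_from(f"<{count}I", data, 2))


def validate(stream: bytes) -> dict:
    """Run the hardened walker and the array-record parser; report instead of crash."""
    try:
        recs = walk_records(stream)
        arrays = [parse_array_record(d) for t, d in recs if t == ARRAY_REC]
        return {"ok": True, "records": len(recs), "arrays": arrays}
    except MalformedRecord as exc:
        return {"ok": False, "error": str(exc)}


if __name__ == "__main__":
    for name in ("GOOD_STREAM", "OVERSIZED_STREAM", "TRUNCATED_STREAM", "BAD_COUNT_STREAM"):
        print(name, validate(globals()[name]))
```

The unsafe walker returns a record whose data is shorter than its header claims and leaves the next stage to index past it; the hardened walker refuses the file at the header. Both checks are needed: the limit check catches absurd lengths early, and the remaining-bytes check catches a plausible length placed at the end of a truncated file.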

MS09-022 (Critical): Covers three privately reported vulnerabilities in Windows Print Spooler. The most severe vulnerability could allow remote code execution if an affected server received a specially crafted RPC request.  It applies to Windows 2000, Windows XP, Windows Server 2003, Windows Vista and Windows Server 2008.

Details –

Description
This patch fixes three vulnerabilities within Microsoft Windows Print Spooler service. These vulnerabilities allow an attacker to craft a malicious RPC network request that, when received by a vulnerable host, could allow the attacker to gain access to sensitive local information, elevate their privileges or execute arbitrary code at elevated privileges that would lead to the complete compromise of the affected system.

Buffer Overflow in Print Spooler Vulnerability - CVE-2009-0228
A remote code execution vulnerability exists in the Windows Print Spooler that could allow a remote, unauthenticated attacker to execute arbitrary code on an affected system. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts.

Print Spooler Read File Vulnerability - CVE-2009-0229
A local, authenticated information disclosure vulnerability exists in the Windows Printing Service that could allow a user to read or print any file on the system. This action can be taken even if the user does not have administrative access. However, the vulnerability could not be exploited remotely or by anonymous users.

Print Spooler Load Library Vulnerability - CVE-2009-0230
A remote, authenticated elevation of privilege vulnerability exists in the Windows Print Spooler that could allow an arbitrary dynamic link library (DLL) to be loaded by the Print Spooler. An attacker who successfully exploited this vulnerability could run arbitrary code with elevated privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

This patch addresses one local information disclosure and two remotely triggerable vulnerabilities, two of which allow complete system compromise. Windows 2000 is at the highest risk, since the unauthenticated remote code execution issue (CVE-2009-0228) applies there.

MS09-023 (Moderate): Patches a privately reported vulnerability in Windows Search. The vulnerability could allow information disclosure if a user performs a search that returns a specially crafted file as the first result or if the user previews a specially crafted file from the search results.

This security update is rated Moderate for Windows Search installed on all supported editions of Windows XP and Windows Server 2003.

Details –

Description
This patch fixes a single vulnerability within the optional Windows Search component. It allows an attacker to craft a malicious file that, when returned or previewed in search results on a vulnerable host, could run HTML script that discloses sensitive information to remote attackers. User interaction is required to exploit it.

Script Execution in Windows Search Vulnerability - CVE-2009-0239
An information disclosure vulnerability exists in Windows Search due to the way file previews are generated. Attempts to exploit this vulnerability require user interaction. An attacker who successfully exploited this vulnerability could run a malicious HTML script that could disclose information, forward user data to a third party, or access any data on the affected systems that was accessible to the logged-on user. Note that this vulnerability would not allow an attacker to execute code or to elevate their user rights directly, but it could be used to produce information that could be used to try to further compromise the affected system.

This patch addresses a vulnerability in Windows Search that requires user interaction. It is relatively low on the exploitability scale, since an attacker would first have to get the crafted file onto the system or in front of the user, which typically means extensive social engineering.

MS09-024 (Critical): Fixes a privately reported vulnerability in the Microsoft Works converters. The vulnerability could allow remote code execution if a user opens a specially crafted Works file. Affects Word 2000, Word 2002, Word 2003 with the Microsoft Works 6–9 File Converter, Word 2007 Service Pack 1, Microsoft Works 8.5 and Microsoft Works 9.

Details –

Description
This patch fixes a vulnerability within the Microsoft Works Converters. This vulnerability allows an attacker to craft a malicious Works file (.wps) that, when opened by a vulnerable host, could allow the attacker to execute arbitrary code in the context of the currently logged in user.

File Converter Buffer Overflow Vulnerability - CVE-2009-1533
A remote code execution vulnerability exists in the way that the Works for Windows document converters handle specially crafted Works files. The vulnerability could allow remote code execution if a user opens a specially crafted .wps file. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

This patch addresses a single vulnerability within Microsoft Works that remote attackers could deliver through typical means of email, IM, or website links. Once executed, the malicious WPS file would typically install malware on the system that allows remote attackers to gain access to the system and its resources.

MS09-025 (Important): Covers two publicly disclosed and two privately reported vulnerabilities in the Windows kernel that could allow elevation of privilege. An attacker who successfully exploited any of these vulnerabilities could execute arbitrary code and take complete control of an affected system. The vulnerabilities could not be exploited remotely or by anonymous users. Affects Microsoft Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.

Details –

Description
This patch fixes four vulnerabilities within the Windows kernel. These vulnerabilities allow a local attacker or exploit to craft a malicious API call, or execute code in such a way, that it triggers a denial of service condition (BSOD) or elevates the malicious program's or attacker's privileges to kernel level. This could then be used to completely compromise the system.

Windows Kernel Desktop Vulnerability - CVE-2009-1123
An elevation of privilege vulnerability exists in the way the Windows kernel validates certain desktop-related kernel objects. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Like the other issues in this bulletin, it cannot be exploited remotely or by anonymous users.

Windows Kernel Pointer Validation Vulnerability- CVE-2009-1124
An elevation of privilege vulnerability exists in the Windows kernel due to the insufficient validation of certain pointers passed from user mode. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Windows Driver Class Registration Vulnerability - CVE-2009-1125
An elevation of privilege vulnerability exists because the Windows kernel does not properly validate an argument passed to a Windows kernel system call. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Windows Desktop Parameter Edit Vulnerability - CVE-2009-1126
An elevation of privilege vulnerability exists when the Windows kernel improperly validates input passed from user mode to the kernel when editing a specific desktop parameter. The vulnerability could allow an attacker to run code with elevated privileges. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Attackers are likely to chain these vulnerabilities with other exploits, a technique sometimes called exploit piggy-backing: one exploit (a browser or document vulnerability, for example) gains code execution as the logged-on user, and any of the above vulnerabilities is then used to elevate to kernel level and completely compromise the system. Vulnerabilities of this type are essentially what makes Windows rootkits possible.

MS09-026 (Important): Patches a publicly disclosed vulnerability in the Windows remote procedure call (RPC) facility where the RPC Marshalling Engine does not update its internal state appropriately. The vulnerability could allow an attacker to execute arbitrary code and take complete control of an affected system.  Rated Important for all supported editions of Microsoft Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.

Details –

Description
This patch fixes a vulnerability within the Microsoft Remote Procedure Call (RPC) framework. It allows an attacker to craft a malicious RPC request that, when processed by a vulnerable application, could allow the attacker to execute arbitrary code with elevated privileges. It is important to know that this vulnerability does not affect any RPC interface that ships with Microsoft Windows; however, certain third-party applications built on the RPC runtime are at risk.

RPC Marshalling Engine Vulnerability - CVE-2009-0568
An elevation of privilege vulnerability exists in the Windows remote procedure call (RPC) facility where the RPC Marshalling Engine does not update its internal state appropriately. The failure to update internal state could lead to a pointer being read from an incorrect location. An attacker who successfully exploited this vulnerability could execute arbitrary code and take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

This patch addresses a single vulnerability within the RPC library for Microsoft Windows. The vulnerability can be present in 32-bit applications that implement RPC calls using a specific data structure.

MS09-027 (Critical): Covers two privately reported vulnerabilities that could allow remote code execution if a user opens a specially crafted Microsoft Word file. Rated Critical for all supported editions of Microsoft Office Word 2000. For all supported editions of Microsoft Office Word 2002, Microsoft Office Word 2003, Microsoft Office Word 2007, Microsoft Office 2004 for Mac, and Microsoft Office 2008 for Mac, and all supported versions of Open XML File Format Converter for Mac, Microsoft Office Compatibility Pack, and Microsoft Office Word Viewers, this security update is rated Important.

Details –

Description
This patch fixes two vulnerabilities within all supported versions of Microsoft Office Word. These vulnerabilities allow an attacker to craft a malicious Word document that, when opened on a vulnerable host, could allow the attacker to execute arbitrary code in the context of the currently logged-in user.

Word Buffer Overflow Vulnerability - CVE-2009-0563/0565
A remote code execution vulnerability exists in the way that Microsoft Office Word handles a specially crafted Word file that includes a malformed record. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

This patch addresses two vulnerabilities within Microsoft Word that remote attackers could deliver through typical means of email, IM, or website links. Once executed, the malicious document would typically install malware on the system that allows remote attackers to gain access to the system and its resources.

Other Software –

Adobe has released new updates for both Acrobat and Adobe Reader.

Summary:

Critical vulnerabilities have been identified in Adobe Reader 9.1.1 and Acrobat 9.1.1 and earlier versions. These vulnerabilities would cause the application to crash and could potentially allow an attacker to take control of the affected system.

Adobe recommends users of Adobe Reader 9 and Acrobat 9 and earlier versions update to Adobe Reader 9.1.2 and Acrobat 9.1.2.

Adobe recommends users of Acrobat 8 update to Acrobat 8.1.6, and users of Acrobat 7 update to Acrobat 7.1.3. For Adobe Reader users who can't update to Adobe Reader 9.1.2, Adobe has provided the Adobe Reader 8.1.6 and Adobe Reader 7.1.3 updates. Updates apply to Windows and Macintosh.

Adobe FlashPlayer

Adobe has released v 10.0.22.87 of Flash Player 10. Users are advised to update to this new version as soon as possible. If you use Firefox, note that the Flash Player plug-in for Netscape-based browsers is a separate install and must be updated as well. File size is 1837 KB (1.8 MB).

Adobe Shockwave

Adobe (Macromedia) has also released v 11.5.0.596 of Shockwave and I urge readers to be sure that they use this latest version for Windows XP or Vista.

Sun (Java)

The new release for Java is v 1.6.0_14 (Java 6 update 14) and I urge you to apply this update right away as it addresses a number of security issues.

Apple

Apple has released Safari 4.0 as well as new versions of iTunes and QuickTime over the past week. The Safari release alone includes over 50 patches, not counting the recent iTunes and QuickTime updates (you should be running iTunes v 8.2 and QuickTime v 7.6.2).

Firefox

Mozilla has released Firefox v 3.0.11 and users should update to this version immediately – more than 10 security issues are addressed in this new version.

Please be diligent and apply all the updates that apply to your situation as soon as possible. Happy computing, and stay safe out there on the Internet.

Dave



Dangerous Applications
Unwanted Freeware

03/16/08

Posted by Dave
5 Star Support Security Specialist

New free browser add-ons and free applications appear almost daily. The trouble is that many of them cause a host of other problems because they bundle adware and/or spyware of some sort. Sophos UK maintains a list of these and refers to them as Potentially Unwanted Applications (PUAs). Below is a list of the most recently released ones that you need to avoid:

1. Spyware Remover is an application for the Windows platform. Spyware Remover is known to produce bogus warnings to pressure the user into registering.

When Spyware Remover is installed the following files are created:

<Start Menu\Programs>\SpywareRemover\SpywareRemover on the Web.lnk
<Start Menu\Programs>\SpywareRemover\SpywareRemover.lnk
<Start Menu\Programs>\SpywareRemover\Uninstall SpywareRemover.lnk
<Desktop>\SpywareRemover.lnk
<Program Files>\SpywareRemover\DataBase.ref
<Program Files>\SpywareRemover\Launcher.exe
<Program Files>\SpywareRemover\SpyCleaner.dll
<Program Files>\SpywareRemover\SpywareRemover.exe
<Program Files>\SpywareRemover\SpywareRemover.url
<Program Files>\SpywareRemover\license.rtf
<Program Files>\SpywareRemover\tcl.dll
<Program Files>\SpywareRemover\unins000.dat
<Program Files>\SpywareRemover\unins000.exe
<Program Files>\SpywareRemover\zlib.dll
<Windows>\Tasks\SpywareRemover Scheduled Scan.job

2. FakeShareaza is an unwanted program (adware).

3. FakeShareaza MediaBar is a potentially unwanted application for the Windows platform.

When FakeShareaza MediaBar is installed, the following files are created:

<Program Files>\Shareaza Applications\Shareaza MediaBar\Shareaza.bmp
<Program Files>\Shareaza Applications\Shareaza MediaBar\ShareazaIEHelper.dll
<Program Files>\Shareaza Applications\Shareaza MediaBar\ShareazaMediaBar.dll
<Program Files>\Shareaza Applications\Shareaza MediaBar\Shareaza_icons.bmp
<Program Files>\Shareaza Applications\Shareaza MediaBar\Shareaza_logo.bmp
<Program Files>\Shareaza Applications\Shareaza MediaBar\Uninstall.exe
<Program Files>\Shareaza Applications\Shareaza MediaBar\Updater.exe
<Program Files>\Shareaza Applications\Shareaza MediaBar\basis.xml
<Program Files>\Shareaza Applications\Shareaza MediaBar\button_arrow.bmp
<Program Files>\Shareaza Applications\Shareaza MediaBar\historyCombo.html
<Program Files>\Shareaza Applications\Shareaza MediaBar\resizer.bmp
<Program Files>\Shareaza Applications\Shareaza MediaBar\search.bmp
<Program Files>\Shareaza Applications\Shareaza MediaBar\search.html
<Program Files>\Shareaza Applications\Shareaza MediaBar\search.js
<Program Files>\Shareaza Applications\Shareaza MediaBar\search_images.bmp
<Program Files>\Shareaza Applications\Shareaza MediaBar\search_maps.bmp
<Program Files>\Shareaza Applications\Shareaza MediaBar\search_news.bmp
<Program Files>\Shareaza Applications\Shareaza MediaBar\showSettings.js
<Program Files>\Shareaza Applications\Shareaza MediaBar\storesearchcriteria.js
<Program Files>\Shareaza Applications\Shareaza MediaBar\version.txt
<Program Files>\Shareaza Applications\Shareaza MediaBar\web.bmp

4. ForceLibrary is an unwanted program (adware).

5. SpySheriff is a rogue anti-spyware application for the Windows platform.

Known trial versions of this software use excessive amounts of virtual memory, leading to a reduction in system performance.

6. SpySheriff Downloader is a potentially unwanted application.

SpySheriff Downloader downloads the application SpySheriff Installer from a pre-defined site.

7. Soso AddressBar Search Downloader is a potentially unwanted application (adware).

8. Shutdown Timer is a potentially unwanted application.

Shutdown Timer allows the following actions to occur on the computer:

Log off
Hibernate
Standby
Restart
Shutdown

9. Vapsup is an unwanted program (adware).

10. Mal/Dial-U is a dialer.

When first run, Mal/Dial-U copies itself to the Windows system folder.

The following registry value is created so that Mal/Dial-U runs at every startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    OpenMstart = <System>\<original dialer filename>

11. Passware Password Recovery is a potentially unwanted application for the Windows platform.

Passware Password Recovery includes functionality to steal passwords saved in Internet Explorer.

12. IRCFast Downloader is a Potentially Unwanted Application for the Windows platform.

IRCFast Downloader attempts to persuade the user to pay an extremely high price, via the author's servers, for software that is otherwise free. This site has been associated with malware.

13. OneStepSearch is an unwanted program (adware).



New Malware Spotlight

This new section of the Security Center is designed to raise awareness of new malware threats that are seldom publicized and are often found in places where you do not expect them. We will update it as new threats are released.

Week of 02/10/08
Posted by Dave
5 Star Support Security Specialist

1. This year has begun with alarming data: in addition to Trojans, the use of worms to steal users’ confidential data is also on the increase. According to data collected by the Panda ActiveScan online anti-malware solution, while Trojans caused 24.41 percent of infections, worms accounted for 15.01 percent. This data contrasts with the 2007 data, in which attacks caused by worms were responsible for less than 10 percent of infections.

According to PandaLabs, the malware analysis and detection laboratory at Panda Security, this is due to the increasing activity of Nuwar-type worms, also known as Storm Worms. Computer worms can spread rapidly on their own. However, unlike those that caused epidemics massively covered by the media, they do not seek to collapse data traffic or damage computers. Instead, their objective is to steal confidential data for online fraud or identity-theft crimes.

To do so, these worms usually arrive in messages that use social engineering techniques which refer to current affairs. They also include links redirected to pages that have been modified to automatically install other malware which steals the data, or to spoof pages similar to those used for phishing attacks.
Although we suspected this would occur, we didn’t think cyber-crooks would focus on these types of worms so soon. It is a very dangerous threat, since even though its effects are more visible than Trojans’ and they can be neutralized more easily, these worms can carry out indiscriminate ‘storm’ attacks to collect large amounts of confidential data very quickly. For further efficiency, hackers are putting numerous samples of these worms in circulation in very little time, so the probability of being infected is higher.
Other types of malware that caused damage in January included adware (21.21%), backdoor Trojans (4.03%), spyware (3.13%) and bots (2.65%).

The most active malware in January was the Downloader.MDW Trojan, designed to download other malicious codes onto the system. Bagle.HX and Perlovga.A come second and third. Next come the Puce.E worm, the Spammer.ADX Trojan and the Brontok.H email worm. The last four in the table are the QV variant of the Bagle worm, the Downloader.RWJ Trojan, the VideoAddon adware and the Lineage.GYE worm, whose objective is to steal passwords of the Lineage online game.

2. Percoban.A reaches computers disguised as a Word file. When run, it makes a copy of itself with names such as Rahasiamu.exe or Jangan Dibuka.exe. It also creates a Windows registry key to ensure that it is run on every session startup. In addition, it disables the Registry editor and the task manager and hides the search function in the Start menu.

Manclick.A is a worm that installs on computers under the guise of a Windows folder. When this worm is run, it passes itself off as the web page of the Google search engine. The appearance of this page is very similar to the original one and the results, if a user were to click them, could lead to malicious websites that download malware or take other malicious action.

The worm creates several copies of itself on the system and it also creates two registry keys to ensure it is run every time the system is started up. It also deletes certain Windows registry keys to prevent the computer from starting up in any of the available safe modes.

Dung.A is a worm that also enters computers using the icon of a Windows folder. This malicious code opens a random system port and waits to receive commands, sending requests to a certain web page.

This worm makes several copies of itself on the system and edits two Windows registry keys to be able to run every time a session is started.
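The dialer entry under Mal/Dial-U above and the worms in this spotlight share the same handful of registry tricks: a value under a Run key to survive reboots, policy values that lock the user out of regedit and Task Manager, and deleted SafeBoot keys so Safe Mode no longer starts. The script below, added for this page and not code from Sophos, Panda or 5 Star Support, hunts for all three in a `reg export` dump so you can check a machine offline. The export text is hand-written to look like an infected XP box; the dialer file name is a placeholder, the baseline of "known good" autostart names is constructed, and the policy value names (DisableRegistryTools, DisableTaskMgr, NoFind) are the standard Windows ones, assumed here since the page does not say which values Percoban.A sets.

```python
"""Hunt a 'reg export' dump for Run-key persistence, regedit/Task Manager
lock-outs and missing SafeBoot keys. Added example; sample data is constructed."""
import re

# Constructed sample of what `reg export` produces (real exports are UTF-16LE;
# open them with encoding="utf-16"). dialer_sample.exe is a placeholder name.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"OpenMstart"="C:\\WINDOWS\\system32\\dialer_sample.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
"DisableTaskMgr"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFind"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
"AlternateShell"="cmd.exe"
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')

RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
)
# Constructed baseline: autostart value names already verified as legitimate.
KNOWN_GOOD_RUN_NAMES = {"ctfmon"}
# Standard policy values that disable regedit, Task Manager and Start-menu Search
# (assumption: the page says Percoban.A disables these, not which values it sets).
LOCKOUT_VALUES = {
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System":
        ("DisableRegistryTools", "DisableTaskMgr"),
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer":
        ("NoFind",),
}
# Safe Mode cannot boot without these two keys; deleting them is the Manclick.A trick.
SAFEBOOT_KEYS = (
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network",
)


def parse_reg(text):
    """Return {key_path_lowercased: {value_name: raw_data}} for a .reg export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group("key").lower()
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group("name")] = m.group("data")
    return keys


def reg_string(data):
    # Undo .reg quoting: the file wraps strings in quotes and doubles each backslash.
    if data.startswith('"') and data.endswith('"'):
        return data[1:-1].replace("\\\\", "\\")
    return data


def reg_dword(data):
    # dword:00000001 -> 1; None for any other data type.
    return int(data[6:], 16) if data.startswith("dword:") else None


def scan(text):
    """Return (kind, name, detail) findings for one export text."""
    keys = parse_reg(text)
    findings = []
    for key in RUN_KEYS:
        for name, data in keys.get(key.lower(), {}).items():
            if name not in KNOWN_GOOD_RUN_NAMES:
                findings.append(("autostart", name, reg_string(data)))
    for key, names in LOCKOUT_VALUES.items():
        values = keys.get(key.lower(), {})
        for name in names:
            if reg_dword(values.get(name, "")) == 1:
                findings.append(("lockout", name, key))
    for key in SAFEBOOT_KEYS:
        if key.lower() not in keys:
            findings.append(("safeboot-missing", key.rsplit("\\", 1)[1], key))
    return findings


if __name__ == "__main__":
    for kind, name, detail in scan(SAMPLE_EXPORT):
        print(f"{kind:17} {name:22} {detail}")
```

For a real machine, export each key of interest (`reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" run.reg`, and likewise the two Policies keys and `HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot`), concatenate the files and feed the text to `scan`. The SafeBoot check only means something if the SafeBoot key was actually exported; on an untouched export it reports nothing, on a Manclick-style box it names the missing Minimal and Network keys. Note the Run-key check is allow-list based, so every autostart not in your baseline is reported for review, which is what you want while cleaning a machine.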



Phishing Scams

By Dave
5 Star Support Security Specialist

02/04/07

What to Watch Out for This Month
As of this writing, there were over 185 reported phishing alerts during the month of January. Don't take the bait! Before you respond to any email request for personal information, call your bank, credit union or other institution. In general, reputable financial institutions do not request personal information via email. Listed below are some institutions whose account holders were the object of many of the phishing scams this past month. Information for this report was gathered from various sites including:
http://www.trendmicro.com/en/security/phishing/overview.htm &
http://www.millersmiles.co.uk

Chase Bank
Egg Bank
Halifax Bank
Lloyds TSB Bank
Regions Bank

Are the phishers working your bank or credit union? Check the list at
http://www.millersmiles.co.uk/

More Phishing
Subject: "Internal Revenue ... Please read this"
Bait: As tax time nears you may receive an email, allegedly from the IRS, which states you are eligible for a tax refund if you'll just click on the embedded link and fill out a form. But don't. This is a perennial phishing scheme with many variations. The IRS never offers refunds by email or sends out unsolicited email to taxpayers.
More information: http://www.ksl.com/?nid=172&sid=780389 &
http://www.irs.gov/newsroom/article/0,,id=154848,00.html

Subject: Lottery Scam Meets AOL/Microsoft Hoax
Bait: An email addressed to "Lucky winner," trumpeting that the "prestigious Microsoft and AOL" have "rolled out over 100,000.000.00L
(One Hundred Million English Pounds) for our 2006 Anniversary Draws." What's the scam? Respondents will be instructed to send processing fees to cover certain costs before the check can be released (draining you slowly), or respondents will be sent a big but forged check for a sum even larger than the supposed winnings. You then write a personal check to "repay" the overage, and soon after their check bounces (draining you quickly).
More information: http://antivirus.about.com/od/emailscams/a/msaolscam.htm

Subject: Paypal: "Get Verified and Remove Your Spending Limit"
Bait: A spoofed email, allegedly sent from service@paypal.com, suggesting that you "Get Verified" so you can send PayPal large payments by clicking on the embedded link. The link takes you to a bogus website where you are asked to enter your personal information.
More information: http://www.millersmiles.co.uk/report/4219  
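The PayPal bait above works because the sender address and the link text look right while the link itself goes elsewhere. As an added example for this page (not code from 5 Star Support, MillerSmiles or PayPal), the Python script below reads a raw email and applies the two checks that the advice in this section boils down to: does each link actually lead to the sender's domain, and does a link's visible text name a different host than its href? The message is hand-written; paypal-verify.example uses the reserved .example name and is not a real site.

```python
"""Flag links in an email whose destination does not match the sender's domain or
the URL shown to the reader. Added example; the sample message is constructed."""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message modelled on the "Get Verified" bait; the link host
# paypal-verify.example is a reserved example name, not a real phishing site.
SAMPLE_MESSAGE = """\
From: PayPal <service@paypal.com>
To: victim@example.net
Subject: Get Verified and Remove Your Spending Limit
Content-Type: text/html; charset="us-ascii"

<html><body>
<p>Get Verified so you can send large payments.</p>
<p><a href="http://www.paypal-verify.example/cgi-bin/webscr?cmd=_login">https://www.paypal.com/us/verify</a></p>
<p><a href="https://www.paypal.com/help">Help Center</a></p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Last two labels of a host name (simplification: wrong for co.uk-style suffixes)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def host_of(text):
    """Host of a URL, or of bare text that looks like a host name; None otherwise."""
    if "://" not in text:
        text = "http://" + text
    host = urlparse(text).hostname
    return host if host and "." in host else None


def suspicious_links(raw_message):
    """Return (href, reason) pairs for links that leave the sender's domain or
    whose visible text claims a different host than the href."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    sender_domain = registrable(msg["From"].addresses[0].domain)
    body = msg.get_body(preferencelist=("html",)).get_content()
    collector = LinkCollector()
    collector.feed(body)
    findings = []
    for href, text in collector.links:
        target = host_of(href)
        if target is None:
            continue
        if registrable(target) != sender_domain:
            findings.append((href, "link leaves sender's domain " + sender_domain))
        shown = host_of(text)
        if shown and registrable(shown) != registrable(target):
            findings.append((href, "visible text claims " + shown))
    return findings


if __name__ == "__main__":
    for href, reason in suspicious_links(SAMPLE_MESSAGE):
        print(reason, "->", href)
```

Run it on a saved `.eml` file with `suspicious_links(open("mail.eml").read())`. The sender check is the weaker of the two, since a phisher chooses the From address and can make it match the link; the visible-text-versus-href mismatch is the signal that survives. Look-alike domains and IDN homoglyphs are not detected here, which is exactly why the advice above is to phone the institution rather than trust anything in the message.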


 
 

 

 

Copyright © 2000-2009  5 Star Support All rights reserved.