2007 April | MalwareTeks Blog


Archive for April, 2007

Sneak Peek at the Shelby GT500KR

Monday, April 30th, 2007

Ok, so this has absolutely nothing to do with computers, the internet or PC security; but you've got to admit, it's one cool machine.

[Image: Shelby Super Snake]

Super Snake: Shelby To Create Bigger ‘Stang With Longer Fangs and 725 Hp?

Anti-Spyware 101: Another Site Pushing SpyHunter

Thursday, April 19th, 2007

While perusing Digg, reading various postings, I came across this interesting post: Remove Winantivirus-2007 from your PC, which links to an article on Anti-Spyware 101's blog. Now, the information they present in the article is not inaccurate. However, they offer a download in the form of a Free Anti-Spyware Scanner. There are several links on the page for this FREE scanner; the funny thing is that the file name changes several times.

I've been aware of this tactic for a while and immediately suspected that the download in question is actually SpyHunter by Enigma Software Group (ESG), a former "Rogue" Anti-Spyware application. So, I went ahead and downloaded the file. Being slightly suspicious, I first ran the file by VirusTotal for an in-depth malware scan. I wasn't surprised when the file came back clean. I didn't really expect the file to be infected in the first place; these SpyHunter downloads never are.

Now, how is it I am sure this is SpyHunter? Well just to confirm my suspicions, I ran the installer for Free-Spyware-Scanner-Install. Here’s what I saw:

Looks like the SpyHunter Setup License Agreement screen. Even says it’s SpyHunter. Copy of full End User License Agreement

The file I downloaded:

Free-Spyware-Scanner-Install.exe
File size: 3535408 bytes
MD5: e9870c6048dfc0524b426a31af4f3f17
SHA1: aec51c2b740bd35eea575fef9f279038e3f9dc08
packers: UPX
packers: UPX, BINARYRES
packers: UPX

Out of curiosity I wanted to see who claims ownership of Anti-Spyware-101. Whois information:

Registrant:
   Domains by Proxy, Inc.
   DomainsByProxy.com
   15111 N. Hayden Rd., Ste 160, PMB 353
   Scottsdale, Arizona 85260
   United States

   Registered through: GoDaddy.com, Inc. (http://www.godaddy.com)
   Domain Name: ANTI-SPYWARE-101.COM
      Created on: 13-Jun-06
      Expires on: 13-Jun-08
      Last Updated on: 

   Administrative Contact:
      Private, Registration  ANTI-SPYWARE-101.COM@domainsbyproxy.com
      Domains by Proxy, Inc.
      DomainsByProxy.com
      15111 N. Hayden Rd., Ste 160, PMB 353
      Scottsdale, Arizona 85260
      United States
      (480) 624-2599      Fax -- (480) 624-2599

   Technical Contact:
      Private, Registration  ANTI-SPYWARE-101.COM@domainsbyproxy.com
      Domains by Proxy, Inc.
      DomainsByProxy.com
      15111 N. Hayden Rd., Ste 160, PMB 353
      Scottsdale, Arizona 85260
      United States
      (480) 624-2599      Fax -- (480) 624-2599

   Domain servers in listed order:
      NS5.SECURESERVER.NET
      NS6.SECURESERVER.NET

Hm, nothing useful there. Another site registered through GoDaddy, via Domains by Proxy.

Domains By Proxy® was conceived to deal with one of the biggest shortcomings of the Internet — the loss of privacy. We believe you should be able to keep your personal information private when you register a domain — and now you can, by switching your “public” registration to a “private” one, using our patented private registration process.

Now why in the world would you want to keep your identity "Private" if you are operating a legitimate service? I can't think of a single reason, unless you are involved in some shady dealings. Looking around their site I could not locate any contact information whatsoever. Again, not really surprised by that. The about page lists the following:

About Anti-Spyware 101

Do you feel like you’re clueless when it comes to spyware? Is your computer the boss of you?

Spyware is the biggest threat that Internet users are facing today; therefore, it is important to know how to safely remove spyware, adware, trojans, keyloggers, worms and other malware from your computer.

Anti-Spyware-101.com is your guide to the latest news on spyware detection and removal. With Anti-Spyware-101.com, you will be directly linked to up-to-date spyware resources and tips on helping you remove pesky parasites.

Remember, only YOU can protect your machine from spyware!

Other articles listed on the site:

Latest Spyware Threats: SpyLocked | SpywareLocked | SpyLocker | SpyDawn | SpyAway | AntiVerminser | SpywareQuake | VirusBurst | AntiVermins | MalwareAlarm | MalwareWiped | AntiVermeans | Zlob | PopCorn.net | MovieLand | Antivirus Golden | SpySoldier | MalwareWipePro | VirusBlaster | TagASaurus | PestCapture | BraveSentry | AntiSpyware Soldier | DeluxeCommunications | Toolbar888 | VirusBurster | VirusBuster | Zlob.MediaCodec | SystemDoctor | VirusRescue | MalwareWipe | TitanShield | SpySheriff | Smitfraud | WinFixer | AntivirusGold | PestTrap | MediaCodec | AlfaCleaner | Mirar | DriveCleaner |

Other Spyware Threats: Starware | VirtuMonde | Seekmo | Trojan.Dropper-Delf | SafeSurfing | DyFuCA | Contextual Toolbar | KeenValue | ADWareBazooka | Adware.SideBar | Pest Trap | ISTBar | PopMonster | PowerStrip | Vx2/Transponder | SaveNow |

If you have any of the above listed applications or infections, do yourself a favor: don't download this Free Anti-Spyware Scanner from Anti-Spyware 101, or from similar sites. This is a tactic meant to scare you into paying for a "Full" version of SpyHunter. SpyHunter is not, and never has been, an effective tool for removing any of the above listed "Rogue" applications or infections.

SpyHunter is engaged in "Deceptive" practices. This is the practice that originally got them listed on Eric Howes' list of Rogue/Suspect Anti-Spyware Products & Web Sites, maintained at Spyware Warrior.

Only seek help from reputable sites, like those listed at the Alliance of Security Analysis Professionals.

If you find yourself infected by one of these applications please follow our generic Malware Cleaning Guide.

Start a thread in our Malware Removal Forum where one of our approved volunteers will be happy to assist you.

You must be a registered member of our site in order to post in the Forums.

If you are not registered you may do so now, by Clicking Here!

Mozilla Releases Thunderbird 2

Thursday, April 19th, 2007

Thunderbird 2 is the next generation release of the award-winning Thunderbird email client from Mozilla.

These Release Notes cover what’s new, download and installation instructions, known issues and end user support / feedback for the Thunderbird 2 release. Please read these notes and the bug filing instructions before reporting any bugs to Bugzilla.

Give us your feedback through this feedback form or join us in the Mozilla Thunderbird forums, hosted by MozillaZine.

What’s New in Thunderbird 2

  • Message Tags: Create your own tags for organizing email. Messages can be assigned any number of tags. Tags can be combined with saved searches and mail views to make it easier to organize email.
  • Visual Theme: Thunderbird 2’s theme and user interface have been updated to improve usability and maximize screen real estate.
  • Session History Navigation: Back and Forward buttons allow navigation through message history.
  • Advanced Folder Views: Customize the folder pane to show favorite, unread or recent folders.
  • Easy Access to Popular Web Mail Services: Gmail and .Mac users can access their accounts in Thunderbird by simply providing their user names and passwords.
  • Improved Support For Extensions: Extensions can now add custom columns to the message list pane in addition to storing custom message data in the mail database.
  • Improved New Mail Notification Alerts: New mail alerts include information such as the subject, sender and message preview text.
  • Folder Summary Popups: Mouse over a folder with new messages to see a summary of the new messages in that folder.
  • Saved Search Folder Performance: Search results for saved search folders are now cached, improving folder loading performance.
  • Find As You Type: Finds and highlights message text as you type.
  • Improved Filing Tools: Recent folder menu items for moving and copying messages to recently used folders. Move / Copy again functionality.
  • Updates to the Extension System: The extension system has been updated to provide enhanced security and to allow for easier localization of extensions.
  • New Windows installer: Based on Nullsoft Scriptable Install System, the new Windows installer resolves many long-standing issues.
  • Windows Vista Support: Many enhancements and fixes for Windows Vista.

The Rumbling Edge has a more detailed list of notable bug fixes.

System Requirements

Before installing, make sure your computer meets the system requirements.

Downloading Thunderbird 2

Mozilla provides Thunderbird 2 for Windows, Linux, and Mac OS X in a variety of languages. You can get the latest version of Thunderbird 2 here.

For builds for other systems and languages not provided by Mozilla.org, see the Contributed Builds section at the end of this document.

US-CERT Warns that Virginia Tech Tragedy May Spawn Phishing Sites

Wednesday, April 18th, 2007

Virginia Tech Tragedy May Spawn Phishing Sites

added April 17, 2007

In recent years, US-CERT has received reports of an increased number of phishing sites set up in the wake of tragedies and natural disasters. US-CERT reminds users to remain cautious when receiving unsolicited email that could be a potential phishing attempt.

Phishing emails may appear as requests for donations from a charitable organization asking the users to click on a link that will then take them to a fraudulent web site that appears to be a legitimate charity. The users are then asked to provide personal information that can further expose them to future compromises.

Users are encouraged to take the following measures to protect themselves from this type of phishing attack:

  • Do not follow unsolicited web links received in email messages.
  • Contact your financial institution immediately if you believe your account and/or financial information has been compromised.
  • Verify the legitimacy of the email by contacting the company directly through a trusted contact number.
  • Visit the Anti-Phishing Working Group for more information on known phishing attacks.

For additional information regarding phishing, US-CERT recommends reading the following documents:

  1. Technical Trends in Phishing Attacks
  2. Recognizing and Avoiding Email Scams
  3. Avoiding Social Engineering and Phishing Attacks

Produced by US-CERT, a government organization.

The Threat of Nuclear War (NUWAR) aka Storm Worm is alive and well

Thursday, April 12th, 2007

Normally, when I receive spam in my admin account for the site, I simply delete it; but today one particular spam message caught my attention. Subject: "Spyware Alert!". The text of the message was simply "AbuseReport", with two attachments: AbuseReport.gif and patch-2135.zip.

OK, now you have my attention.

[Image: AbuseReport.gif]

patch-2135.zip contains patch2135.exe

Using a password-protected archive is a fairly common tactic for slipping malware past email AV scanners, since the scanner cannot open the archive to inspect its contents.

Complete scanning result of “patch-2135.exe”, received in VirusTotal at 04.12.2007, 20:46:37 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.4.12.0 04.12.2007 no virus found
Authentium 4.93.8 04.12.2007 W32/Trojan.AEJW
Avast 4.7.936.0 04.11.2007 no virus found
AVG 7.5.0.447 04.12.2007 no virus found
BitDefender 7.2 04.12.2007 Trojan.Peed.Gen
CAT-QuickHeal 9.00 04.12.2007 (Suspicious) - DNAScan
ClamAV devel-20070312 04.12.2007 Trojan.Small-1641
DrWeb 4.33 04.12.2007 no virus found
eSafe 7.0.15.0 04.12.2007 Suspicious Trojan/Worm
eTrust-Vet 30.7.3562 04.12.2007 Win32/Pecoan.R
Ewido 4.0 04.12.2007 no virus found
FileAdvisor 1 04.12.2007 no virus found
Fortinet 2.85.0.0 04.12.2007 suspicious
F-Prot 4.3.2.48 04.12.2007 W32/Trojan.AEJW
F-Secure 6.70.13030.0 04.12.2007 Email-Worm.Win32.Zhelatin.ct
Ikarus T3.1.1.5 04.12.2007 no virus found
Kaspersky 4.0.2.24 04.12.2007 Email-Worm.Win32.Zhelatin.ct
McAfee 5006 04.11.2007 no virus found
Microsoft 1.2405 04.12.2007 no virus found
NOD32v2 2184 04.12.2007 Win32/Nuwar.Gen
Norman 5.80.02 04.12.2007 no virus found
Panda 9.0.0.4 04.12.2007 Suspicious file
Prevx1 V2 04.12.2007 no virus found
Sophos 4.16.0 04.12.2007 no virus found
Sunbelt 2.2.907.0 04.07.2007 no virus found
Symantec 10 04.12.2007 Trojan.Packed.13
TheHacker 6.1.6.088 04.09.2007 no virus found
VBA32 3.11.3 04.12.2007 no virus found
VirusBuster 4.3.7:9 04.12.2007 no virus found
Webwasher-Gateway 6.0.1 04.12.2007 Trojan.Small.DBY.BW
Additional Information
File size: 40649 bytes
MD5: 6335fea1792a2f4523323d54acc14f77
SHA1: a5d5bc891a0994cba2952710707b19e98fcebd7b

Yep, Storm Worm and a new variant.

W32.Worm.Nuwar.Gen

Name: W32.Worm.Nuwar.Gen
Aliases: Trojan.Peed.Gen (BitDefender), Email-Worm.Win32.Zhelatin (Fortinet), Email-Worm.Win32.Zhelatin (Kaspersky), Win32/Nuwar.gen (Nod32), W32.Mixor (Symantec)
Brief description: W32.Worm.Nuwar.Gen is a mass-mailing worm which harvests email addresses from the affected system and then sends a copy of itself to these harvested email addresses. Additionally, it injects code into executable files (.exe and .scr) so that when these modified executables are executed, a copy of W32.Worm.Nuwar will be executed. Furthermore, it drops an additional trojan component which has rootkit capability and is also capable of downloading additional files; this dropped trojan component is known as W32.Trojan.Peacomm.
Affected Platforms:
  • Microsoft Windows 2000
  • Microsoft Windows XP
  • Microsoft Windows Server 2003

The Subject of the email, so far, states:
“Worm Alert!”
“Worm Detected”
“Virus Alert”
“ATTN!”
“Trojan Detected!”
“Worm Activity Detected!”
“Spyware Detected!”
“Dream of You”
“Virus Activity Detected!”

There are two attachments: one is an image with 'panic-worded text', and the other is a password-protected zip file, whose password is revealed in the image.

The zip file names, so far:

“patch-<random 4 or 5 digit number>.zip”
“bugfix-<random 4 or 5 digit number>.zip”
“hotfix-<random 4 or 5 digit number>.zip”
“removal-<random 4 or 5 digit number>.zip”
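The lure described in this post has a fixed shape: an alarming subject line, an image carrying the archive password, and a password-protected zip whose name follows the patterns above and which contains an executable. The following is an added example, not code from the original post, showing how a mail gateway or triage script could flag that shape without ever opening the payload: it reads the ZIP central directory and checks the encryption flag bit, which is visible even when the entry cannot be decrypted. The sample message, the placeholder GIF and the placeholder executable bytes are constructed here; the lure subjects and archive-name patterns come from the post.

```python
import io
import re
import zipfile
from email.message import EmailMessage

# Lure subjects listed in the post (including the one this message used).
LURE_SUBJECTS = {
    "worm alert!", "worm detected", "virus alert", "attn!", "trojan detected!",
    "worm activity detected!", "spyware detected!", "dream of you",
    "virus activity detected!", "spyware alert!",
}
# Archive names listed in the post: <prefix>-<random 4 or 5 digit number>.zip
LURE_ZIP_NAME = re.compile(r"^(patch|bugfix|hotfix|removal)-\d{4,5}\.zip$", re.IGNORECASE)
ZIP_ENCRYPTED_FLAG = 0x1  # bit 0 of the ZIP general-purpose flag marks an encrypted entry


def zip_findings(data):
    """Inspect a zip attachment from its central directory only; nothing is extracted."""
    reasons = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["attachment claims to be a zip but is not readable"]
    for info in archive.infolist():
        if info.flag_bits & ZIP_ENCRYPTED_FLAG:
            reasons.append(f"encrypted zip entry: {info.filename}")
        if info.filename.lower().endswith((".exe", ".scr")):
            reasons.append(f"executable inside zip: {info.filename}")
    return reasons


def triage_message(msg):
    """Return the reasons this message matches the lure pattern (empty list if none)."""
    reasons = []
    subject = (msg.get("Subject") or "").strip()
    if subject.lower() in LURE_SUBJECTS:
        reasons.append(f"lure subject: {subject}")
    names = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        names.append(name.lower())
        if LURE_ZIP_NAME.match(name):
            reasons.append(f"lure archive name: {name}")
        if name.lower().endswith(".zip"):
            reasons.extend(zip_findings(part.get_payload(decode=True)))
    if any(n.endswith(".zip") for n in names) and any(n.endswith((".gif", ".jpg", ".png")) for n in names):
        reasons.append("image paired with archive (password is typically shown in the image)")
    return reasons


def build_zip(inner_name, payload, encrypted):
    """Constructed sample archive. zipfile cannot write encrypted entries, so the
    'encrypted' flag bit is set by hand in the local file header (offset 6) and the
    central directory entry (offset 8); the payload is placeholder bytes only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as archive:
        archive.writestr(inner_name, payload)
    data = bytearray(buf.getvalue())
    if encrypted:
        data[data.find(b"PK\x03\x04") + 6] |= ZIP_ENCRYPTED_FLAG
        data[data.find(b"PK\x01\x02") + 8] |= ZIP_ENCRYPTED_FLAG
    return bytes(data)


def build_message(subject, body, attachments):
    """Constructed sample e-mail; attachments is a list of (filename, maintype, subtype, bytes)."""
    msg = EmailMessage()
    msg["Subject"] = subject
    msg["From"] = "sender@example.invalid"
    msg["To"] = "admin@example.invalid"
    msg.set_content(body)
    for filename, maintype, subtype, data in attachments:
        msg.add_attachment(data, maintype=maintype, subtype=subtype, filename=filename)
    return msg


def storm_sample():
    """The message described in the post, rebuilt with placeholder content."""
    return build_message("Spyware Alert!", "AbuseReport", [
        ("AbuseReport.gif", "image", "gif", b"GIF89a placeholder image bytes"),
        ("patch-2135.zip", "application", "zip",
         build_zip("patch2135.exe", b"MZ placeholder, not a real program", encrypted=True)),
    ])


if __name__ == "__main__":
    for reason in triage_message(storm_sample()):
        print(reason)
```

The encryption-flag check is the part worth keeping even if the subject lists go stale: a scanner that cannot open an archive should at least be able to say so, and an encrypted zip paired with an image is a strong signal on its own.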

If you have received one of these email messages, have fallen prey to their tactics and are now infected, please see our Malware Cleaning Guide and post in our Malware Removal Forum. There is a rootkit element to this infection that will require special handling to remove.

You must be a registered member of our site in order to post in the Forums. This is a free service to all; registration is simply required to keep the spam bots from flooding the site.

SpyHunter, should this be listed as a Rogue Anti-Spyware Application?

Thursday, April 12th, 2007

SpyHunter by Enigma Software Group (ESG) has been receiving quite a bit of attention in the security circles of late.

Spyhunter finds & removes Spyware, Adware, Keyloggers. Prevent credit card theft due to Spyware. Protect your privacy and secure your computer.

This is what ESG claims SpyHunter can do.

SpyHunter was once listed as a "Rogue" Anti-Spyware Application by Eric Howes on his Rogue/Suspect Anti-Spyware Products & Web Sites list; here is what was said:

Enigma’s SpyHunter anti-spyware application was listed on this page primarily because of the company’s history of employing aggressive, deceptive advertising. The company was also known for exploiting the name “spybot” in its domain names and online advertising. These objectionable business practices were employed primarily from late-2002 to mid-2004.

Sometime during summer of 2004 the company halted the most obnoxious and objectionable aspects of its online advertising. It also unloaded all the “spybot” domains (which were promptly picked up by Paretologic for its XoftSpy anti-spyware application).

While there are still unresolved allegations that SpyHunter transmits the Windows Product ID from users’ PCs, we can no longer classify this application as “rogue/suspect.” Nonetheless, SpyHunter — at least in its current state — cannot be recommended because of its mediocre performance as an anti-spyware scanner. Testing indicates that it does not recognize some well-known spyware installations and has difficulty removing critical spyware/adware files even from those it does recognize. Given the many excellent competing anti-spyware applications that are available (some for free), users would do better looking elsewhere for trustworthy anti-spyware protection.

Domains: enigmasoftwaregroup.com, spywareremove.com, uninstallxupiter.com

In recent days it has come to light that someone has been posting spam links to SpyHunter. Individuals from 411-spyware.com have posted on several forums, misleading people seeking help in removing SpyLocked and similar rogue applications, with links to this FreeSpywareScanner. When you go to install the FreeSpywareScanner it becomes readily apparent that the tool being installed is the former “Rogue” Anti-Spyware Application SpyHunter.

It is precisely this type of behavior that got SpyHunter listed as a Rogue Application in the first place. Well, it seems that the makers of Spybot Search & Destroy think SpyHunter is malware. As of 11 April 2007, with the release of Spybot S&D's updates, SpyHunter is now listed as Malware and is targeted for removal.

Updates
2007-04-11
Adware
++ Zango.AntiSpamBar ++ Zango.Seekmo
Keylogger
+ Perfect Keylogger (2) ++ WideStep
Malware
++ Free-Key-Logger + InetLoader + Smitfraud-C. (2) + SpyDawn + SpyHunter ++ Win32.Agent.ahd ++ Win32.Optix.b
Trojan
+ 1und1Bill.Fake + Hupigon + NumbSoft + Win32.Lager.aq ++ Zlob.MovieBox + Zlob.PrivateVideo + WarezP2P
Total: 373599 fingerprints in 64879 rules for 2804 products

To answer my own question: SpyHunter, should this be listed as a Rogue Anti-Spyware Application?

YES

For further coverage of this story:
411-spyware.com - The new forum spammers?
Spyware Help: Intent Matters Alot:Part 2

Vulnerability in Windows Kernel Could Allow Elevation of Privilege

Tuesday, April 10th, 2007

Microsoft Security Bulletin MS07-022

Vulnerability in Windows Kernel Could Allow Elevation of Privilege (931784)

Published: April 10, 2007

Version: 1.0

Summary
Who Should Read this Document: Customers who use Microsoft Windows

Impact of Vulnerability: Elevation of Privilege

Maximum Severity Rating: Important

Recommendation: Customers should apply the update at the earliest opportunity

Security Update Replacement: This bulletin replaces a prior security update. See the Frequently Asked Questions (FAQ) section of this bulletin for details.

Tested Software and Security Update Download Locations:

Affected Software:

Microsoft Windows 2000 Service Pack 4 — Download the update
Microsoft Windows XP Service Pack 2 — Download the update
Microsoft Windows Server 2003, Microsoft Windows Server 2003 Service Pack 1, and Microsoft 2003 Service Pack 2 — Download the update

Non-Affected Software:

Microsoft Windows XP Professional x64 Edition and Microsoft Windows XP Professional x64 Edition Service Pack 2
Microsoft Windows Server 2003 x64 Edition and Microsoft Windows Server 2003 x64 Edition Service Pack 2
Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 and SP2 for Itanium-based Systems
Windows Vista
Windows Vista x64 Edition

The software in this list has been tested to determine whether the versions are affected. Other versions are either past their support life cycle or are not affected. To determine the support life cycle for your product and version, visit the Microsoft Support Lifecycle Web site.

411-spyware.com - The new forum spammers

Tuesday, April 10th, 2007

Aggressive advertising on well-known forums and public boards such as Yahoo under the domain 411-spyware.com, claiming to remove rogues such as SpyLocked and previous ones. The tool they claim removes these rogues is none other than SpyHunter, by Enigma Software Group. Advice from these spammers acting as real users should be avoided at all costs!


Malwarebytes Security Forums Launches Rogue Net

Monday, April 9th, 2007

The RogueNET™ analysis center allows you to view statistics about the most dominant rogue products in the world. Below is a list of all rogue objects detected worldwide. There have been a total of 972 objects detected and removed by RogueRemover since 4/8/07.


Ultimate Fixer, a Rogue to fix all your system woes. Not!

Saturday, April 7th, 2007

Ultimate Fixer, brought to you by the makers of Ultimate Cleaner and Ultimate Defender: Nous-Tech Solutions Limited.

This newest Rogue Application finds its way onto your system via a "Fake" codec, in this case Video Access, though that is most probably not the only infection vector. Video Access is one of several fake codecs that are actually the Trojan Zlob downloader. Once Video Access has been installed on the system you will begin to receive "Fake" Security Center warnings. These warnings will prompt you to download and install Ultimate Fixer to correct the errors that have been falsely reported on your system. Trojan Zlob will also drop a Vundo infection onto the system, located in the System32 folder.

Running the Ultimate Fixer installer does not present you with the expected install box. Instead you are presented with a window warning you that several system errors have been found on your system.


Clicking continue will open the Ultimate Fixer application itself:

Allowing Ultimate Fixer to fix what it has reported will not result in it fixing anything. Instead, Ultimate Fixer will interfere with the legitimate protection applications installed on your system: it will disable your firewall and other security applications.

Whois Information for Ufixer:

Registrant:

   Domains by Proxy, Inc.
   DomainsByProxy.com
   15111 N. Hayden Rd., Ste 160, PMB 353
   Scottsdale, Arizona 85260
   United States

   Registered through: GoDaddy.com, Inc. (http://www.godaddy.com)
   Domain Name: UFIXER.COM
      Created on: 17-Jan-07
      Expires on: 17-Jan-08
      Last Updated on: 

   Administrative Contact:
      Private, Registration  UFIXER.COM@domainsbyproxy.com
      Domains by Proxy, Inc.
      DomainsByProxy.com
      15111 N. Hayden Rd., Ste 160, PMB 353
      Scottsdale, Arizona 85260
      United States
      (480) 624-2599      Fax -- (480) 624-2599

   Technical Contact:
      Private, Registration  UFIXER.COM@domainsbyproxy.com
      Domains by Proxy, Inc.
      DomainsByProxy.com
      15111 N. Hayden Rd., Ste 160, PMB 353
      Scottsdale, Arizona 85260
      United States
      (480) 624-2599      Fax -- (480) 624-2599

   Domain servers in listed order:
      NS5.SECURESERVER.NET
      NS6.SECURESERVER.NET

EULA states “This agreement shall be governed by the laws of Russia.”

Privacy Policy gives company contact info as: Nous-Tech Solutions Limited, Ifigeneias, 7 4th floor, Nicosia, 2007, Cyprus.

Wow, registered with GoDaddy here in the United States, for a company that appears to operate from Cyprus, but whose EULA is governed by the laws of Russia. Territorially confused, I’d say.
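Both whois lookups on this page (ANTI-SPYWARE-101.COM above and UFIXER.COM here) tell the same story: a privacy-proxy registrant, a short registration term and, for Ufixer, a domain created only weeks before it started pushing a rogue. The following is an added example, not the blog's own tooling, of how that triage can be automated: a small parser for the GoDaddy-style record layout shown on the page, plus a scoring function. The embedded record is the UFIXER.COM lookup above; the 180-day "young domain" threshold, the one-year-term rule and the list of proxy markers are assumptions chosen for illustration, and other registrars format whois output differently, so the field regex would need adjusting for them.

```python
import re
from datetime import date, datetime

# Record copied from the UFIXER.COM lookup on this page; the parser targets
# this GoDaddy-style layout (other registrars format whois output differently).
WHOIS_UFIXER = """\
Registrant:

   Domains by Proxy, Inc.
   DomainsByProxy.com
   15111 N. Hayden Rd., Ste 160, PMB 353
   Scottsdale, Arizona 85260
   United States

   Registered through: GoDaddy.com, Inc. (http://www.godaddy.com)
   Domain Name: UFIXER.COM
      Created on: 17-Jan-07
      Expires on: 17-Jan-08
      Last Updated on:

   Domain servers in listed order:
      NS5.SECURESERVER.NET
      NS6.SECURESERVER.NET
"""

# Registrant text that indicates a privacy/proxy service. Domains by Proxy is the
# one seen on this page; treating this list as complete is an assumption.
PRIVACY_PROXY_MARKERS = ("domains by proxy", "domainsbyproxy", "private, registration")

FIELD_RE = re.compile(
    r"^\s*(Domain Name|Registered through|Created on|Expires on):\s*(.*?)\s*$",
    re.IGNORECASE | re.MULTILINE,
)
# Registrant block: the non-blank lines following "Registrant:" up to the first blank line.
REGISTRANT_RE = re.compile(r"Registrant:\s*\n((?:[ \t]*\S.*\n)+)")


def parse_whois(text):
    """Extract the fields the triage needs into a dict; dates become date objects."""
    rec = {key.lower(): value for key, value in FIELD_RE.findall(text)}
    m = REGISTRANT_RE.search(text)
    rec["registrant"] = [line.strip() for line in m.group(1).splitlines()] if m else []
    for key in ("created on", "expires on"):
        if rec.get(key):
            rec[key] = datetime.strptime(rec[key], "%d-%b-%y").date()
    return rec


def assess(rec, as_of, young_days=180):
    """Return triage flags for a parsed record, judged as of the given date.
    The thresholds are illustrative assumptions, not values from the page."""
    flags = []
    registrant = " ".join(rec["registrant"]).lower()
    if any(marker in registrant for marker in PRIVACY_PROXY_MARKERS):
        flags.append("registrant is a privacy proxy, not the operator")
    created, expires = rec.get("created on"), rec.get("expires on")
    if created is not None:
        age = (as_of - created).days
        if age < young_days:
            flags.append(f"domain created only {age} days before the lookup")
    if created is not None and expires is not None and (expires - created).days <= 366:
        flags.append("registered for the minimum one-year term")
    return flags


def assess_text(text, as_of_iso):
    """Convenience wrapper: raw whois text plus an ISO date string (e.g. the post's date)."""
    return assess(parse_whois(text), date.fromisoformat(as_of_iso))


if __name__ == "__main__":
    # Judged as of this post's date, 7 April 2007.
    for flag in assess_text(WHOIS_UFIXER, "2007-04-07"):
        print(flag)
```

None of these flags is proof of wrongdoing on its own; privacy registration has legitimate uses. Their value is as a cheap first filter: a domain that trips all three, and is also the download source for a "security" product, deserves the closer look this post gives it.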

This is classified as a blended threat and puts your system at high risk of exposing sensitive personal information. If you find yourself with Ultimate Fixer on your system and would like us to remove it for you, please follow the steps outlined in our Malware Cleaning Guide and start a thread in our Malware Removal Forum.


Content © 2006-2008 MalwareTeks - Every post is the opinion of the author

Creative Commons License
All works are licensed under a
Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 United States License.
