free trojan horse virus removal tool Spyware Removal

Virus & Spyware Removal

noreply@blogger.com (Mandy) — Thu, 25 Feb 2010 06:07:00 +0000

The Best Way to Remove Viruses, Spyware and other Malware from your home PC computer.

The first rule of removing spyware is not trying to rely on an anti virus software, but rather using an anti spyware application instead.
Because spyware is different from viruses, you need to use a different program to remove the spyware infection. Here are my suggestions of the top anti-spyware programs that are not only free to use, but they actually help you clean your PC.

SpyBot Search and Destroy
Freeware spyware removal and detction program for Windows.

Microsoft Windows Defender
Windows Defender is a free software from Microsoft that helps protect your computer against pop-ups, slow performance, and security threats caused by spyware and other unwanted software.

MalwareByte
Malwarebytes Anti-Malware is considered to be one of the best malware spyware detection and removal software and its free.

SpywareBlaster
Free windows program which protects against spyware: prevents the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted software. blocks spyware/tracking cookies in Internet Explorer and Mozilla/Firefox, restricts the actions of potentially unwanted sites in Internet Explorer.

What is Spyware?

Spyware can be defined as computer software which is secretly installed on a personal computer to spy or take total control over the user's computer activity without his/her consent off course. A spyware can also take over the user’s activities and install additional unwanted software, re-direct the browser activity and similar actions that can make a computer prone to further attacks and virus infections.

Latest Virus Threats

W32.Gammima.AG!gen4

Discovered: February 23, 2010
Updated: February 24, 2010 5:10:48 AM
Type: Virus
Systems Affected: Windows XP, Windows Vista, Windows NT, Windows Server 2003, Windows 2000

W32.Gammima.AG!gen4 is a heuristic detection used to detect threats associated with the W32.Gammima.AG family.

Threat Assessment

Wild

* Wild Level: Low
* Number of Infections: 0 - 49
* Number of Sites: 0 - 2
* Geographical Distribution: Low
* Threat Containment: Easy
* Removal: Easy

Damage

* Damage Level: Medium

Distribution

* Distribution Level: Low

Internet Explorer CVE-2010-0249 'srcElement()' Remote Code Execution Vulnerability

noreply@blogger.com (Mandy) — Fri, 29 Jan 2010 02:20:00 +0000

Risk
High
Date Discovered
January 14, 2010

Description
Internet Explorer is prone to a remote code-execution vulnerability. Attackers can exploit this issue to execute arbitrary code in the context of the user running the browser. Successful exploits will compromise the application and possibly the computer. Failed attacks will cause denial-of-service conditions.

Technologies Affected

* Avaya Meeting Exchange - Client Registration Server
* Avaya Meeting Exchange - Recording Server
* Avaya Meeting Exchange - Streaming Server
* Avaya Meeting Exchange - Web Conferencing Server
* Avaya Meeting Exchange - Webportal
* Avaya Messaging Application Server
* Avaya Messaging Application Server MM 1.1
* Avaya Messaging Application Server MM 2.0
* Avaya Messaging Application Server MM 3.0
* Avaya Messaging Application Server MM 3.1
* Microsoft Internet Explorer 6.0
* Microsoft Internet Explorer 6.0 SP1
* Microsoft Internet Explorer 7.0
* Microsoft Internet Explorer 8

Recommendations
Run all software as a nonprivileged user with minimal access rights.
To reduce the impact of latent vulnerabilities, always run nonadministrative software as an unprivileged user with minimal access rights.
Deploy network intrusion detection systems to monitor network traffic for malicious activity.

Deploy NIDS to monitor network traffic for signs of anomalous or suspicious activity. This includes but is not limited to requests that include NOP sleds and unexplained incoming and outgoing traffic. This may indicate exploit attempts or activity that results from successful exploits.
Do not follow links provided by unknown or untrusted sources.
Web users should be cautious about following links to sites that are provided by unfamiliar or suspicious sources. Filtering HTML from emails may help remove a possible vector for transmitting malicious links to users.
Set web browser security to disable the execution of script code or active content.
Since a successful exploit of this issue requires malicious code to execute in web clients, consider disabling support for script code and active content within the client browser. Note that this mitigation tactic might adversely affect legitimate websites that rely on the execution of browser-based script code.
Implement multiple redundant layers of security.
Memory-protection schemes (such as nonexecutable stack and heap configurations and randomly mapped memory segments) will complicate exploits of memory-corruption vulnerabilities.
A vendor advisory and updates are available; please see the references for more information.

References

* BugSec - 21.01.10 Internet Explorer CVE-2010-0249 Remote Code Execution Vulnerability
* Microsoft - Advisory 979352 Update for Monday January 18
* Microsoft - Further Insight into Security Advisory 979352 and the Threat Landscape
* Microsoft - Internet Explorer Homepage
* Metasploit - Reproducing the 'Aurora' IE Exploit
* Microsoft Security Response Center - Security Advisory 979352 – Going out of Band
* Microsoft Security Response Center - Security Advisory 979352 Released

Credits
This issue was discovered in the wild; Microsoft credits Meron Sellem of BugSec.

Backdoor.Tidserv.K virus Trojan horse how to remove

noreply@blogger.com (Mandy) — Fri, 29 Jan 2010 02:18:00 +0000

Type: Trojan
Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000

Backdoor.Tidserv.K is a Trojan horse that opens a back door on the compromised computer.

Protection

* Initial Rapid Release version January 28, 2010 revision 022
* Latest Rapid Release version January 28, 2010 revision 022
* Initial Daily Certified version January 28, 2010 revision 025
* Latest Daily Certified version January 28, 2010 revision 025
* Initial Weekly Certified release date February 3, 2010

Click here for a more detailed description of Rapid Release and Daily Certified virus definitions.
Threat Assessment
Wild

* Wild Level: Low
* Number of Infections: 0 - 49
* Number of Sites: 0 - 2
* Geographical Distribution: Low
* Threat Containment: Easy
* Removal: Easy

Damage

* Damage Level: Low
* Payload: Opens a back door on the compromised computer.

Distribution

* Distribution Level: Low

Writeup By: Robert X Wang

how to remove W32/Conficker.worm.gen.d virus

noreply@blogger.com (Mandy) — Mon, 28 Dec 2009 23:08:00 +0000

Overview -

This detection is for a worm, which exploits the MS08-067 vulnerability in Microsoft Windows Server Service which may allow for remote code execution. This flaw lies in the improper handling of specially-crafted (malicious) RPC requests and was patched on October 23, 2008.
Aliases

* Net-Worm.Win32.Kido.js [Kaspersky]

* W32.Downadup.E [Symantec)]

* W32/Confick-D [Sophos]

* Worm:Win32/Conficker.D [Microsoft]

* Worm:Win32/Conficker.gen [Ikarus]

* WORM_DOWNAD.E [Trend]

Characteristics
Characteristics -

When executed, this worm connects to one of the following sites to check the date and time:

* myspace.com
* msn.com
* ebay.com
* cnn.com
* aol.com

Further execution of this worm will continue only if the date is before May 3rd 2009.

On successful execution, the worm drops the following file:

* %system%\RandomFileName.tmp [Already detected as W32/Conficker.sys]

It creates a service with a random file name using the above file. Once the service is created, the worm deletes the above ".tmp" file.

The worm then patches the following system file in the memory:

* %System%\drivers\tcpip.sys

This is done to remove the limitation set on the maximum number of TCP connection attempts that can be made by the infected machine.

Note:

* %System% is a variable that refers to the System folder
By default, this is C:\Windows\System32 for Windows XP

This worm creates the following mutex to ensure only one instance of the worm is running in memory:

* Global\[Random Name]

The worm Connects to one of the following URLs to find the IP address of the infected machine:

* whatsmyipaddress.com
* ipdragon.com
* findmyip.com
* ipaddressworld.com
* findmyipaddress.com
* myipaddress.com
* checkip.dyndns.com
* checkip.dyndns.org

The worm then starts an HTTP server on a random port on the infected machine to host a copy of the worm. It then continuously scans the subnet of the infected host for vulnerable machines and executes the exploit. If the exploit is successful, the remote computer will then connect back to the http server and download a copy of the worm.
Symptoms
Symptoms -

* Files, registry, and network communication referenced in the characteristics section

Method of Infection
Method of Infection -

This worm exploits the MS08-067 Microsoft Windows Server Service vulnerability in order to propagate. Machines should be patched and rebooted to protect against this worm re-infecting the system after cleaning.

This worm may also be downloaded unintentionally by users visiting malicious sites. Distribution channels could include IRC, peer-to-peer networks, email, newsgroups postings, etc.
Removal -
Removal -

A combination of the latest DATs and the Engine will be able to detect and remove this threat. Avert recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.

Additional Windows ME/XP removal considerations

Stinger - A standalone removal tool has been released to assist in detecting and repairing this threat.

how to remove Worm.Win32.Netsky virus spyware

noreply@blogger.com (Mandy) — Mon, 28 Dec 2009 23:04:00 +0000

* Warning
o Most of the people follow a common spyware removal technique. They delete the directory C: \ Program Files \ Worm.Win32.Netsky using Windows Explorer and registry key HKEY_LOCAL_MACHINE \ Software \ Worm.Win32.Netsky using regedit.exe without knowing that the spyware might leave some files in Windows System directory using which it can either repair itself or start generating system error notifications usually when Windows starts. We highly recommend to try Windows Add / Remove tool to uninstall the desired malware if found, use a good spyware cleaner / remover or get help from a professional.

* Recommendation
o In order to clean your PC by removing Worm.Win32.Netsky infection which might require you to manually detect the malware that can be in the form of an EXE , DLL , REGISTRY KEY , BROWSER HIJACK , TOOLBAR , LSP, PROCESS and/or BROWSER PLUGIN , we recommend you to DOWNLOAD our FREE Worm.Win32.Netsky FINDER SOFTWARE. Using our FREE DETECTION TOOL not only you will be able to find Worm.Win32.Netsky tracks but this will also help you to find other spyware , adware , trojan and virus infections in your PC containing the leftovers from your previous Anti-Spyware.

* Note
o This Worm.Win32.Netsky info page will not only provide manual removal instructions but also help you to get information about what is and how to remove or get rid of Worm.Win32.Netsky.

Delete the following directories

Worm.Win32.Netsky does not create any directories

Delete the following files

PK_ZIP0.LOG PK_ZIP1.LOG %windir%\PK_ZIP2.LOG PK_ZIP3.LOG PK_ZIP4.LOG PK_ZIP5.LOG PK_ZIP6.LOG PK_ZIP7.LOG %windir%\PK_ZIP8.LOG %windir%\PK_ZIP9.LOG %windir%\Jammer2nd.exe %windir%\pk_zip_alg.log \Jammer2nd.exe \pk_zip_alg.log

Delete the following cookies

Worm.Win32.Netsky does not create any cookies

Delete the following registry keys

Worm.Win32.Netsky does not create any registry keys

Delete the following registry values

Jammer2nd Jammer2nd

How to Remove the Backdoor.Tidserv!inf virus spyware

noreply@blogger.com (Mandy) — Mon, 28 Dec 2009 22:53:00 +0000

How to Remove the Backdoor.Tidserv!inf Trojan, spyware

What's about Backdoor.Tidserv!inf

The purpose of Backdoor.Tidserv!inf trojan is installing other computer parasites on a compromised machine.

It modifies Windows Registry and puts itself on startup list. Backdoor.Tidserv!inf is also able to corrupt essential system files; it should be deleted upon detection until it hadn’t done much damage.

Backdoor.Tidserv!inf is dangerous infection for several reasons. This trojan is able to corrupt important system files; this way it can do much damage if it isn’t removed in time. Backdoor.Tidserv!inf also downloads and installs other malware automatically on the infected machine.

Tidserv!inf trojan is difficult to spot and to remove because it runs secretly in a background and it sets itself to run every time a computer boots.

How to clean the Backdoor.Tidserv!inf virus

Please download XDelBox from Here to your Desktop.

**Note: In the event you already have XDelBox, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

If you are using Firefox, make sure that your download settings are as follows:
* Tools->Options->Main tab
* Set to "Always ask me where to Save the files".

Close any open browsers. Close/disable all antivirus,HIPS and anti-malware programs so they do not interfere with the running of XDelBox,visit here for how to temporarily disable your anti-virus and/or anti-malware programs.

Run XDelBox.exe with a simple click "Start Scan"

download Regace for other Registry repairing, cleaning errors and problems to optimize your PC. It is an amazing program that I use!

How to remove Adware virus Zwunzi

noreply@blogger.com (Mandy) — Mon, 28 Dec 2009 22:48:00 +0000

what’s about Adware.Zwunzi

Zwunzi or Adware.Zwunzi as detected by some antivirus program is another potentially unwanted application that will install itself as a Search plugin for Internet browser. Zwunzi toolbar search was known to infect Internet Explorer and Mozilla Firefox only.

How to get rid of the Zwunzi Adware virus

Step1: Please download XDelBox from Here to your Desktop.

**Note: In the event you already have XDelBox, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

Step 1: If you are using Firefox, make sure that your download settings are as follows:
* Tools->Options->Main tab
* Set to "Always ask me where to Save the files".

Step 2:Close any open browsers. Close/disable all antivirus,HIPS and anti-malware programs so they do not interfere with the running of XDelBox,visit here for how to temporarily disable your anti-virus and/or anti-malware programs.

Step 3:Run XDelBox.exe with a simple click "Start Scan"

Step 4:Waiting less than 5 minutes after scan finished.

Step 5:Click "Fix Checked" to remove spyware or malware threats.

Step6: download Regace for other Registry repairing, cleaning errors and problems to optimize your PC. It is an amazing program that I use!

How to Remove the W32.Badtrans.13312@mm Worm Virus from Your Computer

noreply@blogger.com (Mandy) — Wed, 09 Dec 2009 06:24:00 +0000

Also Known As: W32/Badtrans-A [Sophos], W32/Badtrans@MM [McAfee], BadTrans, I-Worm.Badtrans [KAV], WORM_BADTRANS.A [Trend], TROJ_BADTRANS.A [Trend], Win32.Badtrans.13312 [CA], Pws-AV Trojan, W32.Badtrans.13312@mm, Trojan.Psw.Hooker
Type: Worm
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP
CVE References: CVE-2001-0154

Because W32.Badtrans.gen@mm affects different operating systems in different ways, how you remove this worm depends on your operating system. Follow the instructions in the order given.

To remove the worm:

1. Run LiveUpdate to make sure that you have the most recent virus definitions.
2. Start Norton AntiVirus (NAV), and run a full system scan, making sure that NAV is set to scan all files.
3. Delete any files detected as W32.Badtrans.gen@mm. What you do next depends on whether NAV was able to delete files that it detected as infected with W32.Badtrans.gen@mm:
* If NAV was able to delete all the files that it detected as infected, do one of the following:
o If you are running Windows 95/98/Me, skip to the section To edit the Win.ini file.
o If you are running Windows NT/2000 and NAV was able to delete all the infected files, you are finished.
* If NAV was not able to delete all files that it detected as infected, go on to the next section and see the instructions for your operating system.

To remove files that cannot be deleted by NAV:
Follow the instructions for your operating system only if NAV could not delete files that it detected as infected with W32.Badtrans.gen@mm.

* Windows 95/98/Me
1. Restart the computer in Safe Mode. For instructions on how to restart in Safe Mode, see the document How to restart Windows 9x or Windows Me in Safe Mode.
2. Run the scan again, and delete any files detected as W32.Badtrans.gen@mm.
3. When the scan is finished, skip to the section To edit the Win.ini file.

* Windows NT/2000/XP
1. Press Ctrl+Alt+Delete one time.
2. Click Task Manager.
3. Click the Processes tab.
4. Click the "Image Name" column header two times to sort the processes alphabetically.
5. Scroll through the list and look for inetd.exe. If you find the file, click it and then click End Process.
6. Scroll through the list and look for Kern32.exe. If you find the file, click it and then click End Process.
7. Close the Task Manager.
8. Right-click the My Computer icon on the Windows desktop, and click Explore.
9. Do one of the following:
o If you are running Windows NT, click the View menu and click Options.
o If you are running Windows 2000/XP, click the Tools menu and click Folder Options.
10. Click the View tab.
11. Do one of the following:
o If you are running Windows NT, click "Show all files," uncheck "Hide file extensions for known file types," and then click OK.
o If you are running Windows 2000/XP, click "Show hidden files and folders" and uncheck "Hide file extensions for known file types."
12. In the left pane of Windows Explorer, right-click drive C and then click Find (Windows NT) or Search (Windows 2000/XP).
13. In the In the "Named" or "Search for..." box, type--or copy and paste--the following file names:

inetd.exe kern32.exe hkk32.exe hksdll.dll
14. Click Find Now or Search Now.
15. When the search is finished, write down the names and locations of the files that are displayed.
16. Click the Edit menu, and click Select All.
17. Hold down the Shift key down, and press the Delete key. Continue to hold down the Shift key until you are prompted to confirm the deletion. Click Yes. (Holding the Shift key while pressing the Delete key bypasses the Recycle Bin.)
18. Close Windows Explorer.
19. Go on to the section To edit the registry.

To edit the registry:

CAUTION: We strongly recommend that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify only the keys that are specified. Read the document How to back up the Windows registry for instructions.

1. Click Start, and click Run. The Run dialog box appears.
2. Type regedit and then click OK. The Registry Editor opens.
3. Navigate to the key

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\RunOnce
4. In the right pane, delete the value

Kernel32 KERN32.EXE
5. Navigate to the key

HKEY_CURRENT_USER\Software\Microsoft\
Windows NT\CurrentVersion\Windows
6. In the right pane, delete the value

run \Inetd.exe
7. Exit the Registry Editor.
8. Restart the computer.
9. Run the scan again, and delete any files detected as W32.Badtrans.13312@mm. This completes the removal procedure for users of Windows NT/2000.

To edit the Win.ini file:
If you are running Windows 95/98/Me, you must also do the following:

1. Click Start, and click Run.
2. Type the following and then click OK:

edit c:\windows\win.ini

NOTE: If you installed Windows in a different location, make the appropriate substitution.
3. In the [windows] section, locate the run= line. It will look similar to the following:

run=c:\windows\inetd.exe
4. Remove the text to the right of the = sign, so that the line now reads

run=
5. Save your changes, and exit the MS-DOS Editor.

Writeup By: Peter Ferrie

How to remove w32.virut.cf Virus

noreply@blogger.com (Mandy) — Wed, 09 Dec 2009 06:21:00 +0000

W32.Virut.CF (also referred to as W32/Virut.n) is a virus that will attempt to infect executable files such as .exe, .scr and other Portable Executable (PE) file formats. W32.Virut.CF will inject an iframe into the body of the web-related files such as .html, .php and .asp, in order to further harm your computer. The most challenging thing about W32.Virut.CF is the fact that it can bypass antivirus program detection and evade the scanning process by using Entry Point Obfuscation (EPO).

W32.Virut.CF Manual Removal Instructions
Backup Reminder: Always be sure to back up your PC before making any changes.

Step 1 : Use Registry Editor to Remove W32.Virut.CF Registry Values
Locate and delete "W32.Virut.CF" registry entries:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List

Read more on How to Remove W32.Virut.CF Registry Entries

How to remove w32 ircbot.worm

noreply@blogger.com (Mandy) — Wed, 09 Dec 2009 06:18:00 +0000

Symptoms -

If this worm is run on a system which has not yet been patched for the MS05-039 vulnerability, it may reboot.
Method of Infection
Method of Infection -

This threat scans for MS05-039 exploitable systems. When a vulnerable system is found, it uses a buffer overflow to write the worm file to that machine via a TFTP upload on port 8594. Blocking this port via McAfee Desktop Firewall or McAfee Personal Firewall will prevent infection even if the buffer overflow is not prevented.

Removal -

AVERT DATS
Use specified engine and DAT files (or later) for detection and removal. In addition to the DAT version requirements for detection, the specified engine version (or greater) must also be used.

McAfee Intrushield
Sigsets released on Aug 9th, 2005 will detect this as:

DCERPC: Microsoft Plug and Play Service Buffer Overflow (0x47602000)

Stinger
Stinger has been updated to help detect and repair this threat.

McAfee Managed VirusScan
Buffer Overflow Protection blocks the worm from exploiting vulnerable systems.

McAfee Entercept
McAfee Entercept prevents the vulnerable system from being exploited with Level 1 protection enabled.

McAfee VirusScan Enterprise 8.0i
Buffer Overflow Protection blocks the worm from exploiting vulnerable systems. Additionally, systems running VirusScan Enterprise with the "Prevent creation of new files in the System32 folder (.exe)" access protection rule set to "Block access" will be protected from infection, though the buffer overflow may still occur on unpatched systems.

Note: this rule if set to all processes will also block legitimate updates to files in the Windows directory, such as when applying security patches, so will need to be disabled while such legitimate activity is occurring.

The User-defined Detection feature of the Unwanted Programs Policy can also be used to prevent replication of the worm, by adding a detection for wintbp.exe as shown below

How to remove w32.spybot.worm

noreply@blogger.com (Mandy) — Wed, 09 Dec 2009 06:17:00 +0000

Also Known As: Win32.Spybot.gen [Computer Associates], Worm.P2P.SpyBot.gen [Kaspersky], W32/Spybot-Fam [Sophos], W32/Spybot.worm.gen [McAfee], WORM_SPYBOT.GEN [Trend]
Type: Worm
Infection Length: Varies.
Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows NT, Windows Server 2003, Windows 2000
CVE References: CVE-2001-0876, CVE-2002-1145, CVE-2003-0109, CVE-2003-0352, CVE-2003-0533, CVE-2003-0717, CVE-2003-0812, CVE-2004-0120, CVE-2005-1983, CVE-2006-2630, CVE-2007-0041, CVE-2008-4250

The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

1. Disable System Restore (Windows Me/XP).
2. Update the virus definitions.
3. Run a full system scan, and delete all files detected.
4. Delete the value that was added to the registry.
5. Delete any zero-byte files in the Startup folder.
6. Reenable the SharedAccess service (Windows 2000/XP only)

For specific details on each of these steps, read the following instructions.

1. To disable System Restore (Windows Me/XP)
If you are running Windows Me or Windows XP, we recommend that you temporarily turn off System Restore. Windows Me/XP uses this feature, which is enabled by default, to restore the files on your computer in case they become damaged. If a virus, worm, or Trojan infects a computer, System Restore may back up the virus, worm, or Trojan on the computer.

Windows prevents outside programs, including antivirus programs, from modifying System Restore. Therefore, antivirus programs or tools cannot remove threats in the System Restore folder. As a result, System Restore has the potential of restoring an infected file on your computer, even after you have cleaned the infected files from all the other locations.

Also, a virus scan may detect a threat in the System Restore folder even though you have removed the threat.

For instructions on how to turn off System Restore, read your Windows documentation, or one of the following articles:

* How to disable or enable Windows Me System Restore
* How to turn off or turn on Windows XP System Restore

Note: When you are completely finished with the removal procedure and are satisfied that the threat has been removed, reenable System Restore by following the instructions in the aforementioned documents.

For additional information, and an alternative to disabling Windows Me System Restore, see the Microsoft Knowledge Base article: Antivirus Tools Cannot Clean Infected Files in the _Restore Folder (Article ID: Q263455).

2. To update the virus definitions
Symantec Security Response fully tests all the virus definitions for quality assurance before they are posted to our servers. There are two ways to obtain the most recent virus definitions:

* Running LiveUpdate, which is the easiest way to obtain virus definitions: These virus definitions are posted to the LiveUpdate servers once each week (usually on Wednesdays), unless there is a major virus outbreak. To determine whether definitions for this threat are available by LiveUpdate, refer to Virus Definitions (LiveUpdate).
* Downloading the definitions using the Intelligent Updater: The Intelligent Updater virus definitions are posted daily. You should download the definitions from the Symantec Security Response Web site and manually install them. To determine whether definitions for this threat are available by the Intelligent Updater, refer to Virus Definitions (Intelligent Updater).

The latest Intelligent Updater virus definitions can be obtained here: Intelligent Updater virus definitions. For detailed instructions read the document: How to update virus definition files using the Intelligent Updater.

3. To scan for and delete the infected files

1. Start your Symantec antivirus program and make sure that it is configured to scan all the files.
* For Norton AntiVirus consumer products: Read the document: How to configure Norton AntiVirus to scan all files.
* For Symantec AntiVirus Enterprise products: Read the document: How to verify that a Symantec Corporate antivirus product is set to scan all files.
2. Run a full system scan.
3. Note any files detected, click Delete.

Important: If you are unable to start your Symantec antivirus product or the product reports that it cannot delete a detected file, you may need to stop the risk from running in order to remove it. To do this, run the scan in Safe mode. For instructions, read the document, How to start the computer in Safe Mode. Once you have restarted in Safe mode, run the scan again.

After the files are deleted, restart the computer in Normal mode and proceed with the next section.

Warning messages may be displayed when the computer is restarted, since the threat may not be fully removed at this point. You can ignore these messages and click OK. These messages will not appear when the computer is restarted after the removal instructions have been fully completed. The messages displayed may be similar to the following:

Title: [FILE PATH]
Message body: Windows cannot find [FILE NAME]. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search.

4. To delete the value from the registry
Important: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified subkeys only. For instructions refer to the document: How to make a backup of the Windows registry.

1. Click Start > Run.
2. Type regedit
3. Click OK.

Note: If the registry editor fails to open the threat may have modified the registry to prevent access to the registry editor. Security Response has developed a tool to resolve this problem. Download and run this tool, and then continue with the removal.

4. Click OK.

5. In the Registry Editor, navigate to the following subkeys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
RunServices
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
RunServices
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
RunOnce
HKEY_CURRENT_USER\Software\Microsoft\OLE

6. In the right pane, delete any values that refer to the file names that were detected.

7. Navigate to the subkeys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger

8. In the right pane, reset the original value, if known:

"Start" = "4"

9. Navigate to the subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

10. In the right pane, reset the original value, if known:

"restrictanonymous" = "1"

11. Navigate to the subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\
parameters
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\
parameters

12. In the right pane, reset the original values, if known:

"AutoShareWks" = "0"
"AutoShareServer" = "0"

13. Navigate to the subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate

14. In the right pane, reset the original value, if known:

"DoNotAllowXPSP2" = "1"

15. Navigate to the subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE

16. In the right pane, reset the original value, if known:

"EnableDCOM" = "N"

17. Navigate to and delete the following subkeys, if present:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BoolTern
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_BOOLTERN
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\rdriv
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_RDRIV

18. Exit the Registry Editor.

5. To delete the zero-byte files from the Startup folder
Follow the instructions for your version of Windows:

Note: There may be legitimate files on your system that start with "tftp." Delete only the zero-byte files from the Startup folder.

To delete zero-byte files in Windows 95/98/Me/NT/2000

1. On the Windows taskbar, click Start > Find (or b) > Files or Folders.
2. Make sure that "Look in" is set to (C:) and that "Include subfolders" is checked.
3. In the "Named" or "Search for..." box, type, or copy and paste, the following file name:

tftp*.*

4. Click Find Now or Search Now.
5. Delete the files that are zero bytes in size and contained within any folder whose name ends with "Startup."

To delete zero-byte files in Windows XP

1. On the Windows taskbar, click Start > Search.
2. Click All files and folders.
3. In the "All or part of the file name" box, type, or copy and paste, the following file name:

tftp*.*

4. Make sure that "Look in" is set to "Local Hard Drives" or to (C:).
5. Click More advanced options.
6. Check Search system folders.
7. Check Search subfolders.
8. Click Search.
9. Delete the files that are zero-bytes in size and contained within any folder whose name ends with "Startup."

6. To reenable the SharedAccess service (Windows 2000/XP only)
The SharedAccess service is responsible for maintaining Internet Connection Sharing and the Windows Firewall/Internet Connection Firewall applications in Windows. (The presence and names of these applications vary depending on the operating system and service pack you are using.) To protect your computer and maintain network functionality, re-enable this service if you are using any of these programs.

Windows XP Service Pack 2
If you are running Windows XP with Service Pack 2 and are using the Windows Firewall, the operating system will alert you when the SharedAccess service is stopped, by displaying an alert balloon saying that your Firewall status is unknown. Perform the following steps to ensure that the Windows Firewall is re-enabled:

1. Click Start > Control Panel.

2. Double-click the Security Center.

3. Ensure that the Firewall security essential is marked ON.

Note: If the Firewall security essential is marked on, your Windows Firewall is on and you do not need to continue with these steps.

If the Firewall security essential is not marked on, click the "Recommendations" button.

4. Under "Recommendations," click Enable Now. A window appears telling you that the Windows Firewall was successfully turned on.

5. Click Close, and then click OK.

6. Close the Security Center.

Windows 2000 or Windows XP Service Pack 1 or earlier
Complete the following steps to re-enable the SharedAccess service:

1. Click Start > Run.
2. Type services.msc

Then click OK.

3. Do one of the following:
* Windows 2000: Under the Name column, locate the "Internet Connection Sharing (ICS)" service and double-click it.
* Windows XP: Under the Named column, locate the "Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS)" service and double-click it.

4. Under "Startup Type:", select "Automatic" from the drop-down menu.

5. Under "Service Status:", click the Start button.

6. Once the service has completed starting, click OK.

7. Close the Services window.

Writeup By: Douglas Knowles

How to remove w32.downadup.b

noreply@blogger.com (Mandy) — Wed, 09 Dec 2009 06:14:00 +0000

W32.Downadup.B is a worm that propagates and infects computers by exploiting the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability. W32.Downadup.B will reduce security settings of compromised computer by ending security-related process and blocks them from accessing computer security websites.

Alias:

* Worm:W32/Downadup.AL
* Win32/Conficker.B
* W32/Confick-D
* WORM_DOWNAD.AD
* Net-Worm.Win32.Kido.ih
* Conficker.D

Damage Level: High

Systems Affected: Windows
W32.Downadup.B Removal Tool

1. Download the Downadup removal tool and save it on Desktop.

2. Double click on downloaded file, chose “Extract all files…” from the File menu, and follow the wizard’s instructions. You can use any other archiver, like WinZip. This will create a folder called bd_rem_tool.

3. Double click on the file “bd_rem_tool_gui.exe” (or just “bd_rem_tool_gui”). Make sure that all files have been extracted from the zip archive, because all the contents are required for the removal tool to run. Follow the tool’s instructions.

4. If you have Restricted Acccess (not Admin) on Windows Vista and XP, right click the “bd_rem_tool_gui” program and choose “Run as Administrator”. Enter the computer Administrator Username and Password when prompted.

5. Reboot your computer when scanning is finished.

how to remove w32.ackantta.b@mm

noreply@blogger.com (Mandy) — Wed, 09 Dec 2009 06:12:00 +0000

W32.Ackantta.B@mm is a self-replicating computer worm. It spreads by exploiting vulnerabilities in operating systems. Usually, it creates a copy of itself and infects numerous files on compromised system. Then W32.Ackantta.B@mm gathers emails from the infected computer and mass-mail itself as an email attachment with scam messages. This worm has been designed only to spread without making damage to the system. However, it is strongly recommended to remove it from the system as soon as possible after detection.

W32.Ackantta.B@mm manual removal:
Kill processes:
javale.exe

Delete registry values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\”SunJava Updater v7″ = “%System%\javale.exe”
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\Firewall Policy\StandardProfile\AuthorizedApplications\List\%System%\”javale.exe” = “%System%\javale.exe:*:Enabled:Explorer”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\”javastation1.1″ = “02″
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\”ultrasparc1.1″ = “25″
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download\”CheckExeSignatures” = “0×1″
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download\”RunInvalidSignatures” = “no”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations\”LowRiskFileTypes” =

Delete files:
javale.exe

How to remove W32.SillyFDC

noreply@blogger.com (Mandy) — Wed, 09 Dec 2009 06:11:00 +0000

Description:

W32.SillyFDC is a common detection process for files that are infected with W32.Silly. It propagates by copying and renaming itself on removable media devices and root of local and remote drives.

HOW TO REMOVE W32.SillyFDC

1. Temporarily Disable System Restore (Windows Me/XP). [how to]
2. Download Ewido Micro Scanner and save it to your Desktop. Do not scan yet

3. Reboot computer in SafeMode [how to]

4. End malicious Process

- Press Ctlr+Alt+Del

- Click Process tab

- End the process if present: password_viewer.exe, CALC, calc, mscalc.exe, startupfolder, config_
startupfolder.com, config_.com

5. Delete the autorun files

- Go to Start > Run, type "cmd"

- At the command prompt, type "cd\", this will bring you to C:\

- Type "attrib" (C:\>attrib), it will display files with attributes. Take note on attribute of autorun.inf. Usually it has SHR.

- Type “attrib -s -h -r C:\autorun.inf”, it will remove System, Hidden and Read-Only attribute

- Type "edit autorun.inf" it will open DOS Editor and display contents as follows

=======================

[autorun]
open=file.exe
shell\Open\Command=file.exe
shell\open\Default=1
shell\Explore\Command=file.exe
shell\Autoplay\command=file.exe

=======================

take note of the file/path that it runs. Ex: open=file.exe where file.exe is the filename of the file that autoruns.

- Exit DOS Editor.

- Back at the command prompt type "attrib -s -h -r file.exe", where file.exe is the file that was called on DOS editor to autorun. Ex: C:\>attrib -s -h -r file.exe. If it is located on different directory include the path. Ex: C:\>attrib -s -h -r c:\Windows\file.exe

- Type "del file.exe". If it is located on different directory include the path.

Ex: C:\>del c:\Windows\file.exe

- Type "del autorun.inf"

- Type "del c:\Windows\autorun.inf

- Type "del c:\Windows\password_viewer.exe

- Type "del c:\Douments and Settings\(Your User Name)\Local Settings\Application Data\Microsoft\CD Burning\autorun.inf

- Exit command prompt by typing "exit"

6. Run Disc Cleanup

- Go to Start > All Programs > Accessories >System Tools, click Disc Cleanup

- Check the following: Downloaded Program Files, Temporary Internet Files
, Offline Webpage, Recycle Bin and Temporary Files.

7. View hidden files and folders.

- Open Windows Explorer

- Go to Tools > Folder Options

- Go to View Tab

- Mark "Show hidden files and folders"

- Click Apply, then OK

Note: If unable to change the settings, please click here.

8. Update and scan with your installed AntiVirus. Quarantine/Delete infected files

9. Search and delete other files.

- Go to Start > Search

- Find and delete files : password_viewer.exe, calc.exe (not the one located on \system32\calc.exe), mscalc.exe, startupfolder.exe, config_.exe, startupfolder.com and config_.com

10. Scan with Ewido

- Double click the downloaded Ewido_Micro

- It will download Signature Database before scanning
- When update is completed, disconnect computer from Internet (Turn Off Modem or unplug RJ45 jack)
- Click “Start scan” to begin. It may take time for the process to finished
- Click “Remove Infection” to delete infected files.

- Restart computer and do another scan with Ewido

11. In order to make sure that threat is completely eliminated from your computer, carry out a full scan of your computer using AntiVirus and Antispyware Software. Another way to delete the virus using various Antivirus Program without the need to install can be done with Online Virus Scanner.

How to Remove The Sasser worm - W32.Sasser.Worm

noreply@blogger.com (Mandy) — Wed, 09 Dec 2009 06:03:00 +0000

What is the Sasser worm?
The Sasser worm infects machines via network connections. It can attack entire networks of computers or one single computer connected to the Internet. The worm exploits a known windows vulnerability that is easily patched, however few systems seem to have this patch installed. It attacks Windows 2000 and Windows XP machines along with Windows NT and Windows Server 2003.

1. Disconnect your computer from the local area network or Internet.
2. Click Start > Run, type:
shutdown -i

and press Enter.
In the Remote Shutdown Dialog that opens, change 20 seconds to:
9999
and click OK.
3. Reconnect the network/Internet connection, click Start > Windows Update to install all necessary patches automatically.
4. Terminate the running process.

Press CTRL+ALT+DEL to open Windows Task Manager, then select the Processes tab. Scroll down the list and search for the following processes:
* avserve.exe
* avserve2.exe
* skynetave.exe
* any process with a name consisting of four or five digits, followed by _up.exe (eg 64354_up.exe).

If you find any such process, click it, and then click End Process. Exit the Task Manager
5. Disable System Restore (Windows XP)
6. Remove the registry entires.
Click Start > Run, type 'regedit' and click Ok.

Navigate to the following key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

In the right pane, delete the following entries:

"avserve.exe"="%Windir%\avserve.exe"
"avserve2.exe"="%Windir%\avserve2.exe"
"skynetave.exe"= "%Windows%\skynetave.exe"
Close the Registry Editor.
7. Search for and delete the following files:

avserve.exe
avserve2.exe
skynetave.exe
8. Update your antivirus tools virus definition and run a thorough scan on your system.

Complete List of Free spyware virus melware antivirus Removal Tools to clean your PC

noreply@blogger.com (Mandy) — Fri, 04 Dec 2009 02:33:00 +0000

Running two anti virus products on the same computer can cause system instability, degraded performance and maybe the inability to identify a virus correctly. I have even heard of a case where someone managed to install as many as 3 anti virus on his computer and yet no problems. I would say he is just plain lucky and one day the anti virus will conflict and give so much trouble that he will not be able to recover Windows from the crash. It is very important that any previously installed anti virus software is uninstalled from your system before proceeding with the installation of the next anti virus that you would like to install.

The standard method of uninstalling an anti virus is from Add or Remove Programs but sometimes the uninstaller process would hang and you will not be able to remove the anti virus from your system. When this happen, you can try using the removal tool provided by the anti virus company to remove the installed anti virus. I always have a list of uninstallers for anti virus software on my USB flash drive. Here I am sharing with you guys my list and perhaps it could help you uninstall an anti virus program that you are having trouble uninstalling..

Most of the uninstallers below are very straight forward. Just download, run the file and click a button to proceed with the uninstaller. Some is a little more complicated and requires more steps which I have noted.

1. Avast Download avast! Uninstall Utility

2. AVG Download AVG Remover 32-bit | 64-bit

3. Avira Download Avira RegCleaner

4. BitDefender Download BitDefender Uninstall Tool 32-bit | 64-bit

5. Computer AssociatesDownload CA SupportBridge for 2008 | 2009 products

6. ESET Download NOD32Removal

7. F-Secure Download F-Secure Removal Tool

8. Kaspersky Download Kaspersky Anti-Virus Remover

9. McAfee Download McAfee Consumer Product Removal Tool

10. Windows Live OneCare Download Windows Live OneCare Cleanup Tool

11. Norton / Symantec Download Norton Removal Tool

12. G DATA Download G DATA AV-Cleaner

13. Panda Security Download Panda Security Uninstaller

14. Trend Micro Download Trend Micro Diagnostic Toolkit 32-bit | 64-bit

15. AppRemover Download AppRemover

Blocking Unwanted Parasites with a Hosts File

noreply@blogger.com (Mandy) — Fri, 04 Dec 2009 02:31:00 +0000

What a host file does
The Hosts file contains the mappings of IP addresses to host names, this file is loaded into memory at startup then Windows checks the Hosts file before it queries any DNS servers, which enables it to override addresses in the DNS. This prevents access to the listed sites by redirecting any connection attempts back to the local (your) machine. Another feature of the HOSTS file is its ability to block other applications from connecting to the Internet, providing the entry exists.

You can use a HOSTS file to block ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and even most hijackers. This is accomplished by blocking the connection(s) that supplies these little gems.

Example - the following entry 127.0.0.1 ad.doubleclick.net blocks all files supplied by that DoubleClick Server to the web page you are viewing. This also prevents the server from tracking your movements. Why? ... because in certain cases "Ad Servers" like Doubleclick (and many others) will try to open a separate connection on the webpage you are viewing.

For XP SP2 users you should see a Security Center prompt about allowing this connection. [screenshot]
Simply click No and continue. Yes the prompts can be annoying but at least you'll know, however you should not see these prompts if these entries are included in the HOSTS file.
Note: this prompt only occurs if (example) *.doubleclick.net is included in the "Restricted Zone".

UAE Blackberry update was spyware

noreply@blogger.com (Mandy) — Fri, 04 Dec 2009 02:22:00 +0000

An update for Blackberry users in the United Arab Emirates could allow unauthorised access to private information and e-mails.

The update was prompted by a text from UAE telecoms firm Etisalat, suggesting it would improve performance.

Instead, the update resulted in crashes or drastically reduced battery life.

Blackberry maker Research in Motion (RIM) said in a statement the update was not authorised, developed, or tested by RIM.

Etisalat is a major telecommunications firm based in the UAE, with 145,000 Blackberry users on its books.

In the statement, RIM told customers that "Etisalat appears to have distributed a telecommunications surveillance application... independent sources have concluded that it is possible that the installed software could then enable unauthorised access to private or confidential information stored on the user's smartphone".

It adds that "independent sources have concluded that the Etisalat update is not designed to improve performance of your BlackBerry Handheld, but rather to send received messages back to a central server".

The concern over this unauthorised access only came to light when users started reporting problems with their handsets.

After downloading the update, users across the country noticed significantly reduced battery life, poor reception and in some cases, handsets stopped working altogether.

Users have complained that the firm's customer service is unable to provide information on the problem. Initial advice led many users to simply buy new batteries.

'Surveillance solutions'

The update has now been identified as an application developed by American firm SS8. The California-based company describes itself as a provider of "lawful electronic intercept and surveillance solutions".

It is not clear why Etisalat wanted to include the software in the download.

The firm issued a brief statement last week, calling the problem a "slight technical fault", saying that the "upgrades were required for service enhancements".

Etisalat told BBC News that it stands by last week's statement and has not yet responded to further requests for comment.

"There may be a good reason they wanted to install the software," said one Blackberry user in Dubai who did not want to be named.

"But my biggest problem is that my phone won't work. If you call customer service you either can't get through, or they don't know what to tell you. I don't know what to do."

RIM has now issued its own update allowing users to remove the application. Customers of the country's rival service, Du, have not been affected.

Packed.Generic.270

noreply@blogger.com (Mandy) — Fri, 04 Dec 2009 02:20:00 +0000

Discovered: November 29, 2009
Updated: November 30, 2009 5:58:30 AM
Type: Trojan, Virus
Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000

Packed.Generic.270 is a heuristic detection for files that may have been obfuscated or encrypted in order to conceal them from antivirus software.

This heuristic detection is used to detect threats associated with the following families:

* Infostealer.Banker.C
* Trojan.Dropper

Protection

* Initial Rapid Release version November 29, 2009 revision 048
* Latest Rapid Release version November 29, 2009 revision 048
* Initial Daily Certified version November 30, 2009 revision 004
* Latest Daily Certified version November 30, 2009 revision 004
* Initial Weekly Certified release date December 2, 2009

Click here for a more detailed description of Rapid Release and Daily Certified virus definitions.
Threat Assessment
Wild

* Wild Level: Low
* Number of Infections: 0 - 49
* Number of Sites: 0 - 2
* Geographical Distribution: Low
* Threat Containment: Easy
* Removal: Easy

Damage

* Damage Level: Low

Distribution

* Distribution Level: Low

Packed.Generic.271

noreply@blogger.com (Mandy) — Fri, 04 Dec 2009 02:19:00 +0000

Discovered: November 30, 2009
Updated: November 30, 2009 11:18:21 AM
Type: Trojan, Virus
Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000

Packed.Generic.271 is a heuristic detection for files that may have been obfuscated or encrypted in order to conceal them from antivirus software.

This heuristic detection is used to detect threats associated with the following families:

* Infostealer.Banker.C
* Downloader

Protection

* Initial Rapid Release version November 30, 2009 revision 005
* Latest Rapid Release version November 30, 2009 revision 005
* Initial Daily Certified version November 30, 2009 revision 004
* Latest Daily Certified version November 30, 2009 revision 004
* Initial Weekly Certified release date December 2, 2009

Click here for a more detailed description of Rapid Release and Daily Certified virus definitions.
Threat Assessment
Wild

* Wild Level: Low
* Number of Infections: 0 - 49
* Number of Sites: 0 - 2
* Geographical Distribution: Low
* Threat Containment: Easy
* Removal: Easy

Damage

* Damage Level: Low

Distribution

* Distribution Level: Low

AntivirusSystemPro

noreply@blogger.com (Mandy) — Fri, 04 Dec 2009 02:19:00 +0000

Updated: November 30, 2009 3:32:18 PM
Type: Misleading Application
Name: Antivirus System Pro
Risk Impact: Medium
Systems Affected: Windows XP, Windows Vista, Windows NT, Windows Server 2003, Windows 2000

Behavior
AntivirusSystemPro is a misleading application that may give exaggerated reports of threats on the computer.

Protection

* Initial Rapid Release version November 30, 2009 revision 017
* Latest Rapid Release version November 30, 2009 revision 025
* Initial Daily Certified version November 30, 2009 revision 022
* Latest Daily Certified version November 30, 2009 revision 040
* Initial Weekly Certified release date December 2, 2009

Click here for a more detailed description of Rapid Release and Daily Certified virus definitions.

Trojan.Vundo!gen2

noreply@blogger.com (Mandy) — Fri, 04 Dec 2009 02:18:00 +0000

Discovered: December 2, 2009
Updated: December 2, 2009 11:57:16 AM
Type: Trojan
Systems Affected: Windows XP, Windows Vista, Windows NT, Windows Server 2003, Windows 2000

Trojan.Vundo!gen2 is a heuristic detection used to detect threats associated with the following family:
Trojan.Vundo

Protection

* Initial Rapid Release version December 2, 2009 revision 008
* Latest Rapid Release version December 2, 2009 revision 008
* Initial Daily Certified version December 2, 2009 revision 024
* Latest Daily Certified version December 2, 2009 revision 024
* Initial Weekly Certified release date December 2, 2009

Click here for a more detailed description of Rapid Release and Daily Certified virus definitions.
Threat Assessment
Wild

* Wild Level: Low
* Number of Infections: 0 - 49
* Number of Sites: 0 - 2
* Geographical Distribution: Low
* Threat Containment: Easy
* Removal: Easy

Damage

* Damage Level: Medium

Distribution

* Distribution Level: Low

W32.Mabezat.B!dam

noreply@blogger.com (Mandy) — Fri, 04 Dec 2009 02:18:00 +0000

Discovered: December 2, 2009
Updated: December 2, 2009 4:38:12 PM
Type: Virus
Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000

W32.Mabezat.B!dam is a detection for corrupted files that are infected with W32.Mabezat.B.

Protection

* Initial Rapid Release version December 2, 2009 revision 022
* Latest Rapid Release version December 2, 2009 revision 022
* Initial Daily Certified version December 2, 2009 revision 024
* Latest Daily Certified version December 2, 2009 revision 024
* Initial Weekly Certified release date December 9, 2009

Click here for a more detailed description of Rapid Release and Daily Certified virus definitions.
Threat Assessment
Wild

* Wild Level: Low
* Number of Infections: 0 - 49
* Number of Sites: 0 - 2
* Geographical Distribution: Low
* Threat Containment: Easy
* Removal: Easy

Damage

* Damage Level: Medium

Distribution

* Distribution Level: Low

Adware.Zwunzi

noreply@blogger.com (Mandy) — Fri, 04 Dec 2009 02:17:00 +0000

Updated: December 3, 2009 12:59:34 AM
Type: Adware
Name: Zwunzi
Version: 1.0 build 128
Publisher: zwunzi.com
Risk Impact: High
Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000

Behavior
Adware.Zwunzi is an adware program that installs itself as a Browser Search Plugin for Internet Explorer and Mozilla Firefox.

Protection

* Initial Rapid Release version December 2, 2009 revision 039
* Latest Rapid Release version December 3, 2009 revision 036
* Initial Daily Certified version December 2, 2009 revision 050
* Latest Daily Certified version December 2, 2009 revision 050
* Initial Weekly Certified release date December 9, 2009

Click here for a more detailed description of Rapid Release and Daily Certified virus definitions.

W32.SillyFDC.BBX

noreply@blogger.com (Mandy) — Fri, 04 Dec 2009 02:17:00 +0000

Discovered: December 2, 2009
Updated: December 3, 2009 5:45:23 AM
Type: Worm
Infection Length: 705,283 bytes
Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000

W32.SillyFDC.BBX is a worm that spreads by copying itself to removable and mapped drives. It also drops more malware, attempts to download files, lowers security settings, disables certain system software and alters certain system settings.

Protection

* Initial Rapid Release version December 2, 2009 revision 025
* Latest Rapid Release version December 2, 2009 revision 025
* Initial Daily Certified version December 2, 2009 revision 024
* Latest Daily Certified version December 2, 2009 revision 024
* Initial Weekly Certified release date December 2, 2009

Click here for a more detailed description of Rapid Release and Daily Certified virus definitions.
Threat Assessment
Wild

* Wild Level: Low
* Number of Infections: 0 - 49
* Number of Sites: 0 - 2
* Geographical Distribution: Low
* Threat Containment: Easy
* Removal: Easy

Damage

* Damage Level: Low
* Modifies Files: Modifies certain files, replacing them with a copy of other malware.
* Compromises Security Settings: Lowers security settings.

Distribution

* Distribution Level: Medium
* Target of Infection: Removable drives

Writeup By: Fergal Ladley and Jarrad Shearer