Noob blogger...

Beware to all Paypal users!

2011-12-10T05:13:00.001-08:00

I just found a fake email having the below message:

From: Paypal

Subject: Suspicious Payment

PayPal Customer,

You Made A Payment to www.thetattooshop.co.uk .

Your £5.00 GBP payment is in proccess.

If you are not redirected within 10 seconds.

Log In To

http://www.paypal.co.uk

To receive a refund.

PayPal ,

Purchase Protection Department.

This is the usual view of most emails in which the sender's email address is not shown. So how can we say it is fake? Please do the standard procedure of verifying the email.

1. Before panicking, make sure to verify who or what really is the sender's email address. In this case, I find the sender not directly from Paypal: spprtppdptm@ppal.com

2. Before clicking any URL from the email message body, make sure it does not contain hyperlinks that points to different site. In this fake email, the http://www.paypal.co.uk contains the hyperlink that points to the site: http://andybrwny.altervista.org/evl/index.html

You can mouse over to the URL from the email message body BUT WITHOUT CLICKING IT:

Mousing over the URL will show where the hyperlink is pointing at the bottom left of the browser.

The said site pretends to be a Paypal site to steal your Paypal credentials, you can see below image:

Please note the URL which is not really the Paypal site.

3. If verified to be a fake email, please report it to help others.

4. In case you clicked the URL and logged in to the fake Paypal site. Login to the real Paypal site and change your password ASAP before it's too late... or maybe you can call Paypal Customer Service to report it.

That's it for today and hope this helps... Thanks for reading!

Facebook Likejacking attack 3

2011-03-18T16:46:00.000-07:00

Another Likejacking found on Facebook a minute ago...

I found the below post from my news feed and the play image seems suspicious.

After clicking the link from the facebook post, it will be redirected to the below site:

http://video25.info/pan/

I'm not going to explain how it works but if you need details, the technique is the same as my previous blog.

The below shows how many users that were tricked by this attack as of this writing. And it continue to increase every refresh of the page.

If you suspect you've been infected by this attack, just go with the below link and click the UNLIKE button (note: If there's no UNLIKE button, DO NOT CLICK THE LIKE BUTTON)

http://www.facebook.com/plugins/like.php?href=http://video25.info/pan/

Autorun Malware Protection for Win7

2011-03-15T05:57:00.000-07:00

My mistake that I haven't updated the previous blog on Autorun Malware Protection which is not applicable in Windows 7. So I decided to create another write up about it.

Below is the steps on how to totally disable the Auto Play feature of Windows 7.

1. Open the Local Group Policy Edit via the below instructions:

1.1 Click Start or Hold windows key from keyboard and press R

1.2 Then type gpedit.msc

2. A window will show up and browse the below items from the left side of the Local Group Policy Editor window:

2.1 Computer Configuration

-> Administrative Templates

-> Windows Components

-> Autoplay Policies

2.3 At the right side, you can see settings about the Autoplay policies same as below:

Figure A. gpedit.msc

3. Enable each one of the settings from the Autoplay policies and set it the same as the below:

Figure B. Turn off Autoplay

Figure C. Don't set always

Figure D. Turn off Autoplay for non volume devices

Figure E. Default Behavior

4. After the above mentioned settings, close the Local Group Policy Editor window.

5. Then go to Control Panel

6. Click on the Hardware and Sound

7. Click on the AutoPlay

8. Uncheck the Use AutoPlay for all media and devices

9. Then set all possible fields to Take no action same as below:

Figure F. Take no action

Note: This will disable the Autoplay on all media type devices. This is also needed to be disabled because there are malwares that tries to infect media type such as CDs, DVDs and etc.

If you find problems with the step by step instructions. Just let me know.

Japanese Tsunami event used in Likejacking Attack

2011-03-13T04:58:00.000-07:00

We all know what happened to Japan last friday and almost everyone is being curious and wanted to see pictures, videos and etc about the event.

While browsing my Facebook, I've seen the below post from my news feed.

Figure A. FB Post

I click the link from the above Facebook post and found the below site which is very suspicious.

http://spinavideo.com/

Figure B. The site

Then I started to analyze...... and I found out that this is another Facebook likejacking.....

Again, the same technique as before, it uses a hidden iframe to hide the liking of page...

Figure C. Hidden iframe

Then it contains code to make the hidden iframe follow the mouse where ever it goes so that once the user clicks the fake play image, the user will like the page without the user consent.

Figure D. Mouse event

As of this writing, the below shows the total likes of the site which means the total number of users were tricked by the site.

Figure E. The likes

If you think you were tricked by this site, just visit the below link and UNLIKE the page (Note: if you're not seeing the Unlike button just leave the page and DO NOT CLICK THE LIKE BUTTON):

http://www.facebook.com/plugins/like.php?href=http://spinavideo.com/

Be aware about these kind of attacks. Well, there are ways to identify if the site is suspicious specially in this site (Figure B). As you can see the site contains Youtube logo but it is not actually the Youtube website, from that point you should know that it may cause you trouble when you continue browsing the page.

DHL Delivery Notification

2011-03-10T03:40:00.000-08:00

I received an email from DHL saying that a parcel was sent to my home address and it includes an attachment which a malicious executable. If you also receive this email, please delete the email immediately or report to your Security Vendor. Below is the example of the Spam mail:

Figure A. The Mail

This kind of attack becomes popular these past year where the email address used to be the legitimate domain like example from Figure A, it uses infofuiwzuo@dhl.com which the user may believe that is actually from a DHL specially if the user who receives this email attack really waiting for a parcel from DHL.

Based on the message of the email, the attached file is a document. The truth is, it is an executable file that uses a PDF icon as shown in Figure B to fake the user that it is really a document. This is effective when the file extension is hidden. One problem is that hidden file extension is the default settings of Windows. So most users that uses this default settings has a high chance to be vulnerable in this Social Engineering attack.

Figure B. The Icon

File Information:

Filename: DHL_notification.exe

File size: 35,328 bytes

MD5: 64901CFDFB576D7C7C1D4F1F240315E2

SHA-1: B6C5A7D097CDCC9B71B010C7CFCEDDE6D0616E3F

File behavior:

Upon Execution it drops a copy of itself as the below filename:

%Application Data%\Adobe\AdobeUtil.exe

It attempts to create the below folders if does not exist:

%Application Data%\Adobe

%Application Data%\Adobe\plugs

%Application Data%\Adobe\shed

It also attempts to drop the below files:

%Application Data%\Adobe\AdobeUtil .exe

%Application Data%\Adobe\adb.cer

It attempts to create a shortcut of the copy of itself to Windows startup folder which serves as its Automatic execution technique:

%Startup Folder%\AdbUpd.lnk

Note: %Startup Folder% is usually %User's Folder%\Start Menu\Programs\Startup

It tries to download and execute the files from the below URLs:

http://62.122.73.203/548.exe - ThreatExpert File Analysis

http://d34ghqarfrgad.com/ftp/ftpplug2.dll

http://d34ghqarfrgad.com/lol.exe

http://erherg34gsafwe.com/ftp/base.bin

Another Facebook Likejacking Attack

2011-03-08T04:11:00.000-08:00

This will be fast, if you're not familiar with Facebook likejacking, please see my previous blog about it.

Just now, I found another site which have the facebook likejacking attack. Below is the screenshot of the site as of this writing (Figure A).

Website: http://video.findisuper.com/lol-dieser-frau-kann-man-keinen-wunsch-abschlagen/

Figue A. The Site

Well, the same technique used from my previous blog that contains code to make the hidden iframe follow the mouse pointer Below is the code.

Figure B. Mouse Event

The interesting part is instead of using the Facebook like plugin that is usually used from the previous likejacking attack that I know, in this site, it uses a script from Facebook and a certain Facebook API

Facebook Like Plugin (previously used):

http://www.facebook.com/plugins/like.php?href=

It uses the below code to have a hidden iframe which points to fbLike.html

Figure C. Hidden Iframe

The below code from fbLike.html shows the liking of page GUI in a different way (instead of Facebook Like Plugin). This will be hidden from the site because it is loaded via hidden iframe ( from Figure C).

Figure D. fbLike.html

I believe they are doing this new approach to avoid detection from Security Softwares because basically, the Facebook Like plugin is easy to detect that when it is hidden and added some additional filter, it can be tagged as malicious. But this time, since it doesn't use the Facebook Like plugin, I believe it will not be detected.

Once a facebook user has been attacked by this likejacking, A message on the user's facebook wall will be posted that the user likes the page, example below:

Figure E. User's wall

If you suspect you've been infected by this attack, just go with the below link and click the UNLIKE button (note: If there's no UNLIKE button, DO NOT CLICK THE LIKE BUTTON)

http://www.facebook.com/plugins/like.php?href=http://video.findisuper.com/lol-dieser-frau-kann-man-keinen-wunsch-abschlagen/

When I started this blog the users that liked the page as below:

Upon finishing the blog, see the below stat:

Thanks for reading. ^_^

Facebook Likejacking attack

2011-03-04T02:12:00.000-08:00

It’s been a while since I updated this blog. I’ve been busy in the past year so for now, I’m still finding a time to make one. ^_^

I want to share with you about the likejacking attack on Facebook. Basically, the likejacking is not new. It was publicly disclosed a long time ago maybe a year or so. I noticed that most likejacking attacks are not blocked by Security companies.

First what is likejacking?

Likejacking is a malicious technique of tricking users of a website into posting a Facebook status update for a site they did not intentionally mean to "like."^[1]

The term "likejacking" came from a comment posted by Corey Ballou^[2] in the article How to "Like" Anything on the Web (Safely), which is one of the first documented postings explaining the possibility of malicious activity regarding Facebook's "like" button.^[3]

~According to Wikipedia - http://en.wikipedia.org/wiki/Likejacking

And here is the example that I found today……….

I found the below post from my Facebook news feed.

Figure A

Clicking the link will open a new browser and go to the site miley-respect.info. When I analyzed the site, it contains code that several redirections takes place as below:

http://miley-respect.info -redirects_to- http://www.omg-girl.info/ -redirects_to- http://www.omg-girl.info/ -redirects_to- http://jerrynoob.info/np

Well if we think deeply there are several possible reasons why they are doing this kind of redirection chain.

1. Easy to change the end point of the attack.

2. Not easy to track if you only got the end point or before the end point domain.

3. And there’s much more… haha.

Then after the redirections and as of this writing, it will end up to the site http://jerrynoob.info/np

Below is the screenshot of the site.

Figure B

It is basically spoofing the Youtube. But that’s not it. What the users don’t know is the hidden agenda of this page. It has a hidden iframe that is not seen on the page using the below code:

If you’re not aware of this code, it basically hide the liking page of facebook example it hides the below gui:

Figure C

You will notice that this is not seen on the page (Figure A). The interesting part is the strategy use on how the user will like the page without knowing it. With regards the hidden iframe, it also contains code that the hidden iframe will follow the mouse pointer wherever it goes on the page. With this, since the user is aiming to watch the video, the user will just click the video play image and that makes clicking the hidden facebook like button (Figure C). Below is the code that does the trick on following the mouse pointer.

Moreover, after liking the site without knowing it there will be a new post on your Facebook news feed that you liked the page.

Figure D

In this case, your friends that saw the post that you liked the page may become interested and will do the same thing and get infected. This is like a WORM attack in Facebook that people get infected without their consent.

Well, that’s not all. After liking it there will be a popup of some kind a verification before viewing the video. As below.

Figure E

Well, most of these verifications end up getting your mobile phone number which may lead to a service subscription that charges your mobile account for money and the bad thing about it is it’s hard to unsubscribe which causes loss of money.

Figure F

This mobile subscription is legal, but as you can see, users finding it in a malicious way. So beware!

Another interesting part is after finishing this blog, there are more and more users liking it, yes that's means more and more facebook users are getting infected. As you can see in Figure C, when I started writing, it only has 2,619 likes. And now go on look below:

Figure G

Let see how it goes.

I believe there's more into this attack that myself is missing. Well, as of now, this is all I have.

BTW, If you think you are infected by this FB likejacking and want to remove the Facebook post from your news feed, go to the below URLs and click the Unlike button (Note: if you're not seeing the Unlike button just leave the page and DO NOT CLICK THE LIKE BUTTON):

http://www.facebook.com/plugins/like.php?href=http://miley-respect.info&layout=standard&show_faces=false&width=450&action=like&font=tahoma&colorscheme=light&height=80

http://www.facebook.com/plugins/like.php?href=http://jerrynoob.info/np/&layout=standard&show_faces=false&width=450&action=like&font=tahoma&colorscheme=light&height=80

Thanks for reading. ^_^

====================================

Update - March 4, 2011 4:58 AM PST

See below, after couple of hours more and more FB users were infected.....

====================================

Update - March 4, 2011 4:45 PM PST

See below, again more and more FB users getting infected.....

====================================

Update - March 5, 2011 2:45 AM PST

See below, Sigh... more and more FB users getting infected.....

====================================

Update - March 5, 2011 1:18 PM PST

No need to worry about it anymore, the site is now blocked by Facebok.

Thank you for sharing this blog with your friends and for your comments. ^_^

We've got FakeAV during Christmas

2009-12-25T06:11:00.000-08:00

Just found another popular FakeAV malware that is not yet detected by most AV vendors.

File information:
Filename: Start.exe
File size: 250,624 bytes
MD5: A0B4084581CD7C00C078532201CA1A14
SHA1: BD040DA889DA8333AE66C60B48B3E2951066834C
CRC-32: 4379A7A9

Upon execution, this FakeAV malware creates a random folder in Application Data folder of the current user, then it drops a copy of itself to the created random folder using a filename with 4 random characters plus the name "sysguard.exe"
Example: C:\Documents and Settings\winuser\Local Settings\Application Data\cdauwq\hfbesysguard.exe

It creates the following autostart registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
{random characters} = {Malware dropped path and filename}

example:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
bryeqfww = "C:\Documents and Settings\winuser\Local Settings\Application Data\cdauwq\hfbesysguard.exe"

This malware will then display the following message from windows taskbar.

It will then display a fake Antivirus software scanning in the affected computer.

It also displays a warning message indicating that the affected computer is infected.

Clicking the button "Yes, remove threats" will display the following

Clicking on the "Activate your Antivirus Software" will open an internet explorer that leads to the following url that makes you order the Fake Antivirus using a credit card transaction:
hxxp://platinum-soft.net/purchase?r=%Version%

note: %Version% is the version of the FakeAV malware.

This malware may also display the following image:

This malware is capable of stopping and terminating processes that is executed in the affected computer. Once the user executed any file, it will display a message indicating that process is infected.

This malware may open Internet Explorer to visit 1 of the following url:
-platinum-soft.net
-platinum-soft.microsoft.com
-91.212.127.236
-193.169.13.12
-www.viagra.com
-www.porno.org
-www.porno.com
-www.adult.com

This FakeAV malware also capable of removing files, services, registries and processes which are related to real malwares.
It kills processes and delete its file that contains the following process names:
pp1_.exe
ld__.exe
freddy__.exe
SYSDLL.exe
%sysroot%\DSSAGENT.EXE
regsvr32.exe
dhcp\svchost.exe
regsvr32.exe
dhcp\svchost.exe
%System%\sopidkc.exe
reader_s.exe
antit.exe
Temp\spoolsv.exe
Temp\csrss.exe
Temp\services.exe
nksmnz.exe
CSmileysIM
xpdeluxe.exe
fbtre_.exe
fbtre__.exe
mstre__.exe
mstre_.exe
braviax.exe
AntiVirus_Pro.exe
pav.exe
NetFilter.exe
gamevance32.exe
wmsdkns.exe
gav.exe
SiteRankTray.exe
RegMech.exe
pctsGui.exe
pctsTray.exe
pctsAuxs.exe
WindOptimizer.exe
mdmcls32.exe
cfgmng32.exe
hpoopm__.exe
m3SrchMn.exe
mwsoemon.exe
ALCXMNTR.EXE
PC_Antispyware2010.exe
gamevance32.exe
gamevance32.exe
psystem.exe
tsc.exe
AntivirusPro_2010.exe
rlvknlg.exe

Removing the following services:
dhcpsrv
sopidkc
pctsSvc.exe
sdAuxService
sdAuxService
sdCoreService
websrvx.exe
MyWebSearchService
mwssvc.exe
WinSvchostManager

deletes the following files:
%Startup folder%\ChkDisk.dll
%Startup folder%\ChkDisk.lnk
MWSOEMON.EXE
%System%\wmsdkns.exe

Deletes the following registry key:
HKLM\SOFTWARE\AntivirusPro_2010

deletes the following registry values:
HKCU\Control Panel\dont load "scui.cpl"
HKCU\Control Panel\dont load "wscui.cpl"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows "AppInit_DLLs"

Removes Browser Helper Object (BHO) with following CLSIDs:
{00000250-0320-4dd4-be4f-7566d2314352}
{00A6FAF1-072E-44cf-8957-5838F569A31D}
{07B18EA1-A523-4961-B6BB-170DE4475CCA}
{100EB1FD-D03E-47FD-81F3-EE91287F9465}
{11BF46C6-B3DE-48BD-BF70-3AD85CAB80B5}
{13197ace-6851-45c3-a7ff-c281324d5489}
{15421B84-3488-49A7-AD18-CBF84A3EFAF6}
{15651c7c-e812-44a2-a9ac-b467a2233e7d}
{2BA1C226-EC1B-4471-A65F-D0688AC6EE3A}
{332BE9D8-025A-452e-BF78-A077F9D3F84A}
{37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8}
{38101cce-5999-48eb-815b-d942e1f715c6}
{3937DEA7-2769-ADDF-B533-20E7D249A547}
{4D25F921-B9FE-4682-BF72-8AB8210D6D75}
{4e1075f4-eec4-4a86-add7-cd5f52858c31}
{4E3A97D3-9F15-4067-D0F9-241CC9CC9541}
{4e7bd74f-2b8d-469e-92c6-ce7eb590a94d}
{500BCA15-57A7-4eaf-8143-8C619470B13D}
{547395D9-934A-CED6-B851-F238C86079E5}
{549B5CA7-4A86-11D7-A4DF-000874180BB3}
{5929cd6e-2062-44a4-b2c5-2c7e78fbab38}
{5C255C8A-E604-49b4-9D64-90988571CECB}
{5dafd089-24b1-4c5e-bd42-8ca72550717b}
{5E5EFA8F-9F53-418E-B78E-44866667A404}
{5fa6752a-c4a0-4222-88c2-928ae5ab4966}
{622cc208-b014-4fe0-801b-874a5e5e403a}
{63F7460B-C831-4142-A4AA-5EC303EC4343}
{6c517f1e-249d-b518-be84-9995ecc10183}
{70FEAD04-A7FD-4B89-B814-8A8251C90EF7}
{7E853D72-626A-48EC-A868-BA8D5E23E045}
{85661731-3340-E784-488A-D053E986CF73}
{8674aea0-9d3d-11d9-99dc-00600f9a01f1}
{873D5AB4-47F5-401F-B9E0-B14A65D2BB53}
{965a592f-8efa-4250-8630-7960230792f1}
{9c5b2f29-1f46-4639-a6b4-828942301d3e}
{A3BC75A2-1F87-4686-AA43-5347D756017C}
{A57EE9D7-0534-496A-B2B0-E95866D0C1B0}
{A7327C09-B521-4EDB-8509-7D2660C9EC98}
{A77D3539-581D-450C-9E44-A84C415A6172}
{AAAE832A-5FFF-4661-9C8F-369692D1DCB9}
{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}
{B49699FC-1665-4414-A1CB-C4A2A4A13EEC}
{C5428486-50A0-4a02-9D20-520B59A9F9B2}
{C5428486-50A0-4a02-9D20-520B59A9F9B3}
{c6c7b2a1-00f3-42bd-f434-00aaba2c8953}
{CCC7A320-B3CA-4199-B1A6-9F516DD69829}
{cf021f40-3e14-23a5-cba2-717765728274}
{E38FA08E-F56A-4169-ABF5-5C71E3C153A1}
{fc3a74e5-f281-4f10-ae1e-733078684f3c}
{FDD3B846-8D59-4ffb-8758-209B6AD74ACC}
{ffff0001-0002-101a-a3c9-08002b2f49fb}
{02478D38-C3F9-4efb-9B51-7695ECA05670}
{35B8D58C-B0CB-46b0-BA64-05B3804E4E86}
{CDBFB47B-58A8-4111-BF95-06178DCE326D}
{35A5B43B-CB8A-49CA-A9F4-D3B308D2E3CC}
{07B18EA9-A523-4961-B6BB-170DE4475CCA}
{0ED403E8-470A-4a8a-85A4-D7688CFE39A3}
{4E7BD74F-2B8D-469E-8CB0-AB60BB9AAE22}
{BEAC7DC8-E106-4C6A-931E-5A42E7362883}
{CB0D163C-E9F4-4236-9496-0597E24B23A5}
{DBC80044-A445-435b-BC74-9C25C1C588A9}
{F64619FF-E19F-4016-BF9C-147CFF821B46}
{14CEEAFF-96DD-4101-AE37-D5ECDC23C3F6}
{201f27d4-3704-41d6-89c1-aa35e39143ed}
{ee57e883-3ec3-b6db-9f84-3122750c3c02}
{20c3c057-2213-48f9-bd6b-3ce3388e75ee}
{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}
{CC3CD2A8-2892-4CC4-A30F-E25921AC65C0}
{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}
{5CA3D70E-1895-11CF-8E15-001234567890}
{BA603215-23F2-42AD-F4E4-00AAC39CAA53}
{E8DAAA30-6CAA-4b58-9603-8E54238219E2}
{21608B66-026F-4DCB-9244-0DACA328DCED}
{A5DBD8CB-DF8A-4992-A655-B155216F6AFB}
{D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A}
{3041d03e-fd4b-44e0-b742-2d9b88305f98}

Although this FakeAV malware has capabilities to remove real malwares (which a real Antivirus capabilities), it still poses a fake infection report to the affected computer and asking the user to buy the software product to remove the threats in which may only expose Personal and Credit Card information to the malware writer.

As of this writing (12/26/2009), this FakeAV sample that was found is not yet detected by most legitimate Antivirus software (please click the image below). So beware.

Removal instructions:
1. Open the Search companion by pressing "Windows Start key+F" or Ctrl+F in my computer
2. In the search companion, click on the All files and folders
3. In the "Look in", browse for %root%\Documents and settings
4. Then click on the More advanced options and check the box "Search hidden files and folders"
5. Type the following string to the "All or part of the file name" text box:
*sysguard.exe

6. Then click search.

7. Once found, note the malware path and filename and rename the file to any filename.

8. Restart the computer (or you can logoff and logon so that services will not stop)
9. After restart (or relogon) browse for the renamed malware file, and delete it.

10. To remove the autostart registry, open registry editor or execute regedt32.exe
11. In the left panel, browse for the following registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
12. In the right panel, locate the data with the same as the noted malware path and filename.
13. Delete the registry value once found.

Online Video leads to FakeAV malware.

2009-12-08T05:49:00.000-08:00

I Just found a popular FakeAV malware from a certain site while browsing and searching for some anime series on the internet. When visiting the host site of the FakeAV malware, it will prompt you to install a fake Video ActiveX Object.

Clicking the continue button will download the FakeAV Malware. This FakeAV malware will come with the filename "install.exe".
File information:
Filename: install.exe
file size: 1,255,489 bytes
MD5: 6D4DCF6FAC03E32D6C26A8AF7FC9A060
SHA1: 9A45F91A2DDCD295472736E3C4B5C5F17541CF67
CRC-32: 372C2196

Once you download and execute the install.exe from the said site, it will pop up the following message box:

During execution, this FakeAV malware will create a random folder in the following folder:
%root%:\Documents and Settings\All Users\Application Data\

then, it will drop a copy of itself with a random filename in the created folder.
(example: C:\Documents and Settings\All Users\Application Data\23572019\23572019.exe)

Then it will create the following autostart registries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
%random% = "%FakeAV path and Filename%"
(example: 23572019 = "C:\DOCUME~1\ALLUSE~1\APPLIC~1\23572019\23572019.exe")

It will also create the following registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\%random%
FirstRun = hex:%random%

This FakeAV malware will then display a Fake scanning of Security tool.

If you close the fake Security tool window, it will display a message with an icon from the taskbar.

Once the fake scanning is finish, it will display a window that shows your system is infected by several malwares.

Clicking the "Remove all threats now" will display a window to activate this Fake Security tool.

If you click to activate this Fake Security tool, it will connect to 1 of the following site to display a payment method on activating this fake Security tool:
1. hxxp://invoicefish.com/buy2.php?affid=33220
2. hxxp://invoiceerica.com/buy2.php?affid=33220

Providing your credit card information is the same as giving it to the hacker.

Additional behavior
This FakeAV malware is also capable of dropping of shortcut in windows desktop with filename "Security Tool.lnk". This shortcut points to the dropped malware file.

It also modify the following registry value to change the wallpaper of the infected machine:

HKEY_CURRENT_USER\Control Panel\Desktop
From: Wallpaper
To: _Wallpaper

It is also capable of connecting to the following site:
hxxp://yourprotectiongroup.com/in.php?affid=33220&url=5&win=%windows version%+%FakeAVversion%

where %windows version% is 1 of the following which depends on the affected system:
-Unknown
-Windows NT 3
-Windows NT 4
-Windows 95
-Windows 98
-Windows ME
-Windows 2000
-Windows XP
-Windows 2003
-Windows Vista
-Windows Seven

Connection to the said site will report the version of windows OS and the FakeAV installed in the affected system to the malicious site. As of this writing (12/9/2009), the in.php contains code that may update a copy of the FakeAV malware by connecting to the following site:
hxxp://yourprotectiongroup.com/downloader.php?affid=00000

It also contains code that may display another fake infection report.

This is a technique by the malware writers to expose your user and credit card information.
Also, As of this writing (12/8/2009), this FakeAV sample that I found is not yet detected by most legitimate Antivirus software (please click the image below). So beware.

Click here for the original scan result

[12/9/2009 updates]
Another downloaded file that is not yet detected by most legitimate Antivirus software
File information:
Filename: install.exe
file size: 1,256,001 bytes
MD5: A8005F760480B1B7F20D2EEC30C7FF80
SHA1: 9DFC5084A749210FD76840DE49C376517FC34543
CRC-32: 7B203701

Click here for the scan result.

Master Boor Record (MBR) rootkit malware removal

2009-12-01T04:02:00.000-08:00

Trojan malwares nowadays are capable of writing their malicious code to the Master Boot Record (MBR) of a bootable drive. It’s another way of an auto start technique which includes hiding itself from users. MBR rootkit malwares usually comes with a driver rootkit component that contains all the payloads. The main goal of this MBR rootkit malware technique is to load the driver rootkit component before Windows starts. Security companies named this kind of malwares as MBR Rootkit, Mebroot or Sinowal.

How it works?
The MBR rootkit malware saves a copy of the original Master Boot Record (MBR) in other sector of hard drive, and then it writes its own malicious MBR to load its malicious routine together with the original MBR of the hard drive. Regarding the driver rootkit component, it is not dropped as a file, but it is written in a portion of the hard drive as its stealth mechanism technique. Another malicious code is written in some sector of the hard drive to load the driver rootkit component before loading Windows.

How to clean?
There are ways to remove this MBR rootkit malware, but be cautious on following the instructions, because we are dealing with the Master Boot Record of a hard drive which may damage the MBR and causes loss of data.

Anyways, here are the easiest and safe steps that I know to remove/clean your infected Master Boot Record:
1. Download the tool MBR rootkit detector from the below link:
http://www2.gmer.net/mbr/mbr.exe

-Mirror-
Note: The tool from the mirror link is compressed and password protected (password: novirus). Also, it may not be the updated tool but it is the tool that I use as of this writing.

2. Using the command prompt (cmd.exe), run the “mbr.exe”. Check if you are really infected.

3. Once your are infected, run the mbr.exe again but this time with the parameter “-f” to fix/clean your Master Boot Record, please see below command:
mbr.exe –f
You should see the message “original MBR restored successfully!”

4. Then restart your computer.

After restart, when you run the mbr.exe again, you should see the line “user & kernel MBR ok” and should not have the line “MBR rootkit infection detected!......”.

As long as you have the MBR ok message, just ignore the other messages, Some malicious code in your hard drive sector may still exist but rest assured that it will not run anymore because you already have a clean Master Boot Sector. ^_^

Restore deleted files

2009-11-30T06:40:00.000-08:00

I would like to share a very useful tool that I am using to restore deleted files (even emptied from recycle bin). I use this tool whenever I accidentally delete my files (for being stupid. haha).

This is a free tiny program that doesn't need to be installed.
Click here to download the tool
File information:
Filename: file_restoration.zip
File size: 164,299 bytes
MD5: B27AB9D8DF4BDA6E4D9D9FE280CD358E
note: the archive is password protected, password is: novirus

How to use:
1. Double click the Restoration.exe
2. Select a drive (location of the deleted file).
3. Input the filename of the file then click the "search deleted file" button.
4. Select a listed file.
5. Click "Restore by copying" button.
6. Specify the location you want to restore to.

Enjoy! ^_^

Multiple Yahoo Messenger

2009-11-30T05:52:00.000-08:00

Do you have 2 or more yahoo accounts that you need to use in yahoo messenger at the same time? No Worries! This can be done in 1 machine (using Windows OS).

A simple trick to run yahoo messenger multiple times so you can use multiple accounts at the same time. All you have to do is modify something in windows registry.
Here are the steps:
1. Open Notepad.
2. Copy the following in the opened Notepad:
REGEDIT4
[HKEY_CURRENT_USER\Software\Yahoo\pager\Test]
"plural"=dword:00000001
Note: just replace the dword:00000001 to dword:00000000 if you want to disable multiple instance of yahoo messenger.
3. Save the file as MultipleYM.reg.
4. Locate and right click on the file MultipleYM.reg and click on Merge
5. Click Yes on the Prompt.

This trick does not need to restart Windows, you can now run the yahoo messenger multiple times and login all your accounts.

Enjoy! ^_^

Autorun Malware Protection

2009-11-29T08:11:00.000-08:00

Windows has a feature known as AutoPlay and AutoRun. These features are designed to run applications automatically from devices such as disk drives, floppy drives, usb flash drives cd/dvd drives. This feature is dependent on a certain file "autorun.inf", which is a configuration file that contains information on application that will launch by Windows.

Example: Most disc installers uses the AutoPlay feature of Windows, it uses the file "Autorun.inf" so that once the disc is inserted in a cd/dvd drive, Windows will launch the setup of the installer from the disc automatically.

This feature is exploited by the malwares for its propagation routine, they usually drop a copy of itself in all drives (from A to Z) together with the file "Autorun.inf". Their objective is to infect the removable drives (such as floppy disk, flash drives, usb hard disks) so that when these infected drives are inserted to another machine with the AutoPlay/Autorun feature turned on, that machine will also be infected by the malware.

Here is the solution to block the autorun for all devices:
1. Open Notepad.
2. Copy the following to the Notepad:
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\autorun.inf]
@="@SYS:DoesNotExist"
3. Save the file as DisableAutorun.reg.
4. Right click on the file DisableAutorun.reg and click on Merge
5. Click Yes on the Prompt.
6. Restart Windows to take effect.

For a brief explanation, this registry entry will make Windows tag the autorun.inf as not present in all drives, like it doesn't exist.

Well, this is only tested on Windows XP, I haven't tried it in Windows Vista or earlier version.

===========================================

Update - March 15, 2011 - 6:00 AM PST

This is tested only in Windows XP and is _NOT_ applicable on Windows 7.

For Windows 7 instructions please click below:

Autorun Malware Protection for Win7

Phishing on Facebook

2009-11-29T05:43:00.000-08:00

To all facebook users, beware if one of your friends post a message in your wall with links, there are several reports that malwares are using facebook to redirect a user to a phishing site to steal your facebook account's password.

Here's the example of the message with the malicious link that might be posted on your wall:

http://WWW.SHRINKURL%2EUS/ntrurpwkthx?2230

note: The message and link may change but it will still point the user to the phishing site.

Once you click the link, it will redirect you to a fake facebook site (phishing site), entering your email and password to this fake facebook site will expose your facebook account to the hacker (owner of phishing site).

Fake facebook website (Phishing site):

http://122.141.86.112/facebook.com.login.php

Please always check the address bar on your browser that the domain site you are viewing is from facebook before logging in. (it should be http://www.facebook.com/ _NOT_ http://-somethingelse-/facebook.com)