Wednesday, April 27, 2011

Fake BitDefender 2011


21 APRIL 2011
Overall Risk Level:
Fake BitDefender 2011 is a rogue security program that mimics the legitimate product in order to deceive computer users. Sometimes called the Fake Bit Defender 2011 virus, it belongs to the family of rogue security applications built to be sold through deceptive marketing. The real BitDefender 2011 is downloaded from the bitdefender.com web site and installed by the user, while the rogue one is dropped onto the computer and installed without the user's consent. The legitimate product is also offered in three editions, BitDefender Antivirus Pro 2011, BitDefender Total Security 2011 and BitDefender Internet Security 2011, which provide different levels of protection.
Fake BitDefender 2011 can get onto a computer without being detected because it hides itself by injecting code into a legitimate Windows process. An accompanying Trojan is also the reason the rogue can modify the system without interference from any installed security software. It modifies the registry so that it runs whenever Windows starts. The Image File Execution Options entries listed below register msiexecs.exe as the "debugger" for chrome.exe, firefox.exe, iexplore.exe, opera.exe and safari.exe; Windows starts the registered debugger with the real program as its argument, so every attempt to open a browser launches the rogue's component instead, which is why downloading a removal tool on the infected machine can fail. Removing the BitDefender 2011 virus promptly is the best way to prevent further harm to the compromised computer. Use only legitimate anti-malware programs to scan the computer and remove fake BitDefender 2011 together with all the files it leaves on the system.
Alias: Bit Defender 2011
Damage Level: Medium
Systems Affected: Windows 9x, 2000, XP, Vista, Windows 7

BitDefender 2011 Virus Removal Procedures

Manual Removal:
1. Press Ctrl+Alt+Del to open Windows Task Manager, go to the Processes tab, then find and end the process associated with "BitDefender 2011":
(random characters).exe
2. Update your installed antivirus application so that it has the latest signature database.
3. Thoroughly scan the computer and remove any detected threats. If removal is not possible, quarantine the infected item. Also locate and delete the malicious files manually; see the files related to the BitDefender 2011 virus listed below.
4. Remove the registry entries created by BitDefender 2011 from the Windows registry; see the entries associated with the rogue program listed below. In particular, delete the Image File Execution Options subkeys for chrome.exe, firefox.exe, iexplore.exe, opera.exe and safari.exe: as long as their Debugger values remain, Windows starts msiexecs.exe in place of the browser every time one is launched.
5. Exit the registry editor.
6. Remove the BitDefender 2011 start-up entry: go to Start > Run, type msconfig in the "Open" box and press Enter. In the System Configuration Utility, go to the Startup tab and uncheck the following start-up item(s):
(random characters).exe
7. Click Apply and restart the computer.
BitDefender 2011 Removal Tool:
To completely remove the threat, download and run Malwarebytes Anti-Malware. Trojans sometimes block the download and installation of MBAM; if this happens, download it on a clean computer and rename the executable before running it on the infected one.
Using Portable SuperAntiSpyware:
To clean the computer thoroughly, run a separate scan with a second security program so that infected files missed by the first anti-virus application are removed as well. Download and run the SuperAntiSpyware Portable Scanner.

Technical Details and Additional Information:

Malicious Files Added by Fake BitDefender 2011:
c:\Program Files\BitDefender 2011\
c:\Program Files\BitDefender 2011\bitdefender.exe
c:\Documents and Settings\All Users\Start Menu\BitDefender 2011\
c:\Documents and Settings\All Users\Start Menu\BitDefender 2011\BitDefender 2011.lnk
%AllUsersProfile%\Start Menu\BitDefender 2011\Uninstall.lnk
%UserProfile%\Desktop\BitDefender 2011.lnk
%Temp%\srvED4.ini
%Temp%\srvED4.tmp
Fake BitDefender 2011 Registry Entries:
HKEY_CURRENT_USER\Software\MonEC2
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings “ProxyEnable” = ‘0′
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “BitDefender 2011″ = ‘C:\Program Files\BitDefender 2011\bitdefender.exe’
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe “Debugger” = ‘msiexecs.exe -sb’
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe “Debugger” = ‘msiexecs.exe -sb’
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe “Debugger” = ‘msiexecs.exe -sb’
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\opera.exe “Debugger” = ‘msiexecs.exe -sb’
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safari.exe “Debugger” = ‘msiexecs.exe -sb’
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform “WinNT-EVI 21.04.2011″


Wednesday, April 20, 2011

Clean This


20 MARCH 2011
Overall Risk Level: This entry has a rating of 2
Clean This, also known as the CleanThis virus, is believed to be another variant of the widely spread rogue application Think Point. Clean This is presented as a real anti-virus application on web sites created to promote it. An associated Trojan is first used to compromise web sites and make them run a fake online virus scan on every visitor's computer. This scan reports bogus detections and advises the user to download and install a copy of Clean This. Unsuspecting users may not recognise it as a threat because it pretends to look after the system, has a polished graphical user interface and may even appear to be part of the Windows operating system.
Victims are obstructed in using the PC once the Clean This virus starts to display excessive alerts and taskbar warning messages. It also blocks programs from running, declaring that the file is infected. A prompt to clean the computer pops up constantly; if followed, a new browser window opens and asks the user to buy a Clean This registration key with their credit card details. Do not be deceived by this rogue application; instead scan the computer with the security applications recommended below, which are known to remove this and other forms of malicious software, including the Clean This virus.
Damage Level: Medium
Systems Affected: Windows 9x, 2000, XP, Vista, Windows 7

CleanThis Removal Procedures

Manual Removal:
1. Press Ctrl+Alt+Del to open Windows Task Manager, go to the Processes tab, then find and end the process associated with "CleanThis":
(hotfix.exe)
2. Update your installed antivirus application so that it has the latest signature database.
3. Thoroughly scan the computer and remove any detected threats. If removal is not possible, quarantine the infected item. Also locate and delete the malicious files manually; see the files related to the CleanThis virus listed below.
4. Remove the registry entries created by CleanThis from the Windows registry; see the entries associated with the rogue program listed below. In particular, restore the Winlogon "Shell" value to explorer.exe: while it points at gog.exe, the rogue is started in place of the Windows desktop at every logon.
5. Exit the registry editor.
6. Remove the CleanThis start-up entry: go to Start > Run, type msconfig in the "Open" box and press Enter. In the System Configuration Utility, go to the Startup tab and uncheck the following start-up item(s):
(hotfix.exe)
7. Click Apply and restart the computer.
CleanThis Removal Tool:
To completely remove the threat, download and run Malwarebytes Anti-Malware. Trojans sometimes block the download and installation of MBAM; if this happens, download it on a clean computer and rename the executable before running it on the infected one.
Using Portable SuperAntiSpyware:
To clean the computer thoroughly, run a separate scan with a second security program so that infected files missed by the first anti-virus application are removed as well. Download and run the SuperAntiSpyware Portable Scanner.
Scan with Norton Power Eraser:
Norton Power Eraser is a free removal tool from Norton that is designed to remove unfamiliar threats without relying on traditional AV signatures. Download the tool and scan the computer with it.

Technical Details and Additional Information:

Malicious Files Added by CleanThis:
%UserProfile%\Application Data\gog.exe
%UserProfile%\Application Data\cleanthis.exe
%UserProfile%\Application Data\install
CleanThis Registry Entries:
HKEY_CURRENT_USER\Software\PAV
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “cleanthis”
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon “Shell” = “%Documents and Settings%\[UserName]\Application Data\gog.exe”
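The registry entries listed for the two rogues (the Image File Execution Options Debugger values that hijack browser launches, the Run entries, the replaced Winlogon Shell and the Post Platform marker) can be triaged offline from a registry export taken with regedit or "reg export" on the suspect machine. The script below is an added example written for this page, not code from the original posts; the .reg text it parses is constructed to contain entries of the kinds listed above, and the severity labels and the list of user-writable folders are the example's own choices.

```python
"""Triage a Windows registry export (.reg text) for the persistence and
launch-hijack entries listed for Fake BitDefender 2011 and CleanThis above.
Added example, not part of the original posts.  The export below is
constructed for illustration; it was not captured from an infected machine."""

# Executables whose IFEO "Debugger" value the rogue points at msiexecs.exe.
BROWSERS = {"chrome.exe", "firefox.exe", "iexplore.exe", "opera.exe", "safari.exe"}
IFEO = r"software\microsoft\windows nt\currentversion\image file execution options"
RUN = r"software\microsoft\windows\currentversion\run"
WINLOGON = r"software\microsoft\windows nt\currentversion\winlogon"
POST_PLATFORM = (r"software\microsoft\windows\currentversion\internet settings"
                 r"\5.0\user agent\post platform")
# Folders a rogue typically drops into; legitimate autostarts rarely live here.
USER_WRITABLE = ("\\application data\\", "\\appdata\\", "\\temp\\",
                 "\\desktop\\", "\\local settings\\")


def parse_reg(text):
    """Parse REGEDIT4 / 'Windows Registry Editor Version 5.00' text into
    {key_path: {value_name: data}}.  Only quoted (REG_SZ) data is unescaped;
    dword:/hex: data is kept verbatim."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if (not line or line.startswith(";") or line == "REGEDIT4"
                or line.upper().startswith("WINDOWS REGISTRY EDITOR")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, data = line.partition("=")
        name = "(Default)" if name == "@" else name.strip('"')
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            data = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
        keys[current][name] = data
    return keys


def audit(keys):
    """Return (severity, key, finding) tuples for the entries worth a look."""
    findings = []
    for key, values in keys.items():
        low = key.lower()
        vals = {n.lower(): d for n, d in values.items()}
        if (IFEO + "\\") in low and "debugger" in vals:
            # Windows starts the "Debugger" with the real program as its argument,
            # so the rogue runs instead of the browser.  Real debuggers (ntsd,
            # windbg) use this key too, hence only REVIEW for non-browsers.
            exe = low.rsplit("\\", 1)[-1]
            sev = "HIGH" if exe in BROWSERS else "REVIEW"
            findings.append((sev, key, "IFEO Debugger %r hijacks every launch of %s"
                             % (vals["debugger"], exe)))
        elif low.endswith(RUN):
            for name, cmd in values.items():
                if any(p in cmd.lower() for p in USER_WRITABLE):
                    findings.append(("HIGH", key, "Run entry %r starts %s from a "
                                     "user-writable folder" % (name, cmd)))
                else:
                    findings.append(("REVIEW", key, "Run entry %r -> %s" % (name, cmd)))
        elif low.endswith(WINLOGON) and "shell" in vals:
            if vals["shell"].strip().lower() != "explorer.exe":
                findings.append(("HIGH", key, "Winlogon Shell replaced by %s" % vals["shell"]))
        elif low.endswith(POST_PLATFORM):
            # The rogue leaves an infection marker in the browser User-Agent.
            for token in values:
                findings.append(("MEDIUM", key, "User-Agent Post Platform token %r" % token))
    return findings


# Constructed sample export mixing entries of the kinds listed above with
# two benign ones (ctfmon.exe autostart, ntsd as a debugger for notepad.exe).
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\MonEC2]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"BitDefender 2011"="C:\\Program Files\\BitDefender 2011\\bitdefender.exe"
"cleanthis"="C:\\Documents and Settings\\user\\Application Data\\cleanthis.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe]
"Debugger"="msiexecs.exe -sb"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="ntsd -d"

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="C:\\Documents and Settings\\user\\Application Data\\gog.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform]
"WinNT-EVI 21.04.2011"=""
"""

if __name__ == "__main__":
    for sev, key, what in audit(parse_reg(SAMPLE_EXPORT)):
        print("[%-6s] %s\n         %s" % (sev, what, key))
```

Run it against a real export by reading the .reg file (regedit writes UTF-16, so open it with encoding="utf-16") and passing the text to parse_reg. A Debugger value is not malicious by itself, which is why the script only escalates it for the browser names the rogue targets; everything else under that key is listed for review.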



Thursday, April 7, 2011

Security breaches serve as a warning




Some big IT security breaches since the start of the year, three involving EU institutions and two possibly affecting me, serve as a warning that this is the era of the professional hacker and cyber thief.

When large, supposedly well-protected systems can be successfully attacked, then every business and organisation should consider itself vulnerable. There can be no skimping on spending on more protection and smarter IT security.

Data theft is becoming more common, TripAdvisor told me recently in an email from its CEO informing me that "an unauthorised third party" had stolen part of the online travel company's member email list. The company shut down the vulnerability and noted that no passwords were stolen. It warned that I could receive more spam as a result of the theft.

“The reason we are going directly to you with this news is that we think it's the right thing to do,” the company's CEO said. “As a TripAdvisor member, I would want to know. Unfortunately, this sort of data theft is becoming more common across many industries, and we take it extremely seriously.”

Then this week I was told by Hilton Hotels that their loyalty programme had been broken into and not to “open e-mails from senders” I didn't know.

Both breaches fortunately had a very minor impact, if any, on my data. However, I would rather that such disclosures from companies became the norm, and even a legal requirement.

A bigger impact was felt across Europe in January this year, when the EU had to shut down its innovative carbon trading market, which allows companies to buy and sell their carbon emissions quotas.

The shutdown occurred after cyber thieves stole credits worth about $9.4 million from the Czech Republic's registry. They also broke into the EU Emissions Trading System in Austria, Poland, Greece and Estonia, raising the amount to $43 million.

The Wall Street Journal said that the Czech break-in occurred after an anonymous bomb threat was made by telephone to police, claiming there were explosives at the registry's location in Prague.

The building was cleared and no devices were found. During the time the register was unmonitored, its computer system was broken into and the thieves executed the illegal trades.

According to other reports, the police are unlikely to catch the thieves as the money had been funnelled away through a maze of accounts. Three months later, 24 national registers have re-opened with supposedly even better security -- but how long will they be able to withstand a new onslaught? The system has an annual turnover of $127 billion.

Last month, the European Commission was itself attacked. It had to fight off a sustained digital attack on its e-mail and intranet systems on the eve of a summit of EU leaders. The European Parliament's separate system also suffered a similar cyber attack, which started on 24 March.

Parliament found out only after it examined its systems in the wake of the attack on the Commission. Its IT security noticed “abnormal levels of webmail activity, particularly overnight, when we wouldn't expect such activity”. Parliament had to shut down its webmail and some other external services. No one could access their accounts from outside.

The lessons for all IT security experts from these incidents are: be honest with clients, have an emergency contingency plan to shut down systems in case of a staff evacuation, and continually monitor your networks.

Finally, companies must keep spending to upgrade their systems and make their staff follow security procedures at all times, even annoying and mundane ones such as changing their passwords.

The current "LizaMoon" attack on one million web pages is a more common kind of incident. The hijack redirects visitors of those websites to a fraudulent software sales operation. Most security companies say such attacks happen often, and those redirected should by now know better than to enter their credit card details when asked to pay for security software a fake company claims they need.

The attack inserted malicious code into the websites' pages by gaining access to the servers behind them, so cleaning up means both closing the entry point and finding and removing the inserted code from the site's stored content. Often the vulnerability is due to websites not updating their backend software. If you own a website and have not updated the backend in years, now is the time to do so.
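The column says the redirect code was inserted into the sites themselves, so an owner checking whether a site is affected has to look for script tags in stored content that pull a script from a host the site never uses. The scanner below is an added example written for this page, not part of the column or of any vendor's tooling; the database rows, the allow-listed host and the "injected.example" host name are constructed for illustration. It treats any relative script URL as the site's own, any host on the allow-list as a known third party, and everything else as injected, which means a legitimate third-party script missing from the allow-list is also reported, which is the point of the check.

```python
"""Find and strip script tags injected into stored web content that pull a
script from a host the site does not use.  Added example, not part of the
column above; the rows and host names below are constructed."""
import re
from urllib.parse import urlparse

# One <script ... src=...>...</script> element; the src may be unquoted,
# as it usually is in mass-injected tags.
SCRIPT_TAG = re.compile(
    r'<script\b[^>]*?\bsrc\s*=\s*["\']?([^"\'\s>]+)[^>]*>.*?</script\s*>',
    re.IGNORECASE | re.DOTALL)


def is_offsite(src, allowed_hosts):
    """True when src loads from a host that is neither this site (relative
    URL, hostname None) nor on the allow-list of third-party hosts the site
    legitimately uses.  urlparse lower-cases the hostname for us."""
    host = urlparse(src).hostname
    return host is not None and host not in allowed_hosts


def injected_scripts(html, allowed_hosts):
    """Return the src of every off-site script tag in one piece of content."""
    return [m.group(1) for m in SCRIPT_TAG.finditer(html)
            if is_offsite(m.group(1), allowed_hosts)]


def strip_injected(html, allowed_hosts):
    """Remove off-site script tags and leave everything else untouched."""
    return SCRIPT_TAG.sub(
        lambda m: "" if is_offsite(m.group(1), allowed_hosts) else m.group(0),
        html)


def scan_rows(rows, allowed_hosts):
    """rows: (table, column, row_id, text) as dumped from every text column
    of the site database.  Returns (table, column, row_id, src) per hit."""
    hits = []
    for table, column, row_id, text in rows:
        for src in injected_scripts(text, allowed_hosts):
            hits.append((table, column, row_id, src))
    return hits


# Constructed sample rows: two clean, two carrying an injected off-site script
# (row 7 shows the usual pattern of the tag being appended to a text field).
ALLOWED_HOSTS = {"cdn.example"}
SAMPLE_ROWS = [
    ("posts", "body", 1, '<p>Welcome</p><script src="/js/site.js"></script>'),
    ("posts", "body", 2,
     '<p>Opening hours</p><script src=http://injected.example/ur.php ></script>'),
    ("products", "description", 7,
     'Red widget"></title><script src="http://injected.example/ur.php"></script>'),
    ("products", "description", 8, '<script src="//cdn.example/lib.js"></script>'),
]

if __name__ == "__main__":
    for table, column, row_id, src in scan_rows(SAMPLE_ROWS, ALLOWED_HOSTS):
        print("%s.%s id=%s loads %s" % (table, column, row_id, src))
```

In practice the rows come from a dump of every text column in the database, not only the ones that are meant to hold HTML, because the injected tag lands wherever the vulnerable query wrote it. Stripping the tag cleans the symptom; the entry point still has to be patched, or the content is reinfected.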




Beware of ‘LizaMoon’


MANILA, Philippines -- A lawmaker on Tuesday cautioned the public against a new malware attack hitting millions of Internet users worldwide.
Sen. Edgardo Angara, chairman of the Senate Committee on Science and Technology, said the malware, discovered in late March, now seems to have affected at least four million individual websites.
Web users who stumble upon the malware are unwittingly redirected to a site called "LizaMoon", which then asks the user to install needless anti-virus software.
“We must not wait for these kinds of viruses to hit the Philippines and cause harm before establishing security measures – with the speed and pervasiveness of the Internet, this particular malware can reach the country in no time,” said Angara.
Angara had earlier filed Senate Bill No. 52, which seeks the passage of the Cybercrime Prevention Act of 2010.
The measure's goal is to protect Internet users from illegal online activity such as fraud, identity theft, hacking and virus attacks, among others. Violations carry a maximum fine of P50,000 and imprisonment.
“Nowadays, the vast majority of Filipinos have access to the Internet. We must be diligent and set safeguards to protect them from malicious entities wanting to take advantage,” Angara said.


Thanks To: HANNAH L. TORREGOZA, http://www.mb.com.ph