
FAKE WINDOWS PATCH IS A WINDOWS KILLER


We had a genuine worm outbreak two weeks ago, but this week’s top threat is a fake patch for it, delivered by a phish (pronounced ‘fish’).

What is a phish? Here’s a short definition:

Phishing is a type of a social engineering scam, which attempts to gain your bank details, usually by presenting you with a form that looks identical to a popular bank’s website.

Banking officials and computer security experts are predicting that the recent wave of cyber scams targeting the financial services sector will soar in 2005-6 as the industry braces for a new onslaught of fraud schemes. Identity theft is spiraling out of control, with an estimated 7 million cases of identity theft in 2004 and even more this year.

Most phishing attacks are quick hacks, but some show real programming effort. One such example is this phony “Windows update.”

What it does: Downloader.EJD is a Trojan horse program that uses an updated version of an old trick: It’s a false Microsoft security patch.

The actual Trojan horse program is separate from the mass-mailing that has been used to spread it, and it’s the mailing that is most interesting. The From: address is spoofed as [email protected]. The Subject is What You Need to Know About the Zotob.A Worm. This is the body:

What You Should Know About Zotob
Published: August 14, 2005 | Updated: August 19, 2005 Severity VirusGreen

What the levels mean

Supported Software Affected
Windows All Version
Microsoft Security Advisory 899588
Zotob.A
Zotob.B
Zotob.C
Zotob.D
Zotob.E
Bobax.O
Esbot.A
Rbot.MA
Rbot.MB
Rbot.MC

Zotob is a worm that targets All Windows computers and takes advantage of a security issue that was addressed by Microsoft Security Bulletin MS05-039. This worm and its variants install malicious software, and then search for other computers to infect.

Important: If you have installed the update released with Security Bulletin MS05-039, you are already protected from Zotob and its variants. If you are using any supported version of Windows, you are not at risk from Zotob and its variants.

Use the Microsoft Windows Malicious Software Removal Tool to search for and remove the Zotob worm and its variants from your hard drive.

This tool checks for and removes infections from Zotob.A through Zotob.E as well as Bobax.O, Esbot.A, Rbot.MA, Rbot.MB, and Rbot.MC. It also checks for and removes all versions of malicious software that the tool has been updated to remove.

The attachment is named MS05-039.EXE. It is 21,229 bytes and is compressed with the MEW program.

When the attachment is executed, it first downloads a second Trojan program, Agent.AII, and executes it.

This program downloads additional malware which logs keystrokes and accesses multiple web sites. It also attempts to modify the settings of security programs on the user’s computer.

None of these programs display anything that the user can look for, so this attack is difficult to recognize.

How to avoid it: Never open an attachment from a stranger, and open one from anyone only when you are expecting it. Microsoft never distributes updates through e-mail. To make sure you have all the appropriate updates installed for Windows, go to the Windows Update site.

How to remove it: Damage from this Trojan can be extensive and is not easily repaired. Use antivirus software to remove it, if the antivirus software is still functioning properly. Then confirm that all security software is still properly configured. Many users will be better off reinstalling Windows.
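The two tells the column relies on, a sender claiming to be a vendor that never ships patches by mail and an executable attachment named like a security bulletin, can be turned into a mail-gateway screen. The following is an added example, not the column’s own code or anything from Microsoft; the two sample messages are constructed here, and the sender address, recipient and attachment bytes are placeholders rather than the addresses of the real mailing.

```python
"""Heuristic screen for 'fake vendor patch' e-mails.

Added example (not from the column). Sample messages are constructed
placeholders; the spoofed sender address is invented for the example.
"""
import email
import email.utils
import os
import re
from email import policy
from email.message import EmailMessage

# File extensions Windows runs directly when double-clicked.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}

# Vendors that publish patches through their update channels, never as e-mail attachments.
VENDOR_DOMAINS = {"microsoft.com"}

# Microsoft security bulletin identifiers look like MS05-039.
BULLETIN_RE = re.compile(r"\bMS\d{2}-\d{3}\b", re.IGNORECASE)


def sender_domain(msg: EmailMessage) -> str:
    """Domain of the From: header, lower-cased ('' if absent)."""
    addr = email.utils.parseaddr(msg.get("From", ""))[1]
    return addr.rpartition("@")[2].lower()


def attachment_names(msg: EmailMessage) -> list:
    """File names of all attachment parts."""
    return [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]


def assess_message(raw: bytes) -> dict:
    """Parse a raw RFC 822 message; return a verdict and the findings behind it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    domain = sender_domain(msg)
    executables = [n for n in attachment_names(msg)
                   if os.path.splitext(n)[1].lower() in EXECUTABLE_EXTENSIONS]
    vendor_with_exe = domain in VENDOR_DOMAINS and bool(executables)
    bulletin_named = any(BULLETIN_RE.search(n) for n in executables)

    findings = []
    if vendor_with_exe:
        findings.append(f"claims to be from {domain} but carries executable "
                        f"attachment(s) {executables}; {domain} does not ship patches by e-mail")
    if bulletin_named:
        findings.append("executable attachment named like a security bulletin")
    if executables and not findings:
        findings.append(f"executable attachment(s) {executables} from {domain or 'unknown sender'}")

    if vendor_with_exe or bulletin_named:
        verdict = "quarantine"
    elif executables:
        verdict = "review"
    else:
        verdict = "deliver"
    return {"verdict": verdict, "sender_domain": domain,
            "executable_attachments": executables, "findings": findings}


def build_fake_patch_sample() -> bytes:
    """Constructed look-alike of the mailing; the address is a placeholder, not the real one."""
    msg = EmailMessage()
    msg["From"] = "Microsoft Security <security@microsoft.com>"  # spoofed, constructed
    msg["To"] = "user@example.com"
    msg["Subject"] = "What You Need to Know About the Zotob.A Worm"
    msg.set_content("Use the attached tool to remove Zotob.A through Zotob.E.")
    # Inert placeholder bytes with a PE-style 'MZ' prefix; not a real program.
    msg.add_attachment(b"MZ" + b"\0" * 62, maintype="application",
                       subtype="octet-stream", filename="MS05-039.EXE")
    return msg.as_bytes()


def build_benign_sample() -> bytes:
    """Constructed ordinary message with a document attachment."""
    msg = EmailMessage()
    msg["From"] = "Colleague <colleague@example.com>"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Minutes from Monday"
    msg.set_content("Minutes attached.")
    msg.add_attachment(b"%PDF-1.4\n", maintype="application",
                       subtype="pdf", filename="minutes.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for raw in (build_fake_patch_sample(), build_benign_sample()):
        result = assess_message(raw)
        print(result["verdict"], "-", "; ".join(result["findings"]) or "no findings")
```

The vendor rule is deliberately blunt: because the From: header is trivially spoofed, a message that claims a vendor domain and carries an executable is quarantined on that combination alone, without trying to decide whether the header is genuine. A plain executable from anyone else only goes to review, which keeps the rule from flooding a help desk with legitimate internal tooling.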

I also recommend a new MSN add-in that aims to reduce phishing.

Microsoft released two new add-ins for its MSN Search toolbar, one aimed at fighting identity theft and the other designed to help people find their favorite MSN online games more quickly.

(I suggest you avoid the online games add-in, unless you enjoy wasting time and watching your career go down the tubes.)

The filter will block customers from submitting personal data to sites that are known to be fraudulent. If the site is suspicious but not known to be a fraud, the user will be warned of the risk and offered the option to not continue.

As the program encounters new fraudulent sites, it automatically forwards address information to the online database, which is then available to protect other customers.

Where do you get the MSN add-in? Go to http://addins.msn.com/.

Jerusalem Post Toolbar

Certain websites, such as news sites, offer phishing add-in protection. This gives me an opportunity to talk about the Jerusalem Post’s site. While I rarely touch on political subjects, I guess that most To The Pointers are supporters of Israel. Among those who are, the mainstream press is probably making you steam.

One of these weeks I’ll devote a column to the vast wealth of net resources advocating Israel’s case. Today I’ll just mention a resource that came into existence last Friday, September 09, 2005.

The Jerusalem Post is a center-right daily newspaper, the only English newspaper of any size in Israel. Two years ago it was strongly in the National camp under the guidance of editor Bret Stephens. Mr. Stephens is now on the editorial board of the Wall Street Journal.

Under new ownership, David Horovitz is now the editor. While pretty much in the center, he hasn’t purged the staff of those like Caroline Glick and Sarah Honig, solidly in the National camp. It’s your best bet for keeping up with the news in Israel while avoiding the Palestinian apologists.

Open the Jerusalem Post, http://www.jpost.com. Click to open the first (or any) article you see.


And note the icons right beneath the topic title.


FYI, the left-most icon is ‘print this article.’ Next in line are ‘mail this article’, ‘subscribe’, ‘SMS Alerts’, ‘Jpost Toolbar’, and ‘Jpost ePaper’. SMS and ePaper I may discuss another time.

Click ‘Jpost Toolbar’.


Note Jpost has a toolbar for Firefox as well as for IE.

By coincidence I discussed RSS last week. You’ll have more than enough choices from the Jerusalem Post with this toolbar. Don’t waste your time, as with internet games, chat rooms, and Instant Messengers. (Incidentally, I have no contacts in my MSN Messenger. I use it only for alerts to Microsoft developer newsgroups).

Select only a few feeds that’ll give you the information you want. Don’t be shy to uninstall the toolbar if the news is distracting.

Double-click the installation icon after downloading. You’ll navigate through a typical installation. Afterward, you’ll have the toolbar on your browser.


Now this is a very long page. You might get misled into downloading the wrong thing, like the MSN toolbar that you already have.

Instead, scroll down a bit, and download, save, and install the phishing add-in.


Restoring Your Explorer Windows After a Reboot

Now that we’ve talked about add-ins, here’s an add-on to this column. It’s a small but widespread problem; I find it often in the XP forums. Here’s a creative description of the difficulty.

“Sometime in the early Middle Ages, soon after the fall of the Roman Empire,
I remember that I could preserve my open folders through a reboot. I’d
reboot and they’d reopen. However, it doesn’t seem possible in XP. Or is there a way?”

There is a way. Here was my answer, same as always:

Hi,

Control Panel/Folder Options/View tab, check the line "restore previous
folder windows at logon". Click apply/ok.

Best of Luck,

Dennist685

See you next week.

Dennis Turner