Welcome to GuruNews

 

Brought to you each week by the PC Gurus, a loose collection of volunteers from around the Kentuckiana region.

 

You can interact with the team via chat room or BBS at www.thepcgurus.com.  There are usually members present in the chat room after 8:00 PM every evening and you can post computer questions, comments, rants etc. on the bulletin board 24/7.

 

If you’re new to the Newsletter you can read back issues at team member JP Durbin’s website at http://www.jpdurbin.net.  There are links to all the old 84 Online issues as well as the new GuruNews missives.

 

The WHAS Crusade for Children provides year round support for needy children throughout the Kentuckiana region.  Visit http://www.whascrusade.org to make donations online.

 

To subscribe to this newsletter just drop by www.thepcgurus.com (updated and now featuring RSS goodness) and sign up!

Vol. 5, No. 18                       

5-5-05

 

It’s malware week here at Guru Central with a new fast-spreading variant of the Sober worm and some interesting spyware information.  We’ll start with Sober since it’s the most dangerous topic du jour.

 

Panda’s Oxygen virus newsletter said this about Sober.V yesterday:

 

“Madrid, May 4, 2005 - The Sober.V worm has taken first place in the ranking of the malicious code most frequently detected by ActiveScan, Panda Software's free solution for detecting and eliminating malware.

Within less than 48 hours after it was first detected, this worm has managed to spread worldwide, with a particularly high level of propagation in USA, Netherlands, Mexico, France and Spain.”

 

Trend Micro’s newsletter from Monday, when the virus was first found in the wild, said:

 

“The email it sends out has the following details:

From: (any of the following)
. Admin
. hostmaster
. info
. postmaster
. register
. service
. webmaster

Subject: (any of the following German subjects)
. Glueckwunsch: Ihr WM Ticket
. Ich bin's, was zum lachen ;)
. Ihr Passwort
. Ihre E-Mail wurde verweigert
. Mail-Fehler!
. WM Ticket Verlosung
. WM-Ticket-Auslosung

(or any of the following English subjects)
. Re:
. Your Password
. Registration Confirmation
. Your email was blocked
. mailing error “

 

Note the “From” addresses.  As a group we’ve seen hundreds of these emails from addresses like info@yahoo.com, admin@aol.com and I even got one from postmaster@microdome.net.  The worm spoofs the sender: it picks a local-part that sounds familiar or official, like admin or postmaster, and tacks on a domain name harvested from the infected user’s address book or web cache.  None of those addresses can be trusted, since the From header is simply whatever the worm writes into it, so don’t bother complaining to the apparent sender and don’t treat a “postmaster” address as a reason to open the attachment.
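As an added example (this is not code from the newsletter or from any of the AV vendors quoted), here is a small Python header check that applies the sender and subject lists above to a few constructed messages.  It flags a message only when both the From local-part and the Subject match, because a lone postmaster@ sender is ordinary bounce traffic and a lone “Re:” is just mail.  The sample messages, domains and the whitespace normalization are my assumptions for the demo, not something the vendor write-ups describe.

```python
"""Header heuristic for the Sober.V (aka Sober.S/O/N/P) mailings.

Added example, not code from the newsletter or any AV vendor.  It uses only
the From local-parts and Subject lines quoted from the Trend Micro write-up;
the sample messages below are constructed for the demo.
"""
from email import message_from_string
from email.utils import parseaddr

# "From" local-parts quoted in the Trend Micro description.
SOBER_FROM_LOCALPARTS = {
    "admin", "hostmaster", "info", "postmaster", "register", "service", "webmaster",
}

# Subject lines quoted in the description (German and English variants),
# lower-cased because the comparison below is case-insensitive.
SOBER_SUBJECTS = {
    "glueckwunsch: ihr wm ticket",
    "ich bin's, was zum lachen ;)",
    "ihr passwort",
    "ihre e-mail wurde verweigert",
    "mail-fehler!",
    "wm ticket verlosung",
    "wm-ticket-auslosung",
    "re:",
    "your password",
    "registration confirmation",
    "your email was blocked",
    "mailing error",
}


def sober_indicators(raw_message: str) -> dict:
    """Return which Sober header traits a raw RFC 822 message shows.

    The result carries the normalized From local-part and Subject so a mail
    filter can log them, plus a `suspicious` flag that is set only when BOTH
    the sender and the subject match the quoted lists.
    """
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    local_part = addr.split("@", 1)[0].lower()
    # Collapse runs of whitespace (assumption: worm subjects vary only in spacing).
    subject = " ".join((msg.get("Subject") or "").split()).lower()

    from_hit = local_part in SOBER_FROM_LOCALPARTS
    subject_hit = subject in SOBER_SUBJECTS
    return {
        "from_local_part": local_part,
        "subject": subject,
        "from_hit": from_hit,
        "subject_hit": subject_hit,
        "suspicious": from_hit and subject_hit,
    }


# Constructed sample messages (not real captures).
SAMPLES = {
    "sober_en": (
        "From: admin@aol.com\r\n"
        "To: reader@example.net\r\n"
        "Subject: Your Password\r\n\r\n"
        "see attachment\r\n"
    ),
    "sober_de": (
        "From: \"Postmaster\" <postmaster@example.net>\r\n"
        "To: reader@example.net\r\n"
        "Subject: Ihre  E-Mail wurde verweigert\r\n\r\n"
        "...\r\n"
    ),
    "real_bounce": (
        "From: postmaster@example.net\r\n"
        "To: reader@example.net\r\n"
        "Subject: Delivery Status Notification (Failure)\r\n\r\n"
        "...\r\n"
    ),
    "ordinary_reply": (
        "From: alice@example.org\r\n"
        "To: reader@example.net\r\n"
        "Subject: Re:\r\n\r\n"
        "ok\r\n"
    ),
}


def triage(samples: dict) -> dict:
    """Map each sample name to its `suspicious` verdict."""
    return {name: sober_indicators(raw)["suspicious"] for name, raw in samples.items()}


if __name__ == "__main__":
    for name, verdict in triage(SAMPLES).items():
        print(f"{name:15s} suspicious={verdict}")
```

Running it marks the two Sober-style samples as suspicious and leaves the genuine bounce and the plain “Re:” reply alone.  A header check like this is a triage aid, not a substitute for updated definitions: the worm’s attachment is what actually infects, and the subject list will drift with the next variant.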

 

All of the upper tier AV companies have updated their definitions to include this critter so make certain you have the newest definitions available.

 

If you think you may already be infected Panda has a free removal tool available at http://www.pandasoftware.com/download/utilities/ (thanks for the link Art).  You’ll have to enter some information like name and email address to get the tool, just be sure to uncheck all the newsletters and advertising options you don’t want. 

 

Other vendors are sure to follow with free, virus-specific removal tools, but make sure the tool you get is for the virus you have or suspect you have.  This particular outbreak points out a very real problem in the AV community that they need to address, which is the naming convention for these things.

 

Panda calls this one Sober.V, Trend calls it Sober.S, Norton calls it Sober.O, Sober.N for Sophos and eTrust, Sober.P for McAfee and F-Secure.  The problem is obvious… which is it?  Analysts for the various companies will sometimes classify a virus variant to a different “family” than other vendors so the scheme gets all out of whack and one virus, like this one, will have a half dozen different names depending on who you talk to.  That’s a subject for discussion in a future issue but I wanted to make sure our readers were aware of it.

 

This is running long so I’ll hit the spyware news in a condensed fashion ;)

 

First, the good news.  CNET’s www.download.com site has adopted a new zero-tolerance policy toward bundled spyware/adware (http://tinyurl.com/cj4b2) and from now on will test each and every piece of software they host, ensuring no bundled adware at all.  Next time you get an odd hankering to install WeatherBug you’ll have to look elsewhere.

 

Now for the bad news.  El Reg (http://tinyurl.com/a4ja5) reports that Goldman Sachs pooh-poohs Yahoo’s revenue from spyware companies Claria and Intermix Media as immaterial.  I admit that $20 million in revenue from spyware associations is a tiny fraction of Yahoo’s total bottom line in a year, but it’s still $20 million made by bogging down users’ PCs and secretly recording information about their online activities.

 

If Yahoo is bad, apparently Ask Jeeves is Evil Incorporated (http://tinyurl.com/8k5lq).  It would seem fully two-thirds of their search traffic originates from spyware sources, and they target kids through child-friendly sites and by bundling their toolbar with video games.  I don’t recall Mr. French ever tricking the children like that.

 

And Google’s new Web Accelerator software looks pretty scary to me, but I haven’t had time to dig into it yet.  I would strongly suggest you avoid downloading this until more information about what exactly it does is available.

 

Bottom line, the search engines you thought you could trust may be a little shadier than you thought.  Maybe I should go back to www.ixquick.com.

 

Kevin Mefford, Editor

pcguru@microdome.net

 

 

Tech News of the Week

 

Just when you thought you'd heard everything there was to hear about
phishing, PC World tells us that the next generation of phishing scams
is out there:

http://www.pcworld.com/news/article/0,aid,120679,00.asp

Got Firefox?  You're not alone:  mozilla.org has announced that the
free browser has been downloaded more than 50 million times:

http://www.thewhir.com/find/articlecentral/story.asp?recordid=1285

If you think that only Microsoft products are prone to hackers, guess
again---even the big names in anti-virus software are invited to the
party:

http://www.vnunet.com/news/1162824

Panda Software announced TruPrevent 2.0 on Wednesday with a claim that
no one else can yet make:  100% prevention of viruses based on
behavior, not definitions:

http://www.sci-tech-today.com/news/Panda-Software-Claims-Zero-Day-Virus-Defense/story.xhtml?story_id=01000146YO0G

Copy us on the good stuff ;-)

Matthew Dattilo
thepcgurus@gmail.com
www.opaquelucidity.com

 

 

Download of the Week

 

If you have a gaggle of MP3 files stored on your hard drives with all kinds of oddball names, especially if you ripped them from CD or downloaded them from a pay service or P2P software, you will love this week’s download.

 

The GodFather from http://users.otenet.gr/~jtcliper/tgf/ is a free and sweet little tool that matches the tags embedded in all your MP3 files to online music databases and renames the files to a common name structure that you define.

 

If you’re a music junkie with a messy collection you really need to try this program out.

 

 

Email Question of the Week

 

Q:  I was looking at a friend's computer yesterday that was running slow
and installed AVG antivirus. After updating, AVG found 7 trojan horse
files and deleted them but they keep replicating themselves after a
reboot. (This machine is using Windows ME.) Does System Restore keep
saving the files? I don't know how to proceed now; in the past AVG
would just put the files in the vault and that would solve the
problem. One of the files was in C:\RESTORE.

 

A:  From the looks of it, AVG is reading this from an infected file in
your System Restore (yes, if system restore is turned on it does save
a copy of the infected files).

Disable your System Restore and run AVG again. That should clear it
up. Once it does, go ahead and re-enable your System Restore.

If you don't know how to disable your System Restore, you can go
here:  http://www.brohm.org/SystemRestore.htm

Good Luck!

-Tam Cavadias

ithaki@sc.rr.com

 

 

  Contact info and legal stuff

 

If you have tech support questions or ideas and/or submissions for our newsletter please submit them by visiting www.thepcgurus.com and click on the “Email the Team” icon.

 

Copyright 2005, The PC Gurus. All rights reserved.  Publication, rebroadcast or storage is prohibited without prior consent, however you may freely forward this publication to friends as long as A) it is forwarded in its entirety and B) no fee is charged.

 

Information provided in this publication is provided "as is" without warranty of any kind, either expressed or implied.  Although the information provided is known to work on most systems, it may not work on ALL systems.  Make use of any information supplied at your own risk.

 

The PC Gurus are a group of volunteers who provide support for the PC, Mac and Linux users in the Kentuckiana region.

 

To unsubscribe from this newsletter send an email to microdome@seidata.com with the words “unsubscribe newsletter” (without the quotes) at the top of the body of the message.