Please note: Every link on this page opens in a new window. If your "Pop-up killer" is too efficient it can also stop new windows. When this happens, please press "Ctrl" and click on the link you want.

Definitions

Virus

.

A computer virus is a file infecting other files. Those I have received have been 150-250 KB, but that includes what else is included in the message. The viruses mostly come to you by e-mail.

Worm

.

A worm is a program. It does not infect any files but makes copies of itself and can overwrite some of your program files, thus making them non-operational. The one I received was itself only about 6 KB while the file in which it was embedded was about 570 KB.

Smart Worm

.

A smart worm is a targeted worm. Usually it seeks itself vulnerable networks within a certain sector, for instance municipal schools, hospitals etc - or some specific professional network like lawyers, doctors, etc.

Rootkit

.

A rootkit is a program designed to hide processes, files, or registry entries. In "modern" worms it's used to hide the worm from the computer user.

What is Virus Vulnerability ?

Virus vulnerability means a weakness, i.e. a "hole" in a certain program through which a virus or worm can enter your computer.

I would divide those vulnerabilities (weaknesses) into two very different groups. There are what can be called critical vulnerabilities. These are "holes" or "bugs" or "faults" in some program that lets current viruses and worms get access to your computer. If you don't have any antivirus software at all then your computer is at a high risk.

Then there are vulnerabilities for potential viruses and worms. These are openings or possibilities for viruses or worms to enter but haven't been explored yet. In other words, there isn't any virus or worm written for these weaknesses yet.

Very many virus "alerts" concerns the second kind of vulnerability. It doesn't, however, mean you can disregard them. If there is a possibility, one day - may be next week - somebody will use it to exploit your computer.

Once you have antivirus software installed and you are careful, may be you wont catch any viruses for a long time. That's no reason to stop being careful. Carefulness is how and why your computer survives in the Internet jungle.

In September 2007 some vulnerabilities were reported even in Wordpress. These can be used to insert scripts and for SQL injection attacks. Users are urged to up-date to new Wordpress versions.

Panda security report December 03, 2007, stated 28% of protected computers and 41% of unprotected computers were infected by one or several viruses or malware.

More info on vulnerabilities with tips on how to increase your computer security in report from SANS (Win, Linux, Mac).

Viruses

There are e-mail viruses and email borne ( carried ) viruses. "File" viruses infect executable files by inserting their code into some part of the original file so that it ( the virus ) can be executed when the file is accessed or then they overwrite the file entirely ( Mac, UNIX, Linux, DOS, Windows ). Overwriting viruses causes irreversible damage to that file and the program file has to be re-installed again.

email viruses.
Usually the virus gets into your computer via somebody's email address book. Once there it starts multiplying itself and sends the copies (clones) to every address in your address book. The normal behaviour for viruses is they attack and destroy other files in your computer, sometimes the virus will read certain files and send copies of them back to whomever sent it to you.

When embedded in an attachment you have to open the attachment first before your computer gets infected. If an attachment is not awaited or expected, be suspicious. Ask the sender first if he/she has sent you an attachment. Do it before you open it. It happens the sender's name and/or address is faked. Just knowing the name or the address of the sender is not enough.

email borne viruses.
These will activate when you open an email without any attachment.

The best way to avoid viruses, in addition to having a virus detection program, is not to open any file or mail coming from an unknown person. Even if the senders name is familiar, it's better to open the file - if you are curious - on a public computer. Public computers are usually better protected than private ones - for them it's a business and therefore they can afford higher priced protection.

Some email messages can come with an invisible picture embedded in the message. When you open the message, the code in the hidden picture will automatically open the attachment and activate the virus or worm. To avoid this you need to change to plain text email. Get advice on how to secure your email.

Postmaster's Messages.
When you send an email and make a typing error in the receiver's address, the message is returned to your email box as undeliverable by "Postmaster". Of course it's good to know when one's messages hasn't been delivered, isn't it?

This works also in a negative way. The Postmaster can also bee "fooled" into sending a virus to you by faking your email address as sender and then sending the virus message to a non-existing address. Never open a "Postmaster's" message on your own computer, it can be an email borne virus.

It's easy to use a "spamming spider" to collect email addresses and then use these addresses to fake a sender address for the worm. Therefore you should always hide your email address from all spider programs.

Mobile Phones
Once when I opened my email on my friends computer I noticed a message from "Postmaster" returning a text message to a local mobile phone number (in the Philippines) - for me an unknown number. May be the text message had been sent from my email box. This was before I emptied all my email address books. Later my friend's wife told me she had got a virus in her email. Whether it was that one that sent the message or not, I don't know. She didn't remember the name of the virus.

As soon as somebody figures out how to make money out of mobile phones it is expected the real worms for mobile phones will start spreading. What still restricts the virus writers is that the mobile phone programs are very secret and nobody has so far managed to get any economic gain out of these.

Download F-Secure or Avira Mobile Antivirus software

Boot sector viruses.
The boot sector is a list of contents on a hard disk telling where each file can be found. These viruses spread mainly through infected floppy disks. Especially when a diskette (floppy) is left in the drive, then when the PC is started again the virus can get over on the hard disk. A boot sector virus can put the entire operation of that computer at risk.

What above is said about floppy disks applies as much to "flash drives" ( removable computer memory ). If you are using such one instead, treat it same as you would a floppy disk - do a virus scan before using it - and don't forget to include program disks too ( especially games ).

Instead of spreading by email, many viruses nowadays enter the computer directly based on the connection IP number.

Most common viruses.
See virus headlines at the bottom of this page. Common virus file extensions: .bat, .exe, .pif, .src, .vbs. See list of extensions to be suspicious about. For detailed info on individual viruses go to the Virus Encyclopaedia or Kaspersky's Virus Encyclopedia. There is also a world-wide list of current active viruses. The most common viruses last month are in the Virus News list at the bottom of this page.

Every now and then there pops up a new fake anti-virus program - they all try to get the victim to pay unnecessarily for new anti-virus software. You have to be extremely careful when deciding whether to download any unknown anti-virus programs. Before you decide to buy an anti virus program you should do a free online virus scan of your computer. You can get another virus scan at Panda Labs. Never try to delete a virus by yourself - always use anti virus software.

List of virus information sources:

Antivirus Computer Associates F-secure (English, Swedish) McAfee Panda Virus Encyclopaedia Secunia Sophos Stiller Research Symantec Virus Bulletin "Panda's Twitter" - NEW ! Free Personal Anti Virus Software: AVG free, Win, Linux. Free personal virus protection, in English or German (Win, Linux). Avast (Win), (20.7 MB) free personal anti virus for home use, removes some spy- and adware. Avast for Linux

After you have installed anti virus software you can check the installation was properly done by downloading The "Eicar" File. You can copy the text string and paste it into Notepad. Save the file as eicar.com and as "All files".

If your antivirus software is working properly you should get an alert as if it would be a virus with suggestion not to allow or to delete straight away. If not, then you have to run a virus scan. If the virus scan doesn't report anything, either you have saved the file in the wrong way or your anti virus isn't working properly. In the latter case get new software immediately.

During the second half of 2008 the virus distributors started using "videos on You Tube". Each "video" requires a piece of code to be downloaded first. What you really download is the virus / Trojan worm instead.

Download free 15 tips on staying virus free from Panda Soft Ware.

Browser Vulnerabilities

All browsers have weaknesses that can be used for attacking a computer and especially the antivirus programs you have. In most cases this concerns the use of JavaScript, either in e-mail systems or on malicious websites. ( both Windows and Linux )

A malicious website / webpage causes the automatic installation of software without the user's knowledge or consent.

At Secunia you can test your computer for some of these vulnerabilities. If your browser is affected you either have to up-date it or try to find a better one. See Don Pedro's Browsers. Nowadays (2007) most browsers are affected so the best you can do is to be very careful when surfing the Internet.

Starting Oct. 2006 Security patches are supplied only for Explorer 6 when on XP SP2, service pack 1 isn't supported any more. Internet Explorer 7 was released on Oct. 18, 2006. It still had some vulnerabilities reported already earlier in Explorer 6. Very end of Oct. 2006 Secunia found a 2 year old vulnerability still in Explorer 7 even with full security patches for SP2.

Recommended additional action: disable active scripting for trusted sites. Go to "Tools" --> "Internet Options" --> "Security". Click on "Trusted Sites" icon, then you remove all trusted sites, if there are any. In addition you can go to "Advanced" and click off the two instances of "Enable install ...", then click "Apply" and "OK".

When you fill in a form online or go to a password protected webpage, the browser offers to either save your personal data ( "Autocomplete" ) or just the password ("Remember me"). This is information you should not keep in your computer. Trojans can and will copy these and forward them to their master. Get tips on how to disable the function: Explorer (IE), Firefox, and Netscape Navigator.

In March 2007 Panda Labs discovered a Virus - "Therat.B" - that can steal passwords stored in auto-complete function of Internet browsers used to complete user names and passwords when filling in forms (Panda Labs newsletter, March 30, 2007).

In June 2008 Secunia reported on virus vulnerabilities in Firefox 2.0.x and 3.0. Recommendation is to up-date to Firefox 3.1.

Special for Windows Users

Windows comes with several programs everybody doesn't need. You cannot delete them but you can disable those you don't need. If you are using Internet Explorer or some other browser you can disable MSN Explorer, which is built in to all Windows systems. When you are at it disable Outlook Express as well. You will then close a few ways viruses and worms can get into your computer.

To disable any of the Windows components (in XP) Go to "Start" --> "Settings" --> "Control Panel" --> "Add or Remove Programs" --> (at the left side) "Add/Remove Windows Components". Click on that and you get a list of those you can disable. Those you don't need you click off.

Instant messaging.
If you are using instant messaging you should treat every message as an email, may be you should be even more suspicious about these messages. On home computers the "Instant Messenger" is completely unnecessary but at the same time it offers inroads for viruses and worms. You can therefore disable the Messenger.

In August 2007 Panda Labs discovered a Trojan password stealing worm creating tool, which is distributed for free on some Internet forums. The tool is very easy to use and that of course means a possible multiplication of the number of password stealing worms attacking your computer. These are spreading by using Instant Messenger. Once this Trojan has invaded your computer it will display a screen, "a control panel" to it's creator, who then can modify and/or give new commands or specifications on what personal data to steal. The tool is called "Shark 2" and was still in use at end of 2008.

Yahoo informed as well in August 2007 also Yahoo Messenger have some vulnerabilities.

In January 2010 Microsoft patched ( out of schedule ) for a "virus" called Aurora. This comes usually in file attachments ( PDF or Flash ) or as links to malicious websites in e-mail or other electronic messages. It affects most versions of IE. The first versions came out of China but later also from other countries.

The purpose is to access data in your PC or to control it, for instance to further spread the virus Aurora by itself. If you don't want or cannot get the patch, there are two things you can do to increase your protection:

1. In Windows XP you go to "Settings" --> "Control Panel" --> Internet Options". Once there you select "Security", then you go to "Custom Level ...". Scroll down the list and everywhere you see ActiveX you either disable it or click off that option. When you are finished click "OK" This should protect you when the virus comes in a Word or Flash document.
   
2. Open Adobe Reader. In the toolbar you go to Edit --> "Preferences" --> JavaScript. Click Off "Enable Akrobat JavaScript", Click "OK".

For more info on this see Security Overview.

Don't click on any link in any message before you are sure your friend really sent it.

Macros.
Macros are pieces of code attached to Word, Excel, and PowerPoint documents and files. For instance to instruct the computer to add all amounts in a column and then print out the total below (Excel spreadsheets). These can be used by a skilled programmer to hide his code and when you open the document or file the "Macro" Virus or Worm can take over your computer. When you get a world document by email and really want to check it out, what to do?

You can save the document or file as Rich Text Format (.rtf) instead of opening it. When you do this and the document have Macros hidden you will get an alert: "Macros will be deleted", click on "Continue", and both Macros and viruses disappears.

Flash runs on "Active-X", which can open a back door for Trojan Worms. Active-X was switched on by default before but not anymore in IE 7. The "Wine Var" worm is one that exploits the "hole" in Active-X, it has been around since 2002.

In April 2008 Secunia reported on new vulnerabilities in Adobe Flash Player - I myself don't use Flash at all, neither on any one of my webpages nor on my own computer either.

Active-X was originally intended for intranet use only ( i.e. a company internal network ) and should never be used on the Internet. Also Yahoo! Messenger relies on Active-X. Still in September 2007 Secunia reported on new vulnerabilities found in ActiveX.

Viruses with JPG-Format Pictures.
In September 2004 Microsoft released patches for a vulnerability in JPG files. It can be exploited from malicious websites or via email. The problem lies with processing malformed ( purposefully corrupted ) .jpg picture files. It allows the attacker to operate the computer system with same rights and access as the currently logged in user. The system's file concerned is called "GDIPPlus.dll".

A new development of the same kind of image handling weakness was discovered in Dec. 2005, utilizing Windows Meta File. Microsoft has released a security patch (excluding Win 98). The first versions of this "model" were in connection with spyware and adware. The Win Meta Files' vulnerabilities were still being exploited in 2007.

Automatic Up-dates.
When you download a new program, never accept "automatic update". If you download something from the Net it's always on your own risk.

After you have downloaded a new program do check for possible viruses or other "malware" before you install the program. Don't download programs that will start automatically, only those for which you have to close down and restart your computer or those you can download ( for instance on your back-up disk ) and scan separately before installation.

Especially Windows XP users should be aware "Automatic up-date" is a default option when installing this Operations System. To turn it off you:
- Right-click on "My Computer" icon on your screen,
- Go --> "Properties" -->  "Automatic up-date",
- TURN it OFF, then Click "Apply" and Click "OK".

In September 2008 Microsoft gave a reminder how dangerous Automatic Updates can be. Windows XP / Service Pack 3 ( SP 3 ) was released and many people got problems with their computer after SP 3 was installed automatically ( even if installed manually ). The new service pack was released with several bugs and Microsoft has published Steps to take before you install Windows XP Service Pack 3, which includes recommendations to make a system restore point and to back up all files before installing the service pack.

Do not keep automatic updates switched on. If your computer is running nearly OK now then you know what you already got. If you let Microsoft install SP 3 you don't know in advance what you get. The support for SP 2 will continue until end of 2010 and may be by then there's some new option available.

Felgall has reported a fault in Windows XP (SP2). The firewall included in the package stores information on which programs are allowed to access Internet in the registry. It means Trojan worms can write their own permission into the registry and then have free access out from your computer without you being aware of it. Independent firewalls store their information in a special folder, which is encrypted.

Haxdoor.NJ is such a backdoor Trojan collecting passwords. Among other things it registers itself in Windows firewall settings as an authorized application (program). (source: Panda Software, newsletter, Oct. 13, 2006)
See about firewalls below.

Normally Microsoft releases "safety patches" once per month, i.e. every second Tuesday each month. Other antivirus and spyware vendors give updates at least every week.

On Tuesday Aug. 8, 2006, Microsoft released a security patch MS06-040. Within one week a new worm exploiting this vulnerability was found by Panda Software. If you haven't got that patch yet, do download it, and avoid "Automatic Updates".

The worm is called OskarBot.KD. It searches for computers still having this vulnerability unfixed. When finding one it causes a buffer overflow on the system and executes it's code. The worm then downloads itself (a copy) in a file called wgareg.exe. The worm can also use AOL instant messaging system as well as spread via shared drives.

OskarBot allows a remote controller to run all types of software on the "hijacked" computer or launch attacks on other computers with the same vulnerability (see "Zombie PC"). Further it disables Windows firewall (Source: Panda Software, Newsletter Aug. 2006).
The security patch MS06-042 in fact introduced a new vulnerability.

In 2007 Microsoft was still patching their office programs from 2000 and 2002. The vulnerabilities have been found in Word, Excel, and Power Point [.doc, .xls, and .pps]. Even if you get such an document from a trusted friend, do save the document without opening it on your hard disk. Then you scan it both for viruses and spyware before opening.

Subscribe to "Window's Secrets" and get tips on how to keep your programs up-to-date.

Both Windows and Linux users.
On June 10, 2008, Secunia reported a vulnerability in Open Office, versions 2.0-2.4. Solution is to up-date the program to 2.4.1. Go to Open Office "Writer", --> Tools --> Update --> Update All.

Special for Linux users

Computer viruses do indeed attack also Unix or Linux users. Even if the majority of viruses targets Windows also Unix / Linux users need protection. As the number of Linux users increases the possibilities to exploit also those computers turns economically viable.

Especially if you have the "wine-program" to run some special windows based programs with your Linux system, the computer is vulnerable to both Windows and Linux viruses.

Linux Slapper worm, explicitly exploits weblog and website traffic software programs ("Visitor statistics"). The worm opens a backdoor on the server. Search for file "/tmp/lupii". If found, delete the file.

There are some vulnerabilities in Mozilla products, which can be exploited only on Unix or Linux based computers.

The Opera browser, versions 7.x and 8.x have some vulnerabilities, which can be exploited only in Unix or Linux based computers. Recommendation is to up-date to version 8.51.

Computer Worms

The definitions above are not universally adopted. Generally worms are included in lists and descriptions of viruses. To make a difference regular viruses are often called "file virus" compared with worms, which are programs. Of course, programs are also "files" in a strict sense.

Except for English there are also German and Spanish language messages containing worms, and the "Zafi" worm comes in several other languages. Regardless of what language you use they will still attack your system (even if you are using or ).

Trojan worms.
Sometimes also called just "Trojans", the name coming from the "Trojan horse" in Greek mythology. Usually these create a "back door" entrance either for new up-loads / up-dates or for hackers to enter a certain network. The latter are also called "Rats" ( Remote Access Trojan ). Some capture passwords and user ID's found in the computer and sends them back to their "master".

There are some worms that stay inactive in your computer until you access the website of a bank listed in their program. The worm then copies down your user ID and password as you type them and sends them back to its "Master". The only way to avoid this is to use a bank whose name isn't included in the URL and that uses "one-time-pads" for the passwords. This is a list of random passwords delivered to you by "snail mail". Each password is used only once and in the sequence given.

Trojan "Agent AD" copies your keystrokes ( user ID and passwords ) and takes screen shots. These are then forwarded by e-mail to the Trojan's "Master".

Some South American banks are using a "keyboard" on the screen. You then "type" your ID and password by clicking on the letters and/or numbers on that "screen keyboard". Then some Trojans take a "screen shot video", which they send to whoever made the worm. And the Trojan's owner proceeds and empties the bank account.

Some European banks have developed a small electronic wireless device, about same size as a wireless "car key". Once you are on the bank's login page you punch in your access code, point the device to the screen and push a button. The small screen on your device will show a control number when everything is OK. As you don't use the keyboard to put in your access code, and no code is shown on the screen, there is nothing for the worm to copy and send anywhere.

Most Trojans are developed with one objective only in mind: to steal confidential information.

Downloader Trojan is a self-updating code (program) that will download new files and change itself ("mutate") so it's more difficult to find. Since end of 2006 the number of worms spreading by e-mail has declined, they tend now to come into your computer either directly or from a malicious website you are trigged to visit.

More and more often, instead of the virus-worm appearing as an attachment to an email, it comes as a link to a malicious website. The message can look like spam email. When you click on the link to delete your address from the mailing list, you will download a virus-worm instead.

Conflicker - the worst one so far ?

The original Conflicker, also known as Downaup or Kudo has come up with a new version: Conflicker.B ( Conficker ), which is really bad. It can come as an Trojan, through downloading an infected program / file / video etc, through Windows Admistrator's account, through a removable disk / flash drive / CD or any external drive. When you plug in, for instance your "USB stick" the virus / worm automatically opens itself - by running "autorun" - and your computer is infected.

Microsoft released a patch already on October 2008 - the one outside ordinary "Tuesday patches" [ MS 08-067, KB 958644 ]. If by some reason it's not possible for you to download the Microsoft patch directly to your computer you can download the patch onto your flash drive / removable memory and then transfer it over to a suitable folder in your computer and install it. Go to Microsoft Download centre and get up date KB958644.

Of course you must also get rid of the Conflicker. This you can do with Microsoft's Malicious Software Removal Tool. If any problems with downloading it, proceed as suggested above for the safety patch. After that - or even before - you need to stop autorun from any external plug ins.

"In the beginning" the Conflicker was called a "0-Day vulnerability", according to Secunia Blog the Adobe Reader is also vulnerable to this.

Middle of March 2009 Secunia reported still a new variant of the Conflicker - called Conflicker.D. This version up-dates itself every day by downloading a slightly different code from webpages that continuously change their URL so you can't block it.

And then came April Fool's Day with warnings about extra additional attacks of all kinds of viruses, including Conflicker.C ( "Conficker" !). There came a fast spreading rumour of a Conflicker hoax worm "something". But nothing really happened - nothing extra ordinary, that is. May be the rumour was the hoax.

As of April 12, 2009, there's been no confirmation from any anti-virus software vendor on any new Conflicker or any hoax connected with it. I have had a look around "a little bit", and here is some info I found like from the top:

- Elite Hackers - Free Computer Advice - Gorilla Geeks

- Conflicker Scanner, McAfee - Conflicker Removal Tool, Symantec - Online scanner ( B & C ), Univ. of Bonn

In August 2009 Panda Security reported a new USB flashdrive using worm: Harakit.D. To stop this and others of the kind you can stop the autorun as advised above in connection with the Conflicker worm or you can download Panda USB Vaccine, a tool that vaccinates USB devices to prevent these threats.

Worms, Spyware, and other Malware

Malware is a constriction of the words Malicious Software. With today's "definitions" it can be a virus, worm, spy ware, or anything intended to cause harm either to your computer or yourself. Personally I would include only those files and programs that cause nuisance or problems to me and not those causing damage to my computer.

Spyware are programs, which install themselves on computers without user's permission. The foremost reason for spyware is financial gain. The most common ways for malware to spread nowadays (2008/2009) is via downloads especially of games and music or by visiting malicious websites. See McAfee Report June 2007.

Since year 2006 most spyware ( malware ) have had one purpose only: to copy and forward credit card numbers, online banking user IDs and passwords, or other confidential information. These are then forwarded to somebody who will use them for his personal economic gain. When people keep these numbers and data details on their internet connected computers it's very easy to steal the information.

Antivirus software is not designed to deal with regular "Spy ware". Some new versions ( from 2006 and later ) of anti virus software do detect also spyware. You can get tips on how to remove spy ware.

Of course, some of these can cause harm to a sensitive person, like "mental stress" ("nervous breakdown") as well as economic "pain". Especially after you have closed and restarted your computer and the same pop-up, which you can't close, is there again. May be you start feeling like throwing the computer out of the window. And may be that's what's intended. A direct economic loss = new computer and new window!

Advice:

1. To close that non-closable pop-up press "Alt" + "F4".
   
2. Get a pop-up stopper killer.
   
3. With a booby-trapped website you can't get away from, close and restart your computer. Open internet from "Start" --> "Programs" --> "Browser", click on " "Stay Offline". Then you go to "Tools" --> "Internet Options" --> and click on "Clear History". This clears the cache, where that annoying site was stored. Never go back to that site again.

Google is co-operating with Badware Organization and should give a warning when somebody by mistake wants to go to a "bad" or malicious website. Get advise from the organization on how to check and secure both your server and your website.

Malware and spyware writers are developing new techniques, for instance the worm Zcodec installs a rootkit on the computer so the users cannot see what's going on. It can change the settings in the browser so that when you click on a link in a search engine's result page you will be taken to a different page. The creator profits via pay-per-click payments or alternatively you are taken to a page designed to steal confidential data.

The same worm can in addition download other malicious programs to perform more theft. This way of combining several different techniques in the same worm is getting more common.

TelnetOn.A worm creates an Administrator account, stops antivirus and firewall software as well as other malware programs [Panda Software Newsletter, Nov. 17, 2006]. The competition between different password and ID numbers stealing spyware is getting fierce, new ones appear daily.

Conycspa.AJ, a Trojan, downloads 9 (nine) malicious codes including a file sending out spam about medicine from your computer. This Trojan will also redirect your browser to websites about medicine (for instance, Viagra).

In July 2007 Panda Labs (Report July 20, 2007) discovered a new kind of worm, ransomware. It was a Trojan, Sinowal.FY, which encrypts user's files so they cannot be opened and then demands a USD 300 ransom to send a tool to decrypt the files!

During 2008 the same Sinowal family of Trojan worms were changing names to Torpig and later to Mebroot. The code itself being changed regularly with 60-80 new variants per month. The Trojan stays stand-by until the victim visits one of 2.700 banks or e-commerce sites. Then suddenly Sinowal can ask for personal information like Social Security number or bank account password, etc. All stolen data is then forwarded to the Trojan's maker.

In 2008 well over 100.000 bank account access details were stolen. Most antivirus software have great difficulties finding this worm. The best protection is not to keep any personal details in the computer and not to use a bank with fixed login password.

The same report described a virus / worm / Trojan, Pahooka.A, which shows itself to the computer user by putting a multi coloured star on a blue background on the desktop. This one is a really bad one. First it copies itself to all drives. It eliminates the content of folders in certain anti-virus programs plus changes the registry to hide Search and Run options in the Start menu.

After that Pahooka.A. hides Folder options, Control Panel options, Network connections, Printers and Faxes options. It also prevents the users from using System Restore settings and disables the registry editor and the Task Manager. After all this it periodically connects to certain webpages to download more malware. In fact it controls the computer more than the legitimate user can do.

Before it could take a week or two of surfing on the net before I got some spy ware into my computer. After August 2005, however, the spy ware and malware distributors have got more aggressive, in 2006 half hour was enough to get at least five of them. I'm using DSL-Broadband connection. During September 2006 only, over 4.000 new malware were discovered.

Because of the strong increase of new spy- and malware many removal software has turned commercial. This means you can scan your computer for free, but when you want to remove what was found you have to pay first. According to Secunia in March 2008 there are found about 200 new viruses / worms every week.

In March 2008 I got myself a very bad virus / worm, it showed up under different names in my scanning:

• W32 / Autorun.lk.worm and also as,
  
• XMSS.exe ,
  
• Funny UST Scandal.a..

My computer hard disk is partitioned into "C" and "D", with only programs on C and only data files and installers on D disk. I got it first on the D disk from where it migrated to the C disk by itself. It was enough I opened my computer and tried to up-date my antivirus software and suddenly this worm was all over. In the end it stopped my computer from running, couldn't access control panel or settings. Neither was it possible to access Internet either. I ended up with re-installing XP and re-formatting my D-disk.

List of Free Spyware removing Software

Spyware Begone, 3.8 MB

Spybot, Free spyware and malware detection and protection software, 15.6 MB.

Panda Antivirus 2008 Beta, free for home use, removes also malware [ Win, Mac, Linux ]

About 90% of all email messages sent are either error messages or containing malware-spyware. Less than 10% of all email is normal and legitimate. Most of the spam or junk came before from USA but starting 2006 from P.R. China, South Korea, and Spain, which are fast catching up. Most of the malware and spyware is targeting messaging services and network portals (Kaspersky, July 2006 newsletter).

A searchable and indexed archive of scams received by email. You can check every email you are suspicious about against the archive. You can also include the scam search in the Google toolbar - if you have the toolbar.

What is a Zombie PC ?
During the last week in July 2005 I helped my friend to install protection into his computer. He had a modem dial-up connection so his computer was not so vulnerable to attacks as if he were using broadband. He had no protection at all before.

First we installed Spybot, closed down and restarted. Spybot immediately reported "Your computer is being hijacked". That worm was destroyed and while next downloading a firewall Spybot reported again "Hijacking attempt discovered and destroyed". Once he got some more protection installed no more hijackings have been reported.

When somebody "hijacks" your computer it means somebody plants a worm that can for instance start sending out copies of the same worm to other unprotected computers from your computer without you knowing about it. Of course your connection is legitimate so the hijacking Trojan worm could be traceable to your computer. It's same as if the computer would be "living dead" because somebody else have control over it. That's why it's called a zombie PC.

What if website gets hijacked ?
This is getting more and more common all the time. The best you can do is to prevent it from the beginning by being extremely careful when choosing your website hosting company. You can get some tips on that on my page How to Change Domain Without Loss.

The most common hijackers are those selling Viagra or something similar. If someone can insert hidden redirecting content and hidden links into your server code, they theoretically ( and practically ) have full control over that website. You ( or the server tech support team ) have to stop the hackers before they get in to the server. Once your website has been hijacked once, it can happen again and again until you close down your website forever.

Usually the bad links and/or content is inserted into or through ".htaccess". If you have a webhost with an active and friendly tech support team, then it's very much possible those nice guys are keeping the server secure also. Or you can be compelled to change webhost and experience all those extra and new problems, which arise from such a move.

To check if it has happened to your website you can download a Firefox extension and switch user agents. That way you can see exactly what "Googlebot" ( Google's spider / robot ) or any of the other search engine spiders will see when they download your webpages. There is a list of user agents you can use in combination with the Firefox extension. Once you find something bad, copy it and send it complete to your server's tech support team and require them to fix the security. Or change webhost.

FTP Sniffing Malware

Many major websites have been infected and spreading this further through Internet Explorer. The malware goes by different names: Gumblar, JSRedir-R, Maruz, and Beladin.

Very many webmasters use FTP to upload and make changes to their webpages. Most FTP programs save user ID and password for faster access to the server. Once this information has been sniffed out and stolen the malware can edit itself into a website's pages.

The hacker code then tries to get the user to open infected PDF and Flash documents / files. These will then install further malware on the computer and re-write Google's search engine results pages in IE so links point to sites full of infected files. Firefox and other browsers are safe from the re-writing. There are some steps you can take to protect your computer. The best way I know and what I practice myself, is to re-install my FTP program every time and then to un-install it after use.

Fake Anti Virus Software

There has appeared fake anti-virus programs regularly for several years. Names like XP-Shield, Antivirus XP 2008, XP Antivirus 2009, SaveSoldier, etc. come to one's mind.

In November 2008 a new fake antivirus started spreading via social networks such as Facebook and MySpace - the AntivirusPro 2009 adware ( worm ). The worm presents itself as a trial anti spyware program. Once you perform a scan it makes you believe your computer is infected, but to remove what it reports, you have to pay for the full version first. This is not the only one of it's kind circulating the net.

In March 2009 one more fake antivirus software - Malewaredefender 2009 - reported to scan for free and always finding several non-existing malware infections. The victim is invited to buy the pay version to remove these non-existing ones. ( Panda Security.com March 13, 2009 ).

Beginning of August 2009 there came the "Registry Optimizer". End of August 2009 Panda Labs reported on new fake anti-virus software circulating. This one is same as all the others before. The new one is called Total Security 2009.

New ones continue popping up: September Personal Guard 2009, Alpha Antivirus; October: SafeFighte, SafetyCenter, General Antivirus, WinEnterpriseDefender. Somebody must be making money on these as they continue with new ones all the time.

The fake anti-virus software programs all try to trick the user into believing their computer is infected by one or several bad viruses by faking / simulating a virus scan. To "delete" this non-existing virus the Internet user must pay a fee to the program vendor. He/she then gets an "activation key" to insert in the program. Once this is done all found "viruses" are reported as deleted / destroyed. Additionally when paying for the new "Antivirus" the robbers get your credit card details as well.

These programs can reach an user's computer through links in spam messages, download from a malicious website, etc. Never visit a shopping site by clicking a link in a spam message. Even if the message claims to be pitching a reputable product, such as one from Symantec or ZoneAlarm, the link may actually take you to a counterfeit site. There is a comprehensive report on these fake anti-virus programs: The Business of Rogueware English,   El Negocio de los falsos antivirus Español   .

Sources for Safe Antivirus Downloads:

CNET's Free Download PCWorld.com downloads

ZDNet Downloads Tucows.com's security section

Get long list of Fake / rogue / suspect Anti-Spyware products and websites. If you don't find a certain anti-virus software listed, it doesn't by itself mean that software is trustworthy. Many of these continue to live on through shameless re-branding.

Malware Example

To avoid by mistake getting in on a "bad" site you can download Netcraft's toolbar for free (2.9 MB). It will block your browser from accessing web sites characterized as malicious so you won't get there by mistake. The toolbar also shows in what country a server is located and who owns the server. It needs IE on Windows 2000/XP or Firefox 1.0+.

On the other hand, imagine you add a link from your webpage to an innocent looking webpage with relevant and reasonably good content. Netcraft's toolbar doesn't report any risk because there isn't anything bad on that website.

On the webpage where your link points there could be a short simple HTML string, which gets your visitor's browser to download another piece of code from a third unrelated webpage. Now, may be, that string refers further to a JavaScript, which in its turn downloads a Trojan Downloader on your visitor's computer.

There is an example of something similar explained in connection with "Spy Bye", which is a program, that tries to detect such bad linking chains. To use the "Spy Bye" tool you need your own server. Even if you don't have that, it's worthwhile to read the explanation. Because:

"Today's malware (and spyware) can and will render your computer useless and at the same time empty your bank account."

In the beginning of 2007 most common worms (like Spamta.VK) attacked by sending e-mail containing a Trojan (Spamtaload.DT) downloader that downloads the Spamta.VK worm. And the process starts again in a new computer. (Panda software, April 6, 2007). Most worms work in steps and arrive in different ways. As they are split up and contain many different functions they are more difficult to spot.

In April/May 2007 Google researchers studied about 4.5 million websites picked out from search engine results pages ( SERPs ). They found about 10% of those websites capable of installing malicious code on visitors' computers and a further about 15% had some suspicious code. In many instances the webmasters are not themselves aware of these pieces of code as they can be included in banners, counters, or other scripts from other websites.

The original "Google report" states that in the past a popular way to gain control over a user's computer / system was to find vulnerable network services and remotely exploit them, for instance via worms. After 2006/2007 this strategy became less successful ( and less profitable ), mainly because of firewalls and other protection made it difficult to exploit services on users' computers.

Later attackers, after 2007, try to attract users to connect to malicious servers by using, for instance, JavaScript ( ActiveX ), Visual Basic, or Flash. The report indicates the majority of malware is no longer spread via remote exploitation but rather through web-based infection, i.e. by the user visiting malicious websites / webpages.

Test your Website for Malware

In May 2008, Google announced, the launch of "Safe Browsing Diagnostic", an online tool that is meant to provide information about Google's automatic detections and investigations of suspicious websites. This service is now fully functional and free. It is showing near accurate data according to Google.

All you have to do is, you type in your browsers address ( location ) or search bar:

"google.com/safebrowsing/diagnostic?site=example.com" (without quotation marks)
For the site you check you use neither "www" nor end slash (/). You'll be presented with detailed results about the malware detection on that particular website. You can alternately use google toolbar for direct access. Of course, it's not restricted only to your own website. You can test any website, for instance before giving a link to a website. Especially if you are feeling little bit suspicious about that site.

Below is the report for this website when still at the old location (on May 29):

What is the current listing status for donpedrowebdesign.netfirms.com/?
This site is not listed as suspicious.

What happened when Google visited this site?
Google has not visited this site within the past 90 days.

Has this site acted as an intermediary resulting in further distribution of malware?
Over the past 90 days, donpedrowebdesign.netfirms.com/ did not appear to function as an intermediary for the infection of any sites.

Has this site hosted malware?
No, this site has not hosted malicious software over the past 90 days.

You can compare the result with a more simplified version.

Very often when you download and install something you want, you get some "extras" - usually something you wouldn't install by yourself. There is a list of websites adding or including such unwanted add-on software.

Report Spam and Phishing

"Phishing" is a scam (fraud) in which the "attacker" sends an email simulating to be from a legal and valid business enterprise. Password stealing worms, ID theft, or money "phishing" (fraud), could be included in both malware and hoaxes. See articles on "spam". Many of these appear at first glance to be quite legitimate.

You can report any "phishing", spam, identity theft (fraud) to anyone of the following sources:

• Phishing: Forward complete email message to: reportphishing@antiphishing.com
  
• In USA you forward the email to FTC: spam@uce.gov
  
• Or you can file a complaint to Internet Crime Complaint Center, especially if you have lost something - even a small amount only. Don't be shy or ashamed, you are definitely not the only one.

In 2006 the total global fraud activity doubled regardless how one counts. Whether number of malicious websites, number of spam e-mail, or amount money lost.

Using Public Computers

I estimate more than 50% of people using public computers (Internet Cafés, Public Libraries, etc.) use them for checking their email or playing games. As up to 15-20 different people can be using the same computer every day, the possibility of finding a virus on a public computer is much greater than finding it on your own. Even if those places can afford better virus protection it is statistically impossible to get 100% protection with such massive uncontrollable use.

More and more people are playing on-line games on public computers. According to reports, games and other "technical toys" are most dangerous and containing worms.

This means that when you open your email on a public computer the risk for you to get a virus into your email box is really great. The very first thing you should do before opening your email on a public computer is to empty your address book completely. You can keep your friends' last message in your in-box and then just click on "Reply" when you want to send him/her a message. Even after you have done this you should use an email system with built-in virus protection.

Because of the great risk for viruses on public computers I would suggest you use these only to open your email. Then you send your messages and answers from your own virus free computer. If you transfer files or email with a floppy disk (diskette) or a "flash drive" scan it for viruses first before you open it on your own computer.

Firewalls

A firewall is a program that checks everything coming into and going out of your computer with the intent of stopping attempts to damage your computer files and programs. Together with a virus protection program it should make your computer almost safe to connect to the Net.

Once you have your firewall installed and running you can test the efficiency on-line for free.

Be very careful if you download free software or "shareware". Many of those sites are ripe with viruses, use only free sites recommended by an trusted authority. According to a report from May 2006, the most unsafe sites are "Digital Music" and "Tech Toys" (games).

Multi-user Systems

When you use a computer with a multi-user account system (i.e. several users with limited accounts) there are some additional risks to be aware of. When (not if!) you get a worm while surfing the Net and you are using the computer as Administrator it is very much possible this worm goes in on an other persons account, folder, or files with administrator's rights.

Then when the other user opens his/her account before you have scanned the computer for viruses, that worm can activate. It will now be active with administrator's rights and, in other words, can very well start deleting or overwriting some files.

Only way to reduce this possibility is to avoid using the Internet as an administrator. Better open a new limited account for yourself in an other name and with a different password. Then when you get a worm yourself it will be limited to your own files only, hopefully there are no important files in that "surfing account".

Changing Virus Threats

Before and still during 2004 it was common many viruses targeted the computer system. It could be, for instance, a "frustrated teenager" spreading his virus just because he could do it". Sometimes it was may be simple jealousy of Bill Gates and Microsoft. Now those early virus writers (1990s) have grown older (not grown up?) and are professionals writing viruses and worms for economic gain.

The target is not so often the computer system any more but is turning to your wallet. Especially if you keep your banking passwords and ID document numbers on your computer you are at a great risk. Only protection is to be vigilant. Stop being "lazy" - instead sacrifice some convenience in exchange for better security.

The trend in 2005-2006 was more and more towards viruses / worms attacking anti-virus and firewall products instead of computer operating systems. This risk increases when the computer user installs several different "protective" programs. You cannot know whether your combination has been tested for vulnerabilities or not. The chances are it has not.

According to Kaspersky newsletter May 2006, a total of 565 people were arrested around the world since March 01, 2005, in "Operation Global Con" targeted at individuals carrying out mass marketing fraud on the Internet. US Department of Justice co-operated with authorities in Central America, Europe, Africa, and Australasia.

Total number of known victims was close to 3 million people with average monetary losses of about 300 USD per person.

In Oct./Nov. 2006 four spyware distributors in USA were sentenced to fines and ordered to cease their operations (Kaspersky, Newsletter Nov. 23, 2006).