Copyright Notice

Creative Commons License
All articles are licensed under a Creative Commons License.
Every post is the opinion of the author. Contact Us for any issues.

Will you upgrade to Vista?

January 30th, 2007 by AndyAtHull

With the much-awaited new operating system from Windows released yesterday, many consumers are asking themselves one of many questions: do I upgrade to Vista?

Not to mention, am I compatible to even upgrade or is it really safer?

Well, to start off the rounds of Vista polls here at Security Cadets, our first poll is as follows:


Will you be upgrading to Vista?



Just click on the drop-down to select your answer and press Vote. The results will be shown in a week or so. And I will be adding another poll for you to vote on.

These polls are really just to get your opinion on what you think about all the hype surrounding the new operating system. Because eventually this is one you will be buying in years to come. Unless of course you use a different operating system.

You can also post comments about this here. Or, if you are a member of our forum, take part in our forum poll about this here. Your word counts.

Update - I have also submitted it on Digg.com to get more coverage and more votes to try and get an accurate result - Digg it here.

Also vote about it at Fail.com - Because it rocks!


Filed under Microsoft | 6 Comments »

Windows Vista and Office 2007 to be released!

January 28th, 2007 by AndyAtHull

Just in case you have been living underneath a rock or something: the next version of Windows will be released to the public along with Office 2007.

January 29, 2007

1:45 p.m. PST / 4:45 p.m. EST

From Times Square in New York City, join Microsoft Chairman Bill Gates for a live web-cast celebrating the worldwide launch of Windows Vista and the 2007 Microsoft Office System. The celebration pays tribute to the millions of Microsoft customers, partners and product testers around the world who provided input and feedback on these products — helping Microsoft transform the way people communicate, create and share content, and access information and entertainment in the new digital age.

So Bill Gates will celebrate the worldwide general availability of Windows Vista and the 2007 Microsoft Office System.

I have mixed feelings on this. In one way, it is about time there was a new platform released. But then, on the flip side, this will be a field day for malware writers. But I guess time will tell. I haven’t got a copy of Vista so I cannot comment on how good or bad it is.

Anyway you can also view the web-casts:

Do you run Vista? Have any comments so far? Let us know here!

Update - Some useful sites to bookmark for Vista and Office 2007:


Filed under Microsoft, Security Related | 2 Comments »

Mess with my friends….

January 26th, 2007 by AndyAtHull

….and I will come down on you like a ton of bricks!

It’s amazing what spammers do, and can do. And how their stupidity shines through. However, this one really takes the biscuit.

Imagine this! One spammer registers … spams a topic which already exists … normal spamming, right? Well, no, simply because this spammer replied to this topic! A topic about a legit tool that helps remove malware.

More to the point, the content it posted. Rather than spamming links to p0rn or vi4gra. It goes on to say:

“Rogue Remover (RogueRemover) by MalwareBytes.org - AVOID THIS VIRUS PROGRAM.

This program is a virus as it deletes PC security programs on a user’s PC under false and made-up claims such as this anti virus program was found to be rogue and should be removed.

The user then gets conned into thinking that the purchased or free anti virus tool they are running is bad or malicious or rogue, and uses the rogue remover to remove their legitimate anti virus program.

This Makes RogueRemover from MalwareBytes.org gain the ability to get rid of most (currently more than 300+ antispyware, anti-adware, anti-virus, anti-trojan, and other security legitimate programs) from the user’s machine making their machine vulnerable to the installations of adware, spyware, key loggers, trojans, worms, viruses and other internet born threats. Rogue Remover from MalwareBytes.org is also made by the creators of known hacker tools and viruses on the web.”

…LOL right?

Well, it also goes on to say that it removes legitimate programs, unlike the rogues it does remove. Plus, for comedy value, it also goes on to explain the whois for malwarebytes.

This spammer has been doing this for some time, as you can see at SiteAdvisor. My advice is to ban the following name on your forum: KayKaspers

RogueRemover is just another legit tool that removes the rogues. And not legit anti-malware programs. If you wish to know what tools we recommend using then visit our Security & Software Updates forum.

Discuss the ways of spammers and more about this article here.


Filed under Rogue Programs, Security Related | 3 Comments »

VCodec2007, the “Wannabe a Zlob-installer”-fake codec

January 23rd, 2007 by jahewi

As I’m ‘playing around’ with Zlob-installing programs, like the fake codecs, and blogging about the most exceptional ones like this, this and this one, I wanted to write about something else …

I really tried to … honestly! And I almost succeeded …

So, here is the story of the “Wannabe a Zlob-installer”-fake codec called VCodec2007.

It even uses one of the webpage layouts of EstDomains.

But EstDomains is not the service-provider. Click Media takes that honour. And it doesn’t try to install a Fake Malware-scanner … or does it.

After downloading and installing VCodec2007.exe, there will be 2 new folders:

  • VideoBox, with just an uninstallation file.
  • WinAntSpyPro, with 3 files: mstss32.ini, mstss.exe and plugin.exe.

The 3 files in the WinAntSpyPro (what’s in a name) are the files that maintain a hijacking of the search-functions of Internet Explorer.

That causes you to go to all kinds of malware-containing sites (and can even send you on a rollercoaster tour to several sites of Fake Malware-programs like WinAntiSpyware, ErrorSafe, DriveCleaner and more of those fakers), every time you use those hijacked search-functions.

There even is a fake malware-warning in the taskbar, like we see them with a real Smitfraud-infection!

For me, looking back at my first article about VCodec2007, remains the question WHY.

Why does anyone, with all his/her marbles accounted for and in the right order, want to mimic a fake codec-site?

Is it someone that wishes to annoy EstDomains? Or is it a prankster, playing a sick joke on us?

Or is EstDomains itself trying to be funny?

I have no idea, yet. But I have the feeling, that this won’t be the last we hear of fake EstDomains-sites.

… and I can assure you that I will follow the events and tell my stories time and time again.

Anyway, you can read my full story here.

If you want to talk with us about these fake fake-codecs, fake codecs or fake malware-scanners (in general), you’re very welcome to do so in our forum.

If you think or know that you have VCodec2007 on your computer, then we will be more than glad to help you get rid of it in our HijackThis-section.

Disclaimer:
“Security Cadets and myself, jahewi (the author of the article), write these blogs to warn people about fake malware-scanners, like VirusBursters, and other fake, malware-installing programs, like the fake Codecs.

Let me be absolutely and perfectly clear about them;

  • Those programs are wicked and must be considered dangerous!
  • We are not responsible for those fake scanners and we are certainly not the owners.

Please, read these blogs with this statement in mind and never ever install or buy VirusBursters or any other program which we are warning you about.”


Filed under Security Related | 3 Comments »

The storm continues…

January 22nd, 2007 by AndyAtHull

…Not the nature kind. Just the one we blogged about the other day. It is slightly modified and has new subject names and attachment names to look out for, as F-Secure report.

New subject lines researched by F-Secure include:

  • Russian missle shot down Chinese satellite
  • Russian missle shot down USA aircraft
  • Russian missle shot down USA satellite
  • Chinese missile shot down USA aircraft
  • Chinese missile shot down USA satellite
  • Sadam Hussein alive!
  • Sadam Hussein safe and sound!
  • Radical Muslim drinking enemies’ blood.
  • U.S. Secretary of State Condoleezza Rice has kicked German Chancellor Angela Merkel
  • U.S. Southwest braces for another winter blast. More then 1000 people are dead.
  • Venezuelan leader: “Let’s the War beginning”.
  • Hugo Chavez dead.
  • President of Russia Putin dead
  • Third World War just have started!
  • The Supreme Court has been attacked by terrorists. Sen. Mark Dayton dead!
  • The commander of a U.S. nuclear submarine lunch the rocket by mistake.
  • First Nuclear Act of Terrorism!

The new attachment names are as follows:

  • Video.exe
  • Full Video.exe
  • Read More.exe
  • Full Text.exe
  • Full Clip.exe

F-Secure say this malware creates a peer-to-peer botnet via port 7871/UDP or 4000/UDP when it is run. And they also detect this as Trojan-Downloader.Win32.Agent.bet.

As always we recommend you do not open any e-mail called like any of the subjects and attachments above. Make sure your spam filter is adjusted correctly.

And as always, you can receive free professional help in our forum if anything does happen, or for a general check-up if you think you opened a suspicious e-mail. Or discuss it here in more detail.


Filed under Security Related | No Comments »

Europe feels the storm and so does the internet!

January 19th, 2007 by AndyAtHull

It takes events in this day and age for spammers to release an infection. Like the world cup trojan.

Whilst most of Europe got battered by storms, in some places, like Poland, up to 124 mph, the Internet has got a new infection … Small.DAM Trojan. And has been hit too by spamming this trojan.

According to F-Secure (keep their web blog bookmarked, it rocks), this latest attack was in full swing in the early hours of Friday European time.

Subjects:

  • 230 dead as storm batters Europe.
  • A killer at 11, he’s free at 21 and…
  • British Muslims Genocide
  • Naked teens attack home director.
  • U.S. Secretary of State Condoleezza…

Attachments:

  • Full Clip.exe
  • Full Story.exe
  • Read More.exe
  • Video.exe

You can read more at TechWorld. And of course we advise that any suspicious attachment or suspicious-looking e-mail be deleted rather than opened, full stop.

If you fail to do so and think you may have been a victim of an infection caused by spam e-mail, visit our forum for free help in the HJT area. You can also discuss this matter here in more detail.
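An added example, not from the original posts or from F-Secure: a mail-filter check in Python that flags messages carrying the attachment names and some of the subject lines listed in this post and in the January 22nd post above. The function names, the generic executable-extension rule and the sample message builder are assumptions constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Attachment names copied from the two posts on this page (lower-cased).
ATTACHMENT_NAMES = {"video.exe", "full video.exe", "read more.exe",
                    "full text.exe", "full clip.exe", "full story.exe"}
# Fragments of subject lines listed in the two posts (spelling as reported).
SUBJECT_MARKERS = ["230 dead as storm batters europe", "shot down usa",
                   "shot down chinese satellite", "sadam hussein",
                   "third world war", "putin dead", "hugo chavez dead"]
# Assumption: also flag any executable attachment, since the names change
# between spam runs while the file type does not.
EXECUTABLE_EXTS = (".exe", ".scr", ".pif", ".com")


def check_message(raw_bytes):
    """Return the list of reasons a raw RFC 822 message should be quarantined."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    reasons = []
    subject = str(msg["Subject"] or "").lower()
    for marker in SUBJECT_MARKERS:
        if marker in subject:
            reasons.append(f"subject matches '{marker}'")
            break
    for part in msg.walk():
        name = part.get_filename()  # decoded Content-Disposition filename
        if not name:
            continue
        name = " ".join(name.split()).lower()  # normalise case and spacing
        if name in ATTACHMENT_NAMES:
            reasons.append(f"known attachment name: {name}")
        elif name.endswith(EXECUTABLE_EXTS):
            reasons.append(f"executable attachment: {name}")
    return reasons


def build_sample(subject, filename=None):
    """Build a constructed test message (harmless payload bytes)."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "user@example.com"
    m["Subject"] = subject
    m.set_content("See attachment.")
    if filename:
        m.add_attachment(b"constructed sample, not a real binary",
                         maintype="application", subtype="octet-stream",
                         filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    sample = build_sample("230 dead as storm batters Europe.", "Full Clip.exe")
    for reason in check_message(sample):
        print(reason)
```

An empty list means nothing matched; any non-empty result is a reason to quarantine the message rather than deliver it.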


Filed under Security Related | 1 Comment »

Forum-spammers and ZLob-trojans

January 15th, 2007 by jahewi

Andy already blogged about forum-spam from EstDomains in this article.

Since I have been dissecting forum-spammers and spam-messages for more than a month now, I found that Estdomains is, over a total of around 60 spambots, responsible for 20 of those. And as I searched through Estdomains’ fake members, I found that a number of them are very harmful.

So, again, it’s time to go head to head with fake Codecs-sites and other Zlob-installing software.

So, Estdomains is responsible for 1/3 of the spambots, at this moment. That isn’t really surprising, because Estdomains has its business in all corners of malware spreading and internet fraud. But what I didn’t expect are forum spammers that have a website in their profile which leads to fake-codec-installing websites like USE-PORN.COM and BIGVIDEOSONLINE.COM, which show XXX pictures.

Clicking those pictures sends you to a page on ONLYFREEXMOVIES.COM, which seems to be a download page for the video clip of choice; however, pictures on that site will give you the following oh-so-familiar message and, sometimes even without clicking any button, the download of the first of many trojans and other malware starts.

Let’s not go into the installation of a fake codec, again. You can refresh your memory here.

But wait! It gets even worse… I ran into another spam-member with a Zlob-installing site in its profile. This time it is freemoviegroup.info.

This link really sends you to the site …

As you can see, this site doesn’t fool around. As soon as you open it, it starts to download Zlob.FWR, and the downloader for the rest of the Zlob-junk to come!

In my opinion this is as bad as they can possibly get! However, the second surprise is the Sponsoring Registrar for the domain freemoviegroup.info, as I was totally convinced it would be Estdomains. But it isn’t! It’s Direct Information Pvt. Ltd. d/b/a PublicDomainRegistry.com

I’m confused … to say the least! And at the same time, I think that forum owners, all over the world, should be even more concerned about forum spammers than they already were!

If you want to discuss Estdomain spammers in general and spammed Zlob sites in particular, then feel free to join us in our forum … in this topic to be precise ;-)


Filed under Rogue Programs, Security Related | 2 Comments »

Beware! Estdomains spam your forum!

January 8th, 2007 by AndyAtHull

…Well they did a day or so ago on ours.

After some clever research … errr … searching a few domains that got posted it came up with our number one buddy, ESTDOMAINS. The ones behind the rogues!

maciejpienkala is the username to look out for! Research that name and you will see many hits for it, most on IPB forums like ours.

The e-mail service used is also Eastern European. For security reasons we will not be posting it. Only in hidden forums so others can ban it on their respective forum if they wish.

I’ve never really known this Russian organisation to spam. However, it is very possible they have in the past, as one of my posts last year keeps getting spammed more than ever!

So keep an eye out for the name above and ban/slash or whatever you do with a spammer. Also stay tuned for a more in depth article later about forum spammers!

…I have been promised it rocks!
