If you see this in your email inbox just say NO! (And delete the email).

Starting around March 29, 2007 this email was spammed to the Internet, inviting the recipient to download Internet Explorer beta (testing) version 2. In fact the link connects to a file named ie7.0.exe which if executed installs a trojan program on your computer.

We received a copy of this email last evening (03/29/07), captured the trojan file using a Linux machine and sent a copy to Sunbelt Software’s research team.

Their blog entry regarding this trojan.

Malware Scan from VirusTotal.com

Following up to see what this little package of delight contained I uploaded the archive containing the file IE7.0.exe to the malware testing utility at virustotal.com with the following results. To understand the results this list shows if a given anti-virus product identified the malware and if so as what. For example the antivirus product “BitDefender v. 7.2″ (line 6 of the results) identified the malware as “Win32.Grum.A”

As of the end of December 2006 we’re seeing a new wave of emails attempting to spread the Luder trojan via file postcard.exe. When executed, postcard.exe installs software that is in combination:

1. an e-mail worm
2. a dropper for a trojan downloader
3. a file infector

This malware (malicious software) is known variously by the following names:

• Luder
• Email-Worm.Win32.Luder.a
• Trojan-Downloader.Win32.Tibs.jy

In addition as of Jan. 3, 2007 our clients and research systems have received emails pretending to be from a legitimate online electronic greeting card service, All-Yours.net. Note that All-Yours.net has nothing to do with this and are being exploited by those attempting to spread this trojan. (See an example of this email at the bottom of this post)

Attempts to spread the same trojan using a Happy New Year greetings have recently been on the Internet.

As always the best prevention against these attacks are:

1. Have a high quality anti-virus program installed that has an active subscription to receive signature updates.
2. Have a high quality anti-spyware program installed that has an active subscription to receive signature updates.
3. DO NOT open emails or follow links received from unknown sources.
4. Do not download and execute any files from unknown sources.

Additional Information on Luder Trojan

1. Spyware database information for Trojan.Win32.Luder.A (Nuwar)
2. This Trojan can be removed with Spyware Doctor.

Example of the email that will install the Luder trojan.

If you receive an email like this just delete it. DO NOT click on any of the links.

1. Firewall
2. Anti Virus software

While each of these is essential and may offer some protection against the effects of spyware neither a firewall nor most anti-virus software provide direct protection against the dangers of spyware nor do they remove it once your machine is infected.

After over five years of working to protect computers from spyware and other malicious software we believe that PC Tools Spyware Doctor is simply the best all-round defense and recommend you give it try. A link for a free trial download is available below.

Here’s the challenge!

1. If you’re running another product here’s a chance to run a free test and see how your current product stacks up against our choice for the top protection in the industry.
2. If you don’t have an anti spyware program installed I really suggest you skip down to step 2 and install the free Spyware Doctor trial.

Either way we’ll bet you’re in for a surprise. Here’s how to run your own test:

Part 1 : Run your current anti spyware program.

Update your current anti spyware software to get the latest files. In SpyBot Search & Destroy for example just connect to the Internet, open the SpyBot program and click on the “Search For Updates” button. If any are found they will be listed in the window. To install the updates make sure all the check boxes are checked and then choose “Download Updates” from the top menu.

Run a full scan of your computer to see if any spyware is present. Again using SpyBot as an example click on the “Check for Problems” button.

Delete the spyware that was found. Your computer should now be “clean” of spyware.

Part 2 : The Test or “Is Your Current Anti Spyware Program Really Working?”

Download and install from the links provided below. Don’t worry about having more than one anti spyware software installed. Unlike anti virus programs having multiple anti spyware programs installed is fine. I’ve been doing that for years. Note that for your safety these links download directly from the vendor sites.

• Download free trial of PC Tools Spyware Doctor

The downloads take about 15-30 seconds on a broadband connection (DSL or Cable) and the install is a snap. Double-click the downloaded file and click through the several screens and you’re done.

Run a full scan: For Spyware Doctor simply start the program and click the “Start Scan” button on the left side menu, then choose the “Full System Scan” option under “Select Scan Type” and click the “Start Scan” button at the bottom left (directly below the “Select Scan Type.”

Part 3 : Test Over!

If you’re existing anti spyware software is doing a good job this test should find little or no spyware, particularly spyware considered of a more malicious nature. I’ve conducted this test on numerous machines. It’s rare that Spyware Doctor don’t find a rather large amount of spyware that the other programs are missing. Give it try. In less then a few minutes you can find out how well you’re protected.

Uninstall: If you decide you’re satisfied with your existing solution and want to uninstall Spyware Doctor simply go to the control panel (Start -> Control Panel OR Start->Settings->Control Panel depending upon your version of Windows and your settings) and use the “Add or Remove Programs” option.

We would note here that most of the more involved instructions involve editing the Windows registry and removing files. It’s important to understand that these are for more advanced computer users and shouldn’t be attempted unless one is very familiar with backing up and editing the Windows registry.

Those not experienced with this are best advised to first try one of the top rated anti-spyware programs. This will let you update the anti-spyware definitions directly from the company’s server and see first hand what spyware it detects on your computer.

The same search engine offers Advanced Local Search features.

Give it a try! The search page opens in a new window so you won’t lose your place here. Click here to try advanced local search.

The centerpiece of this site is a searchable database of over 8600 known spyware and related malware (malicious software) items. Included in this are descriptions of the spyware program and tips on removal.

The site is being upgraded and edited continuously to add new features and additional content.

We hope you find the site to be a useful tool and we welcome your participation, thoughts and comments on !

Mike Shafer

User’s that heeded the anti spyware software’s advice to remove the item are unhappily surprised to find that their Norton anti virus software has been sufficiently crippled as to be disabled. The repair is a bit tedious as it requires editing the registry which always carries a bit of risk.

We’ll cover this further, if warranted, when more details emerge.

In the interim we bring this to the attention of any folks running the Microsoft Anti-Spyware as a reminder that beta software shouldn’t be in use on production systems.

More on spyware and anti-spyware software here.

Given that I had a full day of work in the office today I decided to conduct
a bit of testing to access the current state of the Internet Arms Race. Arms
Race, you say? That fizzled out in the early 90’s with the end of the cold war
era, didn’t it. Well THAT one did only to be supplanted by the one currently
conducted on the Internet.

I’m referring to the one between computer criminals
and the highly skilled programmers they employ and the equally skilled developers
at the firms whose business it is to provide software defenses against the computer
criminals. Firms that produce such software as anti virus and anti spyware for
example. Make no mistake in discounting the condition of malicious intent among
certain groups on the Internet. IT IS an arms race and the stakes are personal
and high.

TEST MACHINE:

Today’s assessment started with one of my test machines being installed on my
test network which I would note is strongly separated by firewall devices and
other protections from my business network. WARNING: I make this point as I do
not recommend trying these tests unless you’re sure of what you’re doing and
have a test computer you can use. It’s quite possible visiting web sites known
to be attempting to compromise your machine could result in damage to your computer.

The test machine used is a 500 mhz Pentium III with 256mg of RAM and a 9gb hard
disk setup with a clean (new) install of Windows XP with Service Pack 2 installed.
From there a visit to the Microsoft update site made sure that ALL patches to
bring the machine current as of today (January 20, 2006) where installed. It’s
also important to note that the test machine is on an internal LAN (Local Area
Network) that is protected by an Astaro Gateway Security appliance (firewall,proxy etc.) that only allows the following ports to communicate with the Internet:

1. Port 20/21 FTP - File Transfer Protocol : File transfers
2. Port 25 SMTP - Simple Mail Transfer Protocol : For sending E-mail
3. Port 53 DNS - Domain Name System : How internet names are resolved
4. Port 80 HTTP - HyperText Transfer Protocol : Standard for web pages
5. Port 110 POP3 - Post Office Protocol 3 : For receiving E-mail
6. Port 443 HTTPS - Secure web sites

I make this somewhat technical point as:

1. These are standard ports that virtually any computer on the Internet has
   to allow to be of use.
2. Given that all other ports are blocked the spyware / malware infections
   that occurred did so over standard ports (services) such as browsing web
   pages on the standard port 80 for the HTTP protocol.

ANTI SPYWARE SOFTWARE INSTALLATION:

To start the testing it’s necessary to infect the system with some random bits
of spyware as occurs naturally from surfing the web. To insure that the machine
is infected I used a random selection of 20 sites from a list I have of known
troublesome web sites. These sites range from the obviously seedy to those that
appear professional and perfectly legitimate. To simulate surfing I clicked “yes” on
several pop ups (to simulate an accidental or intentional condition) but clicked
no on the great majority.

Also to see how the anti spyware software would do with one of the more dangerous
items I went to an Internet site that sells software used for clandestine information
gathering and downloaded their free key logger ostensibly intended for parents
to use in monitoring the computer usage of their children. (Or is it the tech
savvy teenagers monitoring what mom and dad are doing!?)

With the machine exposed to this random surfing and several intentional installations
it was time to start the software testing. All anti-spyware programs were downloaded and installed using Internet Explorer by choosing the “RUN” option each time. This makes for the simplest installation and is a common approach. Following installation all update routines
were run to ensure the latest files for spyware / malware detection where in
place. After updating all programs were instructed to run a complete scan.

RESULTS:

Not surprisingly there was a fair bit of variation in the items found by each
package. The problem with comparing the logs for each anti spyware package highlighted
the following:

1. There’s no absolute standard for naming the various thousands of items
   of spyware present on the Internet. Each package has its own naming system.
   I would note that the anti virus developers have the same problem with any
   given virus often ending up with anywhere from 4 or more names.
2. Software packages for the Microsoft Windows platform install a combination
   of files and registry entries. The anti spyware programs found to varying
   the degrees the components that make up a given malicious program. Some standard
   would have to be set to decide if a malicious software package by removal
   of some of its components had been rendered sufficiently inoperable to be
   considered “removed.”

SUMMARY:

Not with standing the issues of comparison noted in the previous section the
wide variation in items found substantiated our long held feeling that spyware
removal is still a moving target (as it most likely will always be) and that
no one package does it all. This modest experiment re-enforced our “gut feelings” and
experiences in removing spyware for the past four years as to these three points.

1. The two commercial packages did better than the non-commercial offerings.
   This point shouldn’t be hard to understand in that the modest purchase price,
   when multiplied by many users, generates the revenue that allows the hiring of highly skilled research and development staff.
2. The wise user will run at least two anti spyware packages with at least
   one being one of the commercial products and the other one of the non-commercial
   ones.
3. The threat from Spyware, while ranging from the just plain obnoxious to
   the highly threatening, is very real. Recall that this test computer is running
   Windows XP Professional with Service Pack 2 and all updates installed. Even
   in this completely current state within 10 minutes of surfing our test machine
   was infected with numerous items of spyware. If you are not running an anti
   spyware package we strongly suggest you take action now! At a minimum install
   SpyBot Search & Destroy. While be don’t believe this one package provides
   sufficient protection we’re certain that some protection against spyware
   and related malicious software is better than none!

Cheers!

Mike Shafer