Thursday, September 16, 2010



A new phishing scam is targeting users of the Electronic Federal Tax Payment System (EFTPS), a free service provided by the U.S. Department of the Treasury since 1996. The recent fraudulent format uses an email message that claims to be a rejected tax payment and directs users to a fake website for additional information. Remember, don’t ever provide any personal or financial information to unsolicited email messages.

Our research found a set of these fraudulent websites created on September 12. All the URLs are associated with the same IP address and in the same country.

The scam message:
Your EFTPS Tax Payment ID has been rejected.

Report ID: ***. Your Federal Tax Payment ID: *** has been rejected. Return Reason Code R## – The identification number used in the Company Identification Field is not valid. Please, check the information and refer to Code R## to get details about your company payment in transaction contacts section: http://www.eftps*******

If you receive one of these messages claiming to be from the EFTPS or IRS, don’t open it or click any link. It’s safer to manually type the URL (web address) instead of clicking a link. To verify whether a government or financial institution is trying to contact you, call that agency. You’ll find useful tips for avoiding phishing scams in this McAfee publication.
World of Warcraft Spearphishing and Botting

Monday September 13, 2010 at 6:58 am CST
Posted by David Marcus

No Comments
Permanent Link

Over the weekend I had the chance to put some work into my lowbie dwarf paladin named Boulderbrain. I was at the Stormwind bank minding my own business when I suddenly get this whisper:

Targeted WoW Phishing Attack

Now normally I simply ignore most whispers I get in-game (other times I simply don’t notice them) but this one caught my attention. Zooming in I think you will see why:

WoW Phishing Closeup

This message is telling me that Blizzard suspects my account of using third-party tools to cheat and would I go to their website, login, and check my account settings. In actuality this is an “attacker” pretending to be a Blizzard GameMaster, and the website itself is a phishing site:

Fake WoW Login Page

This particular fake was hosted on an IP address that had a pretty questionable report. (HINT, HINT use our SiteAdvisor browser plug in!) World of Warcraft has millions of users worldwide, making attacks and techniques like this very common. Many players (myself included) have taken the additional step of using two-factor authentication (commonly called 2FA or simply tokens), which can add an additional layer of protection to your logon credentials:

WoW With 2FA

The addition of the 2FA pin makes it extremely difficult to break into or pop the account itself. (It’s like adding a secondary token to your bank logon.) OK, now granted I got the free Core Hound pup with it, but it also has a sweet iPhone app that generates the 2FA code!

Now what were those third-party apps the original phish may have alluded to? Bots most likely. As anyone who follows this blog is aware, bots refer to robots, usually malicious in nature, but they simply automate tasks. Some of the more popular bots for World of Warcraft are farming and leveling bots. They are designed for pretty much what you would guess: They automate the “farming” of a variety of materials (later sold for in-game gold) or even honor (honor points can be used to purchase in-game items). These bots can also automate the process of leveling your character. Some examples:

WoW Honorbot - Used for Honor and PvP Farming

and also:

GatheringBot - Used to Farm Materials Mainly

Should your account be found to be using any of these, it will get banned–as it violates Blizzard’s terms of service. Credential and logon theft is one of the biggest areas of malware we at McAfee Labs deal with on a daily basis. Make sure you stay updated, properly configured and be cautious of in-game messages!

And level-up old school–the account you save may be your own!
SpyPro Fake-Alert Malware Joins ‘Scareware’ Lineup

Sunday September 12, 2010 at 8:29 pm CST
Posted by David Marcus

No Comments
Permanent Link

Social engineering is probably the most common technique for to enticing unsuspecting victims to reveal information or purchase something of no value. In the anti-virus world we often see malware authors use scare tactics to sell rogue anti-virus or “fake alert” anti-virus software.

Rogue malware authors use various methods to fool victims into purchasing their products. Some of the most common methods:

* Creating links to malicious web pages in which common search terms in search engines bring these pages to the top of the list, a.k.a. search poisoning
* Disguising themselves as legitimate applications, especially under peer-to-peer and IRC networks
* Offering downloads as legitimate software using bit torrent protocol

Over the last couple of days McAfee Labs has seen an increase in submissions from customers with regards to one variant of the fake alert family classified as We’ll describe the characteristic behavior of this variant in this blog. We also have a comprehensive description of this malware in our Virus Information Library.

Once this malware is run on the local machine, it displays a warning indicating that the computer is infected with various types of malware and that the user needs to click to clean the computer.

When the user clicks the warning, it pops up a window and initiates a fake scan on the computer. It shows a number of detections and warns the user that the system is infected. To “clean” the malware from the computer, users must purchase the software from the website “antiv[removed].com”

If left to run, this software attempts to use Internet Explorer to open websites with pornographic content.

The fake alert software also makes a number of changes to the Windows registry so that it can load itself at startup and disables phishing filters on Internet Explorer.
When users attempt to run a legitimate executable, this malware pops up and informs them that the file is infected and if users want to run the anti-virus software to clean the infection.

Here are a few cleaning and remediation steps you can take to remove or keep this malware at bay:

* Ensure that you have a legitimate copy of anti-virus software installed on the machine
* Ensure that software is updated regularly
* Exercise caution when you click on links. Using software such as SiteAdvisor ( can help because it distinguishes between safe and risky sites.
* Do not be enticed into downloading legitimate software for free, especially from P2P, IRC, or bit torrent networks
* Exercise caution while clicking links in emails that look suspicious, even If they appear to come from a known contact

Widespread Reporting of “Here you have” Virus (aka W32/VBMania@MM)

Thursday September 9, 2010 at 12:12 pm CST
Posted by Craig Schmugar

Permanent Link

– Latest updates moved to the bottom –
McAfee Labs is currently investigating a new threat commonly referred to as the “Here you have” virus due to the email subject line the worm uses during propagation. It looks like multiple variants may be spreading and may take some time to work through them all to paint a clearer picture. Here’s what we know thus far.

Infectious email messages may have the following properties:
Subject: Here you have or Just For you


This is The Document I told you about,you can find it Here.

Please check it and reply as soon as possible.




This is The Free Dowload Sex Movies,you can find it Here.

Enjoy Your Time.

The URL does not actually lead to a PDF document, but rather an executable in disguise, such as PDF_Document21_025542010_pdf.scr served from a different domain, such as this URL is no longer active and the email propagation vector is believed to be crippled at this time (though already infected hosts may continue to spread email messages).

Here is some additional information on the threat behavior:
Generic.dx!tsp!2BDE56D8FB2D –
W32/VBMania@MM –

When a user chooses to manually follow the hyperlink, they will be prompted to download or execute the virus. When run, the virus installs itself to the Windows directory as CSRSS.EXE (not to be confused with the valid CSRSS.EXE file within the Windows System directory). Once infected the worm attempts to send the aforementioned message to email address book recipients. It can also spread through accessible remote machines, mapped drives, and removable media via Autorun replication.

Accessible remote machines
The virus may be found at the following locations:

* c:\N73.Image12.03.2009.JPG.scr
* d:\N73.Image12.03.2009.JPG.scr
* E:\N73.Image12.03.2009.JPG.scr
* F:\N73.Image12.03.2009.JPG.scr
* G:\N73.Image12.03.2009.JPG.scr
* H:\N73.Image12.03.2009.JPG.scr
* New Folder\N73.Image12.03.2009.JPG.scr
* music\N73.Image12.03.2009.JPG.scr
* print\N73.Image12.03.2009.JPG.scr

Mapped drives and removable media
Other drives may contain an Autorun.inf file pointing to the created open.exe copy of the worm.

The virus attempts to stop and delete security services

* 0053591272669638mcinstcleanup
* AntiVirFirewallService
* AntiVirMailGuard
* AntiVirSchedulerService
* AntiVirService
* Arrakis3
* aswUpdSv
* Avast! Antivirus
* avast! Mail Scanner
* avast! Web Scanner
* AVG Security Toolbar Service
* avg9wd
* Avgfws9
* Gwmsrv
* Mc0DS
* Mc0obeSv
* McAfee SiteAdvisor Service
* McMPFSvc
* mcmscsvc
* McNASvc
* McProxy
* McShield
* mfefire
* mfevtp
* MSK80Service
* Panda Software Controller
* PavPrSrv
* prlo
* PSHost
* PskSvcRetail
* scan
* sdAuxService
* sdCoreService
* SfCtlCom
* TMBMServer
* TmProxy
* TPSrv

The virus attempts to download several files, such as:


These files were not available at the time of this writing, but files with these names include UPX packed password recovery tools (ChromePass, OperaPassview) and a UPX packed Sysinternals tool (PSExec) and a malicious HOSTS file.

Additional information is provided in the VIL: W32/VBMania@MM –

(coverage information moved to the bullets at the bottom)

McAfee Global Threat Intelligence File Reputation (aka Artemis / Network Security Heuristic) has coverage for at least the main variant at the Very Low sensitivity level or higher.

Emergency McAfee DAT files will be released later today have been released (6101). An Extra.dat file is available for this threat and may be downloaded here:

The McAfee Beta DAT files have been updated:

The McAfee Stinger stand-alone tool has been released for W32/VBMania@MM to detect and repair this threat:

A related Corporate KnowledgeBase article has been written: How to block mass emails containing a link to a virus infected .SCR file

– Updated Sep 15 –
The aforementioned email propagation information was associated with one variant. Many truncated and corrupted instances of the viruses were identified that are associated with the variant. Other variants that did not contain the same email propagation information have been identified. Reports of those variants are considerably less.

McAfee product coverage is as follows:

* DAT FILES Coverage is provided as “W32/VBMania@MM” in the 6101 DATs, released September 9. The McAfee Labs Stinger has also been updated to include coverage for this threat.
* VULNERABILITY MANAGER: The MVM/FSL release of September 9 includes a check to assess if your systems show signs of infection.
* WEB GATEWAY Coverage will be provided in the current Gateway Anti-Malware Database Update.
* REMEDIATION MANAGER Remediation Manager will run the McAfee Labs Stinger tool to scan hosts for possible infections.
* FIREWALL ENTERPRISE McAfee’s Global Threat Intelligence blocks this attack across multiple threat vectors using TrustedSource reputation, including the email message that delivers the link, the URLs associated with the malware, and the reputation of the malware file itself. This coverage extends to McAfee Email Gateway, Email and Web Security appliance, SaaS Email and Web Security Email Protection Service, McAfee Web Gateway, McAfee Firewall Enterprise, and a variety of other TrustedSource-enabled products.
* MCAFEE NETWORK SECURITY PLATFORM Versions with Artemis enabled will detect/block malware file transfers when downloaded over HTTP, without the need of signature updates. The UDS release of September 11 contains the signature “UDS-WORM: W32 VBMania@MM,” which provides additional coverage on the email messages containing malicious links.

Corporate KnowledgeBase
Adobe PDF Zero-Day Exploit Discovered in the Wild

Wednesday September 8, 2010 at 1:55 pm CST
Posted by Xiao Chen

No Comments
Permanent Link

Just after Adobe released its out-of-band patch for CVE-2010-2862, we discovered a malware exploiting a new zero-day vulnerability in the wild. Similar to the iOS PDF jailbreak vulnerability and CVE-2010-2862, this zero day occurs while Adobe Reader is parsing TrueType Fonts. We’ve analyzed and confirmed that the vulnerability affects the latest Adobe Reader, Version 9.3.4.

This zero-day vulnerability is a typical stack buffer overflow; exploitation of this issue is expected to be relatively easy. Although the latest version of Reader has been compiled with stack protection (/GS), the exploit uses an Return Oriented Exploitation (ROP) technique to bypass /GS protection and data execution prevention (DEP).

We saw a similar technique used to exploit an older Adobe TIFF parsing vulnerability. All this seems to point to the fact that ROP is gaining wider acceptance by malware writers to bypass DEP and existing stack protections.

McAfee Labs is coordinating with Adobe PSIRT, and we’ve provided them with additional details on the bug. The Adobe team is actively working on this issue, although there is no patch available at the time of writing this blog. Adobe Acrobat users are urged to update their security definitions for the various products.

McAfee protection to date:

* McAfee Network Security Platform: Coverage provided under the signature 0×40293c00, UDS-HTTP: Adobe Reader Unspecified Buffer Overflow
* DAT files: Coverage for known exploits provided in the 6099 DAT release under the signature
* Host IPS: Generic buffer overflow protection provides partial coverage
* Foundstone: The FSL package of September 8 includes a vulnerability check to assess if your systems are at risk

How Much Does My Identity Cost? (the Sequel)

Wednesday September 1, 2010 at 4:48 am CST
Posted by Francois Paget

1 Comment
Permanent Link

Two weeks ago, I posted a blog entry talking about the counterfeiting of legal documents. I have received many comments and requests for further data related to this type of fraud from various Eastern Europe countries, France, and even the United States. Aside from journalists, for whom it is their job, many people have contacted or attempted to contact me. Most of them were curious and friendly, but others flooded my mailbox:

The first request was for the URLs of the websites that provide the services. At McAfee, like at most of our competitors, we almost never disclose dangerous URLs apart from researchers in the business and law enforcement agencies. And in many cases we also employ some internal testing to avoid infection or compromise. When I wrote my blog entry, that URL was safe (no malware, no iframe), but this can change, especially if their owners know it will be visited by many inquisitive people.

The next question was that of the counterfeiters nationalities. No doubt they are Russian speakers.

Another request was related to the abundance of these offers. The site I visited actually contained a competitor blacklist with a dozen or so “disreputable” companies. As they were all restricted to drivers licenses, I carried on further investigations on the passport field. It was not difficult to find other offers with more attractive prices: less than US$1,000 instead of the US$4,000-$5,000 asked by the first one.

In this last offer, I noted the availability of diplomatic passports (price on demand).

If you are not a Google search ninja, you can just check YouTube. There, various well-phrased searches can direct you to the online shop you are looking for:

And regarding the payment methods? It seems they all prefer Western Union, but they are not very talkative on this subject. You have first to contact them via anonymous mailing services. (They specify: “no ICQ, no SMS, no phone call.”) However, I discovered another offer, with details about how to place an order.

At last, some people wished to know if these sites offered other materials or services. Some of them sell carding equipment to read/write magnetic cards, but the prices were exorbitant. They quoted between US$9,000 and $11,000; yet many of these devices can be found on Amazon or eBay for $500! Proving the relevance of our previous advice regarding what you toss into your household trash, one site offers fake French EDF (national electricity company) and British Telecom utility bills for £10. (In Europe, we frequently use these documents to prove our residency or proof of address.)

Even the envelope is supplied! Seemingly unimportant pieces of paper can interest today’s cybercriminals.
Zeus Botnet Attacks via FedEx Scam

Tuesday August 31, 2010 at 5:18 pm CST
Posted by Pedro Bueno and Adam Wosotowsky

No Comments
Permanent Link

Yesterday we discovered a new Zeus campaign.

Most of the messages associated with the new spam campaign are linked to the Asprox botnet. This time, the focus is on FedEx. Most of the attachments start with either FedExDoc[randomnumbers].exe or FedExInvoice[randomnumbers].exe. Those attachments are recognized as the Bredolab Trojan, which will download the Zeus component.

This Zeus variant has a control host on hxxp://, but also downloads from hxxp://

The targets of these samples are a large number of banks outside the United States. We still see common U.S. targets…

* Citibank
* Comerica
* USBank
* WellsFargo

and also some banks from Europe, the Middle East, Asia, and South America…

* Neue Bank (Liechtenstein)
* Arab Bank
* MyBank (Taiwan)
* BHI Bank (United Kingdom)
* NPBS (United Kingdom)
* Banco de Sabadell (Spain)

as well as several other banks.

Watch out for Zeus’ going global.
Labs Releases Whitepaper on Cooperative Anti-Malware on Endpoint and Gateway

Tuesday August 31, 2010 at 9:27 am CST
Posted by David Marcus

No Comments
Permanent Link

The Anti-Malware engine is a critical and core piece of the McAfee anti-malware solutions. As with any core technology, the engine must be rock-solid stable, fast, and functionally rich.

A new McAfee Labs whitepaper outlines these engine technologies and values, covering both endpoint and gateway uses. Beyond introductions to malware detection methodologies–ranging from exact detection to heuristics, and technologies from exploit detection to cloud-based detection, the new paper especially outlines McAfee’s approach to Cooperative Anti-Malware on Endpoint and Gateway. “Cooperative” in this case refers to the added value of combining anti-malware on the endpoint and on the gateway: a true defense-in-depth strategy in action.

In this defense-in-depth implementation we have engine technologies that are optimized for the endpoint and the gateway, respectively, and both are connected through our Global Threat Intelligence back-end, or “cloud.” This combination allows strict enforcement and the highest proactive catch rates at the network perimeter, keeping the majority of threats outside of your network, and effectively and accurately protecting the desktops in an enterprise as well.

Download and read it now!
iPhone OS – Safe again?

Monday August 30, 2010 at 4:23 am CST
Posted by Mike Price

No Comments
Permanent Link

Three weeks ago a ‘mysterious’ new jailbreak technique was posted to Research to date indicates that this technique leverages two distinct vulnerabilities to gain access to devices. The first issue exploited is a FreeType CFF font handling issue, exploitable via MobileSafari. The second issue exploited is an IOSurface framework issue that allows for privilege escalation to root, and eventual complete compromise of devices.

Fortunately for many, Apple has released an update that addresses both issues (HT4291, HT4292). This update should prevent both malicious attackers from exploiting these vulnerabilities, as well as prevent the jailbreak technique from continuing to work (for devices with the update installed).

Great news on the vulnerability front, no doubt. But are 25+ million iPhones truly safe again? Maybe.
Newegg Password Reset Scam: a Harbinger of Threats to Come?

Wednesday August 25, 2010 at 4:28 pm CST
Posted by Adam Wosotowsky

No Comments
Permanent Link

This blog was updated at 1.15 pm Pacific time on Aug. 26.

McAfee Labs has detected a new strain of spam in the wild that is not only a sophisticated forgery of a Newegg purchase receipt, but there is also some indication that the botnet may be attempting to abuse Newegg’s password reset system to further the scam.

password reset

In less than 1 percent of the cases, the spammers appear to be taking advantage of the password reset option on the Newegg website to generate an email to the victim announcing that a password reset is required. This ruse cannot be used to determine if an account exists because the Newegg site returns the same text if you request a password reset on an actual or nonexistent account. So directory harvesting does not appear to be the attackers’ goal. Newegg’s password reset option is not protected by any sort of CAPTCHA authentication unless the account has received multiple requests for a password reset, so this process could be scripted as part of the spam campaign. The password reset request does not actually reset the password unless the recipient clicks on the email that is sent and even then the password reset request does not indicate the account has been compromised. In all likelihood this scam is designed to make the recipient anxious by suggesting an unauthorized individual has attempted to access the account.


Anxiety and frustration are common emotions exploited by spam and phishing messages to make a victim click on a malware link without thinking. One common trick is to send a purchase confirmation email to a recipient, who is likely to click on the attachment or the link because he or she is afraid or is convinced that someone has already hacked the account. To continue the scam: The victims receive a forged Newegg purchase receipt shortly after seeing the legitimate password reset notice. If recipients are anxious about account tampering, they may be willing to release a quarantined spam message that claims to be a purchase receipt because they feel their accounts may have been compromised.


This spam mail appears to be associated with the Cutwail botnet, which is the second-most prolific botnet in detected infections. (Rustock is number one.) Cutwail has the highest number of infections detected in Russia, India, and Brazil. We do not know if every recipient of a Newegg spam has received a password reset notification before the spam mail arrived, but McAfee TrustedSource™ has detected a 233 percent increase over the average mail flow coming from Newegg IP addresses today.


The spam mail not only mimics the look and feel of a Newegg email, but also forges the RFC 821–received headers to pretend that it originated from Newegg servers. The email contains an HTML attachment that uses obfuscated JavaScript to forward the victim to a domain which attempts to deliver fake anti-virus software or other malware to the recipient.

This is a powerful scam: It combines forgery techniques to fool the victims, techniques to fool the filters, and outright abuse of the Newegg corporate infrastructure to scare the recipients of the malicious emails. Techniques like this are not new, but the combination of three in one package is rare. Administrators should be aware of this campaign and inform their users not to be fooled by the purchase receipt. Users who want to check their Newegg accounts should not use any links in an email but should go straight to

Newegg says it is investigating this issue to determine any customer impact and that it is researching any actions the company may need to take to help its customers avoid phishing scams that take advantage of their brand.

Kaspersky Anti-Virus


Kaspersky Anti-Virus features include real-time protection, detection and removal of viruses, trojans, worms, spyware, adware, keyloggers malicious tools and auto-dialers, as well as detection and removal of rootkits. It also includes instantaneous automatic updates via the "Kaspersky Security Network" service.

According to Kaspersky, "Kaspersky Security Network service allows users of Kaspersky Lab security products from around the world to help facilitate malware identification and reduce the time it takes to provide protection against new (“in the wild”) security risks targeting your computer." Kaspersky Lab maintains a strict privacy policy for use of this service and asserts that volunteering to use this service by sending certain information "contains no personally identifiable information about the user and is utilized by Kaspersky Lab for no other purposes but to enhance its security products and to further advance solutions against malicious threats and viruses."

Windows users may download an Anti-Virus Rescue Disk that scans the host computer during booting inside an isolated Linux environment. In addition, Kaspersky Anti-Virus prevents itself from being disabled by malware without user permission via password access prompts upon disabling protection elements and changing internal settings. It also scans incoming instant messenger traffic, automatically disables links to known malware hosting sites while using Internet Explorer or Firefox and includes free Technical Support and free product upgrades within paid-subcription periods. Kaspersky Lab currently offers 1 year, 2 year and 3 year subscriptions.

According to AV-Comparatives, Kaspersky Anti-Virus rates highly amongst virus scanners in terms of detection rates, even despite the fact that the program has failed two Virus Bulletin tests in 2007 and another two in 2008.[1] In addition, PC World awarded Kaspersky Anti-Virus 6 the Editor's Choice in its 2007 anti-virus comparative[2]. The well-known and highly regarded Ars Technica lists Kaspersky as one of the best choices for Anti-Virus on the Windows platform.[3]

Kaspersky Anti-Virus was "A-listed" by the UK PC journal PC Pro in late 2007, where it scored very highly for detection and removal of malware[4]. PC Pro attributes this to “a combination of the software’s heuristic scanning and uncompromising approach to database updates[4]. While many packages check for new virus signatures on a daily basis, Kaspersky runs to an hourly schedule, improving your chances of being immunized before an infection reaches it.” [5]

Kaspersky Anti-Virus was tested by PassMark in June 2008 and was accoladed as having "the industry's fastest scan times" on Windows Vista.

Kaspersky Anti-Virus lacks certain features found in Kaspersky Internet Security. These missing features include a personal firewall, HIPS, AntiSpam, AntiBanner and parental control tools.

Also, Kaspersky, like the majority of its competitors, is incompatible with many other anti-virus and anti-spyware software.[6]

The newly released Macintosh capable edition of Kaspersky Anti-Virus is compatible on (Intel Processor Based) Mac OS X v.10.4 and higher to include the brand new version Mac OS X Snow Leopard, released in August 2009. Kaspersky Labs internal testing concludes consuming only 1% CPU impact on performance and is designed to maintain a user friendly Mac-like interface that Mac users are familiar with. Kaspersky Anti-Virus for Mac contains definitions to detect and block malware affecting Windows, Linux and Mac OS X alike. Kaspersky Anti-Virus for Mac also scans shared folders of users running Windows using Virtual PC on capable Apple Macintosh personal computers.[7]
Linux editions

An edition of Kaspersky's anti-virus solution for Linux workstations is available to business consumers.[8] It offers many of the features included in the mainstream version for Windows, including on-access and on-demand scanners.

Specialized editions of Kaspersky Anti-Virus are also available for a variety of Linux servers and offer protection from most forms of malware.
System requirements
XP (32/64-bit) Windows Vista (32/64-bit) Windows 7 (32/64-bit) Mac OS X (v.10.4.11 "Tiger" or higher) Linux (Red Hat, Mandriva, Fedora, Debian, SUSE)
Processor Intel Pentium 300 MHz or higher (or equivalent) Intel Pentium 800 MHz or higher (or equivalent) Intel Pentium 1 GHz or higher (or equivalent) Intel Pentium 1 GHz or higher (or equivalent) Intel Pentium 133 MHz or higher (or equivalent)
RAM 256 MB 512 MB 1 GB 512 MB 64 MB
Free hard drive space 50 MB 50 MB 50 MB 80 MB 100 MB

A DVD-ROM or CD-ROM drive, Internet Explorer 5.5 or above and Windows Installer 2.0 or above are also required for the installation of Kaspersky Anti-Virus in Windows. The latest version can either be downloaded from their official website or purchased through retail.

The last version of Kaspersky Anti-Virus that still supported Windows Me was and the last version that still supported Windows 2000 was
Security flaws

* In 2005, two critical flaws were discovered in Kaspersky Anti-Virus. One could let attackers commandeer systems that use it.[9] One allowed CHM files to insert malicious code.[10]

AVG (software)


The brand name AVG comes from Grisoft's first product, "Anti-Virus Guard", launched in 1992 in the then Czechoslovakia. In 1997, the first AVG licenses were sold in Germany and UK. AVG was introduced to the U.S. in 1998.[2]

The AVG Free Edition helped raise awareness of the AVG product line.[3]

In 2006, the AVG security package grew to include anti-spyware, as AVG Technologies acquired ewido Networks, an anti-spyware group. That same year, Microsoft announced that AVG components would be available directly within the Windows Vista operating system.

AVG Technologies acquired Exploit Prevention Labs (XPL) in December 2007, and incorporated that company's LinkScanner safe search and surf technology into the AVG 8.0 security product range released in March 2008.

In January 2009, AVG Technologies acquired Sana Security, a developer of identity theft prevention software. This software was incorporated into the AVG security product range released in March 2009.

According to AVG Technologies, over 110 million users have AVG Anti-Virus protection, including users of the Free Edition.[4]
[edit] Products
[edit] Versions for Windows desktop clients

AVG Technologies provides a number of products from the AVG range, suitable for Windows 2000 onwards. In addition to this, AVG Technologies also provides Linux, FreeBSD, and most recently Mac OS X versions of the software. AVG Anti-Virus 9.0 is available in free and commercial editions. AVG 9.0 has identity theft protection through a partnership with Intersections Inc,. AVG 9.0 also adds white listing, behavioral protection and cloud operations to their signature-based blocking. The software adds the Resident Shield, firewall, and identity protection modules. The LinkScanner component has been improved to cut phishing threats further.[5]

For desktop protection of PCs running Windows, the AVG solutions include:

* AVG Internet Security is a full suite which brings together the AVG Anti-Virus, Anti-Spyware, LinkScanner, Anti-Rootkit, Web Shield, Security Toolbar, Firewall, Anti-Spam, Identity Protection and System Tools protection components.
* AVG Identity Protection provides protection against identity theft and unknown malware threats using behavioral monitoring.
* AVG Anti-Virus plus Firewall provides the Anti-Virus, Anti-Spyware, LinkScanner, Anti-Rootkit, Web Shield, Security Toolbar and Firewall protection components.
* AVG Anti-spyware was a rebranded version of ewido Anti-Spyware[6], that was integrated into AVG Anti-Virus as of version 8.0. A free version was also available, having now been merged into AVG Anti-Virus Free Edition
* AVG Anti-Rootkit was a free anti-Rootkit program that was discontinued as of late 2006. Like AVG Anti-Spyware, it has now been merged into AVG Anti-Virus
* AVGADMIN is a remote administration tool, which allows the software to be managed centrally on networks.[citation needed]
* AVG Anti-Virus provides the Anti-Virus, Anti-Spyware, LinkScanner, Anti-Rootkit, Web Shield, and Security Toolbar protection components.
* AVG Anti-Virus Free Edition provides basic Anti-Virus and Anti-Spyware protection, plus the full AVG LinkScanner safe search and surf technology. There are some limitations with AVG Anti-Virus Free Edition compared to the commercial versions of AVG products and other free antivirus. These limitations include:
o Less protection – AVG Anti-Virus Free Edition provides the same anti-virus and anti-spyware scanning engine as the commercial product; however, it lacks anti-rootkit. The older 7.5 Free Edition is perfectly capable of finding and disabling rootkits based on signatures, but cannot scan for rootkit-like activity. The 8.5 version of AVG Anti-Virus Free Edition version lacks any anti-rootkit capability. While there is no official protection for files from messaging sources, the Resident Shield component automatically scans files before they are opened or copied.
o Infrequent updates – AVG Anti-Virus Free Edition receives updates via a lower priority service. Priority updating via high-speed servers is only available for the commercial versions of AVG products.
o No telephone or e-mail technical support – There is no telephone or e-mail technical support provided by AVG for users of AVG Free Edition products anywhere in the world. AVG Free Edition users have access to support via the self-help AVG Free Forum.
o Less customization – Scheduling options in AVG Anti-Virus Free Edition are very limited (only one scheduled update per day). However, the AVG Resident Shield configuration allows exclusions. The on-demand/scheduled scanner allows advanced testing options such as heuristics and reporting of password-protected archives reporting. Process priority for on-demand/scheduled scans can be dynamically adjusted over three different configurations.
o No server support – AVG Anti-Virus Free Edition cannot be installed on server operating systems (such as Windows Server 2003), nor can it be used for the scanning of network drives.
o AVG Anti-Virus Free Edition is only licensed for home and non-commercial use on a single computer.

AVG Free Edition has previously been responsible for popup ads advertising the non-free versions of AVG Anti-Virus and AVG Internet Security , which claim to provide more comprehensive levels of protection.[7][8] AVG Anti-Virus 8.5 Free Edition users are now also subject to a daily pop-up advertising campaign for a "recommended upgrade" to AVG Internet Security. A "manager" on the AVG free version forum states that this advertisement appears once per day for one month each year.[9].

All versions of the AVG products, excluding AVG Anti-Rootkit Free Edition (now discontinued), are compatible with the 64-bit edition of Windows.
[edit] Versions for servers

AVG Technologies also sells AVG anti-virus and Internet security solutions for web/file servers or email servers running either Linux, FreeBSD or Windows.

* AVG Internet Security Business Edition provides centrally controlled protection for workstations and file servers, e-mail server and Microsoft SharePoint server protection, plus e-mail server based anti-spam protection.
* AVG Anti-Virus Business Edition provides centrally controlled anti-virus and anti-spyware protection for workstations and file servers.
* AVG File Server Edition provides anti-virus and anti-spyware protection for file servers.
* AVG E-mail Server Edition provides anti-virus and anti-spyware protection for e-mail servers, plus e-mail server based anti-spam protection.

[edit] AVG for Linux/FreeBSD

With Version 7.5, AVG Technologies is providing a solution for FreeBSD for the first time. AVG Technologies has incorporated spam detection in addition to virus detection for Linux/FreeBSD software.[citation needed]
[edit] Features

AVG features most of the common functions available in modern anti-virus and Internet security programs, including periodic scans, scans of sent and received emails (including adding footers to the emails indicating this), the ability to "repair" some virus-infected files, and a "virus vault" in which infected files are held (A quarantine area; also known as a "virus chest").
[edit] LinkScanner

The patent pending LinkScanner technology acquired from Exploit Prevention Labs and built into most AVG products, provides real-time protection against exploits and drive-by downloads. LinkScanner includes: Search-Shield – a safe search component that places safety ratings next to each link in Google, Yahoo! and MSN search results; plus Active Surf-Shield – a safe surf component that scans the contents of a web site in real-time to ensure it's safe being opened.[10] A faulty upgrade in 8.0.233 causing users to lose internet access, as well as concerns regarding web analytics have made LinkScanner a controversial component (see "LinkScanner Concerns").
[edit] Concerns

Initial AVG Anti-Virus upgrades for version 8.0.233 contained a malfunction in the AVGNSX.exe process, blocking network activity and internet access.[citation needed] The AVGNSX.exe process is part of the LinkScanner utility. Current versions of avg are unaffected, as the product is at revision

When AVG 8.0 was first released, its LinkScanner safe search feature was shown to cause an increase in traffic on web sites that appear high in search engine results pages. Since LinkScanner disguises the scans as coming from an Internet Explorer 6 browser when it prescans each site listed in the search results, web site usage logs showed incorrect and overinflated site visitor statistics. The prescanning of every link in search results also caused web sites to transfer more data than usual, resulting in higher bandwidth usage for web site operators and slow performance for users.[11] AVG initially said site administrators would be able to filter the LinkScanner traffic out of their site statistics, leaving the problem of excess bandwidth usage still to be solved.[12] Pay-per-click advertising was not affected by the increase in traffic.[13]

In response to complaints, AVG announced that as of July 9, 2008 "Search-Shield will no longer scan each search result online for new exploits, which was causing the spikes that webmasters addressed with us",[14] releasing a new build on that date that applies a local blacklist, then prefetches and scans only those links clicked on by the user.[15]
[edit] Resource requirements

AVG had been known for its conservative resource requirements during its version 6.0 run. The AVG Anti-Virus Professional Edition required 16 MB of RAM and 20 MB of space on the hard drive.[citation needed]

Version 7.5 of AVG Free requires a Pentium (or compatible) CPU with 300 MHz and between 64–256 MB of RAM, depending on operating system (at least 64 MB with Windows 9x, at least 128 MB with Windows 2000 or newer, with more RAM recommended).[16]

An additional caveat with version 7.5 in Windows XP, which is a multi-user system that allows more than one user to be logged in at a time, is that scheduled scans ran as separate processes, which created a situation in which there were two scheduled scans, one in each active account, running simultaneously and causing heavy hard disk throttling and considerable system lag. This fault was finally fixed in version 8.0 of the program.

Currently, both AVG Anti-Virus and AVG Internet Security require at least 256 MB of RAM for the computer as a minimum.[17][18] The comparatively high use of paged physical RAM has led to crashes with some software, such as the Half-Life 2 series.[19]
[edit] Issues

* When uninstalling AVG in Windows XP/Vista and attempting to install other anti-virus programs such as Kaspersky Anti-Virus or Norton AntiVirus, the latter programs will not install. Instead, they show an "incompatible software installed" error even if the uninstalled software has been removed using the control panel. This happens because software that updates and changes can add registry entries that were not added when the product was originally installed (therefore the uninstaller is unaware of the registry keys).[20]
* A signature update dated November 9, 2008, crippled some computers, as it allowed the software to treat "user32.dll", a major component of Windows XP/Vista, as a trojan and advised users to delete it. Users who deleted the file in question were put on a continuous reboot loop. The problem was rectified a few days later with a new signature database and further safeguards were added to the product (270.9.0/1778).[21]
* Towards the end of July 2009, a software update caused the program to inform users that iTunes was infected[22] with a non-existent virus, Small.BOG. If users followed the recommended instructions, it would remove critical DLL files and corrupt the iTunes installation.[23]

[edit] Reception

* AVG Anti-Virus was certified by ICSA Labs.[24]
* It has been tested 43 times, from February 1998 through May 2003, by Virus Bulletin and has failed 22 times and passed 21 times. During the period from June 2003 to April 2008, it was tested 23 times; passing 20 times and failing 3 times.[25]
* AVG won a Highly Commended award from Australian PC Authority magazine 2007 Reliability and Service Awards Best Software category (over 14,000 survey respondents) with an 89% satisfaction rating. It was beaten only by Firefox in satisfaction (93%).[26]
* At AVG 7.5 received a 77/100. It did a "fine job" in disinfection tests, but ranked last of the ten products tested in proactive protection using one-month-old signature files.[27]

[edit] See also

* List of antivirus software

[edit] References

1. ^ AVG Anti-Virus and Internet Security - Leading Internet security vendor, Grisoft, changes name to AVG Technologies
2. ^ "AVG Technologies Celebrates 15 Years of Internet Security Success".
3. ^ GRISOFT "Celebrates 15 Years of Internet Security Success", AVG Technologies bulletin, 15 December 2006
4. ^ AVG Home page logo
5. ^,2817,2353742,00.asp
6. ^ "ewido is now part of the AVG Technologies family of world-class Anti-Virus and Internet Security products. ewido users will benefit from AVG's comprehensive threat research and support resources."
7. ^ "Avg 7.5 Constant Pop Up Ad Window".
8. ^ "AVG pro 7.5 annoying pop-up till December?".
9. ^ AVG Free Forum - pop-up ads
10. ^ AVG Anti-Virus and Internet Security - FAQ
11. ^ "AVG Disguises Fake Traffic As IE6".
12. ^ "AVG update disguises LinkScanner traffic as IE6".
13. ^ "LinkScanner could be behind surge in web traffic".
14. ^ "AVG Responds to Fake Traffic Spikes".
15. ^ "Grisoft modifies its free AVG product after complaints".
16. ^ AVG 7.5 Anti-Virus Edition User Manual. GRISOFT, s.r.o.. 2007-11-08. Retrieved 2009-04-16
17. ^ AVG 8.5 Anti-Virus User Manual. AVG Technologies CZ, s.r.o.. 2009-03-10. Retrieved 2009-04-16
18. ^ AVG Anti-Virus and Internet Security - AVG Internet Security
19. ^ Games freeze or crash with looping sounds (paged pool memory issues) - Crashes and Errors - Knowledge Base - Steam Support
20. ^ "Other Antivirus software's error incompatibility while installing due to leftover AVG's registry keys after uninstallation".
21. ^ AVG signature cripples Windows machines
22. ^ "iTunes reported as a Trojan by AVG - How to Fix".
23. ^
24. ^ /ICSALabs/Antivirus/Certified Products
25. ^ Virus Bulletin : Independent Malware Advice
26. ^ Australian PC Authority Magazine Reliability and Service Awards 2007
27. ^ PC World - AVG 7.5 Anti-Virus Professional Review

Wednesday, September 15, 2010

Risk of using computers

Computer virus

Risk of using computers

The Internet lets millions of computer users around the world link together for business and fun. Many different people use the internet. Anyone using the Internet can find information about many different subjects, in many different languages, in very little time.

The Internet makes it possible for one person to damage or slow thousands of computers that are linked to it. They can do this by writing computer programs. Or, they can make the computer fill itself with so much useless information that it stops working. If you are not careful you could make your computer crash.
[change] Great loss by "worm"

On January 24, 2003, a kind of computer virus called a "worm" was released to infect the Internet. A worm is a series of computer instructions that makes copies of itself and sends it to other computers.

This worm sent copies of itself to computers across the Internet. The worm temporarily damaged millions of computers around the world. It slowed large groups of computers called networks.

Three servers defending the Internet crashed due to the worm.

One large American banking company had to close about 13,000 of its machines that let people get money from their bank. People could no longer get cash from the bank’s machines using their credit cards.

A large worldwide airline could not sell tickets using the Internet because the worm made its computers fail. Emergency service workers in the western American City of Seattle, Washington could not answer emergency calls because the worm caused their computers to fail.

Computer experts named the worm "W-Thirty-Two-Slammer". They said the worm caused a problem for the Internet that was similar to a traffic jam: when there are too many cars on a road in a large city, and no one can move. The Slammer worm caused an information jam.

The experts believe the worm was first created in Asia. An American computer expert said evidence seemed to show the virus first appeared in Hong Kong. A government computer team in Hong Kong is working to find who released the new virus.

South Korea may have been the worst hurt nation in the January 24th attack. On January 27th, a spokesman for South Korea’s Information and Communication Ministry said computer communications on the Internet were almost back to normal. The ministry also said experts were working to find from where the computer virus came.

Computer experts in China and Taiwan also reported problems with the worm. Computers in Japan suffered some problems, but they were limited to a few schools and companies.

By the morning of January 28, computer experts around the world had stopped the worm or made their computer systems safe against the Slammer. Experts believe the worm cost computer networks many millions of dollars in delays, lost business, and the loss of work usually done on a computer.

The person who wrote the instructions that created the Slammer worm attacked computers that use the Microsoft's computer operating system. Microsoft quickly provided the necessary computer instructions to make its system safe and prevent the Slammer worm from attacking other computers.

The kind of program that made the Microsoft system safe is called a "patch" or "update". Microsoft says it wants to improve the speed of future updates or patches for computer users linked to the Internet, keeping harm from their products.

Computer experts say the Internet has become extremely important every day in every area of the world. They say businesses, local governments and private citizens everywhere are using the Internet as an important part of their business or daily life. The experts say some businesses could no longer exist without the Internet. However, many businesses, local governments and private citizens have failed to learn how to protect their computers from viruses or worm attacks.
[change] Anti-virus company

Sophos P-L-C is a computer company in Britain that makes programs that protect computers against viruses and worms. It is the fourth largest anti-virus company.

Recently, Sophos company officials warned computer users against many new viruses and worms. The officials said recent evidence shows that some people are working hard to make illegal computer programs. The Sophos company said this in a newspaper report printed in Singapore on January fourteenth, only ten days before the Slammer worm attack.

Graham Cluley is a computer expert with the Sophos company. He says computer security companies expect more viruses and worms this year. He says virus writers want to create the next super virus or worm. These can be easily spread by electronic mail or from a computer communications method called Instant Messaging. Mister Cluley said this kind of virus or worm causes the greatest problems.

The Sophos Company experts say about 40,000 computer viruses are now known to exist. The experts say about 200 new computer viruses are released into the Internet each month.

Mister Cluley says nine of last year's ten most damaging viruses were spread by electronic mail to computers that use Microsoft Windows as their operating system.

A company called F-Secure also makes computer security programs. Its experts say new kinds of computer attacks will be aimed at damaging millions of computers very quickly. This kind of attack is called a "flash worm". It would be able to infect millions of computers in less than fifteen minutes. An F-Secure company computer expert says it is just a matter of time before someone tries to infect the Internet with such a program.
[change] Anti-virus program usefulness

Computer experts say many private citizens, businesses, and local governments are not concerned about computer security until they suffer a damaging attack. Such an attack can cost computer users a great deal of money in lost business, lost information or damaged computer equipment. They say the attack can be more costly than providing good communications security.

The experts say that using a computer anti-virus program is the first step in protecting a business or private computer. An anti-virus program searches the computer for, and guards against, viruses. It also inspects incoming e-mail and new programs for viruses.

The experts say that many good computer companies produce anti-virus protection programs. Most companies that offer anti-virus programs also provide new information called "updates" to protect against new viruses or worms as they appear.
[change] Another way of protection
Ambox scales.svg
An editor thinks that this article may not be neutral.
This can be talked about on the article's talk page.
This article has been tagged since April 2009.

An American company called McAfee Security produces a popular anti-virus protection program. Other companies, for example Symantec and Computer Associates, sell programs that do the same thing. Computer experts say a good anti-virus program is only the first step in computer security. The experts list a number of things computer users can also do to help protect their computers.

For example, do not open any file attached to electronic mail if it comes from an unknown person or place. Delete electronic mail from unknown people. Make copies of all important documents and keep them in a safe place. This should be done often to protect valuable information.

Computer experts agree that everyone should refuse computer information from strangers. They also agree that users must be extremely careful when copying any kind of information from the Internet to their computer's memory. All experts agree that doing these things is better than suffering a virus or worm attack.

The Internet is fun, educational and a great business tool. But because of computer virus attacks, safety is very important.