Mr. Tweak - Windows Network & Admin Tweaks

Windows network, systems, and software Administration Tips & Tricks


Password to “Archiveus” Extortion Virus Is Found

After at least one person’s My Documents folder was encrypted by the Archiveus virus, the BBC reports that the password has been recovered; it was sitting in the virus’s own code. In case you ever need it, the password that unlocks the files being held for ransom is mf2lro8sw03ufvnsq034jfowr18f3cszc20vmw.

While it’s less and less likely for PC users to get infected by a virus, I expect the outcome of the infections that do happen to become increasingly severe. As the value of these extortion schemes rises, organized criminals will be able to hire better commercial programmers. With better programmers, expect the same techniques that already exist (free, as open source) for sound encryption and for software-registration keys to be built into viruses a few generations from now, at which point the key will not be recoverable from the virus itself.



Utilities to Delete a File on Restart - Working Around “Access Denied”, “Sharing Violation”, and Spyware/Trojans

Recent spyware and trojans shelter behind Windows’ own locking of open files, and many of the newer antivirus, security, and even PC-cleanup programs that are supposed to remove them also leave processes running and files open. Either way the result is repeated “Access Denied” and “Sharing Violation” errors.

Solving those errors used to mean juggling PIDs from the Windows Task Manager and repeated runs of Microsoft’s kill.exe; scripting kill.exe to run at boot or from Safe Mode was common too. Here’s a list of utilities that automate the process and make manual cleanups a bit faster.

I’ve always liked SysInternals’ stable and well-thought-out tools, and two of them are great here: the freeware Process Explorer and PsKill. PsKill does what kill.exe does but can also kill processes on networked PCs, while Process Explorer shows, for every process, the DLLs it has loaded and the files and handles it holds open. That is what makes Process Explorer useful: you can find everything you actually need to close before you delete. Its interface is good enough that it’s worth keeping even if you skip PsKill and use one of the cleanup tools below.

One I like is the freeware MoveOnBoot. Right-clicking a file lets you choose to Copy, Move, or Delete it on the PC’s next boot, before anything has a chance to lock it again. It’s also recommended in “How To Override “Access Denied” and “Sharing Violation” Roadblocks”, along with Unlocker Gotcha. Unlocker Gotcha is also freeware and its interface looks pretty fast. They’ve added a bit of Process Explorer’s functionality: right-click a folder and a list of all open/locked files inside it pops up.

Also take a look at EMCO’s Unlock IT. Instead of adding files to a list and rebooting, Unlock IT lets you kill the locking processes from within its interface and then copy, move, or delete the related files immediately. Instant gratification is great, and even better when it means not waiting through a boot process slowed by too many viruses and trojans.
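
As an added example (not code from the original post or from any of the tools named above), here is the mechanism that delete-on-reboot tools rely on, done directly from PowerShell: the Win32 call MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT queues the file under Session Manager’s PendingFileRenameOperations value, and Windows carries the deletion out early in the next boot. The function names, the MrTweak namespace and the sample path are mine. Run it from an elevated PowerShell, since the queue lives under HKLM.

```powershell
# Added example, not from the original post: what MoveOnBoot-style tools do under
# the hood. Run from an elevated PowerShell; the reboot queue lives under HKLM.

$signature = @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool MoveFileEx(string lpExistingFileName, string lpNewFileName, int dwFlags);
'@
# Namespace and type name are arbitrary (assumption); any unused names work.
$Kernel32 = Add-Type -MemberDefinition $signature -Name 'NativeMethods' -Namespace 'MrTweak' -PassThru
$MOVEFILE_DELAY_UNTIL_REBOOT = 0x4

function Remove-FileOnReboot {
    param([Parameter(Mandatory)][string]$Path)
    $full = [System.IO.Path]::GetFullPath($Path)
    if (-not (Test-Path -LiteralPath $full)) { throw "Not found: $full" }

    # Try the normal way first; only fall back to the boot-time queue if the file is locked.
    try {
        Remove-Item -LiteralPath $full -Force -ErrorAction Stop
        Write-Host "Deleted immediately: $full"
        return
    } catch {
        Write-Host "Could not delete now ($($_.Exception.Message)); queuing for next boot."
    }

    # A null destination means "delete". Windows records the request under
    # HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations
    # and Session Manager carries it out early in boot, before services (or malware) start.
    $ok = $Kernel32::MoveFileEx($full, $null, $MOVEFILE_DELAY_UNTIL_REBOOT)
    if (-not $ok) {
        $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "MoveFileEx failed, Win32 error $err (not elevated?)"
    }
    Write-Host "Queued for deletion at next boot: $full"
}

function Get-PendingFileRenames {
    # Lists the queue. Entries are pairs (source, destination); an empty destination is a
    # delete. Malware uses the same mechanism to swap files in at boot, so this is worth
    # auditing on a suspect machine, not just for checking that your own request landed.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $raw = (Get-ItemProperty -Path $key -Name PendingFileRenameOperations -ErrorAction SilentlyContinue).PendingFileRenameOperations
    if (-not $raw) { return }
    for ($i = 0; $i -lt $raw.Count; $i += 2) {
        # Paths are stored in NT form with a \??\ prefix; strip it for display.
        $src = $raw[$i] -replace '^\\\?\?\\', ''
        $dst = if ($i + 1 -lt $raw.Count -and $raw[$i + 1]) { $raw[$i + 1] -replace '^\\\?\?\\', '' } else { '<delete>' }
        [pscustomobject]@{ Source = $src; Destination = $dst }
    }
}

# Usage (elevated); the path is a placeholder, not a real indicator:
#   Remove-FileOnReboot -Path 'C:\Windows\System32\suspect.dll'
#   Get-PendingFileRenames | Format-Table -AutoSize
```

The second function is the part worth keeping around: after a cleanup, an unexpected entry in PendingFileRenameOperations is a sign that something else on the machine has queued its own file swap for the next boot.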




Microsoft AntiSpyware Beta 2 Officially Released as Windows Defender

Microsoft’s newest antispyware package was just released. This is beta 2 and it’s now branded “Windows Defender” instead of Microsoft Antispyware - download Windows Defender beta 2 here. The biggest changes in this new release appear to be to the program’s interface, with a lot of simplification and streamlining. Dwight Silverman’s TechBlog has a good review of the changes and screenshots of the new interface.

Unlike most Microsoft Beta software, Windows Defender Beta 2 automatically detects an earlier version of Microsoft Antispyware and upgrades it without the need to uninstall the earlier version first.




Symantec’s SystemWorks Installed a Rootkit of its Own

Apparently Symantec was installing its own rootkit along with Norton SystemWorks. The product created a folder, called NProtect, that was hidden from Windows Explorer and from Microsoft’s file APIs (in other words, it was in the regular filesystem, but Windows and any software that relied on the normal APIs couldn’t see that the folder existed). Symantec’s NProtect software was only designed to keep people from deleting SystemWorks files “accidentally” and didn’t directly threaten Windows, but a folder that the operating system refuses to show is exactly what virus writers want: anything dropped into NProtect would be a real rootkit that Windows and most anti-virus programs couldn’t detect or remove.

On the positive side, Symantec has recently, according to eWeek, released an update for SystemWorks that makes the hidden folder visible to Windows. Symantec likely decided that the bad publicity Sony drew with its slow response to a similar hidden folder wasn’t worth the protection it gave their own software.




Windows Security Exploit in WMF Files - List of Domains to Block at Firewall

A new security exploit for Windows, carried in .WMF (Windows Metafile) image files, is floating around the ‘net. Security Focus currently has limited details on this zero-day exploit, tracked as BID 16074. The bug allows remote code execution, which means it can be used to install any virus, trojan, rootkit, or program that the “publisher” sees fit to point it at. The exploit fires whenever Windows renders the file: viewing a web site with an infected image, opening a folder containing infected files in Windows Explorer (which draws thumbnails), or even when Google Desktop indexes an infected file (thanks to the F-Secure blog for this info). The trigger is not in the file’s header but in its record stream. A metafile is a list of GDI drawing commands, and one of them, an Escape record carrying the SETABORTPROC function, makes GDI register a callback whose code is taken from the file itself; simply playing the metafile is enough to run it, which is why nobody has to “open” the file for the system to be infected.

This WMF exploit works on fully-patched XP machines, although McAfee (Exploit-WMF), Symantec (Bloodhound.Exploit.56), Trend Micro (TROJ_WMFIOO.A), and F-Secure (W32/PFV-Exploit) have already issued signature updates that detect the exploit file itself (most of the payloads it drops were already detected).

Since this is a zero-day exploit, there is no Microsoft patch available for Windows systems. Confirmed vulnerable are all flavors of Windows XP, including the Home, Pro, Tablet, and Media Center versions. Windows 2000 is very likely vulnerable as well, since the flaw is in the GDI code shared across Windows versions rather than in anything XP-specific, and the Windows Vista betas are probably vulnerable too. Running Firefox (before 1.5) or Opera doesn’t help, because both browsers hand WMF files to “Windows Picture and Fax Viewer”, which plays the metafile.

I recommend all network admins block the following domains (obfuscated so hotlinks aren’t auto-created by browser tools or desktop search engines; thanks to F-Secure for the URLs). Most firewalls filter by IP address rather than name, so block these at the proxy or DNS level, or resolve them first and block the resulting addresses:

  • unionseek (dot) com
  • crackz (dot) ws
  • tfcco (dot) com
  • iframeurl (dot) biz
  • beehappyy (dot) biz
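
Blocking the known distribution sites only catches the copies seen so far. As an added example (not code from the original post or from any of the vendors named above), here is a PowerShell scanner that parses the WMF record stream of every file under a folder by content and flags any file carrying the Escape/SETABORTPROC record the exploit depends on. Function names are mine, and the byte sample at the end is a constructed minimal metafile, not a captured exploit.

```powershell
# Added example, not from the original post: walk the WMF record list and report
# files that contain an Escape record invoking SETABORTPROC. A picture has no
# legitimate reason to carry one. Layout assumed (standard WMF): optional 22-byte
# placeable header, 18-byte META_HEADER, then records of (size in words, function, params).

$META_EOF        = 0x0000
$META_ESCAPE     = 0x0626
$SETABORTPROC    = 0x0009
$PLACEABLE_MAGIC = 0x9AC6CDD7

function Test-WmfAbortProc {
    # Returns 'SetAbortProc', 'Malformed', 'NotWmf' or 'Clean' for a byte array.
    param([Parameter(Mandatory)][byte[]]$Bytes)

    $pos = 0
    if ($Bytes.Length -ge 22 -and [BitConverter]::ToUInt32($Bytes, 0) -eq $PLACEABLE_MAGIC) {
        $pos = 22                                      # skip the Aldus placeable header
    }
    if ($Bytes.Length -lt $pos + 18) { return 'NotWmf' }

    $type        = [BitConverter]::ToUInt16($Bytes, $pos)       # 1 = memory, 2 = disk
    $headerWords = [BitConverter]::ToUInt16($Bytes, $pos + 2)   # always 9 words
    if (($type -ne 1 -and $type -ne 2) -or $headerWords -ne 9) { return 'NotWmf' }
    $pos += 18

    while ($pos + 6 -le $Bytes.Length) {
        $sizeWords = [BitConverter]::ToUInt32($Bytes, $pos)
        $function  = [BitConverter]::ToUInt16($Bytes, $pos + 4)
        if ($function -eq $META_EOF) { return 'Clean' }

        if ($function -eq $META_ESCAPE) {
            # Escape params: EscapeFunction (2 bytes), ByteCount (2 bytes), data.
            if ($pos + 8 -gt $Bytes.Length) { return 'Malformed' }
            if ([BitConverter]::ToUInt16($Bytes, $pos + 6) -eq $SETABORTPROC) { return 'SetAbortProc' }
        }
        # Size counts the 6 header bytes too, so anything under 3 words cannot be a record.
        if ($sizeWords -lt 3) { return 'Malformed' }
        $pos += $sizeWords * 2
    }
    return 'Malformed'   # ran off the end without a META_EOF record
}

function Find-WmfAbortProc {
    # Scan by content, not extension: GDI identifies a metafile by its header, so a
    # hostile file can be renamed to anything and still be played.
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -Path $Path -Recurse -File | ForEach-Object {
        $verdict = Test-WmfAbortProc -Bytes ([System.IO.File]::ReadAllBytes($_.FullName))
        if ($verdict -ne 'NotWmf' -and $verdict -ne 'Clean') {
            [pscustomobject]@{ File = $_.FullName; Verdict = $verdict }
        }
    }
}

# Constructed sample: a minimal 'disk' WMF whose only drawing record is an
# Escape/SETABORTPROC with two bytes of data, followed by META_EOF.
$sample = [byte[]]@(
    0x02,0x00, 0x09,0x00, 0x00,0x03, 0x00,0x00,0x00,0x00, 0x00,0x00, 0x00,0x00,0x00,0x00, 0x00,0x00, # META_HEADER
    0x06,0x00,0x00,0x00, 0x26,0x06, 0x09,0x00, 0x02,0x00, 0x41,0x41,                                  # Escape, SETABORTPROC
    0x03,0x00,0x00,0x00, 0x00,0x00                                                                      # META_EOF
)
Test-WmfAbortProc -Bytes $sample

# Usage against a share or a user's profile:
#   Find-WmfAbortProc -Path 'C:\Documents and Settings' | Format-Table -AutoSize
```

Treat a ‘Malformed’ verdict as worth a look too: the parsers in GDI and in the antivirus engines disagree on how to handle bad record lengths, and a file that only one of them can read is a classic way to slip past the other.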




Detailed (and Trustworthy) Adware Research and News from Ben Edelman

Ben Edelman gets to decide what is and isn’t spyware. That’s actually a good thing.

Normally the only people deciding what spyware-adware-malware-grayware really is are the anti-spyware vendors, some of whom sell rogue anti-spyware themselves or have quietly backtracked on blocking certain programs. Ben is opposed to any and all spyware and, as a lawyer and expert witness, has a vested interest in keeping his credibility intact.

Not all anti-spyware publishers are listening to him, but they probably should be. Rather than proclaiming that he just doesn’t trust “X”, or ranting about how horrible spyware is, he does the research to quantify how intrusive a piece of software actually is. By fully documenting what a program and its publisher do, Ben shows what really deserves to be called spyware. For the best reading, check out the “Featured Research” box at the top-right of Ben’s website.



New Microsoft AntiSpyware/Windows Defender Version Released

Microsoft has released AntiSpyware beta 1.0.701, which extends the AntiSpyware beta period to July 31st, 2006. The new version is noteworthy for being able to remove the half-witted Sony rootkit and for probably being the last version of AntiSpyware before the name is officially changed to “Windows Defender” - <insert bad superhero joke here>.