Numismatic Coin Club World Internet Numismatic Society


From Behind The Green Curtain
- August 2008 -


It Can Happen To Anyone - In early July I was aware that my virus software update service was about to expire and, because the software itself was 4 years old, I figured it was probably time to acquire something more up to date. After comparing all of the top brands, I decided to try something new, so I downloaded a new piece of software overnight and ordered a backup CD as well. Checking to ensure that everything was shut down, I loaded the new stuff, and the effect was surprising to say the least. My system froze in the middle of the initial load, but long downloads have resulted in corrupted data in the past, so it wasn't too surprising. So I waited for the CD to arrive, but what I didn't realize is that the failed software load had also corrupted my system, shutting off my current virus service updates and notifications. Then the backup CD wouldn't load either, my current service (which had not been updating) had expired, and I still hadn't seen any system notification.

Within minutes of going online, the notification I received turned out not to be from my system or the service provider, but from a virus/Trojan instead; it was detected and ultimately removed by the current virus software. Going online a second time to access the service provider's web site to check the update status turned out to be fatal, because the next attacks destroyed the operating system, and it took 9 days to perform a "do-over" operating system reload and wait for snail mail arrival of new virus software. The lesson here is that you need to keep on top of the virus software and update service, because it now seems that the bad guys can attack an unprotected system within minutes. And, when shutting down software to load new stuff, remember to turn off those programs running in the background too. Some do not play well with others and can cause an unbelievable amount of headaches.

If any member has had a similar experience and would like to share it, please contact me and I'll help you get your story ready to place here. It just might help another member avoid the problems that are thrown at us daily in today's less than friendly Internet environment.



WINS Email Lists - Traffic has been very light lately, but it appears that the Lists are working problem free. If you are experiencing any List problems please let me know and I'll do what I can to help get it fixed.



Speaking Of Email - Are you aware that the WINS domain associated email addresses that we used in 2007 are no longer functional and haven't been for almost 6 months? If you are still using any of these to contact a Board officer, don't - they're all dead. These addresses, along with my own domain's email address, were harvested by SPAMMERS and were shut down by the service provider for a while. Unfortunately, I still receive hundreds of SPAM bounces daily from messages sent using my own domain's email address, and it's even made me consider shutting down my domain for good.



Infection and Malware Alerts - Below are some new and continuing problems reported in August to keep your eye out for. Information source, Panda Security's weekly report on viruses and intruders - Virus Alerts.

Viruses:

The Sality.AG virus is a highly complex, encrypted and polymorphic file infector. When run, it drops another executable file, detected by PandaLabs as Sality.AG.drp, onto the computer. It is designed to install a Windows driver which acts as a rootkit. The main objective of this virus is to support subsequent infections (probably from Trojans), making their detection more difficult due to its polymorphic engine. These combined attacks, which use more than one type of malware, are highly dangerous, since the samples use the features of other samples to go unnoticed and cause damage.

Worms:

The GetCode.A worm is designed to infect files with the following extensions: .Mp3, .Wmv, .Wma and .Mp2. It also downloads other malware samples onto the system by connecting to a Web page.

The Boface.A worm spreads through social networks (MySpace and Facebook) by publishing comments that seem to refer to YouTube videos, but actually take users to web pages where they will get infected. To do this, the worm inserts a link in comments posted on both networks to take users to a fake web page that resembles the actual YouTube site. When the user tries to watch the video they are encouraged to install the latest Flash Player version. However, if they do so, they will actually be letting a copy of the worm into their computers.

The Autorun.ACA worm reaches computers as an executable file that tries to pass itself off as a Word document. Depending on the system configuration, the actual extension of the 'document' might not be displayed. This worm is designed to copy itself to %Root% under the name JONIEZZ.EXE and to %SystemRoot%\LoLOxz as SMSS.EXE. It also copies itself to external drives and shared drives, together with an AUTORUN.INF that launches it. This way, the worm tries to infect any user that might access these drives.

The W32/P2PWorm.F worm spreads through mapped and removable drives and P2P programs. To spread through file exchange networks it copies itself to the shared directories of P2P programs under the names of keygens, game cracks, security programs, or popular applications like instant messaging clients. It also inserts entries in the Run registry key to run automatically when the computer starts up. This malware collects information from the infected computer, for example, passwords for programs like CuteFTP, FlashFXP, TotalCmd, SmartFTP, FileZilla, Sniff, etc.

Oscarbot.UG is a worm with backdoor features which spreads using AOL Instant Messenger (AIM). When run, it copies itself to the system as well as to USB drives that connect to it. The worm connects to a Web page and uses IRC to send and receive information. To prevent detection, it stops running if it finds that it is being run on a virtual machine such as VMware, in a sandbox or in a honeypot (tools that are often used to check in a controlled environment whether an executable file is running malicious commands).

Trojans:

The Banker.LGC Trojan is malicious code designed to steal banking data (account numbers, passwords, etc.) from users of a major bank. It is distributed through an email falsely reporting an accident suffered by the F1 racer, Fernando Alonso. According to the fake email, the Spanish driver had an accident in Bilbao (Spain) and was severely injured. The article has been designed to appear as if it were extracted from a leading national newspaper. The message includes a link inviting readers to download a video which supposedly contains statements made by witnesses and investigators about the accident. If users click the link, they will download a copy of the Banker.LGC Trojan onto their computer. This Trojan connects to an IRC channel and awaits instructions from its creator.

The Nabload.DIK Trojan tries to trick users by playing a video of the Playboy model Kelly Key while it downloads banker malware in the background in order to run and install it on the infected system. Once installed on the computer, the process.exe and orkut.exe files run silently, waiting to collect the user's banking data. Nabload.DIK uses a YouTube link to avoid raising suspicion while the infection takes place.

The Exchanger.T Trojan reaches systems via email in messages with subjects like these: "Madonna admits to extra marital affair", "Dog killed by stray golf ball", "McCain goes out on negative campaign against Obama", etc. These messages include a link to a URL that supposedly takes victims to the news story. On accessing it, users are advised to download an Adobe Flash Player update to watch it. However, the user will actually install Trj/Exchanger.T, a Trojan designed to download the Application/AntivirusXP 2008 malware to the infected computer. This malware is a fake antivirus ("Antivirus XP 2008") which sends out spam messages to spread the infection.

Bck/PcClient.HV is a Trojan that opens a backdoor in the computer, inserts an entry in the Run registry key and copies three files to the system: PCCORTR.DLL and 81.DLL in C:\WINDOWS, and WUAUCT.EXE in C:\WINDOWS\SYSTEM32. All of them are detected as Bck/PcClient.HV. The Trojan uses the libraries (.DLL files) to reduce the security level of the browser and the WUAUCT.EXE file to connect to a remote address in order to send out information about the infected computer. When the user runs the infected file, a 12-slide PowerPoint presentation is displayed with photos of the Olympic facilities in Beijing.

The Spammer.AJF Trojan is designed to send spam from infected computers. The email that it sends is written in Italian and has the following subject: Ci sono i problemi con la potenzialita? D'ora innanzi non ci saranno piu. The Trojan creates several copies of itself on the infected system. It also creates a series of Windows Registry entries affecting Internet security, including one which prevents Internet Explorer from warning about non-secure or dubious Web pages.



Auction News - Please remember, our Vice President, Doug Prather, WINS#294, has taken on the task of running "Joe's Hat Drawing" and is accepting the donations (or the data), making the list and performing the actual drawing. If you would like to share part of your collection like Joe did for so many years, please contact Doug, preferably a couple of weeks before the next auction.

Auction 51 just closed and I have to say I am dismayed at some of the things that transpired. There are a surprising number of bidders that are still not using the correct format to place their bids. What they don't seem to understand is that these formats really help me to update the HTML auction page more easily and in a timelier manner. Even if you're certain you're using the specified format, please check, because far too many of you are not. While not providing a member number, not listing your bids in numerical order, or continuing to use the WINS acronym when it isn't in the bidding format may not seem like biggies, they all slow down the page update. My thanks to those members that have taken the time to place their bids in the requested format; it really does help.

Something also happened for the first time in a WINS auction that has necessitated Board intervention. A member placed a group of bids, but recorded one Lot number in error with a bid that was almost three times higher than the Lot's value, which stopped all bidding on that Lot. The member didn't check the accuracy of their bids before submitting them, didn't verify that they had been recorded properly by visiting the web page after they had been posted, and didn't respond to email questioning the accuracy of the bid. The member also didn't visit the web page again until after the auction closed. Now that member wants to withdraw the bid because they placed it in error.

Folks, I don't know of any auction site where a bidder can withdraw their bid after the auction closes because they really didn't mean to place the bid. As I write this no Board resolution has been reached, so I cannot report the outcome, but I can predict another change in the Auction Rules and a few very unhappy members. What is sad is that the lack of consideration by one member has caused so much consternation for at least eleven other members, and the WINS auctions are beginning to look less and less like the family event we once knew. First it was sniping, now it's bidders not paying attention to their bids and standing by them. If this pattern continues, I shudder to think what will become of the WINS auctions. Stay tuned, news at eleven.

Auction 52 is scheduled for October 4-11 and sellers may submit their lots at any time.



As always, your comments and suggestions are welcome.

Thanks for stoppin' by.  "See ya' at the auction".
JD White
WINS#7, Operations Admin





Information contained on this page is posted for WINS Club Members use.
If you have any comments or problems with this or any other Club Site page,
please contact the: Operations Admin.

Copyright © 2008 All Rights Reserved.        Legal Notices