Numismatic Coin Club World Internet Numismatic Society



From Behind The Green Curtain
- August 2009 -


Howdy everyone,

Summer is waning and up on this mountain the crispness of nightly temperatures in the upper 40s gives the impression that winter is just around the corner. While it's hopefully still a couple of months away, one never knows. The Mogollon (pronounced Mo-gie-on) Rim has a tendency to make its own weather, and the saying around here is, "If you don't like the weather, wait 10 minutes; it'll change."

Another thing that comes around about this time every couple of years is the WINS general elections. That's when you, the "active" membership, determine who occupies the Board positions for the next 2 years. Have you considered giving some of your time to the club to help keep it growing? Some positions require more effort than others, but every one of them is important to keep the club running. Please consider throwing your name into the ring for a Board position, and that includes mine. Just because I've been in this position since day 1 (yikes! that's almost 10 years now) doesn't mean that there isn't somebody in the membership who can do a better job. Give it some thought; it's your club. Are you ready to step forward and show that it means something to you?



WINS Email Lists - I realize I say this in every column, but the Lists do remain consistently operational. Traffic remains very light on the talk list and almost nonexistent on the trade list, but both lists appear to be working problem free. During the August auction there were a large number of List members' addresses that were bouncing List mail, and one member was having difficulties getting their bids to me, but it may have been that they were sending to the wrong address or it could have been a localized problem. Please keep in mind that I have no control over what your ISP is doing with maintenance down times or email filtering. Sometimes it takes contacting them to correct your problem, but if you are experiencing any List problems please let me know and I'll do what I can to help get it fixed.



Auction News - The 2009 auction schedule is posted on the Auction introduction web page. Auction 58 came and went in early August, and even though it was a relatively small auction there was quite a bit of bidding taking place. You can add your support to the auction by offering your duplicate coins or just visiting the current auction web page and placing a bid or two. When the auction is underway, I update the auction page four or five times daily, so if you place a bid and it doesn't show up on the page within a reasonable amount of time, please drop me an email to make certain that your bid was received. And, please ensure that you send all auction email to me using the address shown on the auction page.



Infection and Malware Alerts - Listed below are some new and continuing problems reported in July/August to keep your eye out for. Information source: Panda Security's weekly "Virus Alerts" reports on viruses and intruders.

 - - VIRUSES: - -

Brontok.KN is a virus designed to infect executable (.exe) files. The infected files have a folder icon and the name of the existing folder. Additionally, it deletes files corresponding to several antivirus programs, and ends processes related to security programs and applications such as the Task Manager or the Command console.

 - - WORMS: - -

Waledac.BN is a worm that spreads using US Independence Day (July 4) as bait. This malicious code reaches computers through emails with subjects including "Let's celebrate Indendence Day" (sic), and with messages in the email text such as "Amazing Independence Day salute", together with a link (image shown here). On clicking the link, users are redirected to a page resembling YouTube, where they can view a video about July 4 (image shown here). On clicking the video, a message is displayed, tempting users into downloading an executable file supposedly required to view the video (shown here). The file names used are fireworks.exe, video.exe, install.exe, patch.exe, setup.exe and run.exe. These files are a copy of the worm. These two malicious codes are examples of social engineering, i.e. the use of sensational news or issues to attract users and tempt them into clicking malicious links or downloading infected files.

MyDoom.HN is a worm designed to launch Distributed Denial of Service (DDoS) attacks against American and South Korean websites. Additionally, if the system date is later than July 10 it damages the affected computer's hard disk, rendering it unusable. To do so, it overwrites the initial sectors of the hard disk with junk bytes. It also deletes the MBR (Master Boot Record). This malicious code reaches users' computers through emails with subjects related to July 4, Independence Day (United States) (example of these emails shown here).

Sohanat.IM worm spreads through external devices. Once it has infected a computer, this malicious code adds a copy of itself in several paths and removable drives. Additionally, in order to run every time a session is started, it creates several entries in the Windows Registry.

Koobface.EA worm spreads via Facebook by publishing a video on the infected users' Facebook page, for all their friends and contacts to see it. On trying to watch the video, users are redirected to a page similar to YouTube's. Then, they are asked to download an Adobe Flash version supposedly necessary to watch the video. This file is actually a copy of the worm. To make the attack even more dangerous, the worm downloads another malicious code to the infected computer: the AntiSpyware Pro 2009 fake antivirus. This malicious adware simulates a system scan detecting dozens of non-existent malware strains. Then, it offers users the option to eliminate them using a paid version of the fake antivirus. As you can see, the objective is to get financial returns from this malicious code (images of the infection process shown here).

P2Pworm.BJ is a worm designed to steal the information entered on online forms through the Internet Explorer and Firefox browsers. The worm uses the following means to spread:
- Peer-to-peer (P2P) file sharing programs: It creates copies of itself in the shared directories of several programs (Ares, BearShare, Emule, Imesh and Shareaza). The users of these programs can access the shared directories remotely and download some of the files belonging to P2Pworm.BJ to their computers.
- Removable drives: It copies itself to the RECYCLER folder of removable drives. Also, it creates an AUTORUN.INF file on these drives to run every time they are accessed.
- MSN Messenger: It sends messages with a copy of itself to the user's contacts connected at the time of the infection.

Lineage.LAS worm spreads through mapped drives. It copies itself to several folders and downloads a malicious file. It also creates a file called Autorun.inf which allows it to run every time the user opens a folder. Additionally, it modifies the Windows registry to run on every system restart. One of the malicious actions the worm carries out on infected computers is to prevent users from viewing hidden files and folders.

Harakit.D worm downloads an update of itself as soon as it is run. It then modifies the registry to run on every Windows restart and when the browser is opened. Additionally, it ensures that hidden files cannot be viewed and tries to spread to other computers. Harakit.D uses two main propagation methods: through shared network drives and via USB devices. In the first case, not only does it spread through shared local network folders, but also through the Internet subnet used by the user. When spreading via USB devices, it copies itself to the root directory of the USB device and creates a file called autorun.inf, in order to run automatically when connected to another computer.

Ramson.G is a worm which appears on screen with the icon of an executable file and constantly launches the Windows taskkill utility to eliminate processes, passing it a series of commands. When the computer is restarted, a message in Russian is displayed and a code to access the system is requested. Once the code is entered, it displays another message and restarts the system. It spreads through mapped, shared and removable drives. It uses an autorun.inf configuration file so that the malware self-executes from these drives.
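The autorun.inf trick shared by P2Pworm.BJ, Lineage.LAS, Harakit.D and Ramson.G above is something a defender can check for directly. The following is an added example, not code from the newsletter or from Panda's reports: a small Python triage script that parses an autorun.inf copied off a removable drive, reports every directive that would launch a program, and treats a launch target under RECYCLER (the P2Pworm.BJ drop location) as suspicious. The key names are the standard autorun.inf ones; both sample files are constructed for the example.

```python
import re

# Keys in [autorun] that launch a program (standard autorun.inf names; the
# shell\<verb>\command form covers custom context-menu verbs worms add).
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$")
EXECUTABLE_EXT = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs")
# P2Pworm.BJ drops its copy in RECYCLER; a launch target there is a red flag.
RECYCLER_DIR = re.compile(r"(^|[\\/])recycler([\\/]|$)", re.IGNORECASE)
FIRST_TOKEN = re.compile(r'^(?:"([^"]*)"|(\S+))')  # quoted path or first word

def parse_autorun(text):
    """{section: {key: value}}, names lower-cased; comment and junk lines skipped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections

def launch_findings(text):
    """[(key, target, reasons)] per launch directive; reasons from {'recycler', 'executable'}."""
    findings = []
    for key, value in parse_autorun(text).get("autorun", {}).items():
        if not LAUNCH_KEY.match(key):
            continue
        m = FIRST_TOKEN.match(value)
        target = (m.group(1) if m.group(1) is not None else m.group(2)) if m else ""
        reasons = []
        if RECYCLER_DIR.search(target):
            reasons.append("recycler")
        if target.lower().endswith(EXECUTABLE_EXT):
            reasons.append("executable")
        findings.append((key, target, reasons))
    return findings

def verdict(text):
    """'suspicious' if a launch target is under RECYCLER, 'review' if anything is
    launched at all (genuine install media do this too), else 'clean'."""
    findings = launch_findings(text)
    if any("recycler" in r for _, _, r in findings):
        return "suspicious"
    return "review" if findings else "clean"

# Constructed samples: a worm-style file modelled on the RECYCLER drop above,
# and a harmless one that only sets an icon and label.
WORM_STYLE_AUTORUN = """[AutoRun]
Open=RECYCLER\\S-1-5-21-0000\\svchost.exe
shell\\Open\\Command=RECYCLER\\S-1-5-21-0000\\svchost.exe
shell\\Explore\\Command="RECYCLER\\S-1-5-21-0000\\svchost.exe" -e
UseAutoPlay=1
"""
LABEL_ONLY_AUTORUN = "[autorun]\nicon=photos.ico\nlabel=Holiday 2009\n"
```

Run it against the autorun.inf from a USB stick before opening anything on it; a "review" verdict on a home-made stick that should only carry photos is itself worth a look.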

 - - TROJANS: - -

Downloader.WCF Trojan reaches computers in an email that includes a link claiming to point to a video of Michael Jackson's death on YouTube. On clicking the link, users download a file that passes itself off as a video. On running the file, they really install the Downloader.WCF Trojan. To fool users, the Trojan redirects them to a legitimate web page displaying an article about Michael Jackson to make them believe the file has run correctly (photo of the page shown here).

Sinowal.WKM is a Trojan that uses the subject of Michael Jackson's death to lure users. It is spread through emails with subjects such as "Who killed Michael Jackson". The message contains a link which supposedly contains the answer to the question. In reality, the link redirects users to a malicious page from which the Trojan is downloaded.

Banbra.GIU is a banker Trojan. To fool users, it passes itself off as an executable file that resembles a bank security update. It asks users to reveal their banking details. To avoid raising suspicions, it checks and validates fields to prevent users from typing incorrect data, which increases users' trust in the program. Any details entered are sent to cyber-crooks (all the images of the fake program shown here).

Banbra.GIZ Trojan targets a Brazilian bank. When run, the malicious file opens a spoof bank application form informing users that the bank's IT systems are being updated and they must therefore enter their details again in the screen displayed. Any details entered are sent to cyber-crooks, providing them access to users' bank accounts.

Zapchast.ET is a backdoor Trojan designed to connect to IRC channels and await instructions that allow attackers to remotely access and control the compromised computer. Like other malicious codes that have appeared over the last few weeks, this malware uses the story of Michael Jackson's death to trick and infect users. In this case, the malware is distributed through emails with subjects related to the singer. Additionally, when run, it displays a photo of Michael Jackson (image shown here).

Pidief.A Trojan uses the Adobe CVE-2009-1862 vulnerability to infect users. The exploit takes advantage of a known vulnerability triggered when opening a PDF document with an embedded flash object. The Acrobat file viewer has a feature to run flash objects included in .PDF files. Thanks to the authplay.dll library, the file reader can open the flash viewer and display the content. In this case, the information sent to the viewer includes the instruction to download a malware file (Trj/Pidief.A). No flash object is then displayed to the user. Pidief.A can be used by its creator to download more malware to the affected computer, or to gain total or partial control of the infected system.

 - - ADWARE: - -

AVProtection2009 is an adware aimed at selling users a fake antivirus. When it runs, it simulates the installation of a legitimate antivirus (shown here). It then carries out a false scan of the affected system, supposedly detecting threats on the PC (shown here). Afterwards, it informs users that the software is a trial version and that they must purchase a pay version to disinfect the computer (shown here). If users do not purchase the pay version, it also displays pop-up messages (shown here). The objective is to profit from selling the premium version of spoof antiviruses.

SmartDefenderPro is a fake antivirus type of adware. This adware, like all of its kind, simulates a system scan detecting several malware samples which are really not on the computer (image shown here). Then, it invites users to purchase a license for the fake antivirus to eliminate the threats (image shown here). If users do not purchase it, it will display warning messages (image shown here).

PCSecurity2009 is a fake antivirus type of adware. When installed on the computer, this adware, like all of its kind, simulates a system scan, detecting dozens of malware samples which are really not on the computer. In this case, it also modifies the Windows Security Center so it indicates that the antivirus protection is disabled. Once the scan is complete, it encourages users to register the antivirus and purchase a complete pay version to eliminate the non-existent threats. Its objective is to profit financially from those sales (images of the process shown here).

HomeAntivirus2010 is a fake antivirus. As with all of its kind, it simulates an antivirus scan of the system. It then (falsely) claims to have detected dozens of examples of malware on the computer. It also modifies the Windows Security Center so that it indicates that the antivirus protection is disabled. The objective is to make users believe their computer is infected and their security is at risk to offer them a solution: purchasing a pay version of the fake antivirus. You can find images of the way this fake antivirus works here.

SecretService is yet another example of the now widespread fake antiviruses. This malicious code tries to trick users into believing their computer is infected. To do this, it generates numerous junk files, and offers users the possibility of buying an antivirus solution through an online transaction to remove them. This way, it steals users' credit card details. SecretService carries out a fake computer scan displaying an undetermined number of problems, and offers users the possibility of installing a security program. Once installed, SecretService's interface looks very similar to that of traditional antiviruses, even displaying the Windows Security Center page. SecretService can also display fake warnings reporting malicious files, registry errors, etc. These warnings are accompanied by a very characteristic sound. Other actions it carries out to make users believe they are infected include modifying the computer wallpaper. To make the program look more authentic, it inserts an icon in the browser taskbar. Finally, it displays a screen which requires the software to be upgraded to its paid version in order to eliminate all threats. Then, if users enter their banking details, they will be stolen. This fake antivirus reaches computers when users access a malicious web page and agree to install the program.

Registry Optimizer is a new example of the increasingly notorious fake antiviruses. These threats try to fool users by displaying a false infection on the computer to encourage them into purchasing fraudulent security software. In addition to defrauding users, malware creators steal users' bank details when they carry out the transaction. This malicious program displays an installation screen which resembles that of a genuine program, including an end-user license agreement. Once installed, Registry Optimizer carries out a fake system scan. When the scan ends, it shows a set of fake threats it has supposedly found on the computer and offers users the possibility of registering the product by paying a fee. If the program is closed, registry error warnings will continue to be displayed, and on clicking them the program will reopen. It also creates an icon on the desktop.

These fraudulent applications usually spread through file-sharing networks and users usually download them unwittingly because they have a different name or they are next to content users are interested in. They can also spread through pages that promote the program and allow users to download it, making them believe it is free or a demo, and that it will resolve their security needs. In the case of this fraudulent program, the page even displayed the awards "obtained" to look more credible (shown here).

Total Security 2009 is yet another example of the many fake antiviruses in circulation. This type of malware passes itself off as a legitimate software application in order to steal users' money by tricking them into believing that it will eliminate threats that actually do not exist. Once installed on the target computer, Total Security displays a warning indicating that the computer is at risk. Then, it simulates a system scan reporting a series of infections in order to scare users into buying the antivirus solution. On finishing the scan, Total Security displays a screen offering a solution to the user's problem. The solution consists of activating the fake antivirus. However, to activate the product, users must pay a fee to the anti-malware vendor. After this, users receive a code they must enter in the program. Once they do this, the malicious application stops displaying warnings about threats. This aims to make users believe they have actually bought an antivirus product, whereas, in reality, no infection has been removed and users are not protected against threats. Total Security installs on computers just as if it were a legitimate security solution. It creates a shortcut on the desktop, another one in the program directory of the Start menu, and a third one in the Add or Remove Programs section. This malware can reach users in a variety of ways: through links in spam messages, downloaded from a malicious Web page, etc. Once run, the program launches the installation process.

SaveSoldier is another example of malicious programs that pass themselves off as legitimate software applications in order to steal users' money by tricking them into believing that they will eliminate (non-existent) threats. This fake antivirus is designed to collect personal and bank details provided by users when they buy it. This malware pretends to scan the system for infected software and displays an interface which resembles the interface of a typical antivirus program. It then asks users to buy and install certain software to resolve problems caused by the malicious software supposedly detected on the computer.

When the fake antivirus 'detects' infected files, it prompts the user to enter a code they will receive when they buy the antivirus pack. To do so, users are redirected to a page where they can purchase the software using a credit card. It also displays several warnings informing about malware problems, registry errors, etc.



As always, your comments and suggestions are welcome.

Lastly, I hope you have the time to peruse my article on Chopmarks. It's taken a couple of years to get it to this version and while it still needs a couple of images I hope you find it interesting. Thanks for stoppin' by.  "See ya' at the auction".

JD White
WINS#7, Operations Admin





Copyright © 2009 All Rights Reserved.