SAGE Advice - The wise choice
2 Ashcroft Crescent, MONASH, ACT 2904 sageadvice@sageadvice.com.au
02 6291 8920


Web browser "malware" etc

Msupdate - current threat

Prevention before cure!

What is malware

Preventing malware and such is always better than cure.  Anti-virus software is a must. Sage Advice recommends Trend Micro's Pc-Cillin Internet Security 2006. It is a top performer as anti-virus, performs well at anti-spyware/anti-adware, has an e-mail spam filter and anti-phishing, and now has a "two way" firewall (that is, it will monitor outgoing traffic as well as incoming, in case you get a "trojan" which runs on your PC sending data out).

Most malware works by either making an entry in the Windows registry so that the malware runs every time you start Windows, or by adding itself to the "Browser Helper Objects" which run when you open Internet Explorer.  It follows that most malware can be thwarted by preventing these changes.

Spybot has an oddly named utility called Tea Timer which does exactly that. If an attempt is made to change any of the critical registry entries, a prompt is given allowing the user to accept or decline the change.  If you are installing new software the answer will probably be Accept. But if you are not ....

Microsoft's AntiSpyware program has a similar but much less effective tool, and it uses far more system resources to run.


Currently circulating, and not always trapped by anti-virus or spyware detection, is a file called msupdate.exe.  This is not from Microsoft. It shows up in the Startup menu folder in Win98 and in the Task Manager list.

First, stop it from running:

  1. Open Windows Task Manager.
    » On Windows 95, 98, and ME, press
    CTRL+ALT+DELETE
    » On Windows NT, 2000, and XP, press
    CTRL+SHIFT+ESC, then click the Processes tab.
  2. In the list of running programs, locate the process:
    msupdate.exe
  3. Select it and press either the End Task or the End Process button, depending on the version of Windows on your system.
  4. To check if the malware process has been terminated, close Task Manager, and then open it again.
  5. Close Task Manager.

Now undo the changes it has made.  

  1. Click Start>Run.
  2. In the Open input box, type:
    command /c copy %WinDir%\regedit.exe regedit.com | regedit.com
  3. Press Enter.
  4. In the left panel, double-click the following:
    HKEY_CLASSES_ROOT>exefile>shell>open>command
  5. In the right panel, locate the registry entry:
    Default
  6. Check whether its value is the path and file name of the malware file.
  7. If the value is the malware file, right-click Default and select Modify to change its value.
  8. In the Value data input box, delete the existing value and type the default value:
    "%1" %*
  9. Repeat this procedure for the following registry keys:
    HKEY_CLASSES_ROOT\comfile\shell\open\command
    HKEY_CLASSES_ROOT\piffile\shell\open\command
    HKEY_CLASSES_ROOT\htafile\shell\open\command
    HKEY_CLASSES_ROOT\batfile\shell\open\command
  10. Close Registry Editor.
  11. Click Start>Run, then type:
    command /c del regedit.com
  12. Press Enter.
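As an added example (not from this page, and not Trend Micro's or Spybot's own tooling), the following Python script checks a Registry Editor export (a .reg file) for the persistence points discussed above: the exefile, comfile, piffile, htafile and batfile associations that msupdate.exe rewrites, the Run keys that malware uses to start with Windows, and the Browser Helper Objects list. It only reads the export, so it is safe to run on a copy while deciding what to repair. The sample export, the CLSID and program names in it, and the helper names (parse_reg, exe_name, audit) are constructed for the illustration; msupdate.exe is the file named on this page. One caveat the procedure does not spell out: the correct default value has a space between "%1" and %*, and on Windows XP the htafile command normally names mshta.exe rather than the bare default, so the script expects that form for htafile.

```python
import re

# Constructed sample of a Registry Editor export (not taken from any real
# machine). The .exe association has been hijacked so the bogus msupdate.exe
# runs in front of every program; the other keys still hold their defaults.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\msupdate.exe \"%1\" %*"

[HKEY_CLASSES_ROOT\comfile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\piffile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\htafile\shell\open\command]
@="C:\\WINDOWS\\system32\\mshta.exe \"%1\" %*"

[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="\"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AntiVirusGuard"="\"C:\\Program Files\\AntiVirus\\guard.exe\""
"msupdate"="C:\\WINDOWS\\msupdate.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-2222-3333-4444-555555555555}]
@="Example PDF link helper (constructed CLSID)"
'''

# Correct default for exefile, comfile, piffile and batfile (note the space).
EXPECTED_DEFAULT = '"%1" %*'
ASSOC_PATTERNS = {"HKEY_CLASSES_ROOT\\%sfile\\shell\\open\\command" % ext:
                  "^" + re.escape(EXPECTED_DEFAULT) + "$"
                  for ext in ("exe", "com", "pif", "bat")}
# .hta files are run through mshta.exe, so that key normally names it.
ASSOC_PATTERNS[r"HKEY_CLASSES_ROOT\htafile\shell\open\command"] = (
    r'^"?(?:[A-Za-z]:\\[^"]*\\)?mshta\.exe"? "%1" %\*$')
RUN_KEYS = [
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce",
]
BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
KNOWN_BAD = {"msupdate.exe"}  # the file named on this page


def parse_reg(text):
    """Parse a .reg export into {key: {value_name: data}}. Handles [key]
    headers, @ (default) and "named" values with string data; other data
    types are kept as their raw text."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", "REGEDIT4", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and "=" in line:
            name, data = line.split("=", 1)
            name = "(Default)" if name == "@" else name.strip('"')
            if len(data) >= 2 and data[0] == data[-1] == '"':
                # .reg escapes backslash and quote with a leading backslash
                data = re.sub(r'\\(["\\])', r"\1", data[1:-1])
            keys[current][name] = data
    return keys


def exe_name(command):
    """Base file name of the program a registry command line launches."""
    cmd = command.strip()
    token = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]
    return token.rsplit("\\", 1)[-1].lower()


def audit(keys):
    """Return (kind, where, detail) findings for file associations, Run keys
    and Browser Helper Objects."""
    findings = []
    for key, pattern in ASSOC_PATTERNS.items():
        cmd = keys.get(key, {}).get("(Default)")
        if cmd is None:
            findings.append(("missing-association", key, ""))
        elif not re.match(pattern, cmd):
            findings.append(("hijacked-association", key, cmd))
    for key in RUN_KEYS:
        for name, cmd in keys.get(key, {}).items():
            kind = "known-bad-autorun" if exe_name(cmd) in KNOWN_BAD else "autorun"
            findings.append((kind, key + "\\" + name, cmd))
    for key, values in keys.items():
        if key.startswith(BHO_KEY + "\\"):
            findings.append(("bho", key[len(BHO_KEY) + 1:], values.get("(Default)", "")))
    return findings


if __name__ == "__main__":
    for kind, where, detail in audit(parse_reg(SAMPLE_REG)):
        print(f"{kind:22} {where}  ->  {detail}")
```

On a real machine, export the keys above from Registry Editor to a file and call audit(parse_reg(open(path).read())). Every "hijacked-association" line is a key to restore as in steps 4 to 9; "autorun" entries are listed for review rather than flagged, since legitimate software (your anti-virus, for one) lives there too.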


Virus outbreaks are a relatively well known problem these days.  But there are others.

Spyware often comes, unannounced, with applications or programs downloaded. KaZaa is well known for delivering spyware.  The object is to send data from your PC to remote servers.  Quite what they do with the data is unclear, but any decipherable credit card numbers could be useful.  The best way to avoid spyware is to take great care what you download and from where. Easier said than done.  About the best way to block and/or eliminate spyware is Ad-Aware from LavaSoft.  One sign of spyware is unexpected traffic on your Internet connection sending data.  You should only expect to send data when sending e-mail or, to a limited degree, whilst downloading files or surfing. Each time you request a site or page some data must be sent.  Each file you download (which includes web pages) is sent as a series of "packets".  Every so many packets your PC must tell the sending server that you have received the packets.  Continuous upload traffic is probably spyware.
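To make the "continuous upload traffic" rule concrete, here is an added Python example (not part of the original page) that applies it to per-interval byte counters of the kind a connection monitor or router status page shows. The counters are constructed for the illustration, and the thresholds (at least 5,000 bytes sent in an interval, outbound at least twice inbound, six consecutive intervals) are assumptions to tune for a real link. The point of the run-length requirement is that a download (mostly incoming, with small acknowledgements going out) and a one-off e-mail send (a short burst going out) both fail the rule, while a program that keeps sending does not.

```python
# Constructed per-interval byte counters for one Internet connection as
# (interval_index, bytes_in, bytes_out); not captured from a real PC.
SAMPLES = (
    [(t, 200, 100) for t in range(0, 5)]            # idle
    + [(t, 60_000, 2_500) for t in range(5, 10)]    # download: only small acknowledgements go out
    + [(t, 1_500, 40_000) for t in range(10, 12)]   # sending an e-mail with an attachment
    + [(t, 200, 100) for t in range(12, 20)]        # idle again
    + [(t, 800, 12_000) for t in range(20, 36)]     # steady upload with nothing much coming back
)


def is_upload_dominated(bytes_in, bytes_out, min_out=5_000, out_to_in=2.0):
    """True when an interval sends a meaningful amount and sends more than it
    receives. A download fails this because the acknowledgements it sends are
    a few percent of what arrives."""
    return bytes_out >= min_out and bytes_out >= out_to_in * bytes_in


def find_sustained_upload(samples, min_run=6, **thresholds):
    """Return (first, last) interval indexes of every run of at least min_run
    consecutive upload-dominated intervals. A short burst such as sending one
    e-mail never reaches min_run; spyware or a bot feed keeps going."""
    runs, start, last, count = [], None, None, 0
    for t, bytes_in, bytes_out in samples:
        if is_upload_dominated(bytes_in, bytes_out, **thresholds):
            if count == 0:
                start = t
            count += 1
            last = t
        else:
            if count >= min_run:
                runs.append((start, last))
            count = 0
    if count >= min_run:  # a run that is still going when the data ends
        runs.append((start, last))
    return runs


if __name__ == "__main__":
    for first, last in find_sustained_upload(SAMPLES):
        print(f"sustained upload from interval {first} to {last}: worth a spyware scan")
```

With the sample counters only the final block (intervals 20 to 35) is reported; lowering min_run to 2 would also report the e-mail burst, which shows why the run length matters as much as the byte thresholds.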

Ad-Aware will also stop ads (or new web pages) from popping up in your browser.  However, this can also stop some web sites from working correctly.  Internet banking is a classic case, where a new browser window is popped up in such a way as to prevent you reaching it without a password.

Other little files which end up on your PC are designed to keep taking you to sites which reward the malware author for each visit.  Some of these are referred to as "bots", short for robot, because they operate your Web browser for you.  Often associated with spyware, bots operate by connecting you to the specified web sites, usually when the browser starts up.  You may see unexpected traffic on your Internet connection, your browser change to a new page unexpectedly, or just that your browser seems unresponsive. Spybot is good for catching this sort of software as well as the items Ad-Aware misses.

One variation on the bot is Browser Helper Objects (BHOs).  Adobe Acrobat uses a BHO to integrate Acrobat into your browser to open PDF files within the browser.  No problem there. There are many other OK uses too.  However, BHOs can also be used to force your browser to open selected web sites (often multiple sites) every time your browser opens. They may also cause the same sites to be visited at regular intervals. You may see unexpected traffic on your Internet connection, your browser change to a new page unexpectedly, or just that your browser seems unresponsive.  One way to test for these is to open your browser when no Internet connection is available (and do not log on to a connection).  You will probably see your browser "flickering" and repeatedly trying to connect to a site. BHODemon is great for getting rid of these.


Last modified: January 03, 2008