Are You and Your Friends Fine — Virus Spam

Logged into my Google Email and was checking my spam to see what I see and this one draws my attention:

virusspam

I think I know where this is leading me but I click the link and this website with the Reuters logo pops up:

fakesvideo

Now as you can tell this looks authentic but when I did go to this site, AVG detected some trojan.  It blocked it, but  the file that it is downloaded called “save.exe” and I have talked about [intlink id=”2991″ type=”post” target=”_blank”]flash player fake updates[/intlink].  I have seen other blogs talking about dirty bomb news report leads to malware.  I don’t know about you but if I wanted to update my flash player, I go to the source and not use any links.  It is wise not to download any programs or files and run them without properly checking them out for viruses and Trojans.  You should have a fiewall and anti-virus running at all times and that will help but it is your actions that help your prevent from getting viruses or Trojans.

Is Google the ultimate news source?

As you know We had a big problem Monday Night and All day Tuesday. If you are a regular reader of this blog, you would of noticed either a 503 or lag. It was due to an article that I released late Monday night about the PIFTS.EXE and the so call conspiracy.

At the time, I was wondering and quite disturbed about what Norton Symantec was doing to the forums. So I blogged about this and wouldn’t you know my site was Held Hostage by Google. I kid you not, I had so many people come to my site in under an hour it wasn’t even funny.

[ad#cricket-right-ez]So I sit here, asking a really good question is Google the News? I don’t know exactly when but according to Wikipedia Google was formed in 1998. The Google Motto is Don’t Be Evil, and I guess it makes them look like a news source. When did they get past the news site? I would hazard a guess that it was in late 2004 they started when they when Google gave people the first chance to own the stock on August 19, 2004, when Google became a publicly held company.

I got hit hard by Slashdot, Reddit.com, and Google.  In truthfulness, It was more of searches and people coming from Google than anywhere else. I would say Google was the 90% and and Slashdot and Redidit was 8% and the rest was from other websites for this one article. Now don’t get me wrong the 2% of people was my normal amount of people for the day. So you can imagine how many people actually came to my site over this fiasco.

I call this a fiasco because basically it was one that really made me worry about the server going down. People seemed to try to find out about this program and some of them didn’t even do any more research than to come to my site? Although I do know a little, I have always considered myself to be a BLUE COLLAR Tech Blogger. So you can just call me “The Blue Collar Tech Blogger” when it comes to things like this. I will never proclaim I know everything and I am still learning every day I blog I learn something new.

So this leaves me with a question on how did Blogs become the news also?  Did we step into the roll of news?  I know there are many blogs out there that are telling the news and are almost as if they are the news.  Is that where this has become Web 2.0?  I throw these questions out to see what type of comment.  I just thought this was a good topic for today to talk about.

Fake Scareware Sites Popup after the Pifts.EXE Conspiracy

There Seems to Be a Fake site that are popping up today right after what happened with PIFTS.EXE. I just happen to Google it to see what people are talking about and this appears on the front page.

Not a real site!!

As you can see this leads to a server in Poland and once you go to it you see:

Not a real virus scanner

I will be reporting this to Phishtank. This is scareware which means  there is no real VIRUS because and you
Should never believe the screens when you see something like this. According to Wikipedia:

[ad#ad2-right]Some websites display pop-up advertisement windows or banners with text such as: “Your computer may be infected with harmful spyware programs. Immediate removal may be required. To scan, click ‘Yes’ below.” These websites go as far as saying that a user’s job, career, or marriage would be at risk. Products using advertisements such as these are often considered scareware. serious scareware applications qualify as Rogue software.
[Via Wikipedia]

So if you are worried you have a virus or think you have a virus I would advise you to download one of the free Many anti-virus software and firewall. This is nothing new with the companies who are doing this but don’t buy anything because people are trying to scare you into thinking you have a virus. That rarely is a valid software and you should use the ones that you trust. If you find a site like that please report them to Phishtank and other sites that way we can protect everyone who goes there.

Conspiracy theories run rampent due to PIFTS.EXE

(Looks like some of this was a 4chan gag, check my other post about it)

All of the sudden people around the World are seeing PIFTS.EXE popping up. Norton Antivirus is asking users if they want to accept it. Here what I do know:

Here’s some information I pulled from my Zone Alarm Logs. Does this make sense to anyone?
[ad#cricket-right-ez]2009/03/09 18:26:44 — New Program — PIFTS.exe — Destination IP: 67.134.208.160:80 — outgoing — blocked — Destination: ping.lifecycle.norton.com

2009/03/09 18:47:52 — Program Access — PIFTS.exe — Destination IP: — outgoing — blocked — Destination:

2009/03/09 18:48:28 — Changed Program — Windows Explorer — 207.46.248.249.80 — outgoing — blocked — Destination: sa.windows.com
[Via The Symatec Forums]

This indicates that the program tried to change tactics to go out on the net.  I look a look for this and it is SwapDrive.  So this must be an update to Swapdrive but I am unsure as to why it pops up that way.  The other ip is in Africa or at least take the .80 out of the equation and it points to an Africa IP.  (It looks to my mistake in that little part, “to error is human” Check out this  post about it)  Although just recently Norton Decides to Delete that thread and people are really worried about why?  Is this a cover up of some sort because there is a exploit in the Wild that we don’t know about?  These are good questions that need to be answered.   Here is what one posted about this just after they deleted the forum thread:

Norton Coverup?  Do you suppose

As you can see people are taking this deletion on the community forum thread very seriously, they know something is not right in Denmark.  I also want to point out this one:

Proof there was a thread

I don’t know what Norton is up to but this is making me uneasy.  If they are worried about something that they can’t explain or don’t want to explain then they have made a mistake.  Some users are really worried now because Norton isn’t saying anything at all.  I love this post:

A Conspiracy I see!!

As you can see people see this and are worried, I didn’t want these to be taken offline like the first post so I make physical copies to put on my blog.  I want to prove to people that these actually existed.  I would advise people to run Hijackthis to see if you can figure out where this is coming from.  I don’t know why they would hide the truth, it will bite them in the end.  Anyone want to comment on this, I am quiet curious??

*UPDATE 12:01 am 03/10/09*

Seems Norton Deleted all post about PIFTS.EXe so I don’t know what happened but This will have to come out in the open sooner or later.  I just hope it isn’t going to be to late.

Update 12:15am 03/10/09*

Seems people have decided to go to the Zonealarm forums to discuss this:

People are clearing wanting to know why?

You can visit there forums here.  I am getting more curious about this little situation and now tempted to stay up all night watching this!!

[ad#digg-right]I also found this forum thread from BuckeyePlanet.  I am seeing more and more people blogging about this.  So this must be something REALLY big.  Keep sending me comments if you find anything else.  Don’t forget to add me on Twitter.

This looks interesting:
[ad#cricket-1]

Even more interestingly now, after posting a single post asking about PIFTS.exe, which was deleted, and a subsequent post to another forum asking about the deleted posts, which got deleted, I’ve now been blocked from creating new posts or replies on the Norton forums. They really don’t want to talk about whatever this was.

And doubly interesting — or perhaps not, who knows — not sure if this is standard practice at Symantic or what, but opening the PIFTS.exe in a hex editor shows a large section of the end of the file consists only of “PADDINGXX” repeated over and over. I’ve got some background in programming and can’t think of a good reason why you would need padding like that on a legitimate executable. However, if an executable in an update has been compromised it may require padding such as that to match the original executable’s file size or something. But that’s just pointless conspiracy theorizing that likely has no basis. It would be nice though to hear from Norton about what the **bleep** this thing is.
[Via Zonealarm Forum]

I don’t know but I suspecting an update went wrong at least from all the indications I’m seeing.

I will say you have several options available to you:

  • You could get a Free Anti-virus Software
  • You could run without An Anti-virus (Not a great option, wouldn’t suggest it)
  • You could do nothing and wait. (My recommendation until I find out the the full story!!)

Please let’s not start a pandemic over this, I am however worried because Norton has yet to release any public information about this?  I will update as needed but please people let’s not go to OVERBOARD on this!!

Google Get’s rid of the Trend “PIFTS.EXE, no long there.  It was there last night.  Hmm even more questions and answers? (Click image to view it!!)

Proof it was there!!

On a side note, I do not have a
ccess to this file. I’ve had a friend who told me about this and I started to investigate it and as soon as I did that Norton started to kill the messages. That when I knew it was something big. That is why I blogged about it. I do not have the program. I just know that it is being searched really hard because I’ve had more people coming to my site than usual. So please don’t ask about samples, you can comment on this or ask questions. I provide this for the community to let them know!!

(Looks like some of this was a 4chan gag, check my other post about it)

Fake Emails about Windows Support spam!

According to Trend Micro, Some malicious software is being sent to unsuspecting users about Windows SP1 andSP2 having a error that could damage software or even hardware.  See Trends blog with the photos of the fake spam.

[ad#ad2-right]Although from time to time Microsoft does send out security information to Technet subscribers people have also used this in the past to get people to install Viruses and Malware, like this one that installs TSPY_BANKER.MCL. TSPY_BANKER.MCL monitors the affected user’s online transactions and steals banking related information

Microsoft sends e-mail messages to subscribers of our security communications when we release information about a security software update or security incident. Unfortunately, malicious individuals can and have sent fake security communications that appear to be from Microsoft.

[Via Microsoft]

So if you get an email from Microsoft you’ll probably want to delete it.  Any Microsoft communications will be sent from the Update center.  You should never install software that is from an untrusted website.    If you are concerned you should check the web and find out what people are saying about the situation and see if it is a scam or true!!  Remember only you can prevent a virus or Malware!