Thursday, March 06, 2008

So, what if you make a mistake? And more on the fake anti-virus


So, what if you’ve been fooled and clicked on something you shouldn’t have, and worry that your PC could be compromised?

Well, it depends. It’s a good idea to reboot once, and then run a full manual virus scan. Hopefully you have a major anti-virus vendor like McAfee or Norton, which will check for the latest updates before running the scan.

The other thing is to go to the website for your anti-virus vendor, and look up the name of the virus you’re concerned about. Normally there will be a list of symptoms, and a list of files that the virus would have deposited on your machine. With any sort of windows system, you can run a “search” for file names. Be careful that you pick a filename that really would identify the virus, as many applications use filenames with similar prefixes or letter combinations in their names.

With McAfee, the Security Center has a “SystemGuards” report that lists changes to your registry. You should check that if you use McAfee. I presume Norton has a similar report.

If all these tests are negative, everything is probably OK. I always wonder about the complicated instructions for virus removal. It would surprise me that a virus can run if even one critical component file is removed.

I recall one time in 2002 when my CD player on a Sony Vaio stopped working, that CompUSA said, it wouldn’t be covered by the Silver plan if it was caused by a virus. McAfee had always been negative. They ran a scan with Norton. Still negative. I was covered, and they replaced the drive.

More on the fake “antivirus”:

There’s more to report about the “xpantivirus epidemic.” To wit, on a couple of my blog entries, I’ve found comments that got past moderation. One of them simply said “Here!” with a link, another said “Attention!” In each case, if I ran my cursor over the link, a blogspot link appeared, but in each case, the link was phony and equated to an xpantivirus site to try to “scare” the visitor into buying the product. (It produces a Visual Basic style box on the task bar warning the visitor that the computer may be infected.) It does not appear that the incident harms the computer unless the visitor actually buys the product or runs the exe element. (Scans come up clean, no registry changes, no files loaded.) The name of the blog is like to suggest food or beverages, but changes each time. It appears that the “comment” is changing (in “polymorphic fashion”) to get around Blogger security.

Xpantivirus is flagged as “Red” by McAfee Site Advisor.

In one case, I did get an email from the Blogger comment facility asking for approval. Inside the blogger framework, the comment had only the word “Here” leaving the impression (social engineering) that the format for these emails has changed. It has not. This is still part of the scheme. If you have a blog on blogspot and get an email like this, you should not click on the link, but merely Reject the comment.

A true blog on Blogger allows the visitor to “flag” the blog for review. But a “fake blog” set up with an address-record on a domain (like xpantivirus) may not allow this. I presume that Blogger is working on this security problem.

Blogger has also added the capacity to remove comments “permanently.” I don’t see any comments about the xpantivurs (or similar scams) issue at the Help center yet, but I expect that I will find some discussion there soon.

In the past, I’ve found comments like “I am on the way to the airport and I am glad to meet you” with spammy-like links. A few of these got posted without moderation.

It is possible that older blog entries will have a few of these comments, or that somehow a few will get past Blogger content automatic monitoring before I find them. I delete them when I find them, but there is no practical way to find all the older ones. If you want to advise me by email (my profile) by all means feel free to do so. By all means, do not click on links in comments that look like “spam” or that don’t seem to have any explanation, or that don’t seem to have any legitimate relationship to the subject matter of the blog. Experienced human-being “web surfers” and visitors to blogs know how to recognize these, but it is hard for a blogger-hosting company to write scripts that can reliably identify all of these. Wikipedia has a useful reference on the "spam in blogs" problem here.

My "legislative tracking" Wordpress blog (hosted separately) has attracted spam comments, but so far the hosting company (Verio) has trapped all of them for being marked as spam,

I found another blog (not part of Blogger) that had discussed this problem on Feb. 28. Here is his link (“Blip tv”).

Personal Information:

As always, if you find that you did click on a phishing email for a financial institution where you have accounts, contact them immediately. Legitimate banks and brokerage companies do not send emails asking for personal information; and neither do Paypal, Ebay, or AOL.

Update: March 16

I've noticed that two of my blogs, the International and "disaster movies" blogs, did not have proper settings for comment moderation. That seems to be why a few "spam comments" got through recently. Apparently I overlooked it. I'll check the settings on the other ones.

No comments: