Folks, there are some nasty things out there.
Over the years I’ve had to deal with some truly virulent viruses, tormenting trojans and wrathful worms but I’ve just had a run-in with a piece of scumware that’s just simply detestable.
And it nearly ruined my Christmas!
It all started at our annual extended family Christmas party. Now, in one respect, I never really look forward to these things as I just know I’m going to get collared at some stage by some obscure relative looking for me to fix their broken PC.
This year I was sailing fine. It was nearly time to go home and the only computer talk was from a nephew who wanted to buy a laptop for college.
Then I saw my cousin Andrew coming towards me. He had his eyes fixed on me as he walked. I knew immediately that my lucky streak was coming to an end.
"Hi Cousin Ian, been meaning to talk to you all day. I’ve got a real serious computer problem …"
My fate was sealed. I was going to have to take the 60 mile ride over to Andrew’s place to see what was wrong.
A week later I was sitting in front of my cousin's PC and it was clear he really did have a problem. His browser had been hijacked. It was defaulting to a seedy homepage and would navigate to strange sites at random. Then there were all those offensive banner ads.
I’d seen this many times before. I yawned, reached for my utility CD containing SpyBot and Ad-aware and installed the products. “Could be out of here in an hour,” I was thinking.
SpyBot detected a host of problems but most were minor pests. Except one. CoolWebSearch.
CoolWebSearch (CWS) is an infamous browser hijacker. I’d heard about it but had never encountered it. CWS was almost certainly the cause of the hijacking problem.
SpyBot went through its cleaning procedures, I reset the browser home page and I announced to Cousin Andrew that his PC was now fixed. I rebooted and started packing up.
Not so fast. When I tested the browser I found that the homepage had been hijacked again.
I repeated the cleaning procedure. As before, SpyBot detected the problem, said it had cleaned it, yet the problem was still there.
So I tried Ad-aware. Same result.
Faced with the prospect of spending hours looking for registry entries and checking every single Windows auto-start location, I ran a Google search and came up with a site that lists the full history of CWS and the various techniques it uses to gain control of your browser.
http://www.spywareinfoforum.info/articles/cws/
It makes frightening reading. There are more than two dozen variants of CWS, with new mutations appearing regularly. Each variant uses a different mix of clever tricks to avoid detection and removal.
The dudes behind CWS are serious. Worse, they are fiendish. Worse still, they are very smart.
The particular variant on my cousin's PC used two processes that watched each other. If one was killed, the other restarted it. A cleaner that terminates them one at a time can never win, because the survivor has the first one running again before the cleaner gets to it. That's why SpyBot and Ad-aware were unable to get rid of it.
That's not a new trick. Many virus scanners use the same technique to stop a virus from pulling down the scanner. But this implementation was particularly clever, fiendishly clever.
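Here is how I would go after a pair like that by hand, as an added example rather than anything from CWShredder or the article above. The process names are placeholders, an assumption you must replace with the pair you actually identified. The trick is to freeze both processes before terminating either, so neither can react; NtSuspendProcess is an undocumented but long-stable ntdll export that does exactly that.

```powershell
# Added example, not code from the original article or from CWShredder.
# Stops two processes that restart each other by suspending both first.
# Run from an elevated PowerShell session.

# ASSUMPTION: placeholder names; replace with the pair you identified in Task Manager.
$names = @('watchdogA', 'watchdogB')

# NtSuspendProcess freezes every thread in a process in a single call.
Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("ntdll.dll")]
public static extern int NtSuspendProcess(IntPtr processHandle);
'@

$procs = @(Get-Process -Name $names -ErrorAction SilentlyContinue)
if ($procs.Count -eq 0) {
    Write-Host "No matching processes are running."
    return
}

# Step 1: suspend every member of the pair before touching any of them.
# Killing one while the other still runs only gets it restarted.
foreach ($p in $procs) {
    $status = [Win32.Native]::NtSuspendProcess($p.Handle)
    if ($status -ne 0) {
        Write-Warning ("NtSuspendProcess failed for PID {0}: 0x{1:X8}" -f $p.Id, $status)
    }
}

# Step 2: with both frozen, neither can respawn the other, so terminate all of them.
$procs | Stop-Process -Force

# Step 3: confirm nothing came back. If it did, a third guardian
# (a service, scheduled task or autorun entry) is restarting the pair.
Start-Sleep -Seconds 2
$back = @(Get-Process -Name $names -ErrorAction SilentlyContinue)
if ($back.Count -gt 0) {
    Write-Warning ("Respawned: {0}. Look for a third guardian before retrying." -f ($back.Name -join ', '))
} else {
    Write-Host "Pair stopped. Remove the files and their autorun entries before you reboot."
}
```

Stopping the processes only buys you a clean session; the files and the auto-start entries that launch them still have to go, or the pair will be back after the next reboot.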
Luckily the site offers a free cleaning utility, CWShredder, to remove CWS. I downloaded it and it worked just fine. If you’ve got CWS, save yourself a lot of time and download the free cleaner from the spywareinfoforum.info website. It’s updated regularly to include the latest CWS mutations.
The basic mechanism of CWS infection is through two security holes in Microsoft's Java Virtual Machine. Microsoft has issued fixes for both problems but, like most PCs, my cousin's machine was unpatched.
If your machine is unpatched, you can get infected merely by visiting an unfriendly website or clicking on a spiked ad.
However, I don't suggest you just rush out and install the patches and leave it at that. Address the root cause: consider removing the MS Java Virtual Machine from your PC altogether. Instead, install the free, and more recent, Sun version.
The MS Java Virtual Machine is a dead product. MS ceased supporting it on January 1, 2004. That means no more fixes, no more patches. As such, the MS JVM is now a security risk. Even MS suggests you remove it. In fact, Windows XP SP1a ships without it.
You’ll find Microsoft’s position statement here: http://www.microsoft.com/windowsxp/pro/evaluation/news/jre.asp
However, you probably need Java. There are a lot of apps that use it and many websites that require you to have it. So install the Sun version instead.
You’ll find instructions for removing the MS version at this link, though be warned, it involves some registry editing: http://www.windows-help.net/WindowsXP/howto-21.html
If anyone knows of a utility that will do this automatically, please let me know and I’ll publish it in a future issue.
Installation instructions for Sun Java can be found at this link: http://java.sun.com/j2se/1.4.2/docs/guide/deployment/deployment-guide/upgrade-guide/index.html
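Before and after following those instructions it helps to know which Java you actually have. This added check is mine, not from the article or from Microsoft; it looks for the MS VM's own files and registry key (paths I take to be the standard ones, so treat them as assumptions) and asks any java.exe on the PATH to identify itself.

```powershell
# Added example, not code from the original article.
# Reports whether the Microsoft Java VM is still present and which Java answers on the PATH.

# ASSUMPTION: standard MS VM file locations and registry key.
$msvmFiles = @(
    (Join-Path $env:SystemRoot 'System32\msjava.dll'),
    (Join-Path $env:SystemRoot 'System32\jview.exe')
)
$msvmKey = 'HKLM:\SOFTWARE\Microsoft\Java VM'

$found = $false
foreach ($f in $msvmFiles) {
    if (Test-Path $f) { Write-Host "MS VM file present: $f"; $found = $true }
}
if (Test-Path $msvmKey) { Write-Host "MS VM registry key present: $msvmKey"; $found = $true }

if ($found) {
    Write-Host "The Microsoft Java VM is still installed; it is unsupported and should be removed."
} else {
    Write-Host "No trace of the Microsoft Java VM found."
}

# Sun's runtime identifies itself on stderr with 'java -version'.
$java = Get-Command java -ErrorAction SilentlyContinue
if ($java) {
    Write-Host "java.exe on PATH: $($java.Source)"
    & $java.Source -version 2>&1 | ForEach-Object { Write-Host "  $_" }
} else {
    Write-Host "No java.exe on the PATH; the Sun runtime is not installed or not in PATH."
}
```

If the first part reports the MS VM after you have done the registry cleanup, the removal is incomplete; if the second part finds no java.exe, websites and applications that need Java will fail until the Sun runtime is installed.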
Take heed folks. This is serious.
Gizmo