Wednesday, November 26, 2008

Antivirus tools try to remove Sinowal/Mebroot [NEWS UPDATE]

Windows Secrets NEWS UPDATE • Issue 176a • 2008-11-26 • Circulation: over 400,000

The Pleasure Instinct

Last week to get a free excerpt of 'Pleasure'
As often as possible, Windows Secrets licenses some new content that all of our readers can download and enjoy at no cost. This month, our bonus download reveals hidden motivations that operate beneath the level of our conscious mind.

Our exclusive excerpt of The Pleasure Instinct: Why We Crave Adventure, Chocolate, Pheromones, and Music explains why everything from the smell of cocoa to a whiff of an expensive perfume moves us in unexpected ways.

The printed book won't be available in stores until mid-December, but you can get our PDF e-book excerpt now through Dec. 3, 2008. Simply visit your preferences page, update your entries, press the Save button, and a download link will appear. Thanks for your support! —Brian Livingston, editorial director

All subscribers: Set your preferences and download your bonus
Info on the printed book: United States / Canada / Elsewhere
Table of contents
INTRODUCTION: A news update to bring you rootkit solutions
TOP STORY: Antivirus tools try to remove Sinowal/Mebroot


A news update to bring you rootkit solutions

Brian Livingston By Brian Livingston

I thought that trying to take a week off for Thanksgiving was too good to be true.

To prove that nature abhors a vacuum, we're publishing today a special "news update" to bring you Woody Leonhard's findings on rootkit removal tools.

Woody's column on Nov. 20 explained how to update your apps to prevent rootkits from infecting your PC. His article received a very high rating of 4.02 out of 5, indicating high reader interest. Today, Woody describes antivirus utilities that attempt to detect and remove dangerous Sinowal/Mebroot variants and other rootkits that hide from ordinary AV programs.

Everyone here at Windows Secrets hopes this two-part series will help you recover from this threat — or, preferably, avoid it entirely.

'Tis the season — promote your biz for free

I've been looking for ways to give something to Windows Secrets subscribers for the holidays. Many of our readers work in or operate small businesses. So we've decided to offer our small-business friends a free ad in our Dec. 4 newsletter at the height of the shopping season.

That's right: your business can submit an ad for our Dec. 4 newsletter and pay nothing. The rules for this offer are as follows:
  • Anyone who places an ad before our ad deadline — Dec. 1 at 2 p.m. Pacific Time — is eligible to receive a free ad in the Dec. 4 newsletter.
  • No more than 12 ads will be accepted in the Dec. 4 newsletter. If more than 12 ads are submitted, 12 will be chosen at random. In a regular newsletter, no more than 9 ads are accepted.
  • A valid credit card must be entered, but your card will not be charged for the Dec. 4 newsletter.
  • Free ads in the Dec. 4 newsletter will be positioned in random order, so there's no reason to enter an exaggerated bid. Simply enter a reasonable bid: whatever you'd be willing to pay if your ad continued to run in the Dec. 11 newsletter.
  • On Dec. 5, we'll send you an e-mail showing the number of click-throughs your ad generated in the first 24 hours. If the response is worth it, make no changes and your ad will continue to run. If not, you can cancel your ad and pay nothing.
  • All ads run until you cancel them. You may cancel an ad by changing your bid to zero (0) at any time before the ad deadline for our Dec. 11 newsletter — Dec. 8 at 2 p.m. Pacific Time. Before the ad deadline, you can also reduce or increase your bid to obtain a better position.
To place your ad, start at the Web page in the link below and follow the instructions:

Windows Secrets advertising page

Many small businesses are struggling in the current global economic slowdown. We hope to give a few of our subscribers' products and services a bit more exposure. Have a great holiday!

No paid content in news updates; next issue Dec. 4

This is a special news update, which has the same content for all free and paying subscribers. There is no paid content in news updates.

Our next regular newsletter will be published on Thurs., Dec. 4, 2008. Windows Secrets skips publication on the 5th Thursday of the month, the last two weeks of August and December, and (usually) the week of Thanksgiving.

I promise you, we won't be publishing another newsletter this Thursday!

Brian Livingston is editorial director of and co-author of Windows Vista Secrets and 10 other books.


Antivirus tools try to remove Sinowal/Mebroot

Woody Leonhard By Woody Leonhard

I wrote last Thursday about ways to protect your PC from infection by Sinowal/Mebroot, a devilishly effective rootkit that can evade antivirus programs.

This week, I'll concentrate on the best available techniques to try to remove the offender, if you're one of the unfortunates who've already been hit.

My Top Story Nov. 20 focused on prevention, because it can be hard as heck to get rid of Sinowal/Mebroot once your PC's got it. (The two names come from different antivirus vendors and cover two parts of the same threat: Sinowal, also called Torpig, is the older name for the password-stealing Trojan, and Mebroot is the name given to the MBR rootkit that now loads it before Windows starts. I'll simply call the threat Mebroot in the remainder of this article.)

Mebroot overwrites a PC's Master Boot Record (MBR), the first sector on the hard drive. That sector sits outside any partition, and therefore outside the files an ordinary antivirus scanner examines; once Mebroot is running, it also hooks the disk driver so that any program reading sector 0 from inside Windows is handed the original, clean MBR. As I stated last week, your best defense against infection is to keep your third-party applications patched, using on a regular basis a scanner such as Secunia's free Personal Software Inspector (get it from Secunia's download page).

Ideally, you should run a PSI scan right after you install Microsoft's Patch Tuesday updates for Windows. The PSI scan tests your third-party applications, so you can patch them with the latest fixes. Unpatched browser plug-ins and document viewers such as Adobe Reader, Flash Player, and Apple QuickTime are the usual entry points for the drive-by downloads that install Mebroot and other threats, so it's vital to keep them up-to-date.

Most Windows Secrets readers are probably not infected with Mebroot. Sophisticated PC users are less likely than novices to visit "celebrity video" sites and leave their PCs' third-party applications unpatched for months or years at a time.

But, as careful as you are, it's possible that your PC became infected when you visited some seemingly legitimate site with a less-than-fully-updated browser or while you were running an application with an unpatched security hole.

Washington Post blogger Brian Krebs wrote last month that a new sample of Sinowal/Mebroot was submitted on Oct. 21 to VirusTotal, the free service that scans an uploaded file with dozens of antivirus engines at once. Only 10 out of the 35 engines (28.6%) correctly identified the sample or flagged it as suspicious, Krebs says.

If your PC is infected, Mebroot removal tools developed by a few security vendors may be able to help you. The bad news is that even the best tool can't be 100% effective against a threat that's evolving as quickly as this li'l terror.

Use F-Secure's utility to clean out rootkits

Security firm F-Secure is at the forefront of the industry's response to Mebroot. F-Secure researcher Kimmo Kasslin gave a presentation to a packed conference hall at the Virus Bulletin conference in October, during which he explained the Mebroot menace in these terms:
  • Mebroot is the most advanced and stealthiest malware seen so far.
  • When an infected machine is started, Mebroot loads first and survives through the Windows boot.
  • Mebroot uses a very complex installation mechanism, trying to bypass security products and to make automatic analysis harder.
  • As a payload, Mebroot attacks over 100 European online banks, trying to steal money as users do their online banking on infected machines.
For a complete outline of Kasslin's points and a downloadable PDF version of his conference presentation, see the F-Secure blog page.

The company claims that its BlackLight rootkit scanner detects and removes Mebroot. F-Secure also says Mebroot required the development of entirely new detection techniques.

Mebroot's programmers are smart and fast. How smart? When the authors of the rootkit detector GMER discovered how to recognize a particular behavior in Mebroot, the bad guys replaced some code in a driver initializer that threw GMER off the track. (For more information, see Trend Micro's blog entry on this subject.) Detecting and preventing Mebroot is a cat-and-mouse game, and the black cats are winning.

BlackLight is built into F-Secure's commercial products, such as F-Secure Internet Security 2008. A free, standalone BlackLight download is also available. (The utility requires administrator privileges to run.)

For information on the products and a link to the download, see F-Secure's BlackLight page.

To get the best detection odds, you can test your PC with multiple antirootkit programs, many of which are free. For a complete review of several top offerings, see Scott Spanbauer's May 22 Best Software column.

Unfortunately, I don't know of any software maker that claims it can reliably detect — much less remove — every possible variant of Mebroot.
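One check you can run yourself, independent of any vendor's scanner, is to keep a baseline of your own MBR and compare against it later. The script below is an added example written for this article; it is not code from Windows Secrets or from F-Secure. It parses a 512-byte sector-0 image, hashes the boot-code region separately from the partition table (Mebroot replaces the former and leaves the latter alone so the PC still boots), and works out where the unpartitioned tail of the disk begins, which is where Mebroot parks its driver body. The sample MBRs inside it are constructed for the demonstration, and the partition layout, disk signature and sector counts are made up. One caveat matters more than the code: a dump of sector 0 taken on the running, infected system is worthless, because Mebroot filters those reads and returns a clean sector, so take the dump from a boot CD (on a Linux live CD, `dd if=/dev/sda of=mbr.bin bs=512 count=1`).

```python
"""
Added example, not code from the Windows Secrets article or from F-Secure:
a baseline check of a 512-byte Master Boot Record image, the sector Mebroot
overwrites. Mebroot replaces the boot code but leaves the partition table
intact so the PC still boots, and it stores its driver body in the
unpartitioned sectors after the last partition. The check therefore hashes
the boot code separately from the partition table, reports which part
changed, and computes where the unpartitioned tail begins.

Assumed classic MBR layout:
  0x000-0x1B7  boot code (440 bytes)
  0x1B8-0x1BB  disk signature
  0x1BE-0x1FD  four 16-byte partition entries
  0x1FE-0x1FF  boot signature 0x55 0xAA
"""
import hashlib
import struct
import sys

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440
PART_TABLE_OFF = 0x1BE
BOOT_SIG_OFF = 0x1FE
# status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
PART_ENTRY_FMT = "<B3xB3xII"


def parse_partitions(mbr):
    """Return the four partition-table entries as dicts (type 0 = unused)."""
    entries = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(
            PART_ENTRY_FMT, mbr, PART_TABLE_OFF + 16 * i)
        entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def boot_code_hash(mbr):
    """SHA-256 of the boot-code region only (the part a rootkit replaces)."""
    return hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()


def trailing_free_sectors(partitions, disk_sectors):
    """Sectors after the last partition: the unpartitioned space where
    Mebroot keeps its driver. disk_sectors is the disk's total sector count."""
    last_end = max((p["lba_start"] + p["sectors"]
                    for p in partitions if p["type"] != 0), default=0)
    return max(disk_sectors - last_end, 0)


def check_mbr(mbr, baseline_boot_hash, baseline_partitions):
    """Compare an MBR image against a baseline recorded from a known-clean
    disk. Returns a list of findings; an empty list means nothing changed."""
    if len(mbr) != SECTOR_SIZE:
        return ["image is %d bytes, expected %d" % (len(mbr), SECTOR_SIZE)]
    findings = []
    if mbr[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] != b"\x55\xAA":
        findings.append("boot signature 0x55AA missing; not a valid MBR")
    code_changed = boot_code_hash(mbr) != baseline_boot_hash
    table_changed = parse_partitions(mbr) != baseline_partitions
    if code_changed and not table_changed:
        # The Mebroot pattern: new boot code, untouched partition table.
        findings.append("boot code differs from baseline while the partition "
                        "table is unchanged (MBR rootkit pattern)")
    elif code_changed:
        findings.append("boot code and partition table both differ from "
                        "baseline (repartitioned or new boot loader)")
    elif table_changed:
        findings.append("partition table differs from baseline")
    return findings


def make_sample_mbr(boot_code_fill):
    """Constructed sample data (not a real disk): one bootable NTFS partition
    of about 20 GB starting at LBA 63, boot code filled with one byte value."""
    mbr = bytearray(SECTOR_SIZE)
    mbr[:BOOT_CODE_LEN] = bytes([boot_code_fill]) * BOOT_CODE_LEN
    struct.pack_into("<I", mbr, 0x1B8, 0x1234ABCD)      # arbitrary disk signature
    struct.pack_into(PART_ENTRY_FMT, mbr, PART_TABLE_OFF,
                     0x80, 0x07, 63, 41_943_040 - 63)    # active, type 0x07 NTFS
    mbr[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] = b"\x55\xAA"
    return bytes(mbr)


# Baseline "recorded" from the constructed clean sample; a second sample with
# the same partition table but different boot code stands in for an infection.
CLEAN_MBR = make_sample_mbr(0x33)
INFECTED_MBR = make_sample_mbr(0xEB)
BASELINE_HASH = boot_code_hash(CLEAN_MBR)
BASELINE_PARTS = parse_partitions(CLEAN_MBR)


def read_sector0(path):
    """First 512 bytes of a sector-0 dump or raw disk image taken offline."""
    with open(path, "rb") as f:
        return f.read(SECTOR_SIZE)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Print the values to record as a baseline for your own clean disk.
        image = read_sector0(sys.argv[1])
        print(boot_code_hash(image))
        print(parse_partitions(image))
    else:
        print("clean sample:   ", check_mbr(CLEAN_MBR, BASELINE_HASH, BASELINE_PARTS))
        print("infected sample:", check_mbr(INFECTED_MBR, BASELINE_HASH, BASELINE_PARTS))
```

Record the hash and partition list from a disk you trust (right after a clean install is the natural moment), keep them somewhere other than that PC, and compare a fresh offline dump against them whenever you suspect trouble. A legitimate change to the boot code, such as running fixmbr or installing a different boot loader, will also trip the check; the point is that nothing should change sector 0 without you knowing why.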

Your only real remedy may be a clean start

Right now, I believe one of my Windows XP machines is infected with Mebroot, but I can't tell for sure. I've quarantined the system by disconnecting it from my network, and I'm in the process of copying a small handful of vital data files off the PC and onto a USB drive.

Once I've copied the files, I'll reformat the machine's hard drive, reinstall Windows and my apps, and then carefully copy the data back — being very sure to hold down the Shift key every time I insert the USB drive. Holding Shift suppresses Windows' AutoPlay for that one insertion, which makes any malware that might have sneaked onto the thumb drive less likely to run automatically; a more durable fix is to turn AutoRun off for removable drives altogether with the NoDriveTypeAutoRun policy value in the registry. One caution about the rebuild itself: formatting touches only the partition, not sector 0, so the MBR has to be rewritten separately (fixmbr from the XP Recovery Console does this) or Mebroot can survive the reinstall.
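The Shift-key habit covers one insertion at a time. The script below, an added example rather than anything from the article, shows the two checks a cautious rebuilder would actually make: decoding the NoDriveTypeAutoRun policy value to confirm that removable drives are covered, and reading any autorun.inf found on the stick to see whether it was set up to launch something. The registry path and bit meanings are Windows' own; the "XP default" constant is the commonly cited value and is an assumption you should verify on your machine. Both autorun.inf samples are constructed for the demonstration, and the file name hidden\update.exe is made up.

```python
"""
Added example, not from the Windows Secrets article: two checks around the
USB re-infection risk described above. Holding Shift only suppresses AutoPlay
for one insertion; the durable control is the NoDriveTypeAutoRun policy
value, decoded here, and any autorun.inf already on the stick tells you
whether something was set up to run by itself.
"""

# HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun
# (also honoured under HKCU). A set bit disables AutoRun for that drive type;
# the bits mirror the GetDriveType() values.
DRIVE_TYPE_BITS = {
    0x01: "unknown",
    0x02: "no root directory",
    0x04: "removable (USB sticks, floppies)",
    0x08: "fixed",
    0x10: "network",
    0x20: "CD-ROM/DVD",
    0x40: "RAM disk",
    0x80: "reserved",
}
XP_DEFAULT = 0x91    # commonly cited Windows XP default; assumption, verify locally
DISABLE_ALL = 0xFF


def autorun_disabled_types(value):
    """Names of the drive types for which this policy value disables AutoRun."""
    return [name for bit, name in DRIVE_TYPE_BITS.items() if value & bit]


def removable_autorun_disabled(value):
    """True when the policy value covers removable drives (the USB case)."""
    return bool(value & 0x04)


def harden(value):
    """Policy value to write back: the existing bits plus every drive type."""
    return value | DISABLE_ALL


def parse_autorun_inf(text):
    """Return the [autorun] section as {lowercased key: value}.
    Written by hand rather than with configparser because real autorun.inf
    files carry odd case, duplicate keys and junk lines that raise errors."""
    keys = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        keys[key.strip().lower()] = value.strip()
    return keys


def autorun_execution_targets(keys):
    """Keys that make Windows run something on insertion or double-click:
    open=, shellexecute=, shell\\<verb>\\command=, and shell= (which changes
    the default double-click verb to one of those commands)."""
    hits = []
    for key, value in keys.items():
        if key in ("open", "shellexecute", "shell") or (
                key.startswith("shell\\") and key.endswith("\\command")):
            hits.append((key, value))
    return hits


# Constructed samples: a benign label/icon file and one of the kind malware
# drops, which both auto-runs and hijacks the drive's Explorer double-click.
BENIGN_INF = """[autorun]
label=Holiday photos
icon=photos.ico
"""

MALICIOUS_INF = r"""[AutoRun]
icon=%SystemRoot%\system32\shell32.dll,4
open=hidden\update.exe
shell\open\command=hidden\update.exe
shell\explore\command=hidden\update.exe
shell=open
"""

if __name__ == "__main__":
    print("XP default disables AutoRun for:", autorun_disabled_types(XP_DEFAULT))
    print("removable drives covered:", removable_autorun_disabled(XP_DEFAULT))
    print("hardened value: 0x%02X" % harden(XP_DEFAULT))
    print("benign:", autorun_execution_targets(parse_autorun_inf(BENIGN_INF)))
    print("malicious:", autorun_execution_targets(parse_autorun_inf(MALICIOUS_INF)))
```

Read the policy value with regedit or reg query on the machine you are about to rebuild, and if removable drives are not covered, write 0xFF back before you plug the USB stick into the freshly installed system. Finding an autorun.inf with open= or shell\...\command= entries on a drive you only ever used to carry data files is itself a sign that the old machine, or another one the stick visited, was infected.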

Finally, I'll install and religiously use Secunia's Personal Software Inspector every month. Then I'll rub my lucky rabbit's foot (lot of good it did the rabbit), knock on wood, cross my fingers (does wonders for my typing), and hope that Mebroot doesn't bite me again.

My long-range plan is to upgrade the video cards on all of my Windows XP machines so they can limp along with their OS upgraded to Vista. At present, the User Account Control (UAC) function of the latest update of Vista does at least warn against Mebroot's initial attempt to activate. For other, more-technical reasons why Vista is not yet at risk from Mebroot, see the "Affected Systems" section of software engineer Peter Kleissner's analysis.

Of course, by the time I've done a clean install, the Mebroot gang may well have found a way to make even Vista as vulnerable as XP is now.

Helluva situation, isn't it?

Woody Leonhard's latest books — Windows Vista All-In-One Desk Reference For Dummies and Windows Vista Timesaving Techniques For Dummies — explore what you need to know about Vista in a way that won't put you to sleep. He is also a co-author of the encyclopedic Special Edition Using Office 2007. Woody's column regularly appears in the paid content of Windows Secrets.


Get our paid content by making any contribution

12 months of paid content

There's no fixed fee! Contribute whatever it's worth to you
Readers who make a financial contribution of any amount by Dec. 3, 2008, will immediately receive the latest issue of our full, paid newsletter and 12 months of new paid content. Pay as much or as little as you like — we want as many people as possible to have this information.

A portion of your support helps children in developing countries
Each month, we send a full year of sponsorship to a different child. Your contributions in November are helping us to sponsor Sudarto Sagiman, a 12-year-old boy from a village in the area of Rembay, Indonesia. Plan USA channels development aid from donors to Sudarto and his community. We also sponsor kids through Save the Children and other respected agencies. More info

Organized Work Life excerpt
Upgrade to the paid newsletter and receive this bonus
Regina Leeds shows how you can turn time into your ally in her new book, One Year to an Organized Work Life. In this exclusive excerpt, available from Windows Secrets only until Dec. 17, she provides four exercises that demonstrate how the holiday month of December can actually be used to get your workplace under control.

This bonus download is available only to paid subscribers and to free subscribers who upgrade to receive 12 months of Windows Secrets' paid version.

Upgrade to the paid version and download your bonus

Use the link below to learn more about the benefits of becoming a paid subscriber!

More info on how to upgrade

Thanks in advance for your support!


The Windows Secrets Newsletter is published weekly on the 1st through 4th Thursdays of each month, plus occasional news updates. We skip an issue on the 5th Thursday of any month, the week of Thanksgiving, and the last two weeks of August and December. Windows Secrets resulted from the merger of several publications: Brian's Buzz on Windows and Woody's Windows Watch in 2004, the LangaList in 2006, and the Support Alert Newsletter in 2008.

Publisher: LLC, Attn: #120 Editor, 1700 7th Ave., Suite 116, Seattle, WA 98101-1323 USA. Vendors, please send no unsolicited packages to this address (readers' letters are fine).

Editorial Director: Brian Livingston. Senior Editor: Ian Richards. Editor-at-Large: Fred Langa. Technical Editor: Dennis O'Reilly. Associate Editors: Scott Dunn, Stuart J. Johnston. Program Director: Tony Johnston. Program Manager: Ryan Biesemeyer. Web Developer: Damian Wadley. Editorial Assistant: Katy Abby. Copyeditor: Roberta Scholz. Chief Marketing Officer: Jake Ludington. Contributing Editors: Susan Bradley, Mark Joseph Edwards, Woody Leonhard, Ryan Russell, Scott Spanbauer, Becky Waring.

Trademarks: Microsoft and Windows are registered trademarks of Microsoft Corporation. The Windows Secrets series of books is published by Wiley Publishing Inc. The Windows Secrets Newsletter, Support Alert, LangaList, LangaList Plus, WinFind, Security Baseline, Patch Watch, Perimeter Scan, Wacky Web Week, the Logo Design (W, S or road, and Star), and the slogan Everything Microsoft Forgot to Mention all are trademarks and service marks of LLC. All other marks are the trademarks or service marks of their respective owners.

Copyright © 2008 by LLC. All rights reserved.


Terms of Use

Personal & Educational Use Only. This blog consists mainly of FREE newsletters from computer web gurus that I receive. I thought you might like to see them all in one place rather than try to discover them on your own. A moderate amount of editing may be done to eliminate unrelated repetitious ads or unnecessary text which bloat the post. However, I have given the authors full credit and will not remove their site links, because you deserve to see where it comes from and they deserve to get credit for what they have written. Your use of this site is simply for educational purposes. For more computer-related help go to CPEDLEY.COM for free software, advice and tips on low-cost products which are very helpful. If you want to contact the editor, please go to CPEDLEY.COM and check the Contact page for the email address.