The Spyware Weekly Newsletter is distributed every week to 20,000 subscribers and read online by hundreds of thousands of visitors. Please read our Terms of Use for quoting guidelines. This edition of the Spyware Weekly Newsletter is archived permanently at http://www.spywareinfo.net/june15,2004.
Wherever the term "adware" is used, it is referring to a category of software, not to any particular company or product.
A browser hijacker known as ILookup has been caught red-handed exploiting a previously unknown flaw in Microsoft Internet Explorer.
ILookup installs as a toolbar and browser helper object. Once installed, it will hijack the home page, search page and sidebar search page. It also will create pop-up ads, most of them pornographic.
A Dutch student and security researcher analyzed the hijacker after receiving an email about it. He posted his findings to Bugtraq after realizing that it was exploiting flaws in Internet Explorer that no one knew about. These flaws enable this hijacker to infect Internet Explorer running on all versions of Windows, regardless of security patches.
Microsoft is extraordinarily upset about the situation. Stephen Toulouse, security program manager for Microsoft, called ILookup's use of a security flaw "criminal" and said that Microsoft has contacted the FBI about it.
I am glad to see Microsoft taking this so seriously. If only we could direct Microsoft's anger at the hundreds of other browser hijackers who also exploit flaws in Internet Explorer. There's an excellent candidate at coolwebsearch.com.
Tweak Manager was probably the most fun to test of all the programs that have been featured here. I am a geek and I like playing with my computers. I set up a test computer with a fresh install of Windows on it. I used Tweak Manager to play with the settings and this program is amazing.
As its name implies, Tweak Manager allows you to tweak every imaginable setting on your Windows machine. There are literally hundreds of settings that can be tweaked and more are added all the time. You can change how Windows looks, how it behaves, how it shuts down and how it starts. It will optimize memory and CPU usage and tweak your internet connection to speed up your web browsing and downloads. Tweak Manager disables unsafe settings and many common annoyances such as reminder pop-ups and balloon tips. Some of these tweaks are not for the faint of heart, so please be careful.
Tweak Manager lets you choose for which users on the machine you are changing settings and even lets you tweak another machine over a local network. I've used a dozen tweaking programs and Tweak Manager has the most refined interface I have ever seen. It is intuitive and nicely organized which makes finding a particular tweak very easy. It even points out other tweaks related to the one you currently have selected and lets you go online to read about each tweak at Winguides.com. You don't have to be a geek to find your way around this program.
If it has been some time since you last installed Windows, then your computer's registry is probably a horrible mess. Everything you do on your computer leaves traces in the registry, from picking through the start menu and opening programs to installing programs and surfing the web. These traces build up over time and fill your registry with unneeded junk.
Even after uninstalling them, many programs leave invalid entries throughout the registry and it is nearly impossible to remove them all. If you ever have had a problem with Windows telling you a file is missing after you restart it, this is because of an invalid registry entry.
Registry Mechanic scans your entire registry to find these junk entries. It also checks your shortcuts to find those pointing to non-existent programs. Once it has scanned, it lists every invalid registry entry and every shortcut pointing to a missing file and lets you delete them with the click of a button. Every entry that is removed is backed up in case you need to restore something. Depending on how long it has been since you installed Windows, you might see anything from a small difference to a dramatic increase in performance and stability.
Telus Corporation of Canada soon will begin intercepting all outbound phone calls to Sao Tome and several other countries. Sao Tome, the Solomon Islands, the Cook Islands and certain other countries are where dialer programs tend to call when they infect a computer.
Dialers usually are installed by exploiting various security flaws in Internet Explorer or by taking advantage of lowered ActiveX security settings. Once the computer is infected, the dialer will disconnect the computer from the victim's ISP, turn off the modem speaker and dial a long distance number, usually in a foreign country.
When the victim's next phone bill comes, there will be a huge charge for phone calls made by the dialer. Not even blocking foreign phone calls makes you safe. I've heard of dozens of cases where someone has blocked foreign calls, 1-900 calls and other services, only to become infected by a dialer that used a 10-10-somethingorother service to bypass the blocks.
Starting July 1, Telus will use operators to intercept calls to countries known to be used by dialers. If a person really is dialing the number deliberately, then the call will continue normally. If it is a computer modem making the phone call, the call will be disconnected.
I applaud this action by Telus. Having human operators intercept all of these calls probably is not the best approach but at least they are working to stop the problem. I wish more phone companies would take steps to stop modem dialer fraud. Most long distance carriers are only too happy to participate actively in this fraudulent activity by looking the other way as they prepare the monthly bill. What astonishes me is that they are able to do this without legal sanction.
In a Philadelphia Inquirer interview (* see note below), Verizon admits publicly that they are participating in what they know to be fraud and continue to collect the fees. Last year, we had a long and heated discussion at the message board with someone claiming to be a customer service representative of a long distance carrier. This person admitted that his company and others knowingly participate in this illegal activity and collect fees from victims.
In most places, to knowingly aid and abet a crime makes you an accomplice to that crime and just as guilty as the person who actually committed it.
Instead of participating in this fraud, phone companies should be working to stop it by letting customers block calls to these countries, by letting them block calls to 900 services and by not passing along the fee to the scammer without first checking with the customer that the phone calls are legitimate.
Unfortunately, as long as they can continue to profit from this illegal activity without interference from the authorities, most phone companies will continue to do just that.
* Note: The Philadelphia Inquirer article is not linked in the article because they require visitors to register before allowing them to read articles older than a few days. This became apparent only AFTER I read it originally. Registration-only sites are blacklisted from this newsletter.
I have had some harsh words for Comcast in the past. They do things that would outrage me if I were a customer. Now, however, they have done something right. Last week, Comcast began blocking port 25 for accounts where the customer appears to be infected with a trojan. Port 25 is the port used for sending email.
Some time ago, spammers started paying virus writers to distribute trojans that allow them to relay spam through infected computers. This lets them spam all they want without worrying about spam blacklists blocking them. Some studies say that as much as 80% of all spam is relayed through these infected machines.
Comcast has an enormous number of customers infected with these trojans. By blocking that port, they block the ability of those customers to send out spam.
Many ISPs are starting to block port 25 because of this problem. Unfortunately, these ISPs are blocking it for all customers, not just those who are infected. While it stops infected customers from sending spam, it also stops uninfected customers from using mail servers other than the one at their own ISP. For instance, I've never used my ISP's email server. I always use the email server at spywareinfo.com to send and receive email. If my ISP were to block port 25, I would be unable to send or receive email at all.
Many people will say that all ISPs should block port 25 for all customers because "they have no legitimate reason to connect to 'foreign' email servers". That is a naive opinion, most likely expressed by those who have never used email for non-personal purposes. There are many reasons for using a mail server other than the ISP's, far too many for me to list them here.
Comcast is doing this right. They are blocking that port only for specific customers who obviously have become infected with a spam relay trojan. That is the correct approach as far as I'm concerned. Another approach ISPs could try is to block the port for all customers by default while unblocking it for those customers who request it.
Let's all hope this does some good. Three of every four emails today are spam and that doesn't even include viruses. Pretty soon, email will become useless as a means of communication if something isn't done to cut down on spam.
From time to time, I receive a letter from a reporter who wants to discuss spyware and browser hijackers. Usually this is not long after they or a friend have become infected with one or the other. Occasionally these reporters want to interview people who have had to remove spyware or a browser hijacker. When that happens, I usually send out a newsletter asking for people in their geographical area.
I want to start a list of people ahead of time for situations like this. If you ever have become infected with spyware, adware, a browser hijacker or a phone dialer and you would like to talk to a reporter about it, I would like you to contact me. I will have your name available if a reporter in your geographical area would like to contact people who have been infected in the past. Use this address please instead of replying to this newsletter.
This is the information I need:
How you became infected if you know
What you were infected with if you know
How long you were infected before fixing it
How you fixed it (e.g., Spybot, Ad-aware, a message board, etc.)
What city you are located in or near
A working email address
I won't give your email address to the reporter, if one from your area writes (or to anyone else for that matter). Instead, I will reply to your email with the reporter's contact information. I know from experience that a large number of you are going to email, so I won't be able to respond to these emails. Thank you in advance for participating in this.
I have updated the RSS feeds for SpywareInfo. Previously, there were three different feeds, one with five items, one with ten items and one with fifteen. Now I have dropped the five and fifteen item feeds and switched to just one feed with ten items. In addition, I have moved it, so if you had the old ones bookmarked or loading on your web site, you will need to update the address. The new address is http://www.spywareinfo.com/index.xml.
If you don't know what RSS is, it stands for Rich Site Summary or Really Simple Syndication depending on whom you ask. Visit Harvard University's RSS article for more information.
From the look of things, this summer is going to be a repeat of last summer, with thunderstorms every other day. It has rained here nearly every day for the last three weeks. I've had my power either go out or flicker several times in the last couple of weeks because of nearby thunderstorms. There was even a brownout the other day.
I'm starting to worry about the hard drives in my computers. Suddenly losing power without a proper shutdown can damage a hard drive and that is going to happen to me sooner or later if this keeps up. I'm thinking of buying an uninterruptible power supply (UPS) to protect my computers. The problem is that I have no experience with a UPS, so I don't know which are good and which are trash. At the moment, I have my eye on this one. The specs look good but the customer reviews are worrisome.
What is your opinion of a good UPS? I don't want to spend a bunch of money on one. I've spent enough money on this computer recently. If you have a suggestion, please let me know. Thanks.
All materials on this web site are copyrighted © 2001 - 2008 by Mike Healan or their respective owners.
All rights reserved.
Use of this site and its services is subject to our terms of use.
