Important Differences to Know About Spyware and Viruses

Spyware and computer viruses might appear to have more in common than not, they are both malicious programs, they both impact system stability, and the effects of both can range from being a nuisance to inflicting serious damage. They are also both programs that require specialized tools for their removal. While these two different types of malicious programs might closely resemble each another at first glimpse, there are significant differences:

• Unlike viruses, the motivations behind spyware are financial, which has driven rapid technical innovation and broad distribution.

• Spyware is curiously difficult to locate for research, requiring specialized, proactive methods for discovery.

• Removing spyware is especially complicated and problematic because newer versions are highly adept at remaining on a system.

• The business impacts of spyware are greater, as it compromises privacy, threatens assets and affects productivity beyond even the damage caused by viruses.

The bottom line is that spyware presents a unique and serious problem that requires its own dedicated defenses. As spyware rapidly proliferates today, its well-funded developers are creating increasingly sophisticated versions, and it is clear that solutions devoted to handling the intricacies of spyware are necessary. The first line of defense is education, and understanding the unique threat spyware poses is the first step in a practical plan for protection.

Designed to Hide

One important way spyware is distinguished from viruses is discoverability. Antivirus vendors are able to deploy passive techniques for identifying new viruses, such as “honey-nets” that capture the malicious programs as they replicate themselves across the Internet. Because antivirus vendors can rely on these more passive research methods, they have not been as prepared for the active approach necessary to combat the unique challenges of spyware detection.

In order to maintain a definitions database that will effectively defend its users from newly released forms of spyware, an anti-spyware provider must actively seek out new threats and their source location. Keeping up with hundreds of adware companies and thousands of spyware writers is a daunting task. Furthermore, it is becoming even more specialized as increasingly advanced forms of spyware morph into new variations requiring more sophisticated approaches.

There are several approaches to spyware research, but each is technically challenging and resource intensive. One of the more interesting approaches used involves using webcrawler technology to find new threats before they can infect end users. This automated scanning of the Internet to identify new forms of spyware involves proprietary technologies and a specific understanding of spyware and its unique properties.

Difficult to Remove

Once installed on a system, the presence of spyware on the PC can be insidious. While viruses typically take the form of a single executable and might affect a few registry entries, spyware typically impacts multiple registry entries and potentially leaves dozens of application files spread across the hard drive or deep within the hardware. Sophisticated techniques are required to locate and remove these many components created by spyware applications.

In addition, spyware is becoming increasingly sophisticated in its staying power. New spyware programs use complex approaches, such as running separate processes that monitor each other. These programs are capable of reinstalling components and repopulating registry entries that have been removed. They are also capable of randomizing various elements of the program so that they leave a different footprint and are harder to track. To further complicate matters, if left unchecked many spyware applications are capable of downloading additional programs.

Consider for example the insidious spyware program called “Look2Me”. This malicious application gets deep inside your system. It uses Internet Explorer as the launching point to insert another file into the Windows area that controls system start up processes. By hooking itself in this way, it tricks your computer into believing that it is a critical process that must not be removed. If attempts are made to remove the files or their registry entries, Look2Me can automatically reboot the computer to restore itself.

Compared to spyware, the newly identified virus W32.Mydoom. CF@mm is malicious, but much less difficult to remove. The W32.Mydoom.CF@mm virus is a mass-mailing worm that rapidly propagates by mailing itself to addresses gathered from the compromised computer. It copies itself to a Windows system folder and modifies up to three registry entries so it can load when Windows starts up, but removal is as simple as deleting its file and erasing the text strings that it has inserted in the registry. Antivirus programs are designed for this type of task.

When faced with more difficult removal efforts, antivirus programs are not sufficient. Even just to remove some viruses, leading anti-virus vendors have had to build completely separate custom removal tools. Removing aggressive spyware is even more difficult. To be effective, an anti-spyware program must engage in the complex, multi-step process of extracting the spyware components and removing the traces left behind throughout the system. Spyware removal requires highly specialized techniques that are different from the fundamental processes performed by antivirus software.

Different Impact

Another important difference between spyware and viruses is the impact they make on computers and their users. Viruses are developed to cause mischief by clogging networks, bringing down systems, or in some cases, deleting information. Spyware, however, is designed to execute even more malicious objectives. In the hands of cyber criminals, spywares impact can be devastating, enabling them to violate personal privacy, access proprietary information, and steal financial assets. This was the case in a recent headline-making cyber theft in which spyware was used to steal $423 million from Sumitomo Mitsui bank.

In addition, even legitimate” adware programs make a significant negative impact on productivity. They often slow system performance, cause PC crashes, and result in lost time while infected systems are repaired. According to a Microsoft estimate, spyware causes more than half of Windows system crashes1, and Dell announced in 2004 that  a full 25% of the calls to its support staff were from users who had experienced degraded system performance caused by spyware2.

Unique Distribution

The way in which spyware proliferates is also different from viruses. For one, there are often more variants. While viruses may have a few variants or encourage copycat efforts, spyware is often programmatically designed to spin off its own variations, which can lead to a substantially greater number of spyware programs to contend with.

 In addition, while viruses are typically designed to spread themselves openly and obviously across networks, spyware is generally unwittingly downloaded and installed by computer users. Spywares focus is on stealthy delivery, and thus it proliferates more “silently”, which makes it more difficult to determine the scope of its dissemination. While antivirus solutions are focused on combating the more visible spread of viruses and worms, a spyware protection solution must be adept at exposing stealthy delivery methods.

Financially Motivated

Another important differentiator between spyware and viruses is the motivation for their creation in the first place. Viruses are often created by individuals or small groups with the intent of causing a nuisance, or testing their programming skills at the expense of others. Spyware, on the other hand, is financially motivated and represents a growing industry estimated at $2.5B. 

Backed by legitimate organizations with substantial financial resources, spyware is becoming increasingly sophisticated, and increasingly more difficult and complex to manage. With a strong financial motivation behind its advancement, spyware protection will continue to require highly specialized techniques.

Conclusion

In summary, spyware is uniquely difficult to identify, and it becomes entangled in the systems it infects, making its removal extremely complicated. Spywares impact can be dramatically different from that of viruses, resulting in significant loss to theft of assets and decreased

productivity. Finally, because it is financially motivated and backed by increasing investment from a thriving industry, spyware is advancing rapidly and becoming progressively more complex.

When examined more closely, it is apparent that spyware has very different properties from viruses. Understanding the unique properties of spyware is the first defense against its dangers. Dealing with spyware is a complex challenge that requires specialized techniques. Today more than ever, computer users need to rely on a dedicated solution designed specifically to help navigate the unique threats of spyware.

1 Brian Arbogast, Microsoft (corporate vice president of the Identity, Mobile and Partner Services Group

within Microsoft’s MSN and Personal Services Division), at a Federal Trade Commission spyware workshop,

according to a Microsoft press release on April 20, 2004 (http://www.microsoft.com/presspass/

features/2004/apr04/04-20Spyware.asp)

2 Ed Maguire, Merrill Lynch comment, Security Software: Gartner Security Summit Highlights, June 10, 2004

Networking Defined:

Networking is the act of connecting 2 or more computers together. This is
generally done using a cable known as CAT5e (from the name of the standard
describing the cable’s properties).

Today, though, we are not limited to wired infrastructures — a network can
also incorporate wireless connections (commonly known as Wi-Fi) for easier
use with mobile technology. Computer networking in its simple form is no
different than people networking with others. Both are used to share
ideas and information, collaborate, and pass along some form of data.

Whether you have 5 computers or 200, you will need to network them in order
to get anything done. The reason is simple – you need to share data,
resources, and internet – among many other tools.
If you are building new offices or need to network your current location,
New Age Digital can help you get wiring, set up the network’s infrastructure,
and provide and configure high speed internet access.

New Age Digital even has a solution for
networking Multi Tenant Facilities in
the Richmond, Virginia and surrounding areas.
If you have a building with multiple tenants and would like to provide them with
High Speed Internet access
then
call us and we will do a site survey . We can also provide
Internet access and server capabilities for a Multi Tenant office.

Significant Benefits Of Our Multi Tenant Solution

• Significant generation of non-rental income
• Unlimited users/entities are licensed on one server
• An excellent marketing differentiator for your property – market with an advantage
• Attractive facility for prospective tenants/purchasers
• Extremely cost-effective, with significant savings and the ability to make direct profits

Let’s say John Doe at Company abc.com runs Small Business Server 2003 and has a side business with the domain name xyz.com. John can easily receive email to jdoe@abc.com and jdoe@xyz.com. But when Joe sends an email, the recipient will see it comes from jdoe@abc.com. Joe has no option to send the email so it appears to come from jdoe@xyz.com.

This can be resolved by adding an SMTP account to the Outlook profile on the workstation. While not a perfect solution, it does allow users to select which email address they would like recipients to see. This solution is recommended for small sites where the administrative overhead is low and where only a few outgoing domains need to be selectable.

This solution has the following strengths:

1. Little or no modification needs to be made to Exchange.
2. It works great on single Exchange servers and SBS servers.
3. Email to all domains is still delivered immediately to the user’s Exchange mailbox. There is no need to have separate Personal Folder stores or profiles that users will forget to check and backup.

This solution has the following weaknesses:

1. The Outlook client will need an account added to the profile of each user that needs to have multiple outgoing addresses. An account will need to be added for each outgoing address (other than the primary). Multiple Outlook profiles on one computer or users that use Outlook on multiple computers will increase the administration burden.
2. While the alternate email address will show on the recipient’s copy, the email headers will still show the Exchange server’s primary domain. Most recipients won’t even know how to check email headers, but this solution is not appropriate when the appearance of complete separation of the domains needs to be achieved.
3. Outgoing addresses are not selectable under Outlook Web Access.
4. Outgoing email will always show the user’s primary address unless an alternate is selected. The user must select the alternate SMTP account even when replying to an email sent to the alternate email address. For example, John receives an email sent to jdoe@xyz.com (his primary is @abc.com). When John replies to the email he must select the xyz.com SMTP account when he sends the email or else his reply will go out as jdoe@abc.com.

These instructions will assume the user has administrative access to the Exchange and DNS servers on the network or is the administrator of a Microsoft Small Business Server. We will also assume the servers are running Windows 2003, Exchange 2003, and Outlook 2003 or SBS 2003. 2003 is not a requirement, but some steps will vary on other versions of SBS, Windows Server, and Outlook.

The first step in the process is to add the additional domains to the recipient policy on the Exchange server if it has not already been done. This will allow the Exchange Server to receive email sent to the additional domain(s).

1. Open Exchange System Manager, or drill down to your Exchange instance on the Server Management Page for Small Business Server.
2. Open Recipients and click on Recipient Policies.
3. Right click the Default Policy and select Properties.
4. Select the E-mail addresses tab and click New.
5. Select SMTP address and fill in the additional domain name with the @ symbol prefix (@xyz.com) and click OK.
6. You may modify the primary SMTP domain if desired, then click OK.
7. Repeat for each domain you want to add.

At this point, your users can receive email sent to the additional domain only if you edit each user account and add the address for them. I recommend right clicking the Default Policy and selecting Apply this policy now. This will make the additional domain active for all users. In effect, it creates a secondary email address for all of your Exchange users in the Default Policy (normally everyone).

Now DNS needs to be setup. External DNS is provided by a wide range of providers. You will need to contact your domain host to setup the necessary record for DNS. This may be your web hosting company or the company you registered the domain with. You will want to add an A record and MX record for the outside or public IP address of your Exchange server for the additional domain. A CNAME record that aliases an existing A record is fine, or you can use an existing A record. Please contact your domain host if you need help. You can contact us at New Age Digital if you would like to change your hosting service. We can assist with all of the details. This will need to be done for all domains for which you wish to receive email.

Next we will add the domain to your internal DNS server. This will normally be your Small Business Server or PDC in a multi-server environment.

1. Open your DNS MMC console. Normally accessed through Administrative Tools.
2. Right click Forward Lookup Zones and select New Zone.
3. Click Next on the New Zone Wizard and select Primary and click Next.
4. Choose the appropriate selection on the next screen. Normally the default is correct.
5. Enter your additional domain name (xyz.com) and click Next.
6. Normally you will not want dynamic updates, but this may vary depending on your needs. Dynamic updates are not necessary for this setup. Click Next and Finish.
7. Right click the domain you added and select new A record. You may need to expand the tree on the left side of the MMC console to activate the add function.
8. Enter the prefix for the A record in the name field. This should match the A record setup on the external DNS servers for the domain. For example, if an A record, mail.xyz.com, was setup on the external DNS servers, enter mail in the name field.
9. Type in the local IP address of your Exchange server and click Add Host. Please note that this is the internal IP address – not your outside or public IP address.
10. Repeat for each domain that you wish to use for outgoing email.

Add a new account to each Outlook profile on each computer that will need to send email out using the new email address.

1. In Outlook, select Tools, Email Accounts.
2. Select View or change existing email accounts and click Next.
3. Select Add, select POP3, and click Next.
4. Fill in the fields on the POP3 Internet account settings screen as follows:
5. Name . As you would like it to appear to recipients, usually the users full name.
6. Email address – The full email address using additional domain (jdoe@xyz.com).
7. Both POP3 and SMTP servers will be the host you setup in DNS (mail.xyz.com).
8. The username should be the login name of the user to the domain or Exchange server (jdoe).
9. The password is the user’s domain or Exchange password.
10. Do not test the account settings (see below). Click Next and Finish.
11. Make sure the Exchange account is still the default and that the user’s mailbox is the delivery location for all accounts by clicking on each account.
12. Repeat for each outgoing address you wish to add.
13. Repeat for each user and each Outlook profile that your users will use to send outgoing email on the additional addresses.

Most Exchange servers do not have POP3 enabled by default. It does not need to be enabled, nor do we need to make any firewall or router changes to allow POP3 traffic. The next step will be to disable the POP3 half of the new account. This will negate the need to make any changes to Exchange. It will also remove conflicts with some antivirus scanners with email scanning ability, and improve the speed of retrieving new messages. Exchange is already setup to receive incoming mail on the additional domains and that email will be delivered directly to the user’s mailbox on receipt.

The first thing to try is the default password “symantec”.

Older versions of Symantec Antivirus (before version 10)
have a password to access the console. This can be reset
by stopping the Symantec Antivirus services in the
Microsoft Services MMC and changing a registry key.
Changing this key will set the password back to the
default, but must be done with the services stopped.
Open regedit and change the following key’s value and
restart the services.

HKLM\SOFTWARE\INTEL\LANDesk\VirusProtect6

\CurrentVersion\ConsolePassword

Value: 1084A085DC6BD2D755D4D6A7726

Symantec Antivirus version 10 has both a login name
and password. This can be reset by using the iforgot.exe
program that is located under the
Program Files\Symantec\Symantec System Center\Tools folder.
You will need to know the login name for the iforgot.exe
program to reset the password.

1) Go to http://companyweb and select the Vacation Calendar on the left. You can add the calendar to your Other Calendars list by clicking on the Link to Outlook button at the top of the Calendar. The downside to this method is that the calendar is read only in Outlook. You cannot add items to the intranet Vacation Calendar in Outlook, you have to go to the intranet site and submit new items there. Method two is almost as easy and is fully editable in Outlook.

2) To make the shared calendar in Outlook, click the Folder List button at the very bottom left of the Outlook Window. This will display your entire folder list in Outlook. At the bottom of the list is Public Folders. Folders and items in those folders are accessible and editable by everyone (by default). Expand Public Folders, then right click All Public Folders, select New Folder, Choose Calendar Items, and give it a name. You can put it on your list of calendars by right clicking on it and selecting Add to Favorites. Next time you click on your Calendar it will show up in your Other Calendars list. Select it and it will display on a split pane with your personal calendar. Once it is created, it will show up in everyone’s Outlook Folder List under Public Folders, but they will have to add it to their favorites for it to show up on their Other Calendar list.

This is a common error message that occurs when a user is deleted and the
mailbox retention time is set to a value other than 0.

The Job Notification reports:

(Server: “Servername”) (Job: “Backup 00006″) Backup 00006 — The job
failed with the following error: The directory is invalid.

The error in the job log reports:

Completed status: Failed

Final error: 0xe000fe09 – The directory is invalid.

Final error category: Resource Errors

For additional information regarding this error refer to
link V-79-57344-65033

Backup- \\SERVER\Microsoft Exchange Mailboxes V-79-57344-65033
- Directory not found. Cannot backup directory ?User Name [uname] and its subdirectories.

Link to Veritas Support Doc:

mhttp://seer.entsupport.symantec.com/docs/241981.htm

You can set the deleted mailbox retention time to 0 to fix the
problem, but this will disable the ability to recover a deleted
mailbox. Open the Server Management screen on the server and
expand the Advanced Management section. Drill down through the
Exchange instance, Servers, Servername, First Storage Group,
Mailbox Store. Right click on the Mailbox Store and select
Properties. Go to the Limits tab, and change the option Keep
Deleted Mailboxes for (Days) to the appropriate amount of
days that the mailbox should stay on the server to 0.

The other option is to train the person that is responsible
for deleting users to purge the mailbox after deleting the
user. Open the Server Management screen on the server and
expand the Advanced Management section. Drill down through
the Exchange instance, Servers, Servername, First Storage
Group, Mailbox Store, Mailboxes. Right click the Mailboxes
folder in the left pane and click the Run Cleanup Agent.
Recently deleted user’s mailboxes will be in the list with
a small red “x” on them. Right click the recently deleted
user.s mailbox and select Purge. Please note that selecting
yes will permanently delete the mailbox and the email therein
will not be retrievable except from previous backups.

Error: 2

I have only run into this error once, and I am still not
sure what caused the problem. My guess is that a program
that included an SQL SP3a backend was installed on the
server that had SP4 already installed on it.

The job log reported:

V-79-57344-33938 – Backup or restore operation terminated
abnormally. An error occurred on a query to database.

0xe0008492 – Database Query Failure. See the job log for details.

Link to Veritas Support Doc:
http://seer.entsupport.symantec.com/docs/276443.htm

The solution was as follows:

1. In the SQL 7.0 installation path (by default \Mssql7\Binn)
   rename the DLL’s Sqlresld.dll and Sqlvdi.dll to
   Sqlresld7.old and Sqlvdi7.old
2. Copy from the SQL 2000 installation path (by default
   \Program Files\Microsoft SQL Server\80\COM) the DLL’s
   Sqlresld.dll and Sqlvdi.dll into the SQL 7.0 installation
   path (by default \Mssql7\Binn)
3. According to the Microsoft article, it is also recommended
   to place the Sqlunirl.dll and Sqlsvc.dll (into \Mssql7\Binn)
   due to the DLL’s dependencies.

Before I overwrote the files as the support document suggested,
I checked the file dates and sizes. The files to be overwritten
were older. I also stopped all SQL services before overwriting
the files, though the article did not specify to do so.

Error: 3

This was a seemingly random error that occurred out of the blue
after several weeks of successful backups.

The job log reported:

Completed status: Failed

Final error: 0xe00084f8 – The network connection to the Backup
Exec Remote Agent has been lost. Check for network errors.

Final error category: Resource Errors

Backup- SERVER\SHAREPOINT AOFO: Initialization failure on:
“\\SERVER\Microsoft Information Store\First Storage Group”.
Advanced Open File Option used: No.
The network connection failed during the snapshot. Check
the network, and then run the job again.

V-79-57344-65072 – The Exchange Store service is not
responding. Backup set canceled.
AOFO: Initialization failure on: “Shadow?Copy?Components”.
Advanced Open File Option used: No.
The network connection failed during the snapshot. Check the
network, and then run the job again.

V-79-57344-65072 – The connection to target system has
been lost. Backup set canceled.

This was resolved by changing the Resource Order of the
Exchange items. The Veritas solution was to try to backup
the Exchange Public Folders and Mailboxes in separate
jobs, but I found an alternate solution that resolved
the problem. It was as simple as setting the Public
Folder Store to be backed up before the Mailbox Store.
Thanks to the original poster in the Veritas Newsgroups.
I was not able to find the Newsgroup thread again to give
proper credit to the gentleman who came up with the solution.

Description:

The Network Load Balancing service failed to start due to the following error:

The service cannot be started, either because it is disabled or
because it has no enabled devices associated with it.

A supposed fix for this is to view the properties of the network
connections on the server and remove the check for the Network
Load Balancing Service in the list of Services. I have yet to
see this fix work.

The fix that I have found and use on my productions servers
requires a quick registry change. Please note that changing
the Windows registry can have disastrous results if you make
the wrong changes. If you are not sure about the changes you
are making, contact qualified professionals like New Age
Digital to assist you!

1. Start Registry Editor. Click Start, Run, type
   “regedit” in the Open box, and click OK.
2. Drill down to the
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WLBS
   registry key.
3. Right click the WLBS registry key and click Export.
   Save the file with a descriptive filename to a secure
   location. This will backup the registry key and allow
   you to restore the key if you make a mistake or decide
   to use Network Load Balancing in the future.
4. In the right window pane, right click registry
   entry named Group, and then click Modify.
5. Clear the Value data. Simply delete the PNP_TDI
   and leave the field blank. Click on OK, and close
   the Registry Editor.
6. On reboot the Error message will no longer be displayed.

If you wish to enable Network Load Balancing, browse to the
backup of the registry key and double click it. Windows will
ask you to confirm importing the data into the registry.
Approve the import and reboot. Note that any registry key
restore will overwrite existing registry values. Any changes
made to the other values under the WLBS key will be
overwritten as well.

To Password Protect the Normal.dot template:

1. Open Microsoft Word.
2. From the Tools menu, select Macro/Visual Basic Editor.
3. In the window labeled Project, click on Normal.
4. From the Tools menu, select Normal Properties, then click
   on the Protection tab.
5. Check the Lock Project for Viewing check box and type in
   a password twice and click OK.
6. From the File menu, select Close and Return to Microsoft
   Word, then close Word.

The next time you start Microsoft Word, the Normal.dot
template will be protected.

1. Click on Start and choose Run, type in Regedit and select OK.
2. Click on the plus sign to the left of HKEY_LOCAL_MACHINE.
3. Continue to drill down, always clicking on the plus sign at the
   left of the named key, through Software, Microsoft, Windows,
   Current Version and Policies.
4. Click on the Ratings folder.
5. In the right pane of the Regedit window, you’ll see an icon
   called Key. Click on it and press Delete. This will clear the
   Content Advisor password, but will not yet disable it.
6. Restart the computer and open Internet Explorer.
7. Select Tools, Internet Options. Click the Content tab and click
   on Disable. When asked for a password, just click on OK. You can
   now re-enable the Content Advisor with a new password or leave it off.