
Thread: Oh woe's me!

  1. #1
    Just a Virtualized Geek MrLinus
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323

    Oh woe's me!

    *GASP* Oh no! I should protect myself from the evils of spyware!!

    From - Thu Feb 24 13:41:32 2005
    X-Account-Key: account3
    X-UIDL: 5b3e88889470ac6c232da6a25de84f18
    X-Mozilla-Status: 0001
    X-Mozilla-Status2: 10000000
    X-Apparently-To: msmittens@msmittens.com via aa.bb.cc.dd; Thu, 24 Feb 2005 10:38:58 -0800
    X-YahooFilteredBulk: aa.bb.cc.dd
    Authentication-Results: aa.bb.cc.dd
    from=bbs-la.com; domainkeys=neutral (no sig)
    X-Originating-IP: [aa.bb.cc.dd]
    Return-Path: <yiodzyubsssuy@bbs-la.com>
    Received: from aa.bb.cc.dd (EHLO aa.bb.cc.dd) (aa.bb.cc.dd)
    by aa.bb.cc.dd with SMTP; Thu, 24 Feb 2005 10:38:58 -0800
    Received: from s160.itokyofl180.vectant.ne.jp (s160.ItokyoFL180.vectant.ne.jp [202.215.217.160])
    by aa.bb.cc.dd (Postfix) with SMTP id 104BE2B6DC7
    for <msmittens@msmittens.com>; Thu, 24 Feb 2005 13:38:54 -0500 (EST)
    Received: from 199.107.184.204 by 202.215.217.160; Thu, 24 Feb 2005 17:33:53 -0100
    Message-ID: <KPVEBQFWGOHIFDEMNFCZ@bellsouth.net>
    From: "Gladys Foley" <yiodzyubsssuy@bbs-la.com>
    Reply-To: "Gladys Foley" <yiodzyubsssuy@bbs-la.com>
    To: msmittens@msmittens.com
    Subject: [Bulk] The new threat
    Date: Thu, 24 Feb 2005 20:30:53 +0200
    X-Mailer: CommuniGate Pro WebUser Interface v.4.1.6
    X-Priority: 5
    X-MSMail-Priority: Low
    X-Antivirus: AVG for E-mail 7.0.300 [266.4.0]
    Mime-Version: 1.0
    Content-Type: multipart/mixed; boundary="=======AVGMAIL-421E1FDC5485======="

    --=======AVGMAIL-421E1FDC5485=======
    Content-Type: multipart/alternative; boundary=--2868619857532587

    ----2868619857532587
    Content-Type: text/plain
    Content-Transfer-Encoding: 7bit

    globalcontinuity.com Magazine announce:
    Spy-Control is the most important step you can take is to secure your system!
    Free Download Here: http://bobble.fightpyco.net

    Prevent the installation of hijackers spyware
    Restrict the actions of potentially dangerous sites in Internet Explorer
    Prevent Identity Theft
    and other potentially unwanted pests.

    Try our online scan now: http://violin.fightpyco.net




    n^e_v*e_r a'g-a_!-n http://anglophobia.fightpyco.net/discon

    ----2868619857532587--
    --=======AVGMAIL-421E1FDC5485=======
    Content-Type: text/plain; x-avg=cert; charset=us-ascii
    Content-Transfer-Encoding: quoted-printable
    Content-Disposition: inline
    Content-Description: "AVG certification"

    No virus found in this incoming message.
    Checked by AVG Anti-Virus.
    Version: 7.0.300 / Virus Database: 266.4.0 - Release Date: 2/22/2005

    --=======AVGMAIL-421E1FDC5485=======--
    So, let's visit their fine website. Oh my. I am in trouble. Look at what they say!!!:

    95% of computers with an internet connection are now infected – most of the time, without your knowledge! Pop-ups, commercial websites and software like KaZaa are massively installing software which:
    - Monitors your personal info (Chat Logs, Passwords, Emails, SSN)
    - Dramatically Slows Down your computer, until it crashes
    - Floods you with aggressive Pop-ups and Commercials
    - Hides on your PC un-revealed by Anti-Virus or Firewall Programs
    - Some cases even result in Credit Card Fraud or Identity Theft!
    And all those fine companies "agree" that this is the "best" spyware product out there. Why, I better scan myself with their "fine product". So I download it and go to install it. Hrmm.. Sygate says it needs to communicate with http://82.114.48.64/. Wonder what's there? An affiliate program?

    Post Affiliate Pro is a powerful system that allows you to easy set up and maintain your own affiliate program and pay your affiliates commissions for clicks or sales that they refer to your site.
    Using affiliate system on your site is one of the most efficient ways to achieve more traffic, sales and better link popularity without additional costs.
    Hrmm... Well, since it's so good I better let it do it... HA!

    I actually fired up Ethereal before this started and as you can see from the attached document, it was a rather interesting set of packets. Particularly Frame #10, where I get to see the cookie they left behind. After installing it I fired up HijackThis and got treated to this:

    O3 - Toolbar: Spy-Control Toolbar - {F03817A9-5CB0-47ac-A1B3-0CCC1AD0A253} - C:\Program Files\Spy-Control\ToolBand.dll
    O4 - HKLM\..\Run: [Spy-Control] C:\Program Files\Spy-Control\Spy-Control.exe /s
    For those unaware, ToolBand.dll is an identified Cool Web Search evil. Doing a scan brought up some interesting responses. Apparently the following are spyware:

    nsreg.dat
    istactivex.inf
    A~NSISu.exe
    What is curious is that the nsreg.dat is a Netscape Profile database (and wow, oddly enough I can't see Google caches anymore.. wonder how that happened). I haven't been able to fully research the other two but I have doubts. IMO, there is no reason for a spyware program to do this stuff and it's just maliciously abusing FUDing and the average user. No wonder people get so confused.

    Always be paranoid.. now off to see what other nasties it left behind after the uninstall.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage
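
Walking the quoted headers programmatically, as an added example that is not part of the original post. It re-embeds a trimmed copy of the message above as a constructed sample (the anonymised `aa.bb.cc.dd` of the post is kept as the receiving MX name) and pulls out what a header read looks for: which Received line our own MX wrote (only that one is trustworthy), what the sender claims underneath it, whether the hop clocks run forwards, the From domain against the Message-ID domain, and the fact that the "AVG certification" part travels inside the message body and is therefore the sender's own text, not the recipient's scanner. The function and field names are the example's own.

```python
"""Triage of the spam message quoted above: which header claims can the
receiving MX vouch for, and which are simply the sender's own words?"""
import email
import re
from email import policy
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample: a trimmed copy of the headers and MIME body quoted in
# the post. "aa.bb.cc.dd" stands for the anonymised receiving MX, as there.
RAW_MESSAGE = """\
Return-Path: <yiodzyubsssuy@bbs-la.com>
Received: from s160.itokyofl180.vectant.ne.jp (s160.ItokyoFL180.vectant.ne.jp [202.215.217.160])
    by aa.bb.cc.dd (Postfix) with SMTP id 104BE2B6DC7
    for <msmittens@msmittens.com>; Thu, 24 Feb 2005 13:38:54 -0500 (EST)
Received: from 199.107.184.204 by 202.215.217.160; Thu, 24 Feb 2005 17:33:53 -0100
Message-ID: <KPVEBQFWGOHIFDEMNFCZ@bellsouth.net>
From: "Gladys Foley" <yiodzyubsssuy@bbs-la.com>
To: msmittens@msmittens.com
Subject: [Bulk] The new threat
Date: Thu, 24 Feb 2005 20:30:53 +0200
X-Mailer: CommuniGate Pro WebUser Interface v.4.1.6
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="=======AVGMAIL-421E1FDC5485======="

--=======AVGMAIL-421E1FDC5485=======
Content-Type: multipart/alternative; boundary=--2868619857532587

----2868619857532587
Content-Type: text/plain
Content-Transfer-Encoding: 7bit

Spy-Control is the most important step you can take is to secure your system!
Free Download Here: http://bobble.fightpyco.net

----2868619857532587--
--=======AVGMAIL-421E1FDC5485=======
Content-Type: text/plain; x-avg=cert; charset=us-ascii
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline
Content-Description: "AVG certification"

No virus found in this incoming message.
Checked by AVG Anti-Virus.

--=======AVGMAIL-421E1FDC5485=======--
"""

HOP_RE = re.compile(r"\bfrom\s+(?P<from>[^\s;]+).*?\bby\s+(?P<by>[^\s;]+)", re.S)


def received_hops(msg):
    """Relay chain oldest-first. Every MTA prepends its own Received line, so
    the last line in the header block is the first (and least verifiable) hop."""
    hops = []
    for raw in reversed(msg.get_all("Received", [])):
        line = " ".join(str(raw).split())  # unfold continuation lines
        m = HOP_RE.search(line)
        # The timestamp follows the last ';'; drop comments such as "(EST)".
        stamp = re.sub(r"\([^)]*\)", "", line.rsplit(";", 1)[-1]).strip() if ";" in line else ""
        hops.append({
            "from": m.group("from") if m else None,
            "by": m.group("by") if m else None,
            "when": parsedate_to_datetime(stamp) if stamp else None,
        })
    return hops


def domain_of(header):
    """Domain part of the first address in a From / Return-Path style header."""
    return parseaddr(str(header or ""))[1].rpartition("@")[2].lower()


def in_body_av_stamps(msg):
    """Leaf parts that claim to be an antivirus certification. Such a part is
    inside the message, so the sender wrote it; it proves nothing about scanning."""
    stamps = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_param("x-avg") or "avg" in str(part.get("Content-Description", "")).lower():
            stamps.append(part.get_content().strip().splitlines()[0])
    return stamps


def triage(raw, own_mx):
    """Summarise what the headers claim and which of it our MX can vouch for."""
    msg = email.message_from_string(raw, policy=policy.default)
    hops = received_hops(msg)
    # Only a Received line written *by* our own MX is ours; everything below
    # it in the header block was handed to us by the sender and can say anything.
    trusted = [h for h in hops if h["by"] == own_mx]
    date_hdr = parsedate_to_datetime(str(msg["Date"]))
    return {
        "from_domain": domain_of(msg["From"]),
        "return_path_domain": domain_of(msg["Return-Path"]),
        "message_id_domain": str(msg["Message-ID"]).strip("<> ").rpartition("@")[2].lower(),
        "handoff_to_mx": trusted[0]["from"] if trusted else None,
        "untrusted_hops": [h["from"] for h in hops if h["by"] != own_mx],
        "clocks_monotonic": all(a["when"] and b["when"] and a["when"] <= b["when"]
                                for a, b in zip(hops, hops[1:])),
        "date_offset_hours": date_hdr.utcoffset().total_seconds() / 3600,
        "av_stamp_parts": in_body_av_stamps(msg),
    }


if __name__ == "__main__":
    for key, value in triage(RAW_MESSAGE, "aa.bb.cc.dd").items():
        print(f"{key:>20}: {value}")
```

Run against the sample, the only hop our MX can speak for is the handoff from `s160.itokyofl180.vectant.ne.jp`; the hop beneath it (from 199.107.184.204), the bellsouth.net Message-ID on a bbs-la.com sender, the CommuniGate X-Mailer and the in-body "AVG certification" part are all sender-supplied. The Date header sits at +0200 while the two relay stamps are at -0100 and -0500; that alone is not proof of forgery, since converted to UTC the times are consistent, which is why the check compares absolute times rather than offsets.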

  2. #2
    AO Senior Cow-beller
    Moderator
    zencoder
    Join Date
    Dec 2004
    Location
    Mountain standard tribe.
    Posts
    1,177
    Viruses, Trojans, and Worms, Oh My!

    I really hate these FUD parasites. They are the close relative of the stereotype 'ambulance chaser lawyer'. There was a company a few years ago making a Back Orifice detection/prevention/cleaning tool. After some research, it was found to be complete bollocks (nigil, tiger, help me out here? Did I do that right? Or is it Bullocks?!? I *love* cursing and using euphemisms that are not native to my east-coast-come-mid-west American accent.)

    Anyway, the guy who found this 'product' to be a steaming pile of crap created a site that explained all about B.O., how to protect yourself and remove it, and basically knocking this company and its product. Their lawyer was tougher than his lawyer, and the comments got yanked. And they continued to sell this garbage. *sigh*
    "Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
    Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
    "...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore

  3. #3
    Senior Member
    Join Date
    Jun 2002
    Posts
    394
    bollocks is good. or, if you are reeeally cool, bollox.

    "feck" is definitely in my top ten. along with shite. (note the appended e).

    .

    i think this spyware crap is after getting way out of control and the people behind them should be dealt with like the writers of modern worms.

    worms, trojans, spyware, etc. they are all different, technically speaking. but they all have at least this in common. they are all programs executing on your machine by someone else. that's stealing! cpu cycles.
    Hmm...there's something a little peculiar here. Oh i see what it is! the sentence is talking about itself! do you see that? what do you mean? sentences can't talk! No, but they REFER to things, and this one refers directly-unambiguously-unmistakably-to the very sentence which it is!

  4. #4
    AO Senior Cow-beller
    Moderator
    zencoder
    Join Date
    Dec 2004
    Location
    Mountain standard tribe.
    Posts
    1,177
    shiite is a fave of mine as well. Back in my Diablo II:LoD days, I had a paladin named Holy Shiite that always got me some laughs. If used right, people can't tell if you're talking about a member of a Muslim sect or if you're a Texan cursing.
    "Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
    Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
    "...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore

  5. #5
    ********** |ceWriterguy
    Join Date
    Aug 2004
    Posts
    1,608
    Heh. Texans would've recognized it - we don't say Holy Shiite... we say Holy Sheeeeit!
    Even a broken watch is correct twice a day.

    Which coder said that nobody could outcode Microsoft in their own OS? Write a bit and make a fortune!

  6. #6
    Just a Virtualized Geek MrLinus
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    As a follow-up, it did appear that my Mozilla/Firefox was also infected with a hijacker that didn't seem evident. What was particularly weird was the fact that IE wasn't infected (go figure!). And, it specifically infected Google caches. So if I did a search on my name and then attempted to view the cache I got this:

    Your search - cache:psBCkxPj6YYJ:http://www.msmittens.com/index.php?/...things-to-have!.html MsMittens - did not match any documents.
    Weirdly enough, it seems to be resolved now (I'm attempting to do a deep scan using Ad-Aware and CWShredder along with a quick view of Hijackthis). It seems clean but not sure if I'm missing something... ideas anyone?
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  7. #7
    Road Apples, Horse Hockey ... those are some of my favorites. 'Course, I ain't from the east coast.

    Thanks for the analysis, MsMittens. I always enjoy these. You're braver than me, letting that stuff get on your system on purpose! I have to spend enough time on other machines without having to clean up my own.

    It's easier just to keep it clean.

  8. #8
    Senior Member
    Join Date
    Jan 2005
    Posts
    100
    Weirdly enough, it seems to be resolved now (I'm attempting to do a deep scan using Ad-Aware and CWShredder along with a quick view of Hijackthis). It seems clean but not sure if I'm missing something... ideas anyone?
    So with me being still wet-behind-the-ears with Winders admin, would removing the program and doing the above pretty much clean the pipes of your machine - or would you need to review the registry as well? What about the MS-Spyware Beta?

    And for the side discussion:

    My wife and I lifted the term "Frell" from Farscape instead of using the f-bomb. We save the f-bomb for driving. Or just use our German-English combopulation of Scheit!

    'Course didn't Cartman's Mom say something like "Ok honeykins - go make bears!"
    "An ant may well destroy a whole dam." - Chinese Proverb
    "Not only can water float a craft, it can sink it also." - Chinese Proverb

  9. #9
    Just a Virtualized Geek MrLinus
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    So with me being still wet-behind-the-ears with Winders admin, would removing the program and doing the above pretty much clean the pipes of your machine - or would you need to review the registry as well? What about the MS-Spyware Beta?
    The program was removed and I did check the registry prior to this. I was racking my brain somewhat as to why it did this. The one registry setting that I'll need to look for later would be the one that designates/identifies the default browser. I suspect that was the one that got compromised by this little tool.

    And I don't trust MS' product. I'm not a big fan of the all-in-one concept and would rather have options available to me other than what they want me to use (I'm a big fan of the CyberInsecurity of a Monopoly paper).
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  10. #10
    Regal Making Handler
    Join Date
    Jun 2002
    Posts
    1,668
    MsM go here http://www.fightpyco.net/affiliate_overview.php? and try to sign up.

    Not Found

    The requested URL /affiliate_signup.php" was not found on this server.
    Apache/2.0.52 (Unix) DAV/2 PHP/4.3.10 Server at www.fightpyco.net Port 80
    Me thinks this is a scam.
    What happens if a big asteroid hits the Earth? Judging from realistic simulations involving a sledge hammer and a common laboratory frog, we can assume it will be pretty bad. - Dave Barry
