*GASP* Oh no! I should protect myself from the evils of spyware!!

From - Thu Feb 24 13:41:32 2005
X-Account-Key: account3
X-UIDL: 5b3e88889470ac6c232da6a25de84f18
X-Mozilla-Status: 0001
X-Mozilla-Status2: 10000000
X-Apparently-To: msmittens@msmittens.com via aa.bb.cc.dd; Thu, 24 Feb 2005 10:38:58 -0800
X-YahooFilteredBulk: aa.bb.cc.dd
Authentication-Results: aa.bb.cc.dd
  from=bbs-la.com; domainkeys=neutral (no sig)
X-Originating-IP: [aa.bb.cc.dd]
Return-Path: <yiodzyubsssuy@bbs-la.com>
Received: from aa.bb.cc.dd (EHLO aa.bb.cc.dd) (aa.bb.cc.dd)
  by aa.bb.cc.dd with SMTP; Thu, 24 Feb 2005 10:38:58 -0800
Received: from s160.itokyofl180.vectant.ne.jp (s160.ItokyoFL180.vectant.ne.jp [202.215.217.160])
  by aa.bb.cc.dd (Postfix) with SMTP id 104BE2B6DC7
  for <msmittens@msmittens.com>; Thu, 24 Feb 2005 13:38:54 -0500 (EST)
Received: from 199.107.184.204 by 202.215.217.160; Thu, 24 Feb 2005 17:33:53 -0100
Message-ID: <KPVEBQFWGOHIFDEMNFCZ@bellsouth.net>
From: "Gladys Foley" <yiodzyubsssuy@bbs-la.com>
Reply-To: "Gladys Foley" <yiodzyubsssuy@bbs-la.com>
To: msmittens@msmittens.com
Subject: [Bulk] The new threat
Date: Thu, 24 Feb 2005 20:30:53 +0200
X-Mailer: CommuniGate Pro WebUser Interface v.4.1.6
X-Priority: 5
X-MSMail-Priority: Low
X-Antivirus: AVG for E-mail 7.0.300 [266.4.0]
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="=======AVGMAIL-421E1FDC5485======="

--=======AVGMAIL-421E1FDC5485=======
Content-Type: multipart/alternative; boundary=--2868619857532587

----2868619857532587
Content-Type: text/plain
Content-Transfer-Encoding: 7bit

globalcontinuity.com Magazine announce:
Spy-Control is the most important step you can take is to secure your system!
Free Download Here: http://bobble.fightpyco.net

Prevent the installation of hijackers spyware
Restrict the actions of potentially dangerous sites in Internet Explorer
Prevent Identity Theft
and other potentially unwanted pests.

Try our online scan now: http://violin.fightpyco.net




n^e_v*e_r a'g-a_!-n http://anglophobia.fightpyco.net/discon

----2868619857532587--
--=======AVGMAIL-421E1FDC5485=======
Content-Type: text/plain; x-avg=cert; charset=us-ascii
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline
Content-Description: "AVG certification"

No virus found in this incoming message.
Checked by AVG Anti-Virus.
Version: 7.0.300 / Virus Database: 266.4.0 - Release Date: 2/22/2005

--=======AVGMAIL-421E1FDC5485=======--
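Before following the link, the headers themselves deserve a look. The Python script below is an added example, not part of the original post: it parses the Received chain copied from the message above into delivery order, records which peer IP each relay actually saw on the wire, checks that the hop timestamps are consistent, and tests whether the domains the message claims for itself (From, Return-Path, Message-ID) ever appear anywhere in the path. It assumes the redacted aa.bb.cc.dd hosts are the recipient's own MTAs; that assumption is marked in the code.

```python
"""Trace the Received chain of the spam above and check whether the claimed
sender ever appears in it.  Added example; not part of the original post."""
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Headers copied from the message quoted above (body dropped).  "aa.bb.cc.dd"
# is the post's own redaction of the recipient-side relay addresses.
RAW_HEADERS = """\
Return-Path: <yiodzyubsssuy@bbs-la.com>
Received: from aa.bb.cc.dd (EHLO aa.bb.cc.dd) (aa.bb.cc.dd)
  by aa.bb.cc.dd with SMTP; Thu, 24 Feb 2005 10:38:58 -0800
Received: from s160.itokyofl180.vectant.ne.jp (s160.ItokyoFL180.vectant.ne.jp [202.215.217.160])
  by aa.bb.cc.dd (Postfix) with SMTP id 104BE2B6DC7
  for <msmittens@msmittens.com>; Thu, 24 Feb 2005 13:38:54 -0500 (EST)
Received: from 199.107.184.204 by 202.215.217.160; Thu, 24 Feb 2005 17:33:53 -0100
Message-ID: <KPVEBQFWGOHIFDEMNFCZ@bellsouth.net>
From: "Gladys Foley" <yiodzyubsssuy@bbs-la.com>
To: msmittens@msmittens.com
Subject: [Bulk] The new threat
Date: Thu, 24 Feb 2005 20:30:53 +0200

"""

# Assumption: the recipient's own MTAs are the redacted aa.bb.cc.dd hosts.
# Only Received lines stamped by these can be trusted; the rest were written
# by whoever relayed the message and can say anything.
TRUSTED_MTAS = {"aa.bb.cc.dd"}


def parse_received(value):
    """Split one Received header into from/by/peer-IP/timestamp."""
    flat = re.sub(r"\s+", " ", value).strip()
    clause, _, stamp = flat.rpartition(";")
    m_from = re.search(r"\bfrom\s+(\S+)", clause)
    m_by = re.search(r"\bby\s+(\S+)", clause)
    m_ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", clause)
    return {
        "from_host": m_from.group(1) if m_from else None,
        "by_host": m_by.group(1) if m_by else None,
        # IP the receiving MTA saw on the TCP connection, if it logged one
        "peer_ip": m_ip.group(1) if m_ip else None,
        "when": parsedate_to_datetime(stamp.strip()) if stamp.strip() else None,
    }


def delivery_path(raw):
    """Hops in chronological order: index 0 is the claimed origin."""
    msg = message_from_string(raw)
    return [parse_received(v) for v in reversed(msg.get_all("Received", []))]


def sender_domains(raw):
    """Domains the message claims for itself in From, Return-Path, Message-ID."""
    msg = message_from_string(raw)
    doms = set()
    for hdr in ("From", "Return-Path"):
        addr = parseaddr(msg.get(hdr, ""))[1]
        if "@" in addr:
            doms.add(addr.rsplit("@", 1)[1].lower())
    mid = msg.get("Message-ID", "")
    if "@" in mid:
        doms.add(mid.rsplit("@", 1)[1].strip("<> ").lower())
    return doms


def first_external_hop(path):
    """Walk back from the recipient side and stop at the first hop whose
    sender is not one of our own MTAs; its peer IP is the last verifiable fact."""
    for hop in reversed(path):
        if hop["by_host"] in TRUSTED_MTAS and hop["from_host"] not in TRUSTED_MTAS:
            return hop
    return None


def analyze(raw):
    path = delivery_path(raw)
    doms = sender_domains(raw)
    hosts = [h["from_host"] or "" for h in path] + [h["by_host"] or "" for h in path]
    stamps = [h["when"] for h in path if h["when"]]
    return {
        "path": path,
        "sender_domains": doms,
        "sender_domain_in_path": any(host.lower().endswith(d) for d in doms for host in hosts),
        "timestamps_monotonic": all(a <= b for a, b in zip(stamps, stamps[1:])),
        "first_external_hop": first_external_hop(path),
    }


if __name__ == "__main__":
    r = analyze(RAW_HEADERS)
    for i, hop in enumerate(r["path"]):
        print(f"hop {i}: {hop['from_host']} -> {hop['by_host']} "
              f"(peer {hop['peer_ip']}) at {hop['when']}")
    print("claimed sender domains:", sorted(r["sender_domains"]))
    print("appear anywhere in path:", r["sender_domain_in_path"])
    ext = r["first_external_hop"]
    print("last verifiable peer IP:", ext and ext["peer_ip"])
```

The innermost line, "from 199.107.184.204 by 202.215.217.160", was written by the vectant.ne.jp relay, not by anything the recipient controls, so the script stops trusting the chain at the Postfix hop and reports 202.215.217.160 as the last peer it can vouch for. Neither bbs-la.com (From, Return-Path) nor bellsouth.net (Message-ID) occurs anywhere in the path, which is the usual signature of a forged sender; the timestamps, once converted to UTC, are at least consistent with one another.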
So, let's visit their fine website. Oh my. I am in trouble. Look at what they say!!!:

95% of computers with an internet connection are now infected – most of the time, without your knowledge! Pop-ups, commercial websites and software like KaZaa are massively installing software which:
- Monitors your personal info (Chat Logs, Passwords, Emails, SSN)
- Dramatically Slows Down your computer, until it crashes
- Floods you with aggressive Pop-ups and Commercials
- Hides on your PC un-revealed by Anti-Virus or Firewall Programs
- Some cases even result in Credit Card Fraud or Identity Theft!
And all those fine companies "agree" that this is the "best" spyware product out there. Why, I'd better scan myself with their "fine product". So I download it and go to install it. Hrmm... Sygate says it needs to communicate with http://82.114.48.64/. Wonder what's there? An affiliate program?

Post Affiliate Pro is a powerful system that allows you to easily set up and maintain your own affiliate program and pay your affiliates commissions for clicks or sales that they refer to your site.
Using an affiliate system on your site is one of the most efficient ways to achieve more traffic, sales and better link popularity without additional costs.
Hrmm... Well, since it's so good, I'd better let it do it... HA!

I actually fired up Ethereal before this started, and, as you can see from the attached document, it was a rather interesting set of packets. Particularly Frame #10, where I get to see the cookie they left behind. After installing it I fired up HijackThis and got treated to this:

O3 - Toolbar: Spy-Control Toolbar - {F03817A9-5CB0-47ac-A1B3-0CCC1AD0A253} - C:\Program Files\Spy-Control\ToolBand.dll
O4 - HKLM\..\Run: [Spy-Control] C:\Program Files\Spy-Control\Spy-Control.exe /s
For those unaware, ToolBand.dll is an identified Cool Web Search evil. Doing a scan brought up some interesting responses. Apparently the following are spyware:

nsreg.dat
istactivex.inf
A~NSISu.exe
What is curious is that nsreg.dat is a Netscape profile database (and wow, oddly enough I can't see Google caches anymore... wonder how that happened). I haven't been able to fully research the other two, but I have doubts. IMO, there is no reason for a spyware program to do this stuff; it's just maliciously FUDing and abusing the average user. No wonder people get so confused.
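Those two HijackThis lines are the whole persistence footprint the tool saw, and both point into the same directory. The Python script below is an added example, not code from the post or from HijackThis: it parses O3 and O4 lines into the registry keys and files an analyst would inspect or remove and groups them by install directory, so everything belonging to one product is handled together. The registry locations are the standard ones those sections report on (the Run keys for O4; the Internet Explorer Toolbar key plus the CLSID's InprocServer32 registration for O3); the HJT_LINES list is copied from the log above.

```python
"""Turn HijackThis O3/O4 lines into the registry keys and files to check.
Added example; not code from the original post or from HijackThis."""
import ntpath
import re
from collections import defaultdict

# The two lines HijackThis reported above.
HJT_LINES = [
    r"O3 - Toolbar: Spy-Control Toolbar - {F03817A9-5CB0-47ac-A1B3-0CCC1AD0A253} - C:\Program Files\Spy-Control\ToolBand.dll",
    r"O4 - HKLM\..\Run: [Spy-Control] C:\Program Files\Spy-Control\Spy-Control.exe /s",
]

HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}
# O4 abbreviates the autostart key; O3 entries are listed under IE's Toolbar key
# and resolve to a DLL through the CLSID's InprocServer32 registration.
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\{}"
IE_TOOLBAR_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar"
CLSID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
O3_RE = re.compile(r"^O3 - Toolbar: (?P<name>.*?) - (?P<clsid>" + CLSID + r") - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<value>[^\]]*)\] (?P<cmd>.+)$")
# Unquoted paths with spaces are common, so cut at the first executable extension.
EXE_RE = re.compile(r'^"?(?P<exe>.*?\.(?:exe|dll|com|bat|cmd|scr|pif))"?\s*(?P<args>.*)$', re.I)


def split_command(cmd):
    """'C:\\Program Files\\x\\y.exe /s' -> ('C:\\Program Files\\x\\y.exe', '/s')."""
    m = EXE_RE.match(cmd.strip())
    if not m:
        return cmd.strip(), ""
    return m.group("exe"), m.group("args").strip()


def parse_line(line):
    """Return a dict describing one O3 or O4 entry, or raise ValueError."""
    m = O3_RE.match(line)
    if m:
        clsid = m.group("clsid").upper()   # registry is case-insensitive; normalise
        return {
            "section": "O3", "name": m.group("name"), "clsid": clsid,
            "file": m.group("path").strip(), "args": "",
            "registry": [IE_TOOLBAR_KEY + " (value " + clsid + ")",
                         "HKEY_CLASSES_ROOT\\CLSID\\" + clsid + "\\InprocServer32"],
        }
    m = O4_RE.match(line)
    if m:
        exe, args = split_command(m.group("cmd"))
        hive = HIVES.get(m.group("hive"), m.group("hive"))
        key = hive + "\\" + RUN_KEY.format(m.group("key"))
        return {
            "section": "O4", "name": m.group("value"), "clsid": None,
            "file": exe, "args": args,
            "registry": [key + " (value " + m.group("value") + ")"],
        }
    raise ValueError("unsupported HijackThis line: " + line)


def group_by_install_dir(entries):
    """Group entries by the directory their file lives in (case-insensitive)."""
    groups = defaultdict(list)
    for e in entries:
        groups[ntpath.dirname(e["file"]).lower()].append(e)
    return dict(groups)


def triage(lines):
    return group_by_install_dir([parse_line(l) for l in lines])


if __name__ == "__main__":
    for folder, entries in triage(HJT_LINES).items():
        print(folder + ":")
        for e in entries:
            print(f"  [{e['section']}] file {e['file']} {e['args']}".rstrip())
            for key in e["registry"]:
                print("       reg  " + key)
```

Both entries land in one group, c:\program files\spy-control, with the DLL, the EXE and three registry locations to look at; the grouping is what tells you, after the uninstaller has run, whether anything from that directory or those keys is still there.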

Always be paranoid... Now off to see what other nasties it left behind after the uninstall.