Ironic.

[Soda_Popinsky]

I've been getting AIM spam lately. Mostly from generated names like aim236236437 and similar.

I decided to play Mr. Detective with the latest. It linked to here:
http://%74k.u%6b.to/zom/

From there I got 2 domains:
http://www.exitforcash.com/
http://public.windupdates.com

Some things I noticed:

1. User account "cheez" spammed me to hopefully earn .003 cents from exitforcash.com
2. public.windupdates.com sounds a lot like windows update.

3. windupdates has removal instructions on it's main page, obviously because people didn't want it there in the first place. I'm wondering what exploit it uses to get on your box in the first place, or if you unwillingly click OK to an activex download.

What is Wind Updates?

Wind Updates is free ad delivery software which provides targeted advertising offers.

How did Wind Updates get installed on your computer?

You downloaded Wind Updates from a Website that is able to offer its content for free because it shows the Wind Updates ActiveX popup. The Wind Update program is installed only once the user has agreed to it by clicking “ yes” on the ActiveX. Though the ActiveX, the user can review the license terms and privacy policy before installing the software. Each and every distributor is carefully reviewed to make sure that their distribution techniques abide by a strict code of conduct.

If you do not remember having seen an ActiveX prompt, you might have downloaded Wind Updates from a popular free software product (screensavers, games, file sharing software, etc.). Users always have to opt-in before installing the Wind Updates software.

Removal instructions:
Wind Updates supports many free software products through its advertising relevancy technology. If you remove Wind Updates from your system, certain free software that you installed may no longer function properly and you may have to reinstall them from a backup.

If you are sure that you want to remove Wind Updates from your computer just follow these two easy steps:

* Click Start -> Control Panel -> Add/Remove Programs
* Scroll to Wind Updates and click Remove

4. info@(no spam)exitforcash.com is the listed contact address on exitforcash. Funny, they can dish spam out but can't take it.

Contact information:
domain: windupdates.com
status: production
organization: CDT Inc.
owner: Domain Manager
email: [email protected]
address: P.O. Box 181
address: TMR P.O.
city: Mont-Royal
state: Quebec
postal-code: H3P3B9
country: CA
------------------------------
Exitforcash.com
Administrative Contact:
Waveflow Inc., Waveflow Inc. [email protected]
PO Box 87
Baysville, ON P0B 1A0
CA
705-669-9402
---------------------------------
http://www.waveflowinc.com has no website.


It seems these spammers are from Canada? I'm guessing they tried to get money for referrals from windupdates and exitforcash from the same linked page.

[jr05linux]

Thx man i have been haveing this same problem. But i just stopped using aim for a while. But now that i know what is going on hopefully i can set her straight...lol

oh yah by the way nice Mr. Detective plaing...lol Wish i could of figured it out actually.

[|3lack|ce]

We should give these idjits a dose of their own medicine, and spam them with technical stuff so far beyond their comprehension as to cause their brains to implode. where's maddox when ya need him?