Re: E-Card Remote Code Execution Scam

From: Axel Pettinger (apiat_private)
Date: Sun Sep 29 2002 - 02:16:58 PDT


    "Jonathan A. Zdziarski" wrote:
    > 
    > This seems an awful lot to me like a Remote Code Execution Scam...
    > 
    > I received an email addressed to "Undisclosed Recipients" notifying me
    > that I received an E-Card today, so I went to the site
    > http://www.surprisecards.net/viewcard.htm?id_num=[Undisclosed]&card=Pick+up 
    > to view the card.  Oddly, I received a security warning asking me if
    > I wanted to allow some code to run on my machine.  
    
    The mentioned page tries to download a CAB file, "e-card_viewer.cab",
    which contains the file "potd.dll". From
    <http://and.doxdesk.com/parasite/Cytron.html>:
    
    -----------------------------------------------------------------------
    Cytron
    
    
    Description
    
    Cytron is an Internet Explorer Browser Helper Object. It scans the 
    content of pages being viewed for keywords and opens pop-up advertising 
    when they are detected.
    
    Also known as
    
    POTD, after the filename and BHO name; Burnaby, the internal object 
    name; TargetingSource, the name used to describe the control in 
    Downloaded Program Files.
    
    Distribution
    
    Installed by ActiveX drive-by download on a page pointed to by mail 
    claiming you have received an 'e-card'. The ActiveX control purports to 
    be a viewer for e-cards.
    
    What it does
    
    Advertising
    
    Yes. When IE is started for the first time it attempts to connect to 
    Cytron's servers to download a list of keywords to look for, and URLs of 
    pop-ups to open.
    
    Privacy violation
    
    No.
    
    Security issues
    
    No.
    
    Stability problems
    
    None known.
    
    Removal
    
    First deregister the Cytron BHO. Open a DOS command prompt 
    (Start->Programs->Accessories) and enter the following commands:
    
         cd "%WinDir%\System"
         regsvr32 /u "%WinDir%\Downloaded Program Files\potd.dll"
    
    You should then be able to delete the 'TargetingSource' entry in 
    Downloaded Program Files (in the Windows folder), and the registry key 
    HKEY_CURRENT_USER\Software\POTD (Start->Run->regedit).
    
    Links
    
       * Cytron wrote the ActiveX control.
    -----------------------------------------------------------------------
    
    Regards,
    Axel Pettinger
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
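    Added here as an audit-and-removal script, not code from Axel's message or
    from the doxdesk page: it checks for the three traces the quoted removal
    instructions name (potd.dll in Downloaded Program Files, the HKCU\Software\POTD
    key, and the BHO registration) and, with -Remove, applies the same steps in the
    same order. It assumes modern PowerShell and the standard Browser Helper Objects
    registration key under HKLM; the BHO's CLSID is not on the page, so it is
    discovered by resolving each registered CLSID's InprocServer32 path.

```powershell
# Audit (and optionally remove) the Cytron/POTD BHO described in the thread.
# Added example, not from the original post. Run in the affected user's session;
# -Remove needs an elevated prompt. The "TargetingSource" shell entry in
# Downloaded Program Files is approximated here by removing the DLL itself.
param([switch]$Remove)

$potdDll = Join-Path $env:WinDir 'Downloaded Program Files\potd.dll'
$potdKey = 'HKCU:\Software\POTD'
$bhoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'

$findings  = @()
$bhoClsids = @()

if (Test-Path -LiteralPath $potdDll) { $findings += "DLL present: $potdDll" }
if (Test-Path -LiteralPath $potdKey) { $findings += "Registry key present: $potdKey" }

# IE only loads a BHO whose CLSID is listed under $bhoRoot. Resolve each CLSID's
# InprocServer32 default value and flag any that points at potd.dll (assumption:
# the CLSID is unknown, so it is matched by DLL name rather than hard-coded).
if (Test-Path -LiteralPath $bhoRoot) {
    foreach ($k in Get-ChildItem -LiteralPath $bhoRoot) {
        $clsid = $k.PSChildName
        $srv   = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32"
        if (Test-Path -LiteralPath $srv) {
            $path = (Get-ItemProperty -LiteralPath $srv).'(default)'
            if ($path -and ($path -like '*potd.dll')) {
                $findings  += "BHO $clsid -> $path"
                $bhoClsids += $clsid
            }
        }
    }
}

if (-not $findings) { Write-Output 'No Cytron/POTD traces found.'; return }
$findings | ForEach-Object { Write-Output "FOUND: $_" }

if ($Remove) {
    # Same order as the doxdesk instructions: deregister the COM server first,
    # then delete the file, the BHO listing, and the per-user key.
    if (Test-Path -LiteralPath $potdDll) {
        & "$env:WinDir\System32\regsvr32.exe" /u /s $potdDll
        Remove-Item -LiteralPath $potdDll -Force -ErrorAction SilentlyContinue
    }
    foreach ($clsid in $bhoClsids) {
        Remove-Item -LiteralPath (Join-Path $bhoRoot $clsid) -Recurse -Force -ErrorAction SilentlyContinue
    }
    Remove-Item -LiteralPath $potdKey -Recurse -Force -ErrorAction SilentlyContinue
}
```

    Run without -Remove first to see what is present; the BHO listing is the
    check worth keeping, since a deregistered DLL left under Browser Helper
    Objects is simply re-loaded on the next IE start if it is ever re-registered.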
    
    This archive was generated by hypermail 2b30 : Sun Sep 29 2002 - 14:47:31 PDT