"Jonathan A. Zdziarski" wrote:
>
> This seems an awful lot to me like a Remote Code Execution Scam...
>
> I received an email addressed to "Undisclosed Recipients" notifying me
> that I received an E-Card today, so I went to the site
> http://www.surprisecards.net/viewcard.htm?id_num=[Undisclosed]&card=Pick+up
> to view the card. Oddly, I received a security warning asking me if
> I wanted to allow some code to run on my machine.

The mentioned page tries to download a CAB file, "e-card_viewer.cab",
which contains the file "potd.dll".

From <http://and.doxdesk.com/parasite/Cytron.html>:

-----------------------------------------------------------------------
Cytron

Description

Cytron is an Internet Explorer Browser Helper Object. It scans the
content of pages being viewed for keywords and opens pop-up advertising
when they are detected.

Also known as POTD, after the filename and BHO name; Burnaby, the
internal object name; TargetingSource, the name used to describe the
control in Downloaded Program Files.

Distribution

Installed by ActiveX drive-by download on a page pointed to by mail
claiming you have received an 'e-card'. The ActiveX control purports to
be a viewer for e-cards.

What it does

Advertising: Yes. When IE is started for the first time it attempts to
connect to Cytron's servers to download a list of keywords to look for,
and URLs of pop-ups to open.
Privacy violation: No.
Security issues: No.
Stability problems: None known.

Removal

First deregister the Cytron BHO. Open a DOS command prompt
(Start->Programs->Accessories) and enter the following commands:

    cd "%WinDir%\System"
    regsvr32 /u "%WinDir%\Downloaded Program Files\potd.dll"

You should then be able to delete the 'TargetingSource' entry in
Downloaded Program Files (in the Windows folder), and the registry key
HKEY_CURRENT_USER\Software\POTD (Start->Run->regedit).

Links

* Cytron wrote the ActiveX control.
-----------------------------------------------------------------------

Regards,
Axel Pettinger

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
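A read-only audit for the Cytron/POTD indicators named in the doxdesk.com excerpt, added here as an example and not part of the original post or of doxdesk.com; it assumes the file path and registry key exactly as doxdesk gives them, a PowerShell host on the affected machine, and that the Browser Helper Objects registry list is where IE looks up BHO CLSIDs.

```powershell
# Added example, not from the original post or doxdesk.com. Reports the
# Cytron/POTD indicators described above without changing anything, so the
# result can be reviewed before the documented removal steps are run.
# Assumptions: run as the affected user (the POTD key lives under HKCU) with
# read access to HKLM and HKEY_CLASSES_ROOT.

$findings = @()

# 1. The dropped control in Downloaded Program Files (path as on doxdesk.com).
$dll = Join-Path $env:WinDir 'Downloaded Program Files\potd.dll'
if (Test-Path $dll) {
    $findings += "DLL present: $dll"
}

# 2. The per-user registry key the parasite creates.
if (Test-Path 'HKCU:\Software\POTD') {
    $findings += 'Registry key present: HKCU\Software\POTD'
}

# 3. Any registered Browser Helper Object whose COM server is potd.dll.
#    BHOs are listed by CLSID under this key; the CLSID's InprocServer32
#    default value is the DLL path Internet Explorer will load at start-up.
$bhoKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
if (Test-Path $bhoKey) {
    Get-ChildItem $bhoKey | ForEach-Object {
        $clsid  = $_.PSChildName
        $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        if (Test-Path $server) {
            $path = (Get-ItemProperty $server).'(default)'
            if ($path -and $path -match 'potd\.dll') {
                $findings += "BHO $clsid loads $path"
            }
        }
    }
}

if ($findings.Count -gt 0) {
    Write-Output 'Cytron/POTD indicators found:'
    $findings | ForEach-Object { Write-Output "  $_" }
    Write-Output 'See the removal steps above (regsvr32 /u, then delete the TargetingSource entry and HKCU\Software\POTD).'
} else {
    Write-Output 'No Cytron/POTD indicators found.'
}
```

On 64-bit Windows the 32-bit IE BHO list is under the Wow6432Node branch of the same key, so repeat step 3 there if the control was installed by a 32-bit browser.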
This archive was generated by hypermail 2b30 : Sun Sep 29 2002 - 14:47:31 PDT