RE: 030.com

From: Arnold, Jamie (harnoldat_private)
Date: Fri Nov 08 2002 - 14:17:00 PST

  • Next message: atrinsig: "Re: IIS and leech"

    030 and huntbar are 2 of many parasite programs that will install into the
    reg, put entries into the hosts file and other nasty activity.  Huntbar can
    install programs on the infected machine without the users knowledge.
    
    Bad stuff
    
    -----Original Message-----
    From: DonaldBat_private [mailto:DonaldBat_private] 
    Sent: Friday, November 08, 2002 11:42 AM
    To: waitmanat_private
    Cc: incidentsat_private
    Subject: RE: 030.com
    
    
    Google returned the following link regarding 030.com:
    http://boards.cexx.org/spyware/messages/2052.html
    
    I strongly recommend using AdAware (with the most current signature file)
    from www.lavasoftusa.com
    
    My $0.02,
    DB
    
    
    -----Original Message-----
    From: Waitman C. Gobble [mailto:waitmanat_private]
    Sent: Friday, November 08, 2002 10:56 AM
    To: incidentsat_private
    Subject: 030.com
    
    
    Hello
    
    We realized earlier today that one of our Windows machines was attacked.
    Doing a keyword search from the address bar in Internet Explorer would send
    us to http://www.030.com. Modifying the system configuration and registry
    had no effect. After initial analysis it appears that the host file is
    tampered with, and an entry is made to trick Internet Explorer into sending
    you to the 030.com web site.
    
    Fixing the host file worked fine until this afternoon, when it was hijacked
    again.
    
    It really seems like it is an application on the machine, ie not coming from
    the Internet.
    
    It also appears that the host file is modified again, either after reboot or
    while running a particular application.
    
    Sending an email to the support contact at infoat_private received a reply
    instructing me to go to their web site and click on a link that is supposed
    to remove the spyware.
    
    I sent emails to the IP block owners of both 030.com and the ip in the hosts
    file, requesting that they investigate this matter and terminate the
    activity.
    
    I could care less if the owner of the site sends a friendly email
    instructing how to disable the thing. The hijacking should not have happened
    in the first place.
    
    If anyone has the same problem with 030.com please contact me at your
    convenience.
    
    Thanks and Best,
    
    Waitman Gobble
    EMK Design
    5681 Beach Blvd Ste 101
    Buena Park California, 90621
    Toll Free in the US 877-290-2768
    +1.7145222528
    
    
    
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service. For more
    information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service. For more
    information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Mon Nov 11 2002 - 12:49:01 PST