RE: [klmtfsat_private: Your Online Greeting Awaits You!]

From: markat_private
Date: Sun Aug 12 2001 - 14:58:08 PDT


    I ran the program in a restricted VMware sandbox to see what it was trying
    to do.  I only performed a textual analysis of the binaries, so there are
    probably more nasty things that this software does that I'm not aware of.
    
    It's definitely hostile but doesn't seem to be terribly destructive.  It's a
    money-making scam.  They redirect your browser and default home page to
    their commissioned page-view based ad accounts.
    
    The Terms of Service of the software has you agree to them controlling your
    default home page for the next 25 years.  A copy is attached.
    
    Here's what your new home page is set to:
    -------------------------------------------------------------------------------
    <html>
    <head>
    <title>Microsoft Internet Explorer</title>
    <meta name="GENERATOR" content="Microsoft FrontPage 4.0">
    <meta name="ProgId" content="FrontPage.Editor.Document">
    </head>
    
    <frameset rows="23%,*">
      <frame name="top" src="http://209.123.183.50/kc/" target="_top">
      <frame name="bottom" src="http://www.melvista.com/kc/">
      <noframes>
      <body>
    
      <p>This page uses frames, but your browser doesn't support them.</p>
    
      </body>
      </noframes>
    </frameset>
    
    </html>
    <noscript> <meta http-equiv="refresh"
    content="0;URL=http://www.yestopia.com/topsites.html"></noscript>
    <script src="http://www.melvista.com/kc/frames/frame.js">
    </script>
    
    -------------------------------------------------------------------------------
    
    The domain name "greetingcardsusa.cc" was registered yesterday according to
    the registrar's records, so it hasn't been out there very long.  
    
    
    --
    Mark Saum
    Fidelis Consulting Corporation
    Dallas, TX
    
    P.S. I didn't post this back to incidents, as this is an analysis.
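    The textual analysis described above can be made repeatable. The following is an
    added example and is not code from the original post or from the analysed software:
    it parses the captured home page reproduced above with Python's standard
    html.parser and pulls out every URL the page would load or redirect to without
    any user action (frame and script sources and meta-refresh targets), then flags
    the page when it contains an immediate refresh or pulls content from hosts that
    are not on an allow-list. The BENIGN_PAGE string is a constructed sample used only
    as a negative case; the function and variable names are this example's own.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# The home page captured in the analysis above, reproduced verbatim.
CAPTURED_HOME_PAGE = """<html>
<head>
<title>Microsoft Internet Explorer</title>
<meta name="GENERATOR" content="Microsoft FrontPage 4.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
</head>

<frameset rows="23%,*">
  <frame name="top" src="http://209.123.183.50/kc/" target="_top">
  <frame name="bottom" src="http://www.melvista.com/kc/">
  <noframes>
  <body>

  <p>This page uses frames, but your browser doesn't support them.</p>

  </body>
  </noframes>
</frameset>

</html>
<noscript> <meta http-equiv="refresh"
content="0;URL=http://www.yestopia.com/topsites.html"></noscript>
<script src="http://www.melvista.com/kc/frames/frame.js">
</script>
"""

# Constructed benign sample (not from the post): no remote loads, no refresh.
BENIGN_PAGE = '<html><head><title>Intranet</title></head><body><a href="/docs">Docs</a></body></html>'

# Matches the value of a meta refresh, e.g. "0;URL=http://host/path" (case-insensitive).
_REFRESH_RE = re.compile(r"\s*(\d+)\s*;\s*url\s*=\s*['\"]?([^'\"]+)", re.I)


class RedirectIndicatorParser(HTMLParser):
    """Collect every URL the page loads or redirects to on its own:
    frame/iframe src, script src, and meta http-equiv="refresh" targets.
    Tags after </html> are still parsed, which is exactly the case above."""

    def __init__(self):
        super().__init__()
        self.frames = []      # frame/iframe src URLs, in document order
        self.scripts = []     # external script URLs
        self.refreshes = []   # (delay_seconds, target_url) pairs

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # html.parser lower-cases attribute names for us
        if tag in ("frame", "iframe") and a.get("src"):
            self.frames.append(a["src"])
        elif tag == "script" and a.get("src"):
            self.scripts.append(a["src"])
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = _REFRESH_RE.match(a.get("content") or "")
            if m:
                self.refreshes.append((int(m.group(1)), m.group(2).strip()))


def extract_indicators(html):
    """Return the auto-loaded URLs and the sorted set of hosts they point to."""
    p = RedirectIndicatorParser()
    p.feed(html)
    p.close()
    urls = p.frames + p.scripts + [url for _, url in p.refreshes]
    hosts = sorted({urlsplit(u).hostname for u in urls if urlsplit(u).hostname})
    return {"frames": p.frames, "scripts": p.scripts,
            "refreshes": p.refreshes, "hosts": hosts}


def looks_like_hijack_page(html, trusted_hosts=()):
    """True if the page redirects immediately (delay 0) or pulls frames or
    scripts from any host that is not in trusted_hosts."""
    ind = extract_indicators(html)
    immediate_refresh = any(delay == 0 for delay, _ in ind["refreshes"])
    untrusted = [h for h in ind["hosts"] if h not in trusted_hosts]
    return immediate_refresh or bool(untrusted)


if __name__ == "__main__":
    for name, url in (("frame", u) for u in extract_indicators(CAPTURED_HOME_PAGE)["frames"]):
        print(name, url)
    print("hosts:", extract_indicators(CAPTURED_HOME_PAGE)["hosts"])
    print("hijack page:", looks_like_hijack_page(CAPTURED_HOME_PAGE))
```

    Feed it the file that the browser's start page points to (or a saved copy of
    the page) and the host list gives you the indicators to block or watch for; the
    meta refresh inside noscript is caught as well, which is the path a browser with
    scripting disabled would take.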
    
    This archive was generated by hypermail 2b30 : Sun Aug 12 2001 - 21:46:58 PDT