I ran the program in a restricted VMWare sandbox to see what it was trying to do. I only performed a textual analysis of the binaries, so there are probably more nasty things that this software does that I'm not aware of. It's definitely hostile but doesn't seem to be terribly destructive. It's a money-making scam. They redirect your browser and default home page to their commissioned page-view based ad accounts. The Terms of Service of the software has you agree to them controlling your default home page for the next 25 years. A copy is attached.

Here's what your new home page is set to:

-------------------------------------------------------------------------------
<html>
<head>
<title>Microsoft Internet Explorer</title>
<meta name="GENERATOR" content="Microsoft FrontPage 4.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
</head>
<frameset rows="23%,*">
  <frame name="top" src="http://209.123.183.50/kc/" target="_top">
  <frame name="bottom" src="http://www.melvista.com/kc/">
  <noframes>
  <body>
  <p>This page uses frames, but your browser doesn't support them.</p>
  </body>
  </noframes>
</frameset>
</html>
<noscript>
<meta http-equiv="refresh" content="0;URL=http://www.yestopia.com/topsites.html"></noscript>
<script src="http://www.melvista.com/kc/frames/frame.js">
</script>
-------------------------------------------------------------------------------

The domain name "greetingcardsusa.cc" was registered yesterday according to the registrar's records, so it hasn't been out there very long.

--
Mark Saum
Fidelis Consulting Corporation
Dallas, TX

P.S. I didn't post this back to incidents, as this is an analysis.
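The hijacked start page above combines three loads from hosts the user never chose: frameset frames, a meta-refresh fallback inside noscript, and a remote script. The following is an added example, not part of the original post, that parses a saved start-page file and reports every such load whose host is not on an administrator's allow-list; the sample HTML and the hostnames in it are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample start page (not the one from the post): same frameset /
# noscript meta-refresh / remote-script shape, with documentation hostnames.
SAMPLE_HTML = """<html><head><title>Microsoft Internet Explorer</title></head>
<frameset rows="23%,*">
<frame name="top" src="http://203.0.113.10/kc/" target="_top">
<frame name="bottom" src="http://ads.example.net/kc/">
</frameset></html>
<noscript><meta http-equiv="refresh" content="0;URL=http://redirect.example.org/topsites.html"></noscript>
<script src="http://ads.example.net/kc/frames/frame.js"></script>
"""

class HijackIndicatorParser(HTMLParser):
    """Collect every external load the start page triggers, in document order."""

    def __init__(self):
        super().__init__()
        self.findings = []  # list of (kind, url)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lower-cases attribute names for us
        if tag == "frame" and a.get("src"):
            self.findings.append(("frame", a["src"]))
        elif tag == "script" and a.get("src"):
            self.findings.append(("script", a["src"]))
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            # content has the form "0;URL=http://..."; keep only the target
            _, _, target = (a.get("content") or "").partition("=")
            if target:
                self.findings.append(("meta-refresh", target.strip()))

def find_off_domain_loads(html, allowed_hosts):
    """Return (kind, url) pairs whose host is outside allowed_hosts.
    Loads addressed by a bare IP are always reported: a legitimate start
    page has no reason to frame content from a raw IP address."""
    parser = HijackIndicatorParser()
    parser.feed(html)
    suspicious = []
    for kind, url in parser.findings:
        host = (urlparse(url).hostname or "").lower()
        is_raw_ip = host.replace(".", "").isdigit()
        if is_raw_ip or host not in allowed_hosts:
            suspicious.append((kind, url))
    return suspicious

if __name__ == "__main__":
    for kind, url in find_off_domain_loads(SAMPLE_HTML, {"www.example.com"}):
        print(f"{kind:12} {url}")
```

Run it against the file Internet Explorer's start page setting points at; any frame, meta-refresh or script load reported here is a host the user did not pick and a candidate for the hijack described above.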
This archive was generated by hypermail 2b30 : Sun Aug 12 2001 - 21:46:58 PDT