Security Incidents mailing list archives

RE: 030.com
From: "Arnold, Jamie" <harnold () binghamton edu>
Date: Fri, 8 Nov 2002 17:17:00 -0500

030 and huntbar are 2 of many parasite programs that will install into the
reg, put entries into the hosts file and other nasty activity.  Huntbar can
install programs on the infected machine without the user's knowledge.

Bad stuff

-----Original Message-----
From: DonaldB () ecar org [mailto:DonaldB () ecar org] 
Sent: Friday, November 08, 2002 11:42 AM
To: waitman () emkdesign com
Cc: incidents () securityfocus com
Subject: RE: 030.com


Google returned the following link regarding 030.com:
http://boards.cexx.org/spyware/messages/2052.html

I strongly recommend using AdAware (with the most current signature file)
from www.lavasoftusa.com

My $0.02,
DB


-----Original Message-----
From: Waitman C. Gobble [mailto:waitman () emkdesign com]
Sent: Friday, November 08, 2002 10:56 AM
To: incidents () securityfocus com
Subject: 030.com


Hello

We realized earlier today that one of our Windows machines was attacked.
Doing a keyword search from the address bar in Internet Explorer would send
us to http://www.030.com. Modifying the system configuration and registry
had no effect. After initial analysis it appears that the host file is
tampered with, and an entry is made to trick Internet Explorer into sending
you to the 030.com web site.

Fixing the host file worked fine until this afternoon, when it was hijacked
again.

It really seems like it is an application on the machine, i.e. not coming from
the Internet.

It also appears that the host file is modified again, either after reboot or
while running a particular application.

Sending an email to the support contact at info () 030 com received a reply
instructing me to go to their web site and click on a link that is supposed
to remove the spyware.

I sent emails to the IP block owners of both 030.com and the IP in the hosts
file, requesting that they investigate this matter and terminate the
activity.

I could care less if the owner of the site sends a friendly email
instructing how to disable the thing. The hijacking should not have happened
in the first place.

If anyone has the same problem with 030.com please contact me at your
convenience.

Thanks and Best,

Waitman Gobble
EMK Design
5681 Beach Blvd Ste 101
Buena Park California, 90621
Toll Free in the US 877-290-2768
+1.7145222528






----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more
information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
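
As an added example (not part of the original thread): a small Python check for the kind of hosts-file redirect described in the messages above. It lists every mapping that sends a hostname to a non-loopback address and is not in an approved baseline; the sample file contents, hostnames and addresses are constructed placeholders, and the function names are this example's own.

```python
import ipaddress

# Constructed sample hosts file (not from the original thread). 203.0.113.10 is a
# documentation-range address and the *.example.test names are placeholders.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
203.0.113.10    search.example.test   # injected entry
::1             localhost
0.0.0.0         ads.example.test
garbage line without address
"""

def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping in hosts-file text."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        body = raw.split("#", 1)[0].strip()   # drop comments
        if not body:
            continue
        fields = body.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                          # first field is not an address: skip line
        for name in fields[1:]:
            yield line_no, ip, name.lower()

def audit_hosts(text, baseline=frozenset()):
    """Return mappings that point a name at a real (non-loopback, non-null) address
    and are not in the approved baseline of (ip_string, hostname) pairs."""
    findings = []
    for line_no, ip, name in parse_hosts(text):
        if ip.is_loopback or ip.is_unspecified:
            continue                          # localhost and 0.0.0.0 entries redirect nowhere
        if (str(ip), name) in baseline:
            continue
        findings.append((line_no, str(ip), name))
    return findings

if __name__ == "__main__":
    # On Windows NT-family systems the file is %SystemRoot%\System32\drivers\etc\hosts.
    for line_no, ip, name in audit_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {ip} (not in baseline)")
```

Running the check again after a reboot and after starting each suspect application shows at which point the entry comes back.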
