Hosting Provided By

RE: 030.com

From: Arnold, Jamie <harnold(at)binghamton.edu>
Date: Fri Nov 08 2002 - 17:17:00 EST

030 and huntbar are 2 of many parasite programs that will install into the reg, put entries into the hosts file and other nasty activity. Huntbar can install programs on the infected machine without the users knowledge.

Bad stuff

-----Original Message-----

From: DonaldB@ecar.org [mailto:DonaldB@ecar.org] Sent: Friday, November 08, 2002 11:42 AM To: waitman@emkdesign.com
Cc: incidents@securityfocus.com
Subject: RE: 030.com

Google returned the following link regarding 030.com: http://boards.cexx.org/spyware/messages/2052.html

I strongly recommend using AdAware (with the most current signature file) from www.lavasoftusa.com

My $0.02,
DB

-----Original Message-----

From: Waitman C. Gobble [mailto:waitman@emkdesign.com] Sent: Friday, November 08, 2002 10:56 AM To: incidents@securityfocus.com
Subject: 030.com

Hello

Do you need help?

We realized earlier today that one of our Windows machines was attacked. Doing a keyword search from the address bar in Internet Explorer would send us to http://www.030.com. Modifying the system configuration and registry had no effect. After initial analysis it appears that the host file is tampered with, and an entry is made to trick Internet Explorer into sending you to the 030.com web site.

Fixing the host file worked fine until this afternoon, when it was hijacked again.

It really seems like it is an application on the machine, ie not coming from the Internet.

It also appears that the host file is modified again, either after reboot or while running a particular application.

Sending an email to the support contact at info@030.com received a reply instructing me to go to their web site and click on a link that is supposed to remove the spyware.

I sent emails to the IP block owners of both 030.com and the ip in the hosts file, requesting that they investigate this matter and terminate the activity.

I could care less if the owner of the site sends a friendly email instructing how to disable the thing. The hijacking should not have happened in the first place.

If anyone has the same problem with 030.com please contact me at your convenience.

Do you need more help?

Thanks and Best,

Waitman Gobble
EMK Design
5681 Beach Blvd Ste 101
Buena Park California, 90621
Toll Free in the US 877-290-2768
+1.7145222528

This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com

This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com Received on Mon Nov 11 15:49:35 2002

This message: [ Message body ]
Next message: atrinsig: "Re: IIS and leech"
Previous message: Onsite West Houston: "RE: Ip spoof from 0.0.0.0"
Maybe in reply to: Waitman C. Gobble: "030.com"
Reply: Nick FitzGerald: "Re: 030.com"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:50 EDT