I received the following by e-mail today:
Aureate gathering information from you!!!!!
Here's one for you: if you have a folder in your Windows folder called amcdl, or amc, you have been "infected."
This information gathering program installs and uses some or all of the following files, based on your operating system, which are called every time you launch your browser:
htmdeng.exe
advert.dll
amcis.dll
amcis2.dll
ipcclient.dll
msipcsv.exe
amcompat.tlb
amstream.dll
advpack.dll
I searched and found some (not all) of them, including looking (or at least attempting to look) for "hidden" files.
I renamed the .dlls (in case something I must have *really* needs them), and emptied the ..\amc directory and made it read only, and (finally) created a ..\amcdl directory and made it read only.
The next step is to install ncimon or zonealarm.
OK folks, I have been busy "reviewing" the contents and code contained in the DLLs that Aureate makes use of. Here are a few of my findings up to this point:
advert.dll
This DLL creates a hidden window every time you open your browser. It creates and sends 4 pages of information to the Aureate servers using port 1749 on your system. These pages include:
1. Your name as listed in the system registry ( not the name you installed one of the programs with )
2. Your IP address
3. The reverse DNS match of your address. ( tells them what ISP and area of country you are in )
4. A listing of ALL software that is shown in your registry as being installed. ( Not just the companies they work with )
5. This DLL sends the following information to their server on all URLs you visit:
A.) ad banners you may click on
B.) all downloads you do showing the filename/file size/date/time/type of file (image, zip, executable, etc.)
C.) full time and date stamps of all your actions while using your browser
D.) the remote dialup number you are dialing in on (taken out of your dialer configuration)
E.) dialup password if saved, does not "appear" at first glance to send this through to them.
6. Contains programmers note: "Show me the money! I want to be Mike!"
advpack.dll
Used during the installation only to check for other needed files.
amcis.dll
This DLL modifies the following registry keys:
1. HKEY_CURRENT_CONFIG
2. HKEY_DYN_DATA
3. HKEY_PERFORMANCE_DATA
4. HKEY_USERS
5. HKEY_LOCAL_MACHINE
6. HKEY_CURRENT_USER
7. HKEY_CLASSES_ROOT
Unregisters oleaut32.dll from memory as provided by M$oft and replaces with its own calls. Switches back to M$oft's when browser is closed.
Creates stub processes to be started anytime your browser is opened.
amcompat.tlb
This guy tracks any multimedia clips ( video/pictures/sound ) that you view.
It tracks the rating level on the video/picture/sound and title / location. Contains references to DblClick ( still digging on this one! )
amstream.dll
Sets up TWO way communications between your system and theirs.
Used to send info and receive update commands/files. Opens port 1749 for communications.
This is all the further I have gone on the DLLs used by Aureate. I have also discovered that if you remove only one of the DLLs after it has been started once and is still in memory, the program will make its directory hidden and replace the missing DLL with a fresh one from their site.
Well, truth or hoax?!?
At least the files really do exist, or so I believe anyway. :-<
Regards, Chrisu