Go!zilla spioniert?!?

[Chrisu]

Folgendes hab´ich heute per E-Mail bekommen:

Aureate gathering information from you!!!!!
Heres one for you, if you have a folder in your windows folder called amcdl, or amc, you have been "infected."
This information gathering program installs and uses some or all of the following files, based on your operating system, which are called everytime you
launch your browser:
htmdeng.exe
advert.dll
amcis.dll
amcis2.dll
ipcclient.dll
msipcsv.exe
amcompat.tlb
amstream.dll
advpack.dll
I searched and found some (not all) of them, including looking (or at least attemptind to look) for "hidden" files.
I Renamed the .dlls (in case something I must have *really* needs them), and emptied the ..\amc directory and made it read only, and (finally)created a ..\amcdl directory and made it read only.
The next step is to install ncimon or zonealarm.

OK folks, I have been busy "reviewing" the contents and code contained in the DLL's that Aureate makes use of. Here are a few of my findings up to this point:
advert.dll
This DLL creates a hidden window everytime you open your browser. It creates and sends 4 pages of information to the Aureate servers using port 1749
on your system, these pages include:

1. Your name as listed in the system registry ( not the name you installed one of the programs with )
2. Your IP address
3. The reverse DNS match of your address. ( tells them what ISP and area of country you are in )
4. A listing of ALL software that is shown in your registry as being installed. ( Not just the companies they work with )
5. This DLL sends the following information to their server on all URL's you visit:
A.) ad banners you may click on
B.) all downloads you do showing the filename/file size/date/time/type of file(image, zip,executable, etc)
C.) full time and date stamps of all your actions while using your browser
D.) the remote dialup number you are dialing in on (taken out of your dialer configuration)
E.) dialup password if saved, does not "appear" at first glance to send this through to them.
6. Contains programmers note: "Show me the money! I want to be Mike!"

advpack.dll
Used during the installation only to check for other needed files.

amcis.dll

This DLL modifies the following registry keys:
1. HKEY_CURRENT_CONFIG
2. HKEY_DYN_DATA
3. HKEY_PERFORMANCE_DATA
4. HKEY_USERS
5. HKEY_LOCAL_MACHINE
6. HKEY_CURRENT_USER
7. HKEY_CLASSES_ROOT

Unregisterss oleaut32.dll from memory as provided by M$oft and replaces with
its own calls. Switches back to M$oft's when browser is closed.
Creates stub processes to be started anytime your browser is opened.
amcompat.tlb

This guy tracks any multimedia clips ( video/pictures/sound ) that you view
It tracks the rating level on the video/picture/sound and title /
location. Contains references to DblClick ( still digging on this one! )

amstream.dll
Setups TWO way communications between your system and theirs.
Used to send info and receive update commands/files. Opens port 1749 for communications. This is all the further I have gone on the DLL's used by Aureate. I
have also discovered that if you remove only one of the DLL's after it has been
started once and is still in memory, the program will make its directory hidden and replace the missing DLL with a fresh one from their site.

Tja, Wahrheit oder Hoax?!?

Zumindest gibt´s die Files wirklich, ich glaub´s jedenfalls. :-<

Mfg, Chrisu

hi chrisu!
makier die mail und geh auf datei.. eigenschaften. vielleicht kannst du etwas aus dem header auslesen ob es ein hoax war.
mfg Franz

[Chrisu]

Nope, war anscheinend kein Hoax, ein Freund von mir hat eine ähnliche Meldung auf irgendeinem Board gefunden.
Der Webmaster von dort hat sogar eine Batch Datei angeboten, die die beanstandeten DLLs entfernt. Dürfte wahr sein.

Ciao, Chrisu

[Walt]

hallo franz,
stimmt leider - deutsche foren sind voll davon .... habe seit 1 woche keinen go!zilla mehr in betrieb, der diese ausspionier-firma aureate informiert - es sind entweder 278 oder 287 programme (schon alle?), die infos an aureate weitergeben :-<

mfg walt

p.s.
der link: http://www.nickles.de/news/m26/934.html und dort nach: "Trojaner - Schaut bitte rein! Sehr, sehr Wichtig!!!!!!!!!!!" suchen!

hi leute!
meine meinung dazu ist immer wieder die selbe: installiert euch das freeware programm PostDa..schaut euch am mailserver eure gelagerten mail`s an, was ihr nicht kennt oder wollt... löscht sie einfach und macht euch nicht verrückt.
mfg Franz

McAffee meint: HOAX
http://vil.nai.com/vil/ve98516.asp


Aureate meint: FALSE RUMORS
http://www.aureate.com/privacy/falserumors.html


... wie schon Großvater sagte: "Mocht's die Roß ned narrisch!"

P.S.: The (Costa Rica) Flesh Eating Banana Bacteria Hoax


Subject: CDC HEALTH DANGER WARNING

Dear Friend,

Please forward to everyone you love!!

The is VALIDATED FROM THE CDC. (center for disease control in Atlanta, Georgia)

Warning:

Several shipments of bananas from Costa Rica have been infected with necrotizing fasciitis, otherwise known as flesh eating bacteria. Recently this disease has decimated the monkey population in Costa Rica. We are now just learning that the disease has been able to graft itself to the skin of fruits in the region, most notably the Banana which is Costa Rica's largest export. Until this finding scientist were not sure how the infection was being transmitted. It is advised not to purchase Bananas for the next three weeks as this is the period of time for which bananas that have been shipped to the US with the possibility of carrying this disease. If you have eaten a banana in the last 2-3 days and come down with a fever followed by a skin infection seek "Medical Attention"!!!

The skin infection from necrotizing fasciitis is very painful and eats two to three centimeters of flesh per hour. Amputation is likely, death is possible..

If you are more than an hour from a medical center burning the flesh ahead of the infected area is advised to help slow the spread of the infection.

The FDA has been reluctant to issue a countrywide warning because of fear nationwide panic. They have secretly admitted that they feel upwards of 15,000 Americans will be affected by this but that these are acceptable numbers.

Please forward this to as many people you care about as possible as we do not feel 15,000 people is an acceptable number.

Manheim Research Institute Center for Disease Control Atlanta Georgia

[Walt]

franz,
das hat NIX mit emails zu tun, sondern es wird von "plötzlich" selbständig werdenden programmen ausgelöst, die sehnsucht nach zuhause haben und einiges aus deinem pc auslesen ....
keine sorge: ich will keinen "scheu machen" und i laß` eh die roß im stall *g*, nur: ZU vertrauensselig sollte man nicht sein (damit meine ich nicht die scans, die tun keinem weh!).

mfg walt

Firewall installieren, ZoneAlarm habe ich laufen, und meldet jedes Program, dass auf´s Internet zugreifen will bzw. auf meine Comp.

Vielleicht sendet aber auch ZoneAlarm Daten von mir .... (panic...)

Servus ;-))


PS: Vertrauen ist gut, Kontrolle besser.

[Kosh]

ZoneAlarm ist fein, aber etwas zu sensitiv und nicht gut konfigurierbar. Ausserdem verwendet es nicht die Sandbox-Technologie (zumindest weis ich nichts davon). Im PC-Professional 3/2000 gibts einen Desktop-Firewall Test.

hi leute /walt!
chrisu schreibt er hat eine e-mail bekommen mit diesem inhalt. darum mein vorschlag, alles was ich nicht kenne hat auf meinen pc nichts verloren.
gruss Franz