Vulnerability Development mailing list archives

RE: [klmtfs () pridemail com: Your Online Greeting Awaits You!]


From: mark () fidelisconsulting com
Date: Sun, 12 Aug 2001 16:58:08 -0500

I ran the program in a restricted VMWare sandbox to see what it was trying
to do.  I only performed a textual analysis of the binaries, so there are
probably more nasty things that this software does that I'm not aware of.

It's definitely hostile but doesn't seem to be terribly destructive.  It's a
money-making scam.  They redirect your browser and default home page to
their commissioned page-view based ad accounts.

The Terms of Service of the software has you agree to them controlling your
default home page for the next 25 years.  A copy is attached.

Here's what your new home page is set to:
-------------------------------------------------------------------------------
<html>
<head>
<title>Microsoft Internet Explorer</title>
<meta name="GENERATOR" content="Microsoft FrontPage 4.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
</head>

<frameset rows="23%,*">
  <frame name="top" src="http://209.123.183.50/kc/" target="_top">
  <frame name="bottom" src="http://www.melvista.com/kc/">
  <noframes>
  <body>

  <p>This page uses frames, but your browser doesn't support them.</p>

  </body>
  </noframes>
</frameset>

</html>
<noscript> <meta http-equiv="refresh"
content="0;URL=http://www.yestopia.com/topsites.html"></noscript>
<script src="http://www.melvista.com/kc/frames/frame.js">
</script>

-------------------------------------------------------------------------------

The domain name "greetingcardsusa.cc" was registered yesterday according to
the registrar's records, so it hasn't been out there very long.  


--
Mark Saum
Fidelis Consulting Corporation
Dallas, TX

P.S. I didn't post this back to incidents, as this is an analysis.

Attachment: TOS.txt
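As an added example (not part of Mark's post), here is a small Python audit that parses a saved start page like the one quoted above and reports the remote frames, the meta refresh target and any script sources it would load, which is a quick way to confirm a hijacked home page during this kind of analysis. The sample page is a constructed, trimmed copy of the HTML quoted in the post.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a trimmed copy of the frameset start page quoted above.
HIJACKED_PAGE = """<html><head><title>Microsoft Internet Explorer</title></head>
<frameset rows="23%,*">
  <frame name="top" src="http://209.123.183.50/kc/" target="_top">
  <frame name="bottom" src="http://www.melvista.com/kc/">
</frameset></html>
<noscript><meta http-equiv="refresh"
content="0;URL=http://www.yestopia.com/topsites.html"></noscript>
<script src="http://www.melvista.com/kc/frames/frame.js"></script>
"""


class StartPageAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.uses_frameset = False
        self.findings = []  # (kind, url) in document order

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "frameset":
            self.uses_frameset = True
        elif tag in ("frame", "iframe", "script") and a.get("src"):
            self.findings.append((tag, a["src"]))
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            # content looks like "0;URL=http://..." - keep what follows the '='
            _, _, target = a.get("content", "").partition("=")
            if target:
                self.findings.append(("meta-refresh", target.strip()))


def audit_start_page(html):
    """Return the remote hosts a saved start page reaches and why it looks hijacked."""
    parser = StartPageAuditor()
    parser.feed(html)
    hosts = sorted({h for h in (urlparse(u).hostname for _, u in parser.findings) if h})
    kinds = {kind for kind, _ in parser.findings}
    reasons = []
    if parser.uses_frameset and "frame" in kinds:
        reasons.append("frameset pulls its frames from remote hosts")
    if "meta-refresh" in kinds:
        reasons.append("meta refresh redirects to another site")
    if "script" in kinds:
        reasons.append("remote script is loaded")
    if any(host.replace(".", "").isdigit() for host in hosts):
        reasons.append("a frame or script host is a bare IP address")
    return {"findings": parser.findings, "hosts": hosts, "reasons": reasons}
```

Run `audit_start_page` over the HTML saved from the browser's start page setting; an empty `reasons` list means the page loads nothing remote and needs no further attention.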