Security Incidents mailing list archives

030.com


From: "Waitman C. Gobble" <waitman () emkdesign com>
Date: 08 Nov 2002 07:56:00 -0800

Hello

We realized earlier today that one of our Windows machines was
attacked. Doing a keyword search from the address bar in Internet
Explorer would send us to http://www.030.com. Modifying the system
configuration and registry had no effect. After initial analysis it
appears that the host file is tampered with, and an entry is made to
trick Internet Explorer into sending you to the 030.com web site.

Fixing the host file worked fine until this afternoon, when it was
hijacked again.

It really seems like it is an application on the machine, i.e. not
coming from the Internet.

It also appears that the host file is modified again, either after
reboot or while running a particular application.

Sending an email to the support contact at info () 030 com received a
reply instructing me to go to their web site and click on a link that
is supposed to remove the spyware.

I sent emails to the IP block owners of both 030.com and the IP in the
hosts file, requesting that they investigate this matter and terminate
the activity.

I could care less if the owner of the site sends a friendly email
instructing how to disable the thing. The hijacking should not have
happened in the first place.

If anyone has the same problem with 030.com please contact me at your
convenience.

Thanks and Best,

Waitman Gobble
EMK Design
5681 Beach Blvd Ste 101
Buena Park California, 90621
Toll Free in the US 877-290-2768
+1.7145222528






----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
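
Added example, not part of the original post: a hosts-file audit for the kind of tampering the message describes. It lists every mapping that is new or changed relative to a saved known-good copy, so a repeat modification after a reboot shows up as a finding; the sample hostname and address are constructed placeholders, and the function names are this example's own.

```python
import ipaddress

# Names a stock hosts file legitimately maps to loopback.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}

def parse_hosts(text):
    """Return {hostname: ip} for every well-formed mapping in hosts-file text."""
    entries = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()   # strip comments, split columns
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                            # not an address: skip the line
        for name in fields[1:]:
            # Assumption: the first mapping for a name is the one that applies.
            entries.setdefault(name.lower(), str(ip))
    return entries

def audit(current_text, baseline_text=""):
    """List (hostname, ip, reason) for entries that differ from the baseline."""
    baseline = parse_hosts(baseline_text)
    findings = []
    for name, ip in sorted(parse_hosts(current_text).items()):
        if baseline.get(name) == ip:
            continue                            # unchanged known-good entry
        loopback = ipaddress.ip_address(ip).is_loopback
        if name in baseline:
            reason = "changed since baseline"
        elif loopback and name in LOOPBACK_NAMES:
            continue                            # stock localhost mapping
        elif loopback:
            reason = "new loopback entry"
        else:
            reason = "new redirect to remote address"
        findings.append((name, ip, reason))
    return findings

# Constructed sample data; the hostname and address are placeholders.
BASELINE = "127.0.0.1 localhost\n"
TAMPERED = ("# hosts\n"
            "127.0.0.1       localhost\n"
            "203.0.113.7     auto.search.example  # constructed entry\n")

if __name__ == "__main__":
    for name, ip, reason in audit(TAMPERED, BASELINE):
        print(f"{name} -> {ip}: {reason}")
```

On Windows NT, 2000 and XP the file to read is %SystemRoot%\System32\drivers\etc\hosts; running the audit at logon and again after launching each suspect application narrows down what rewrites it.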

