Security Incidents mailing list archives

RE: 030 igetnet ignkeywords


From: "Christopher Wagner" <chrisw () pacaids com>
Date: Mon, 11 Nov 2002 15:46:13 -0800

It sounds like your user is busy clicking on too many things while browsing
the web.

Read this link, it seems to have some semi-comprehensive information on this
parasite.

http://217.115.153.75//parasite/IGetNet.html

All the updates and hotfixes and anti-virus products in the world can't stop
something if the user clicks "Yes" to running some silly ActiveX program.
Anti-virus products will not stop ActiveX programs from running if they're
ad-parasites since they're technically not "viruses."  IGetnet did not use
any "security holes" to install this, the user LET it run, or installed a
program that let it run.

If the user did NOT let it run, but it ran automatically when going to a
website, then the Internet Zone settings in your Internet Options are set
WAY too lax (i.e., it's set to let certain types of ActiveX scripts run
automatically without check).

I like the point someone made earlier, switch browsers.  I personally use
Opera for a considerable amount of my web browsing.  I even paid for the
non-ad copy.  The product is relatively secure, stable, and compatible with
most everything.  In addition, it does not allow many types of parasitic
scripts to run.  It even supports pop-up blocking. :)

Indeed, switching browsers and also installing a personal firewall of some
type to have it check all scripts before they run, have the user VERIFY that
the script about to run is from a site he is on and that he's SURE he knows
what it's doing.

- Christopher Wagner
chrisw () pacaids com

Packaging Aids Corporation - Information Systems
P.O. Box 9144
San Rafael, CA 94912-9144
http://www.pacaids.com/
(415) 454-4868 x116


-----Original Message-----
From: Waitman C. Gobble [mailto:waitman () emkdesign com]
Sent: Sunday, November 10, 2002 7:02 PM
To: incidents () securityfocus com
Subject: 030 igetnet ignkeywords


Hello

I have found more information regarding my original 030.com post.

The machine that is infected is running Windows XP Professional with all
service packs and hotfixes.

Additionally, it is running Norton Antivirus 2003 with the latest
database, and the machine checks clean.

There is a file running on boot:

C:\WINDOWS\WinStart.exe (the date of this file is November 11, 2002)

The file properties indicate that it originates from IGetNet, LLC. The
whois information shows that this is the owner of ignkeywords.com

Also, this file exists: C:\WINDOWS\prefetch\WINSTART.EXE-2C11637C.pf.

Its date and time reflect the last time the machine was booted. Please
note that I am not sure what this file is, but it seems to relate.

The machine now seems to go to ignkeywords.com, however sometimes it
goes to 030.com, which is what we originally observed.

The WinStart file is labelled as a "Browser Upgrade" in the file
properties thingy.

Thanks and Best

Waitman Gobble
EMK Design
Buena Park, California
+1.7145222528



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

