Re: 030 igetnet ignkeywords

["J. Foobar" <jfoobar1 () yahoo com>]

I have recently detected a few internal machines being
solicited to download a file called
"Internet.Explorer.Browser.Security.Upgrade.exe"

I perform a parse of proxy logs looking for .exe
downloads by users in my enterprise periodically
(maybe 3 times a week) and I have just noticed this
for the first time a few days ago in the 3-4 months I
have been doing this.

I have a close look at the traffic of the one internal
dolt stupid enough to actually download the file.  He
was surfing animatedgif.com, which is pop-up and
cookie hell, and was probably solicited to download
this by the IP 216.40.225.62, which serves some sort
of "Keyword Tracking" function and is an IP assigned
to Everyones Internet, Inc (ev1.net, Texas). 

I wonder if they are related, at least conceptually.

I have not yet had a chance to examine the end user's
machine and I do not yet know if he was silly enough
to actually run the .exe.

Regards,
Justin  


--- "Waitman C. Gobble" <waitman () emkdesign com> wrote:
> Hello
>
> I have found more information regarding my original
> 030.com post.
>
> The machine that is infected is running Windows XP
> Professional with all
> service packs and hotfixes.
>
> Additionally, it is running Norton Antivirus 2003
> with the latest
> database, and the machine checks clean.
>
> There is a file running on boot:
>
> C:\WINDOWS\WinStart.exe (the date of this file is
> November 11, 2002)
>
> The file properties indicate that it originates from
> IGetNet, LLC. The
> whois information shows that this is the owner of
> ignkeywords.com
>
> Also, this file exists:
> C:\WINDOWS\prefetch\WINSTART.EXE-2C11637C.pf.
>
> It's date and time reflect the last time the machine
> was booted. Please
> note that I am not sure what this file is, but it
> seems to relate.
>
> The machine now seems to go to ignkeywords.com,
> however sometimes it
> goes to 030.com, which is what we originally
> observed.
>
> The WinStart file is labelled as a "Browser Upgrade"
> in the file
> properties thingy.
>
> Thanks and Best
>
> Waitman Gobble
> EMK Design
> Buena Park, California
> +1.7145222528
----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS
> analyzer service.
> For more information on this free incident handling,
> management 
> and tracking system please see:
> http://aris.securityfocus.com


__________________________________________________
Do you Yahoo!?
U2 on LAUNCH - Exclusive greatest hits videos
http://launch.yahoo.com/u2

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com