From: Axel Pettinger (api_at_epost.de)
Date: Sun Sep 29 2002 - 04:16:58 CDT

    "Jonathan A. Zdziarski" wrote:
    >
    > This seems an awful lot to me like a Remote Code Execution Scam...
    >
    > I received an email addressed to "Undisclosed Recipients" notifying me
    > that I received an E-Card today, so I went to the site
    > http://www.surprisecards.net/viewcard.htm?id_num=[Undisclosed]&card=Pick+up
    > to view the card. Oddly, I received a security warning asking me if
    > I wanted to allow some code to run on my machine.

    The mentioned page tries to download a CAB file, "e-card_viewer.cab",
    which contains the file "potd.dll". From
    <http://and.doxdesk.com/parasite/Cytron.html>:

    -----------------------------------------------------------------------
    Cytron

    Description

    Cytron is an Internet Explorer Browser Helper Object. It scans the
    content of pages being viewed for keywords and opens pop-up advertising
    when they are detected.

    Also known as

    POTD, after the filename and BHO name; Burnaby, the internal object
    name; TargetingSource, the name used to describe the control in
    Downloaded Program Files.

    Distribution

    Installed by ActiveX drive-by download on a page pointed to by mail
    claiming you have received an 'e-card'. The ActiveX control purports to
    be a viewer for e-cards.

    What it does

    Advertising

    Yes. When IE is started for the first time it attempts to connect to
    Cytron's servers to download a list of keywords to look for, and URLs of
    pop-ups to open.

    Privacy violation

    No.

    Security issues

    No.

    Stability problems

    None known.

    Removal

    First deregister the Cytron BHO. Open a DOS command prompt
    (Start->Programs->Accessories) and enter the following commands:

         cd "%WinDir%\System"
         regsvr32 /u "%WinDir%\Downloaded Program Files\potd.dll"

    You should then be able to delete the 'TargetingSource' entry in
    Downloaded Program Files (in the Windows folder), and the registry key
    HKEY_CURRENT_USER\Software\POTD (Start->Run->regedit).

    Links

       * Cytron wrote the ActiveX control.
    -----------------------------------------------------------------------

    Regards,
    Axel Pettinger
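As an added defender-side example (not code from the original post or from the doxdesk write-up), the following PowerShell audit checks a host for the indicators named above (potd.dll in Downloaded Program Files and the HKCU\Software\POTD key) and, with -Remove, performs the same deregister-and-delete steps; it assumes the BHO is registered under the standard IE "Browser Helper Objects" key with its DLL path in HKCR\CLSID\{CLSID}\InprocServer32, which the page does not state.

```powershell
# Added example: audit for Cytron/POTD indicators; assumes the standard
# IE BHO registration layout (assumption, not stated on the page).
param([switch]$Remove)

$dll     = Join-Path $env:WinDir 'Downloaded Program Files\potd.dll'
$regKey  = 'HKCU:\Software\POTD'
$bhoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'

$findings = @()
if (Test-Path $dll)    { $findings += "DLL present: $dll" }
if (Test-Path $regKey) { $findings += "Registry key present: $regKey" }

# Resolve every registered BHO CLSID to its InprocServer32 DLL and flag potd.dll
if (Test-Path $bhoRoot) {
    Get-ChildItem $bhoRoot | ForEach-Object {
        $clsid  = $_.PSChildName
        $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        if (Test-Path $server) {
            $path = (Get-ItemProperty $server).'(default)'
            if ($path -and $path -match 'potd\.dll$') {
                $findings += "BHO $clsid registered -> $path"
            }
        }
    }
}

if ($findings.Count -eq 0) { Write-Output 'No Cytron/POTD indicators found.'; return }
$findings | ForEach-Object { Write-Output "FOUND: $_" }

if ($Remove) {
    # Mirror the manual steps quoted above: deregister the DLL, then remove
    # the file and the HKCU key. Run from an elevated prompt.
    if (Test-Path $dll) {
        Start-Process regsvr32.exe -ArgumentList '/u', '/s', "`"$dll`"" -Wait -NoNewWindow
        Remove-Item $dll -Force -ErrorAction SilentlyContinue
    }
    Remove-Item $regKey -Recurse -Force -ErrorAction SilentlyContinue
    Write-Output 'Removal attempted; re-run the audit and check IE add-ons after a restart.'
}
```

Run it without -Remove first to see what is present; the Downloaded Program Files "TargetingSource" entry is best removed through the IE interface as the write-up describes, since it is a cached control record rather than a plain file.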

    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management
    and tracking system please see: http://aris.securityfocus.com