 
Subject: Re: Aureate Spies on You
From: G. Wilson (wilsongrOZEMAIL.COM.AU)
Date: Sun Feb 27 2000 - 13:27:05 CST


If what you say is only partly true it's still of considerable concern to
all of us. Perhaps it's time to distinguish between the traditional hacker
and the new breed of corporate entities that have vast amounts of venture
capital available to them to develop these new forms of hacking. In effect
what they're doing is reverse-hacking - from the corporate entity to
individual citizens. Maybe we should call them 'Corphachers'. To my mind,
in the long run we netizens stand to lose much more of our personal
freedoms and privacy to them than anything individual hackers can dream
up. For starters (unlike most hackers) their ultimate goal is always
profit, and to that end, with efficient marketing departments, these
pernicious and invasive (and expensive) tools will be marketed to us as
so-called products.

(Even today (whilst not in the same league but not far from it mind you) I
downloaded the new Eudora Mail 4.3 upgrade (the up-dater from 4.0 to 4.3
for existing users (4xto43Updater.exe)). This is marketed 'as free to
existing users of the full version 4.0'. [In a new strategy the free
version will carry advertisements and the paid-for copy won't] However, to
take advantage of free price and Eudora without ads I have to register with
them on-line with Eudora 4.3 in order to get the fix-everything
registration number. Of course, now Eudora has all my email
settings. This method of enforced-registration is much more than copyright
checking for the information is saleable, and what's more it's accurate, up
to date and so on.

To make matters worse you are not informed about this (it wasn't obvious to
me) before installation, and, of course, the up-dater into and over your
existing version 4.0. Needless to say I've not registered it with Eudora
for I did a backup and I've nuked parts of Windows 2000 to keep Eudora in
check [and that's a story in itself - stopping W2K from repairing itself -
which also means that these guys and Aureate etc. can now rely on
an O/S environment with very stable parameters to help them too]. For the
moment this email is coming to you in the 'Sponsored Mode' but without
sponsors. Naturally, my solution is not that satisfactory for it shouldn't
be necessary for me to tweak my O/S to stop this nonsense. And, of course,
most people won't or won't be able to do it so in reality Eudora has a win
- and we lose.

Ideally, consumers should stop using their product but it'd be most welcome
if some enterprising person could come up with a fix-eud43.exe patch in the
interim.

Thanks very much for the info and I'd welcome a copy of the 'Aureate Spies
on You' patch.

g.

PS: For non-hackers like me a list of tools that show unwanted or
attempted calls to nefarious addresses (and preferably trap them before
they go) would be most useful.

----

At 07:09 26/02/2000 -0800, you wrote:
>Many thanks to all who have posted such useful information about this
>issue. After spending some time on this problem have come up with a solution
>called "AntiSpy". It will delete all the offending dll's,
>give your system a good scrub down and leave everything happy and working.
>If you are interested please email me for file.
>
>aCiD buRn
>
>Tito C wrote:
>
> > As soon as I got this email I checked it on my system. I have installed
> > 3 of the offending applications (calypso email, cuteftp, 3d-ftp) and I have
> > found some of the .dll's installed on my system too.
> > I started checking and sure enough, as soon as I opened my browser I
> > checked netstat and I got this connection established:
> >
> > Connection Information
> > IP:216.37.13.140
> > Hostname:ad2-1.aureate.com
> > Local Port:2651
> > Remote Port: 1975
> > Protocol:TCP
> > Status Code:Established
> > Status Description: Connection has been established, connection is active
> >
> > What got my attention was that the port changes from the one specified
> > on Dale Haag's original email.
> >
> > ===============================================
> > || Tito_C ||
> > || www.hven.com.ve ||
> > || tito_chven.com.ve ||
> > || PGP Key ID: 0x6DD1A00F ||
> > ===============================================
> >
> > *********** REPLY SEPARATOR ***********
> >
> > On 23/02/2000 at 09:14 AM MJE wrote:
> >
> > >Forwarded from another list -- anyone know about this Aureate spying stuff?
> > >Be sure to check the list of apps that allegedly contain this code -- it's
> > >at the bottom of the message.
> > >
> > >MJE
> > >
> > >> -----Original Message-----
> > >> From: Edward (Ted) Burton [mailto:egburtonCONSULTBURTON.COM]
> > >> Sent: Monday, February 21, 2000 2:02 PM
> > >> To: Lawyers and the Internet
> > >> Cc: Craighead, Paula
> > >> Subject: [NET-LAWYERS] Aureate Spy
> > >>
> > >> While I am not a Windows user, the following information has popped
> > >> up on the LawTech list and is of some interest to attorneys who wish
> > >> to not leave a paper trail out there on the Internet for commercial
> > >> use by others.
> > >>
> > >> According to Dale Haag, <dhaagNOL.NET>
> > >>
> > >> The following is a listing of all software known to install the
> > >> Aureate spy on your system. The Aureate spy keeps track of your
> > >> Internet activities and sends a report to Aureate every time you open
> > >> your browser. The Aureate spy places the following files on a Windows
> > >> machine. [It is not known, yet, to affect Macintosh or Linux
> > >> machines.]
> > >>
> > >> The installed files are some or all of:
> > >>
> > >> adimage.dll
> > >> advert.dll
> > >> advpack.dll
> > >> amcis.dll
> > >> amcis2.dll
> > >> amcompat.tlb
> > >> amstream.dll
> > >> anadsc.ocx
> > >> anadscb.ocx
> > >> htmdeng.exe
> > >> ipcclient.dll
> > >> msipcsv.exe
> > >> tfde.dll
> > >>
> > >> ========== ========== ========== ==========
> > >> Dale said:
> > >>
> > >> OK folks, living up to my reputation as a "bulldog" when I get my
> > >> teeth into something, I have been busy "reviewing" the contents and
> > >> code contained in the DLL's that Aureate makes use of. Here are a
> > >> few of my findings up to this point:
> > >>
> > >> advert.dll
> > >> =======
> > >>
> > >> This DLL creates a hidden window every time you open your browser. It
> > >> creates and sends 4 pages of information to the Aureate servers using
> > >> port 1749 on your system, these pages include:
> > >>
> > >> 1. Your name as listed in the system registry ( not the name you
> > >>    installed one of the programs with )
> > >> 2. Your IP address
> > >> 3. The reverse DNS match of your address. ( tells them what ISP and
> > >>    area of country you are in )
> > >> 4. A listing of ALL software that is shown in your registry as being
> > >>    installed. ( Not just the companies they work with )
> > >> 5. This DLL sends the following information to their server on all
> > >>    URL's you visit:
> > >>    A.) ad banners you may click on
> > >>    B.) all downloads you do showing the filename/file
> > >>        size/date/time/type of file(image, zip,executable, etc)
> > >>    C.) full time and date stamps of all your actions while using your
> > >>        browser
> > >>    D.) the remote dialup number you are dialing in on (taken out of
> > >>        your dialer configuration)
> > >>    E.) dialup password if saved, does not "appear" at first glance
> > >>        to send this through to them.
> > >> 6. Contains programmers note: "Show me the money! I want to
> > >>    be Mike!"
> > >>
> > >> advpack.dll
> > >> =========
> > >>
> > >> Used during the installation only to check for other needed files.
> > >>
> > >> amcis.dll
> > >> =======
> > >>
> > >> This DLL modifies the following registry keys:
> > >> 1. HKEY_CURRENT_CONFIG
> > >> 2. HKEY_DYN_DATA
> > >> 3. HKEY_PERFORMANCE_DATA
> > >> 4. HKEY_USERS
> > >> 5. HKEY_LOCAL_MACHINE
> > >> 6. HKEY_CURRENT_USER
> > >> 7. HKEY_CLASSES_ROOT
> > >>
> > >> Unregisters oleaut32.dll from memory as provided by M$oft and
> > >> replaces with its own calls. Switches back to M$oft's when browser is
> > >> closed. Creates stub processes to be started anytime your browser is
> > >> opened.
> > >>
> > >> amcompat.tlb
> > >> ===========
> > >>
> > >> This guy tracks any multimedia clips ( video/pictures/sound ) that
> > >> you view It tracks the rating level on the video/picture/sound and
> > >> title / location Contains references to DblClick ( still digging on
> > >> this one! )
> > >>
> > >> amstream.dll
> > >> ==========
> > >>
> > >> Setups TWO way communications between your system and theirs.
> > >> Used to send info and receive update commands/files
> > >> Open port 1749 for communications
> > >>
> > >> ==================================================
> > >>
> > >> The programs that are known to install the Aureate spy are:
> > >>
> > >> 123Search
> > >> 3d Anarchy
> > >> 3D-FTP
> > >> 3rd block
> > >> Abe's FTP Client
> > >> Abe's Image Viewer
> > >> Abe's MP3 Finder
> > >> Abe's Picture Finder
> > >> Abe's SMB Client
> > >> Access Diver III
> > >> Acorn Email
> > >> AcqURL
> > >> ActionOutline Light 1.6
> > >> Active 'Net
> > >> Add URL
> > >> Add/Remove Plus!
> > >> Address Rover 98
> > >> Admiral VirusScanner
> > >> Advanced Call Center
> > >> Advanced Maillist Verify
> > >> AdWizard
> > >> Alive and Kicking
> > >> alphaScape QuickPaste
> > >> ASP1-A3
> > >> Auction Explorer
> > >> Aureate Group Mail
> > >> Aureate SpamKiller
> > >> AutoFTP PRO
> > >> AutoWeb
> > >> AxelCD
> > >> Beatle
> > >> Binary Boy
> > >> BinaryVortex
> > >> Blue Engine
> > >> BookSmith : Original
> > >> buddyPhone 2
> > >> Calypso E-mail
> > >> CamGrab
> > >> Capture Express 2000
> > >> Cascoly Screensaver
> > >> CDDB-Reader
> > >> CDMaster32
> > >> ChanStat
> > >> Charity Banner
> > >> Cheat Machine
> > >> Check4New
> > >> ChinMail
> > >> Clabra clipboard viewer
> > >> Classic Peg Solitaire
> > >> ComTry Music Downloader
> > >> Crystal FTP
> > >> CSE HTML Validator Lite
> > >> CuteFTP 3.0
> > >> CuteFTP 3.0
> > >> CuteFTP/Tripod
> > >> CuteMX
> > >> CutePage
> > >> Danzig Pref Engine
> > >> DateTime
> > >> Delphi Component Test
> > >> Delphi Tester
> > >> Dialer 2000
> > >> DigiBand NewsWatch
> > >> DigiCams - The WebCam Viewer
> > >> Digital Postman
> > >> DirectUpdate
> > >> DL-Mail Pro 2000
> > >> DNScape
> > >> Doorbell 1.18
> > >> Download Minder 1.5
> > >> Download Wonder
> > >> DownLoader v.1.1
> > >> Dwyco Video Conferencing
> > >> EasySeeker
> > >> EmmaSoft ChatCat
> > >> EmmaSoft dBrow
> > >> EmmaSoft KeepLan
> > >> EmmaSoft Soundz
> > >> EnvoyMail
> > >> EZ-Forms FREE
> > >> File Mag-Net
> > >> FileSplit
> > >> Folder Guard Jr.
> > >> FourTimes
> > >> Free Picture Harvester
> > >> Free Solitaire
> > >> Free Spades
> > >> Free Submitter Pro
> > >> FreeImageEditor
> > >> FreeIRC
> > >> FreeNotePad
> > >> FreeSite
> > >> FreeWebBrowser
> > >> FreeWebMail
> > >> FreeZip!
> > >> FTPEditor
> > >> GetRight
> > >> Go!Zilla
> > >> Go!Zilla WebAttack
> > >> GovernMail
> > >> Grafula
> > >> Gunther's PasswordSentry
> > >> HangWeb
> > >> hesci Private Label
> > >> HTML Translator
> > >> HTTP Proxy-Spy
> > >> Huey v1.8 Color Picker
> > >> Iban Technologies IP Tools 3.1
> > >> Idyle GimmIP
> > >> Idyle GimmIP
> > >> iFind Graphics
> > >> imageN
> > >> Infinite Patience
> > >> InfoBlast
> > >> InnovaClub
> > >> InstallZIP
> > >> Internet Tree
> > >> Internetrix
> > >> InterWebWord Companion
> > >> JetCar
> > >> JFK Research
> > >> jIRC
> > >> JOC Email Checker
> > >> JOC Web Finder
> > >> JOC Web Spider
> > >> KVT Diplom
> > >> LapLink FTP
> > >> LineSoft Download
> > >> LOL Chat
> > >> LOL Chat
> > >> Mail Them
> > >> Meracl FontMap
> > >> Meracl ImageMap Generator
> > >> Midnight Oil Solitaire
> > >> MirNik Internet Finder
> > >> More Space 99
> > >> MouseAssist
> > >> MP3 Album Finder
> > >> MP3 Fiend
> > >> MP3 Grouppie
> > >> MP3 Mag-Net
> > >> MP3 Renamer
> > >> Mp3 Stream Recorder
> > >> MP3INFO-Editor
> > >> MultiSender
> > >> Music Genie
> > >> MX Inspector BIG AD
> > >> My Genie Patriots
> > >> My Genie SE
> > >> My GetRight
> > >> NeatFTP
> > >> Net CB
> > >> Net Scan 2000
> > >> Net Vampire
> > >> Net-A-Car Feature Car Screensaver
> > >> NetAnts
> > >> NetBoard
> > >> Netbus Pro 2.10
> > >> NetCaptor 5.0
> > >> Netman Downloader
> > >> NetNak
> > >> NetSuck 3.10.5
> > >> NetTime Thingy
> > >> Network Assistant
> > >> NeuroStock
> > >> NewsBin
> > >> NewsShark
> > >> NewsWire
> > >> NfoNak
> > >> NotePads+
> > >> Notificator 1.0b
> > >> Octopus
> > >> Pattern Book
> > >> People Seek 98
> > >> Personal Search Agent
> > >> Photocopier
> > >> PicPluck
> > >> Pictures In News
> > >> Ping Thingy
> > >> PingMaster
> > >> Planet.Billboard
> > >> Planet.MP3Find
> > >> PMS
> > >> ProtectX 3
> > >> ProxyChecker
> > >> QuadSucker/Web
> > >> Quadzle Puzzles
> > >> QuikLink Autobot
> > >> QuikLink Explorer
> > >> QuikLink Explorer Gold Edition
> > >> QuoteWatch
> > >> QWallet
> > >> Real Estate Web Site Creator
> > >> Recipe Review
> > >> ReGet 1.6
> > >> Resume Detective
> > >> RingSurf
> > >> RoboCam 1.10
> > >> Rosemary's Weird Web World
> > >> SaberQuest Page Burner
> > >> SBJV
> > >> SBWcc
> > >> Scout's Game
> > >> ScreenFIRE
> > >> ScreenFIRE - FileKing
> > >> ScreenFlavors
> > >> Sea Battle
> > >> Shizzam
> > >> Simple Submit
> > >> SimpleFind
> > >> SimpleSubmit v1.0
> > >> SK-111
> > >> Smart 'n Sticky
> > >> SmartBoard 200 FREE Edition
> > >> SmartSum calculator
> > >> SonicMail
> > >> Sound Agent
> > >> Space Central Screen Saver
> > >> Splash! Siterave
> > >> StartDrive
> > >> Static FTP
> > >> StockBrowser
> > >> Subscriber
> > >> SunEdit 2K
> > >> SuperIDE
> > >> Sweep
> > >> SweepsWinner
> > >> Text Transmogrifier
> > >> The Mapper
> > >> TheNet
> > >> TI-FindMail
> > >> TIFNY
> > >> Total Finger
> > >> Total Whois
> > >> Tracking The Eye
> > >> Trade Site Creator
> > >> TWinExplorer Standard
> > >> TypeWriter 1.0
> > >> UK Phone Codes
> > >> Vagabond's Realm
> > >> VeriMP3
> > >> Vertigo QSearch
> > >> Virtual Access
> > >> Visual Cyberadio
> > >> Visual Surfer
> > >> VOG Backgammon Main
> > >> VOG Backgammon Table
> > >> VOG Chess Main
> > >> VOG Chess Table
> > >> VOG Reversi Main
> > >> VOG Reversi Table
> > >> VOG Shell
> > >> VOG Shell
> > >> VOG Shell History
> > >> W3Filer
> > >> Web Coupon
> > >> Web Page Authoring Software
> > >> Web Registrant PRO
> > >> Web Resume
> > >> Web SurfACE
> > >> WEB2SMS
> > >> WebCamVCR
> > >> WebCopier
> > >> Web-N-Force
> > >> WebSaver
> > >> Website Manager
> > >> WebStripper
> > >> WebType
> > >> WhoIs Thingy
> > >> Win A Lotto
> > >> WinEdit 2000
> > >> Word+
> > >> Wordwright
> > >> WorldChat Client
> > >> Worm
> > >> www.devgames.com
> > >> xBlock
> > >> Your ESP Test
> > >> Zion
> > >> Zip Express 2000
> > >>
> > >> _________________________________________
> > >> List Owner: Lewis Rose, lewrosearentfox.com
> > >> Web Site: http://www.net-lawyers.org
> > >> Archives: http://eva.dc.lsoft.com/Archives/net-lawyers.html
> > >>
> > >> http://www.prairielaw.com "The #1 law destination..."
> > >> Participate in our message boards, e-mail discussion groups, and
> > >> chats. Network with other legal professionals; get opinions from
> > >> experts; offer assistance to consumers.
> > >>
> > >
> > >_____________________________________________________________________
> > >** TO UNSUBSCRIBE, send the command "UNSUBSCRIBE win2ksecadvice"
> > >** FOR A WEEKLY DIGEST, send the command "SET win2ksecadvice DIGEST"
> > >SEND ALL COMMANDS TO: listservlistserv.ntsecurity.net

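A defender's check built from the indicators named in the thread above, as an added example that is not part of any poster's message: it walks a directory for the listed file names and flags netstat rows that involve port 1749, port 1975 or the aureate.com domain. The function names and the 10.0.0.5 and 192.0.2.10 addresses in the sample are constructed for illustration.

```python
import os
import re

# Indicators exactly as listed in the quoted messages on this page.
LISTED_FILES = {
    "adimage.dll", "advert.dll", "advpack.dll", "amcis.dll", "amcis2.dll",
    "amcompat.tlb", "amstream.dll", "anadsc.ocx", "anadscb.ocx",
    "htmdeng.exe", "ipcclient.dll", "msipcsv.exe", "tfde.dll",
}
WATCH_PORTS = {"1749", "1975"}   # 1749 from the analysis, 1975 from the netstat report
WATCH_DOMAIN = "aureate.com"     # from the reported hostname ad2-1.aureate.com
# One netstat row: protocol, local addr:port, remote addr:port, optional state.
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\d+|\*)\s*(\S*)", re.I)

def find_listed_files(root):
    """Return paths under root whose name is on the list (case-insensitive).
    A name match is only a lead: some of these names are also used by
    Windows components, so inspect a file before deleting it."""
    hits = []
    for folder, _dirs, files in os.walk(root):
        hits += [os.path.join(folder, f) for f in files if f.lower() in LISTED_FILES]
    return sorted(hits)

def flag_connections(netstat_text):
    """Return (local, remote, state, reason) for rows on a watched port or domain."""
    flagged = []
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        _proto, lhost, lport, rhost, rport, state = m.groups()
        host = rhost.lower().rstrip(".")
        reasons = []
        if host == WATCH_DOMAIN or host.endswith("." + WATCH_DOMAIN):
            reasons.append("domain")
        if {lport, rport} & WATCH_PORTS:
            reasons.append("port")
        if reasons:
            flagged.append((f"{lhost}:{lport}", f"{rhost}:{rport}", state, "+".join(reasons)))
    return flagged

# Constructed sample: the connection reported in the thread, numeric and resolved,
# followed by two unrelated rows.
SAMPLE = """\
  TCP    10.0.0.5:2651    216.37.13.140:1975    ESTABLISHED
  TCP    10.0.0.5:2652    ad2-1.aureate.com:1975    ESTABLISHED
  TCP    10.0.0.5:1030    192.0.2.10:80    ESTABLISHED
  TCP    0.0.0.0:135      0.0.0.0:0        LISTENING
"""
```

Feed `flag_connections` the saved text of `netstat -an` (or `netstat -a` for resolved names) taken while the browser is open, and point `find_listed_files` at the Windows system directory.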