Website Trojans! Please Read! - GoFuckYourself.com

nastigirl · 10-16-2002, 01:06 AM

IMPORTANT!
THE FOLLOWING WEBSITES ARE TROJANS!
PLEASE READ!

FRIENDS OF THE JS SEEKER VIRUS

www.interneteraser.com
www.sureseeker.com
www.topnukers.com
www.primenetwork.net
www.adultbusiness.co.uk
www.pushinit.com
www.sexthatsells.com
www.topnukers.com
www.62nds.co.nz

Well, it finally happened...I caught a virus while surfing for an in house search engine I was considering using, I stumbled onto one of the adult biz opps sites that seemed interesting: www.adultbusiness.co.uk. From there, I went to their link page. Down at the bottom is a link button to a site located at: www.sexthatsells.com. Since my own ebook is called SEX SELLS! it piqued my curiosity so I gave it a click to see what it was about.

I noticed in the status bar I was being redirected to another site at: www.pushinit.com...but when the page finally transited, I found myself at the home of the dread INTERNET ERASER www.interneteraser.com. I've stumbled over this site several times in the past and get rather annoyed because it's always a blind link from something that sounds interesting, only to end up at the INTERNET ERASER site, which is basically set up to appear as an advertisement for "software" or hacker protection, with bold alerts warning about the machine you're using isn't safe, and other privacy issues. When you close it out, it runs a script that opens your Windows Explorer window, showing you all your files on your hard drive. I've seen the script here and there so pretty much dismissed it, closed out the window and the site, and resumed what I'd been doing.

No sooner had I closed out, suddenly my Norton AntiVirus program jumped up to tell me I'd gotten infected by the JS.Seeker virus, along with the prompts for how to deal with it.

on 004176438 C:\WINDOWS\TEMPORARYINTERNETFILES\Content.IE5\1IC8 NE8B\d[1].py infected with the JS.Seeker virus. NAV was unable to repair, quarantine, or delete file. Access to file denied.

I went thru the "Repair/Quarantine/Delete" steps but it kicked back saying it couldn't do any of those functions. I stopped, got offline, and went thru the virus scan on NAV. I had no idea what the hell was going on, I'd never gotten a virus before, and I had no clue how to remedy it. I knew not to reboot if at all possible, since that's usually when the virus will launch so, being the conscientious netizen I am, I hit Yahoo and typed in JS.Seeker. Fortunately there were many wonderful links about the virus and how to eliminate it:

JS.Seeker is a Trojan horse program that alters the default startup and search pages of your Web browser. The Trojan horse sometimes arrives as a file named Runme.hta. This file runs only if the Windows Scripting Host is installed. This trojan uses the same vulnerability that JS/Kak and VBS/BubbleBoy use to drop itself to the Windows Startup directory.

This trojan consists of three different parts: one HTML web page, and two hta files.

The web page is available in an adult site, and it affects Internet Explorer users. Once a user visits that page it immediately drops a file "runme.hta" in the Windows Startup directory and "removeit.hta" in the root of the "C:" drive. Next time when the system is rebooted it executes and changes the Internet Explorer and Netscape Navigator startup page to www.sureseeker.com. It also modifies the Internet Explorer default search pages to that location. These changes are made to the registry, however, the trojan makes backup of these registry settings to two files, "backup1.reg" and "backup2.reg" in the Windows directory.

After that the trojan executes "removeit.hta", that simply deletes "runme.hta" from the Windows Startup directory. That way the user cannot see the previosly dropped "runme.hta" file. To protect yourself against the vulnerability that this trojan uses, you can download and install the patch provided by Microsoft: (Note: Active Link)

http://www.microsoft.com/technet/sec...n/ms99-032.asp

Wild:
Number of infections: More than 1000
Number of sites: More than 10
Geographical distribution: Low
Threat containment: Easy
Removal: Easy

Threat Metrics

Wild: High
Damage: Low
Distribution: Low

Damage:
Payload: Modifies files: Registry
Distribution: Name of attachment: Runme.hta Size of attachment: 3 to 5 K

When JS.Seeker is executed, it makes changes to the following registry keys:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Bar
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
HKEY_CURRENT_USER\Software\Netscape\Netscape Navigator\Main\Home Page

The original registry values are saved in the \Windows folder as Backup1.reg and Backup2.reg .

The Trojan horse creates the file Homereg111.reg in the \Windows folder and sets the previously mentioned registry keys to its own values. It then runs Removeit.hta, which deletes the file Runme.hta from the C:\Windows\Start Menu\Programs\Startup folder.

JS.Seeker also creates the Prefs.js file in the \Windows folder. This is a JavaScript file that changes Netscape Preferences to its own.

And from a message board entry on the topic, I learned:

> -----Original Message-----
> From: Nate W [mailto:[email protected]]
> Sent: Monday, October 30, 2000 5:18 PM
> To: [email protected]
> Subject: sureseeker.com

> > > If anyone can think of a better place to report this, other than > [email protected] and [email protected], do let me know. >

> Looks like somewhere out there is a web server that cracks into web > clients and does a little bit of reconfiguring without the users's > knowledge or consent. >

> The main objective of the malicious code is to set the user's > start page> to a cheesy "portal" web site, www.sureseeker.com. The sureseeker web > site consists largely of 'affiliate clickthrough' links, for > example news> headlines from isyndicate.com, web searches from goto.com and > searchtraffic.com, and so on. >

> The method appears to begin with the installation of an 'html > application' called runme.hta in the StartUp directory. runme.hta appears > to re-set the start pages for Internet Explorer and Netscap, and also re-set the > seach URLs used by IE in various places. I say "appears to" because I > don't actually have a copy of the file - a second file, called > removeit.hta, is placed in the c:\ directory and executed via > a link from the StartUp folder. removeit.hta deletes runme.hta in an > attempt to cover their tracks. Removeit.hta doesn't get deleted though, and a > set of .reg files named 'backup1.reg' and 'backup2.hta' and 'homereg111.reg' also > remain on the victim's hard drive. >

> The malicous code also puts 'sureseeker.com' in the HTTP-User-Agent > string, so that victims are left running about advertising their > misfortune to every web server they visit. Furthermore, > sureseeker's tag appears in the articles they post to newsgroups using IE and > deja.com, as in this case: >

http://www.deja.com/getdoc.xp?AN=680049493&fmt=text

I have notified sureseeker's internet service providers (ni.net, primenetworks.net, and verio.net just in case either of those is in cahoots with the sureseeker people).

I'm not sure what steps to take next, but if anyone has ideas I'm all ears.

Thanks,

Nate Waddoups
Redmond WA USA

Hmmm...interesting. I went thru the steps and got rid of it. All's well that ends well.

Not quite. I got to thinking about it and tried to remember where the hell I was when it happened. I'd shortcutted a handful of sites but none of them looked familiar after all the virus drama. The idea was to go back to the originating biz op site and email them, tell them their "SEX THAT SELLS" link is a redirect to a virus. I couldn't find the shortcut I'd saved, and then I had a brainflash. WooHoo. I'd remembered that just prior to that net session, I'd cleaned out my cookies, history, recent, temp, and temp net files...which I learned to do a long time back so I'd have some record of where I'd been 'per session', or anyone else using my machine, in case of troubles. I went to the Cookies folder in Windows and browsed thru them...

I found 3 cookies that coinsided with the time frame of 2:06am, including the one NAV recognized:

[email protected]1[1].txt= mses 3d3e50163d3e501600000001Mz9ZwPSHtpsDIqS4 search.py1.com/ 0 1978724096 29651074 2723741696 29504224 * (2:06AM)

ME@www.topnukers[1].txt = lang english www.topnukers.com// 0 3685634176 29577594 2273775680 29504170 *

ME@ www.interneteraser[1].txt = IERASERPARTNER 9545863%2ANoREF www.interneteraser.com/ 0 2787326464 29504566 3811608992 29504223 * (2:01AM)

nastigirl · 10-16-2002, 01:09 AM

((Sorry...had to do this in two parts...))

I remembered INTERNET ERASER's site. I have no idea about topnukers, but I decided to take it a step further. I pulled up www.directnic.com and did a WHOIS on all of the sites involved:

WHOIS www.sureseeker.com

Organization: Tommy
Tommy Johnson
5149 E Paseo Del Bac
Tucson, Az 85718 US
Phone: 000-000-0000
Email: [email protected]

Registrar Name....: Register.com
Registrar Whois...: whois.register.com
Registrar Homepage: http://www.register.com

Domain Name: SURESEEKER.COM

Created on..............: Sun, Aug 20, 2000
Expires on..............: Fri, Aug 20, 2010
Record last updated on..: Fri, Jun 21, 2002

Administrative Contact: Tommy
Tommy Johnson
5149 E Paseo Del Bac
Tucson, Az 85718 US
Phone: 000-000-0000
Email: [email protected]
Technical Contact, Zone Contact:
Prime Internet Network
Ray Vanpraag
250 El Camino Real # 109
Tustin, CA 92780 US
Phone: 714-669-9638
Fax..: 714-669-9667
Email: [email protected]

Domain servers in listed order:

NS1.PRIMENETWORK.NET 216.158.128.25
NS2.PRIMENETWORK.NET 216.158.128.26

WHOIS www.primenetwork.net

Registrant: Prime Internet Network (PRIMENETWORK2-DOM)
100 W. Main St. Suite # 4
Tustin, CA 92780 US

Domain Name: PRIMENETWORK.NET

Administrative Contact, Technical Contact:
Vanpraag, Ray (RV842) [email protected]
Prime Internet Network - NOC
250 El Camino Real # 109
Tustin, CA 92780
714-669-9638 (FAX) 714-669-9667

Record expires on 10-Dec-2004.
Record created on 09-Dec-1997.
Database last updated on 24-Jul-2002 14:31:05 EDT.

Domain servers in listed order:

NS1.PRIMENETWORK.NET 216.158.128.25
NS2.PRIMENETWORK.NET 216.158.128.26
NS3.PRIMENETWORK.NET 206.183.198.240
NS4.PRIMENETWORK.NET 206.183.198.241

WHOIS www.sexthatsells.com

[whois.opensrs.net]
Registrant: siren publishing ltd
pobox 1707
wolverhampton, west mids wv4 6xu UK

Domain Name: SEXTHATSELLS.COM

Administrative Contact: Cartwright, Matt [email protected]
pobox 1707
wolverhampton, west mids wv4 6xu UK
4407930197333

Technical Contact: Blancett, Phil [email protected]
2227 Lake Tahoe Blvd Suite E
South Lake Tahoe, CA 96150 US
530-542-4209
Fax: 530-542-0391

Registration Service Provider: California.net / Reliablehosting, [email protected]
530 542 3331
http://www.reliablehosting.com

Registrar of Record: TUCOWS, INC.
Record last updated on 17-Mar-2002.
Record expires on 29-Apr-2003.
Record Created on 29-Apr-2000.

Domain servers in listed order:
NS1.CALIFORNIA.NET 216.131.95.20
NS1.OAKWEB.COM 216.131.94.5

WHOIS www.pushinit.com

Registrant: siren publishing ltd
suite27
the chubb buildings
wolverhampton, west midlands wv11ht UK

Domain Name: PUSHINIT.COM

Administrative Contact: cartwright, matt [email protected]
suite27
the chubb buildings
wolverhampton, west midlands wv11ht UK 44 1902 422777

Technical Contact: cartwright, matt [email protected]
suite27
the chubb buildings
wolverhampton, west midlands wv11ht UK 44 1902 422777

Registration Service Provider:
California.net / Reliablehosting, [email protected]
530 542 3331
http://www.reliablehosting.com
Registrar of Record: TUCOWS, INC.
Record last updated on 16-Apr-2002.
Record expires on 14-Jun-2003.
Record Created on 14-Jun-2000.
Domain servers in listed order:
NS1.CALIFORNIA.NET 216.131.95.20
NS1.OAKWEB.COM 216.131.94.5

WHOIS www.topnukers.com

WHOIS www.topnukers.com
Registrant: Leo Dano
dano enterprise
3425 DeLeone Rd
San Marcos, CA 92069
United States

Registrar: Go Daddy Software (http://registrar.godaddy.com)
Domain Name: TOPNUKERS.COM
Created on: 09-Aug-01
Expires on: 09-Aug-03
Last Updated on: 03-Jul-02
Administrative Contact: Dano, Leo [email protected]
dano enterprise
3425 De Leone Rd
San Marcos, CA 92069
United States
760-295-1471 Fax -- 760-295-1471
Technical Contact: Dano, Leo [email protected]
dano enterprise
3425 De Leone Rd
San Marcos, CA 92069
United States
760-295-1471 Fax -- 760-295-1471

Domain servers in listed order:
NS1.DISCOUNT-HOSTING.COM
NS2.DISCOUNT-HOSTING.COM
NS3.SLCONSEIL.COM

WHOIS www.interneteraser.com

Organization: Internet Commerce Services, Inc.
Corporate Controller
5431 Auburn Blvd. #396
Sacramento, CA 95841 US
Phone: 916-435-8612
Email: [email protected]
Registrar Name....: Register.com
Registrar Whois...: whois.register.com
Registrar Homepage: http://www.register.com

Domain Name: INTERNETERASER.COM

Created on..............: Wed, Jul 04, 2001
Expires on..............: Fri, Jul 04, 2003
Record last updated on..: Tue, Jun 25, 2002
Administrative Contact:
Internet Commerce Services, Inc.
Corporate Controller
5431 Auburn Blvd. #396
Sacramento, CA 95841 US
Phone: 916-435-8612
Email: [email protected]

Technical Contact: Internet Commerce Services, Inc.
Corporate Controller
5431 Auburn Blvd. #396
Sacramento, CA 95841 US
Phone: 916-435-8612
Email: [email protected]

Zone Contact: Internet Commerce Services, Inc.
Corporate Controller
5431 Auburn Blvd. #396
Sacramento, CA 95841 US
Phone: 916-435-8612
Email: [email protected]

Domain servers in listed order:

NS1.MEGABIG.COM 209.128.84.5
NS2.MEGABIG.COM 64.38.214.230

WHOIS www.adultbusiness.co.uk

Domain Name: ADULTBUSINESS.CO.UK
Registered For: Sizco UK
Domain Registered By: DOMAINIA
Registered on 05-Jan-2001.
Record last updated on 09-Jun-2002 by .
Domain servers listed in order:

NS1.NETPREFERENCE.CO.UK 217.199.160.161
NS.SECONDARYNAMESERVER.COM 212.67.202.244

WHOIS database last updated at 23:59:00 25-Jul-2002

nastigirl · 10-16-2002, 01:10 AM

((last one!))

Awhile later, I reviewed the search results and had seen a link about seeker's source code. I clicked it and was transferred to http://www.62nds.co.nz/cgi-bin/x/e4015.html a site called 62NDS (sixty seconds). I read the info on the seeker virus source code...and clicked the link to check it out...and I will just be damned if THIS site didn't send me the very same virus all over again! AFTER I went BACK thru the clean up procedure to get rid of it, I went back to the 62NDS site and checked out their links on who they are, where they are and what they're about. The info on their site is thus:

62NDS Solutions (pronounced Sixty Seconds) is a small computer retailer with only one aim: to provide a quality service at a reasonable price. We are not afraid to say that we?re not one of the cheapest places around, but then, with one exception, we don?t sell rubbish.

We pay cash for good quality second-hand computers and parts. Always looking for PCI graphics cards, motherboards, processors, modems and cd-rom drives.

All our staff, from the receptionist to the boss, have had many years in the computer industry, and all are keeping up with the latest technology. So when you ring us with a problem, you won't get passed on to somebody else, because the person on the end of the phone will be able to help you.

Phone: +64 3 389 4445 Christchurch agent
+64 9 627 4001 Auckland branch
Voice Mail: +1 909 363 9085 (USA)
Fax: +64 9 627 5055
or +1 909 363 9070 (USA)
e-mail: click here for details
ICQ: TinyWizard 26064207 ... a little magic every day snail: P O Box 163123,
Lynfield,
Auckland,
New Zealand.

Our Christchurch branch has closed. All existing clients are advised to contact the Computer Centre, in Colombo St, for all warranty work

We do have a free "0508" telephone number for customers within New Zealand who are outside the Christchurch area.

(link to 'about' page) - http://www.62nds.co.nz/cgi-bin/x/e5000.html?sSxwv

From there, I went back to directnic and did a WHOIS on these guys...

% Domainz D.R.S. Automated Registrar Interface
% D.R.S. users confirm on submission their agreement to all published Terms
% Last revision: 22-02-2000 - DRS-RL-v1.00
%
domain_name_status: 01 Current
registrar: WebFarm Ltd
domain_name: 62nds.co.nz
domain_datecreated: 9/12/98
domain_datelastmodified: 15/03/02 14:44:36
holder_name: Phil Young
holder_contact: phil young
holder_phone: +64 3 365 5892
holder_fax: +64 3 365 9433
holder_email: [email protected]
holder_address: PO Box 13922,,
holder_addr_citycountry: CHRISTCHURCH,NEW ZEALAND
technical_contact: Exponnel Limited
technical_contact_phone: +64 6 7572881
technical_contact_fax: +64 6 7572883
technical_contact_email: [email protected]
technical_contact_address_line_1: Level 2, 2 Devon St East
technical_contact_address_line_2: New Plymouth, New Zealand
ns_name_1: ns.host4u.net
ns_ip_1: 209.150.128.30
ns_name_2: ns2.host4u.net
ns_ip_2: 209.150.129.3
ns_name_3:
ns_ip_3:
ns_name_4:
ns_ip_4:
ns_name_5:
ns_ip_5:
ns_name_6:
ns_ip_6:
ns_name_7:
ns_ip_7:
ns_name_8:
ns_ip_8:
ns_name_9:
ns_ip_9:
ns_name_10:
ns_ip_10:

Now that they're all compiled, my intent is to copy this to email and CC it to each of the registrars these whackos got their domains thru, to the various computer crimes network, along with a couple of the more reputable webmasters portals so everybody can get the heads up at the same time.

When you register domains and list the NS and hosts, they should have spider bots that crawl your pages and pick up these trojans & other viruses off the web. Call it the Black Widow or something.

If there are any updates, I'll let ya know. Meanwhile, BEWARE these sites! Pay attention to the links showing in your status tray and try to keep track of all the sites you surf per net session. ALWAYS use a reliable anti virus program and be sure you're running the latest versions of your browser. Check out your browser's home site for any patches and updates...and until next time...safe surfing!

Alky · 10-16-2002, 01:10 AM

NONONOONONONONONONONONONONONONONONONONONONONONONON ONO

quiet · 10-16-2002, 01:11 AM

i like macs

421Fill · 10-16-2002, 01:15 AM

oh man..... and I was just about to goto bed.... soooooo much comes to mind... where to start... hmmm aww fuck it.. I'm just gonna watch. lol

Pornwolf · 10-16-2002, 01:17 AM

Internet Eraser? Isn't that... no... it can't be!?! Noooooooooo!

Amputate Your Head · 10-16-2002, 01:19 AM

this should be good entertainment.

nastigirl · 10-16-2002, 01:25 AM

Yeah...I know. But the link from "sex that sells" button listed by that domain, transferred to pushinit, which went to I.E site and soon as I closed it, the NAV went nuts. That's where it came from. I've seen the I.E. ads all over and clicked them before, but that one place sent me a virus. Dammit.

Guess that's par for the course whilst surfin the red light district.

Anyway, not trying to stir up shit. I thought ya might like to be aware is all. If not, tell me to go fuck myself and I wont say a word

Aussie Rebel · 10-16-2002, 01:28 AM

This is gonna be funny

Backov · 10-16-2002, 01:31 AM

The problem is that you did some investigation, but apparently not enough.

The cookie from interneteraser is obviously an affiliate cookie, which says to me that you got your virus from some crooked affiliate..

Not wise to attack a program with such poor evidence- especially on said programs own bbs.

Cheers,
Backov

Amputate Your Head · 10-16-2002, 01:35 AM

I don't speak for ICS, and I'm not sure where you got your virus from nastigirl, but I highly doubt it was from ICS or InternetEraser themselves. Probably more likely, some punk ass site that was promoting them or possibly a copycat site. And since you said yourself that you have never had a virus before, perhaps your method of tracking it's origin isn't exactly up to snuff.

Also, I haven't used anti-virus software in 8 years, have been from one end of the Net to the other, and I've not had anywhere near the problems you've just described.

nastigirl · 10-16-2002, 02:35 AM

>>>The cookie from interneteraser is obviously an affiliate cookie, which says to me that you got your virus from some crooked affiliate..

Not wise to attack a program with such poor evidence- especially on said programs own bbs. <<<

Point taken, but it wasn't an attack so much as to alert people who may be interested. And if "said programs own bbs" gets nutted up, then said programs own bbs should try to findout who the crooked affiliate is. If if were my program or product and someone came here and said hey, this was advertised and when I clicked it, it dropped a fuckin virus on me, I'd be pissed and start trying to figure out who the fuck it is. About reputation.

I gave the info on where I was when I got it and that's all I can do. If said bb owner gives a shit, said owner won't shoot the messenger. Said owner will check into it and see about fixing the problem.

Least, that's what I'd do. Like I said, it wasn't to stir up shit. It was to pass it along.

10-16-2002, 01:06 AM	#1
nastigirl Registered User Join Date: Oct 2002 Location: Arizona Posts: 26	Website Trojans! Please Read! IMPORTANT! THE FOLLOWING WEBSITES ARE TROJANS! PLEASE READ! FRIENDS OF THE JS SEEKER VIRUS www.interneteraser.com www.sureseeker.com www.topnukers.com www.primenetwork.net www.adultbusiness.co.uk www.pushinit.com www.sexthatsells.com www.topnukers.com www.62nds.co.nz Well, it finally happened...I caught a virus while surfing for an in house search engine I was considering using, I stumbled onto one of the adult biz opps sites that seemed interesting: www.adultbusiness.co.uk. From there, I went to their link page. Down at the bottom is a link button to a site located at: www.sexthatsells.com. Since my own ebook is called SEX SELLS! it piqued my curiosity so I gave it a click to see what it was about. I noticed in the status bar I was being redirected to another site at: www.pushinit.com...but when the page finally transited, I found myself at the home of the dread INTERNET ERASER www.interneteraser.com. I've stumbled over this site several times in the past and get rather annoyed because it's always a blind link from something that sounds interesting, only to end up at the INTERNET ERASER site, which is basically set up to appear as an advertisement for "software" or hacker protection, with bold alerts warning about the machine you're using isn't safe, and other privacy issues. When you close it out, it runs a script that opens your Windows Explorer window, showing you all your files on your hard drive. I've seen the script here and there so pretty much dismissed it, closed out the window and the site, and resumed what I'd been doing. No sooner had I closed out, suddenly my Norton AntiVirus program jumped up to tell me I'd gotten infected by the JS.Seeker virus, along with the prompts for how to deal with it. on 004176438 C:\WINDOWS\TEMPORARYINTERNETFILES\Content.IE5\1IC8 NE8B\d[1].py infected with the JS.Seeker virus. NAV was unable to repair, quarantine, or delete file. Access to file denied. I went thru the "Repair/Quarantine/Delete" steps but it kicked back saying it couldn't do any of those functions. I stopped, got offline, and went thru the virus scan on NAV. I had no idea what the hell was going on, I'd never gotten a virus before, and I had no clue how to remedy it. I knew not to reboot if at all possible, since that's usually when the virus will launch so, being the conscientious netizen I am, I hit Yahoo and typed in JS.Seeker. Fortunately there were many wonderful links about the virus and how to eliminate it: JS.Seeker is a Trojan horse program that alters the default startup and search pages of your Web browser. The Trojan horse sometimes arrives as a file named Runme.hta. This file runs only if the Windows Scripting Host is installed. This trojan uses the same vulnerability that JS/Kak and VBS/BubbleBoy use to drop itself to the Windows Startup directory. This trojan consists of three different parts: one HTML web page, and two hta files. The web page is available in an adult site, and it affects Internet Explorer users. Once a user visits that page it immediately drops a file "runme.hta" in the Windows Startup directory and "removeit.hta" in the root of the "C:" drive. Next time when the system is rebooted it executes and changes the Internet Explorer and Netscape Navigator startup page to www.sureseeker.com. It also modifies the Internet Explorer default search pages to that location. These changes are made to the registry, however, the trojan makes backup of these registry settings to two files, "backup1.reg" and "backup2.reg" in the Windows directory. After that the trojan executes "removeit.hta", that simply deletes "runme.hta" from the Windows Startup directory. That way the user cannot see the previosly dropped "runme.hta" file. To protect yourself against the vulnerability that this trojan uses, you can download and install the patch provided by Microsoft: (Note: Active Link) http://www.microsoft.com/technet/sec...n/ms99-032.asp Wild: Number of infections: More than 1000 Number of sites: More than 10 Geographical distribution: Low Threat containment: Easy Removal: Easy Threat Metrics Wild: High Damage: Low Distribution: Low Damage: Payload: Modifies files: Registry Distribution: Name of attachment: Runme.hta Size of attachment: 3 to 5 K When JS.Seeker is executed, it makes changes to the following registry keys: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Bar HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Default_Page_URL HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Default_Search_URL HKEY_CURRENT_USER\Software\Netscape\Netscape Navigator\Main\Home Page The original registry values are saved in the \Windows folder as Backup1.reg and Backup2.reg . The Trojan horse creates the file Homereg111.reg in the \Windows folder and sets the previously mentioned registry keys to its own values. It then runs Removeit.hta, which deletes the file Runme.hta from the C:\Windows\Start Menu\Programs\Startup folder. JS.Seeker also creates the Prefs.js file in the \Windows folder. This is a JavaScript file that changes Netscape Preferences to its own. And from a message board entry on the topic, I learned: > -----Original Message----- > From: Nate W [mailto:[email protected]] > Sent: Monday, October 30, 2000 5:18 PM > To: [email protected] > Subject: sureseeker.com > > > If anyone can think of a better place to report this, other than > [email protected] and [email protected], do let me know. > > Looks like somewhere out there is a web server that cracks into web > clients and does a little bit of reconfiguring without the users's > knowledge or consent. > > The main objective of the malicious code is to set the user's > start page> to a cheesy "portal" web site, www.sureseeker.com. The sureseeker web > site consists largely of 'affiliate clickthrough' links, for > example news> headlines from isyndicate.com, web searches from goto.com and > searchtraffic.com, and so on. > > The method appears to begin with the installation of an 'html > application' called runme.hta in the StartUp directory. runme.hta appears > to re-set the start pages for Internet Explorer and Netscap, and also re-set the > seach URLs used by IE in various places. I say "appears to" because I > don't actually have a copy of the file - a second file, called > removeit.hta, is placed in the c:\ directory and executed via > a link from the StartUp folder. removeit.hta deletes runme.hta in an > attempt to cover their tracks. Removeit.hta doesn't get deleted though, and a > set of .reg files named 'backup1.reg' and 'backup2.hta' and 'homereg111.reg' also > remain on the victim's hard drive. > > The malicous code also puts 'sureseeker.com' in the HTTP-User-Agent > string, so that victims are left running about advertising their > misfortune to every web server they visit. Furthermore, > sureseeker's tag appears in the articles they post to newsgroups using IE and > deja.com, as in this case: > http://www.deja.com/getdoc.xp?AN=680049493&fmt=text I have notified sureseeker's internet service providers (ni.net, primenetworks.net, and verio.net just in case either of those is in cahoots with the sureseeker people). I'm not sure what steps to take next, but if anyone has ideas I'm all ears. Thanks, Nate Waddoups Redmond WA USA Hmmm...interesting. I went thru the steps and got rid of it. All's well that ends well. Not quite. I got to thinking about it and tried to remember where the hell I was when it happened. I'd shortcutted a handful of sites but none of them looked familiar after all the virus drama. The idea was to go back to the originating biz op site and email them, tell them their "SEX THAT SELLS" link is a redirect to a virus. I couldn't find the shortcut I'd saved, and then I had a brainflash. WooHoo. I'd remembered that just prior to that net session, I'd cleaned out my cookies, history, recent, temp, and temp net files...which I learned to do a long time back so I'd have some record of where I'd been 'per session', or anyone else using my machine, in case of troubles. I went to the Cookies folder in Windows and browsed thru them... I found 3 cookies that coinsided with the time frame of 2:06am, including the one NAV recognized: [email protected]1[1].txt= mses 3d3e50163d3e501600000001Mz9ZwPSHtpsDIqS4 search.py1.com/ 0 1978724096 29651074 2723741696 29504224 * (2:06AM) ME@www.topnukers[1].txt = lang english www.topnukers.com// 0 3685634176 29577594 2273775680 29504170 * ME@ www.interneteraser[1].txt = IERASERPARTNER 9545863%2ANoREF www.interneteraser.com/ 0 2787326464 29504566 3811608992 29504223 * (2:01AM) __________________ ==================<br> from a <br> ~Nikki

10-16-2002, 01:09 AM	#2
nastigirl Registered User Join Date: Oct 2002 Location: Arizona Posts: 26	((Sorry...had to do this in two parts...)) I remembered INTERNET ERASER's site. I have no idea about topnukers, but I decided to take it a step further. I pulled up www.directnic.com and did a WHOIS on all of the sites involved: WHOIS www.sureseeker.com Organization: Tommy Tommy Johnson 5149 E Paseo Del Bac Tucson, Az 85718 US Phone: 000-000-0000 Email: [email protected] Registrar Name....: Register.com Registrar Whois...: whois.register.com Registrar Homepage: http://www.register.com Domain Name: SURESEEKER.COM Created on..............: Sun, Aug 20, 2000 Expires on..............: Fri, Aug 20, 2010 Record last updated on..: Fri, Jun 21, 2002 Administrative Contact: Tommy Tommy Johnson 5149 E Paseo Del Bac Tucson, Az 85718 US Phone: 000-000-0000 Email: [email protected] Technical Contact, Zone Contact: Prime Internet Network Ray Vanpraag 250 El Camino Real # 109 Tustin, CA 92780 US Phone: 714-669-9638 Fax..: 714-669-9667 Email: [email protected] Domain servers in listed order: NS1.PRIMENETWORK.NET 216.158.128.25 NS2.PRIMENETWORK.NET 216.158.128.26 WHOIS www.primenetwork.net Registrant: Prime Internet Network (PRIMENETWORK2-DOM) 100 W. Main St. Suite # 4 Tustin, CA 92780 US Domain Name: PRIMENETWORK.NET Administrative Contact, Technical Contact: Vanpraag, Ray (RV842) [email protected] Prime Internet Network - NOC 250 El Camino Real # 109 Tustin, CA 92780 714-669-9638 (FAX) 714-669-9667 Record expires on 10-Dec-2004. Record created on 09-Dec-1997. Database last updated on 24-Jul-2002 14:31:05 EDT. Domain servers in listed order: NS1.PRIMENETWORK.NET 216.158.128.25 NS2.PRIMENETWORK.NET 216.158.128.26 NS3.PRIMENETWORK.NET 206.183.198.240 NS4.PRIMENETWORK.NET 206.183.198.241 WHOIS www.sexthatsells.com [whois.opensrs.net] Registrant: siren publishing ltd pobox 1707 wolverhampton, west mids wv4 6xu UK Domain Name: SEXTHATSELLS.COM Administrative Contact: Cartwright, Matt [email protected] pobox 1707 wolverhampton, west mids wv4 6xu UK 4407930197333 Technical Contact: Blancett, Phil [email protected] 2227 Lake Tahoe Blvd Suite E South Lake Tahoe, CA 96150 US 530-542-4209 Fax: 530-542-0391 Registration Service Provider: California.net / Reliablehosting, [email protected] 530 542 3331 http://www.reliablehosting.com Registrar of Record: TUCOWS, INC. Record last updated on 17-Mar-2002. Record expires on 29-Apr-2003. Record Created on 29-Apr-2000. Domain servers in listed order: NS1.CALIFORNIA.NET 216.131.95.20 NS1.OAKWEB.COM 216.131.94.5 WHOIS www.pushinit.com Registrant: siren publishing ltd suite27 the chubb buildings wolverhampton, west midlands wv11ht UK Domain Name: PUSHINIT.COM Administrative Contact: cartwright, matt [email protected] suite27 the chubb buildings wolverhampton, west midlands wv11ht UK 44 1902 422777 Technical Contact: cartwright, matt [email protected] suite27 the chubb buildings wolverhampton, west midlands wv11ht UK 44 1902 422777 Registration Service Provider: California.net / Reliablehosting, [email protected] 530 542 3331 http://www.reliablehosting.com Registrar of Record: TUCOWS, INC. Record last updated on 16-Apr-2002. Record expires on 14-Jun-2003. Record Created on 14-Jun-2000. Domain servers in listed order: NS1.CALIFORNIA.NET 216.131.95.20 NS1.OAKWEB.COM 216.131.94.5 WHOIS www.topnukers.com WHOIS www.topnukers.com Registrant: Leo Dano dano enterprise 3425 DeLeone Rd San Marcos, CA 92069 United States Registrar: Go Daddy Software (http://registrar.godaddy.com) Domain Name: TOPNUKERS.COM Created on: 09-Aug-01 Expires on: 09-Aug-03 Last Updated on: 03-Jul-02 Administrative Contact: Dano, Leo [email protected] dano enterprise 3425 De Leone Rd San Marcos, CA 92069 United States 760-295-1471 Fax -- 760-295-1471 Technical Contact: Dano, Leo [email protected] dano enterprise 3425 De Leone Rd San Marcos, CA 92069 United States 760-295-1471 Fax -- 760-295-1471 Domain servers in listed order: NS1.DISCOUNT-HOSTING.COM NS2.DISCOUNT-HOSTING.COM NS3.SLCONSEIL.COM WHOIS www.interneteraser.com Organization: Internet Commerce Services, Inc. Corporate Controller 5431 Auburn Blvd. #396 Sacramento, CA 95841 US Phone: 916-435-8612 Email: [email protected] Registrar Name....: Register.com Registrar Whois...: whois.register.com Registrar Homepage: http://www.register.com Domain Name: INTERNETERASER.COM Created on..............: Wed, Jul 04, 2001 Expires on..............: Fri, Jul 04, 2003 Record last updated on..: Tue, Jun 25, 2002 Administrative Contact: Internet Commerce Services, Inc. Corporate Controller 5431 Auburn Blvd. #396 Sacramento, CA 95841 US Phone: 916-435-8612 Email: [email protected] Technical Contact: Internet Commerce Services, Inc. Corporate Controller 5431 Auburn Blvd. #396 Sacramento, CA 95841 US Phone: 916-435-8612 Email: [email protected] Zone Contact: Internet Commerce Services, Inc. Corporate Controller 5431 Auburn Blvd. #396 Sacramento, CA 95841 US Phone: 916-435-8612 Email: [email protected] Domain servers in listed order: NS1.MEGABIG.COM 209.128.84.5 NS2.MEGABIG.COM 64.38.214.230 WHOIS www.adultbusiness.co.uk Domain Name: ADULTBUSINESS.CO.UK Registered For: Sizco UK Domain Registered By: DOMAINIA Registered on 05-Jan-2001. Record last updated on 09-Jun-2002 by . Domain servers listed in order: NS1.NETPREFERENCE.CO.UK 217.199.160.161 NS.SECONDARYNAMESERVER.COM 212.67.202.244 WHOIS database last updated at 23:59:00 25-Jul-2002 __________________ ==================<br> from a <br> ~Nikki

10-16-2002, 01:11 AM	#5
quiet we'll miss you our friend. RIP Industry Role: Join Date: Sep 2001 Location: Fernie, BC Posts: 25,115	i like macs __________________ we'll miss you our friend. RIP

10-16-2002, 01:15 AM	#6
421Fill Super Mario Industry Role: Join Date: Nov 2001 Location: Swenson's Avatar Posts: 19,452	oh man..... and I was just about to goto bed.... soooooo much comes to mind... where to start... hmmm aww fuck it.. I'm just gonna watch. lol __________________ RELEASE THE EPSTEIN FILES!!!

10-16-2002, 01:17 AM	#7
Pornwolf Drunk and Unruly Join Date: Jan 2002 Location: Hollywood Posts: 22,712	Internet Eraser? Isn't that... no... it can't be!?! Noooooooooo! __________________ I've trusted my sites to them for over a decade... Webair, bitches.

10-16-2002, 01:10 AM	#3
nastigirl Registered User Join Date: Oct 2002 Location: Arizona Posts: 26	((last one!)) Awhile later, I reviewed the search results and had seen a link about seeker's source code. I clicked it and was transferred to http://www.62nds.co.nz/cgi-bin/x/e4015.html a site called 62NDS (sixty seconds). I read the info on the seeker virus source code...and clicked the link to check it out...and I will just be damned if THIS site didn't send me the very same virus all over again! AFTER I went BACK thru the clean up procedure to get rid of it, I went back to the 62NDS site and checked out their links on who they are, where they are and what they're about. The info on their site is thus: 62NDS Solutions (pronounced Sixty Seconds) is a small computer retailer with only one aim: to provide a quality service at a reasonable price. We are not afraid to say that we?re not one of the cheapest places around, but then, with one exception, we don?t sell rubbish. We pay cash for good quality second-hand computers and parts. Always looking for PCI graphics cards, motherboards, processors, modems and cd-rom drives. All our staff, from the receptionist to the boss, have had many years in the computer industry, and all are keeping up with the latest technology. So when you ring us with a problem, you won't get passed on to somebody else, because the person on the end of the phone will be able to help you. Phone: +64 3 389 4445 Christchurch agent +64 9 627 4001 Auckland branch Voice Mail: +1 909 363 9085 (USA) Fax: +64 9 627 5055 or +1 909 363 9070 (USA) e-mail: click here for details ICQ: TinyWizard 26064207 ... a little magic every day snail: P O Box 163123, Lynfield, Auckland, New Zealand. Our Christchurch branch has closed. All existing clients are advised to contact the Computer Centre, in Colombo St, for all warranty work We do have a free "0508" telephone number for customers within New Zealand who are outside the Christchurch area. (link to 'about' page) - http://www.62nds.co.nz/cgi-bin/x/e5000.html?sSxwv From there, I went back to directnic and did a WHOIS on these guys... % Domainz D.R.S. Automated Registrar Interface % D.R.S. users confirm on submission their agreement to all published Terms % Last revision: 22-02-2000 - DRS-RL-v1.00 % domain_name_status: 01 Current registrar: WebFarm Ltd domain_name: 62nds.co.nz domain_datecreated: 9/12/98 domain_datelastmodified: 15/03/02 14:44:36 holder_name: Phil Young holder_contact: phil young holder_phone: +64 3 365 5892 holder_fax: +64 3 365 9433 holder_email: [email protected] holder_address: PO Box 13922,, holder_addr_citycountry: CHRISTCHURCH,NEW ZEALAND technical_contact: Exponnel Limited technical_contact_phone: +64 6 7572881 technical_contact_fax: +64 6 7572883 technical_contact_email: [email protected] technical_contact_address_line_1: Level 2, 2 Devon St East technical_contact_address_line_2: New Plymouth, New Zealand ns_name_1: ns.host4u.net ns_ip_1: 209.150.128.30 ns_name_2: ns2.host4u.net ns_ip_2: 209.150.129.3 ns_name_3: ns_ip_3: ns_name_4: ns_ip_4: ns_name_5: ns_ip_5: ns_name_6: ns_ip_6: ns_name_7: ns_ip_7: ns_name_8: ns_ip_8: ns_name_9: ns_ip_9: ns_name_10: ns_ip_10: Now that they're all compiled, my intent is to copy this to email and CC it to each of the registrars these whackos got their domains thru, to the various computer crimes network, along with a couple of the more reputable webmasters portals so everybody can get the heads up at the same time. When you register domains and list the NS and hosts, they should have spider bots that crawl your pages and pick up these trojans & other viruses off the web. Call it the Black Widow or something. If there are any updates, I'll let ya know. Meanwhile, BEWARE these sites! Pay attention to the links showing in your status tray and try to keep track of all the sites you surf per net session. ALWAYS use a reliable anti virus program and be sure you're running the latest versions of your browser. Check out your browser's home site for any patches and updates...and until next time...safe surfing! __________________ ==================<br> from a <br> ~Nikki

10-16-2002, 01:10 AM	#4
Alky Confirmed User Join Date: Apr 2002 Location: Houston Posts: 5,651	NONONOONONONONONONONONONONONONONONONONONONONONONON ONO

10-16-2002, 01:19 AM	#8
Amputate Your Head There can be only one Industry Role: Join Date: Aug 2001 Location: Somewhere else Posts: 39,075	this should be good entertainment. __________________ SIG TOO BIG

10-16-2002, 01:25 AM	#9
nastigirl Registered User Join Date: Oct 2002 Location: Arizona Posts: 26	Yeah...I know. But the link from "sex that sells" button listed by that domain, transferred to pushinit, which went to I.E site and soon as I closed it, the NAV went nuts. That's where it came from. I've seen the I.E. ads all over and clicked them before, but that one place sent me a virus. Dammit. Guess that's par for the course whilst surfin the red light district. Anyway, not trying to stir up shit. I thought ya might like to be aware is all. If not, tell me to go fuck myself and I wont say a word __________________ ==================<br> from a <br> ~Nikki

10-16-2002, 01:28 AM	#10
Aussie Rebel Blow Me U Geeks Join Date: Aug 2001 Location: Maximum Security Posts: 5,108	This is gonna be funny

10-16-2002, 01:31 AM	#11
Backov Confirmed User Join Date: Mar 2001 Location: Cat Detector Van Posts: 1,600	The problem is that you did some investigation, but apparently not enough. The cookie from interneteraser is obviously an affiliate cookie, which says to me that you got your virus from some crooked affiliate.. Not wise to attack a program with such poor evidence- especially on said programs own bbs. Cheers, Backov __________________ <embed src="http://banners.spotbrokers.com/button.swf" FlashVars="clickURL=http://banners.spotbrokers.com" quality=high pluginspage="http://www.macromedia.com/shockwave/download/index.cgi?P1_Prod_Version=ShockwaveFlash" type="application/x-shockwave-flash" width="120" height="60"></embed>

10-16-2002, 01:35 AM	#12
Amputate Your Head There can be only one Industry Role: Join Date: Aug 2001 Location: Somewhere else Posts: 39,075	I don't speak for ICS, and I'm not sure where you got your virus from nastigirl, but I highly doubt it was from ICS or InternetEraser themselves. Probably more likely, some punk ass site that was promoting them or possibly a copycat site. And since you said yourself that you have never had a virus before, perhaps your method of tracking it's origin isn't exactly up to snuff. Also, I haven't used anti-virus software in 8 years, have been from one end of the Net to the other, and I've not had anywhere near the problems you've just described. __________________ SIG TOO BIG

10-16-2002, 02:35 AM	#13
nastigirl Registered User Join Date: Oct 2002 Location: Arizona Posts: 26	>>>The cookie from interneteraser is obviously an affiliate cookie, which says to me that you got your virus from some crooked affiliate.. Not wise to attack a program with such poor evidence- especially on said programs own bbs. <<< Point taken, but it wasn't an attack so much as to alert people who may be interested. And if "said programs own bbs" gets nutted up, then said programs own bbs should try to findout who the crooked affiliate is. If if were my program or product and someone came here and said hey, this was advertised and when I clicked it, it dropped a fuckin virus on me, I'd be pissed and start trying to figure out who the fuck it is. About reputation. I gave the info on where I was when I got it and that's all I can do. If said bb owner gives a shit, said owner won't shoot the messenger. Said owner will check into it and see about fixing the problem. Least, that's what I'd do. Like I said, it wasn't to stir up shit. It was to pass it along. __________________ ==================<br> from a <br> ~Nikki