Heres one for you,
If you have a folder in your windows folder called amcdl, or amc, you have been "infected."
This information gathering program installs and uses some or all of the
following files, based on your operating system, which are called everytime you launch your browser:
htmdeng.exe
advert.dll
amcis.dll
amcis2.dll
ipcclient.dll
msipcsv.exe
amcompat.tlb
amstream.dll
advpack.dll
I searched and found some (not all) of them, including looking (or at least
attemptind to look) for "hidden" files.
I Renamed the .dlls (in case something I must have *really* needs them),
and
emptied the ..\amc directory and made it read only, and (finally)
created a
..\amcdl directory and made it read only.
the next step is to install ncimon or zonealarm.
OK folks, I have been busy "reviewing" the contents and code contained
in the DLL's that Aureate makes use of. Here are a few of my findings up
to this point:
advert.dll
This DLL creates a hidden window everytime you open your browser. It
creates
and sends 4 pages of information to the Aureate servers using port 1749
on your system, these pages include:
1. Your name as listed in the system registry ( not the name you
installed
one of the programs with )
2. Your IP address
3. The reverse DNS match of your address. ( tells them what ISP and area of
country you are in )
4. A listing of ALL software that is shown in your registry as being
installed. ( Not just the companies they work with )
5. This DLL sends the following information to their server on all URL's
you
visit:
A.) ad banners you may click on
B.) all downloads you do showing the filename/file
size/date/time/type
of file(image, zip,executable, etc)
C.) full time and date stamps of all your actions while using your
browser
D.) the remote dialup number you are dialing in on (taken out of
your
dialer configuration)
E.) dialup password if saved, does not "appear" at first glance to
send
this through to them.
6. Contains programmers note: "Show me the money! I want to be Mike!"
advpack.dll
Used during the installation only to check for other needed files.
amcis.dll
This DLL modifies the following registry keys:
1. HKEY_CURRENT_CONFIG
2. HKEY_DYN_DATA
3. HKEY_PERFORMANCE_DATA
4. HKEY_USERS
5. HKEY_LOCAL_MACHINE
6. HKEY_CURRENT_USER
7. HKEY_CLASSES_ROOT
Unregisterss oleaut32.dll from memory as provided by M$oft and replaces with
its own calls. Switches back to M$oft's when browser is closed.
Creates stub processes to be started anytime your browser is opened.
amcompat.tlb
This guy tracks any multimedia clips ( video/pictures/sound ) that you view
It tracks the rating level on the video/picture/sound and title /
location
Contains references to DblClick ( still digging on this one! )
amstream.dll
Setups TWO way communications between your system and theirs.
Used to send info and receive update commands/files
Open port 1749 for communications
This is all the further I have gone on the DLL's used by Aureate. I
have
also discovered that if you remove only one of the DLL's after it has
been
started once and is still in memory, the program will make its directory
hidden and replace the missing DLL with a fresh one from their site.
The following is a listing of all software known to install the Aureate spy
on your system.
GetRight
Go!Zilla
CuteFTP 3.0
NetAnts
Net Vampire
Free Solitaire
JetCar
buddyPhone 2
CuteFTP 3.0
NewsShark
Abe's MP3 Finder
Dwyco Video Conferencing
Delphi Tester
MP3 Fiend
WebCopier
Aureate Group Mail
Binary Boy
Download Wonder
ASP1-A3
NetCaptor 5.0
NetTime Thingy
TIFNY
ComTry Music Downloader
WebStripper
Sweep
Calypso E-mail
Netbus Pro 2.10
LOL Chat
PicPluck
Access Diver III
NetNak
Midnight Oil Solitaire
File Mag-Net
Alive and Kicking
BinaryVortex
CuteFTP/Tripod
InnovaClub
LapLink FTP
MP3 Grouppie
Iban Technologies IP Tools 3.1
NewsBin
Planet.MP3Find
3D-FTP
EasySeeker
Crystal FTP
MP3 Album Finder
FTPEditor
Free Spades
Capture Express 2000
DigiCams - The WebCam Viewer
3rd
(Anonym)
SURFy
neanderix
