Security Incidents mailing list archives

Re: E-Card Remote Code Execution Scam


From: Axel Pettinger <api () epost de>
Date: Sun, 29 Sep 2002 11:16:58 +0200

"Jonathan A. Zdziarski" wrote:

> This seems an awful lot to me like a Remote Code Execution Scam...
>
> I received an email addressed to "Undisclosed Recipients" notifying me
> that I received an E-Card today, so I went to the site
> http://www.surprisecards.net/viewcard.htm?id_num=[Undisclosed]&card=Pick+up
> to view the card.  Oddly, I received a security warning asking me if
> I wanted to allow some code to run on my machine.

The mentioned page tries to download a CAB file, "e-card_viewer.cab",
which contains the file "potd.dll". From
<http://and.doxdesk.com/parasite/Cytron.html>:

-----------------------------------------------------------------------
Cytron



Description

Cytron is an Internet Explorer Browser Helper Object. It scans the 
content of pages being viewed for keywords and opens pop-up advertising 
when they are detected.

Also known as

POTD, after the filename and BHO name; Burnaby, the internal object 
name; TargetingSource, the name used to describe the control in 
Downloaded Program Files.

Distribution

Installed by ActiveX drive-by download on a page pointed to by mail 
claiming you have received an 'e-card'. The ActiveX control purports to 
be a viewer for e-cards.

What it does

Advertising

Yes. When IE is started for the first time it attempts to connect to 
Cytron's servers to download a list of keywords to look for, and URLs of 
pop-ups to open.

Privacy violation

No.

Security issues

No.

Stability problems

None known.

Removal

First deregister the Cytron BHO. Open a DOS command prompt 
(Start->Programs->Accessories) and enter the following commands:

     cd "%WinDir%\System"
     regsvr32 /u "%WinDir%\Downloaded Program Files\potd.dll"

You should then be able to delete the 'TargetingSource' entry in 
Downloaded Program Files (in the Windows folder), and the registry key 
HKEY_CURRENT_USER\Software\POTD (Start->Run->regedit).

Links

   * Cytron wrote the ActiveX control.
-----------------------------------------------------------------------

Regards,
Axel Pettinger
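Added example, not part of Axel's post or of the doxdesk page: the removal
section above assumes you already know the BHO is potd.dll in Downloaded
Program Files, but it never gives the control's CLSID, and a BHO is only a
COM server whose CLSID is listed under IE's "Browser Helper Objects" key.
The script below resolves the CLSID from the registry, reports every
indicator the doxdesk entry names (the BHO registration, the DLL under
Downloaded Program Files, HKCU\Software\POTD), and only with -Remove carries
out the deregistration and deletion in the order doxdesk gives. Assumptions:
an elevated PowerShell on a current Windows rather than the Win9x DOS prompt
of the original; the Wow6432Node paths are checked because 32-bit IE on
64-bit Windows registers there; the "Code Store Database\Distribution Units"
key is where Downloaded Program Files keeps its per-control record, so it is
removed as well.

```powershell
<#
  Added example (not from the original post or from doxdesk).
  Find the BHO that loads a given DLL name, report the indicators the
  doxdesk entry lists, and optionally clean them up.
  Assumptions: elevated PowerShell; CLSID resolved at run time, not
  hard-coded; Wow6432Node checked for 32-bit IE on 64-bit Windows.
#>
param(
    [string]$DllName = 'potd.dll',   # file name from the doxdesk entry
    [switch]$Remove                  # default is report-only
)

$bhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

function Get-BhoDllPath([string]$Clsid) {
    # The DLL behind a CLSID is the default value of
    # HKCR\CLSID\{clsid}\InprocServer32 (32-bit view tried as well).
    foreach ($root in 'Registry::HKEY_CLASSES_ROOT\CLSID',
                      'Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID') {
        $server = "$root\$Clsid\InprocServer32"
        if (Test-Path $server) {
            $p = (Get-ItemProperty -Path $server).'(default)'
            if ($p) { return [Environment]::ExpandEnvironmentVariables($p) }
        }
    }
    return $null
}

# 1. Which registered BHOs load a DLL with the suspect file name?
$hits = @()
foreach ($key in $bhoKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($sub in Get-ChildItem -Path $key) {
        $clsid = $sub.PSChildName
        $dll = Get-BhoDllPath $clsid
        if ($dll -and ([IO.Path]::GetFileName($dll) -ieq $DllName)) {
            $hits += [pscustomobject]@{ CLSID = $clsid; BhoKey = $key; Dll = $dll }
        }
    }
}

# 2. The other two indicators named on the page.
$potdUser = 'HKCU:\Software\POTD'
$dpfDll   = Join-Path (Join-Path $env:WinDir 'Downloaded Program Files') $DllName

if ($hits.Count -eq 0 -and -not (Test-Path $potdUser) -and -not (Test-Path $dpfDll)) {
    Write-Host "No BHO loading $DllName, no $potdUser, no $dpfDll: nothing found."
    return
}

$hits | Format-Table -AutoSize
if (Test-Path $potdUser) { Write-Host "Found $potdUser" }
if (Test-Path $dpfDll)   { Write-Host "Found $dpfDll" }
if (-not $Remove) { Write-Host 'Re-run with -Remove to clean up.'; return }

# 3. Cleanup in doxdesk's order: unregister first, then delete the file and
#    the per-user key. The BHO key and the Downloaded Program Files record
#    are removed explicitly, because regsvr32 /u only undoes whatever the
#    DLL's own DllUnregisterServer chooses to undo.
foreach ($h in $hits) {
    & "$env:WinDir\System32\regsvr32.exe" /u /s $h.Dll
    Remove-Item -Path (Join-Path $h.BhoKey $h.CLSID) -Recurse -Force -ErrorAction SilentlyContinue
    foreach ($cs in 'HKLM:\SOFTWARE\Microsoft\Code Store Database\Distribution Units',
                    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Code Store Database\Distribution Units') {
        Remove-Item -Path (Join-Path $cs $h.CLSID) -Recurse -Force -ErrorAction SilentlyContinue
    }
}
if (Test-Path $dpfDll)   { Remove-Item -Path $dpfDll -Force -ErrorAction SilentlyContinue }
if (Test-Path $potdUser) { Remove-Item -Path $potdUser -Recurse -Force }
Write-Host 'Done. Close every IE window and run the script again to confirm.'
```

Run it once without -Remove to see what it would touch; the DLL name is a
parameter so the same check works for any other "viewer" dropped into
Downloaded Program Files. Unregistering before deleting matters: a DLL that is
still loaded in an open IE process cannot be deleted, and a BHO key left
behind makes IE look for the missing file at every start.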

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
