
Trojan: Everyone please take a look at this, it's unbelievable!!!!

(Anonymous) / 4 replies

Here's one for you,
If you have a folder in your windows folder called amcdl, or amc, you have been "infected."
This information gathering program installs and uses some or all of the
following files, based on your operating system, which are called every time you launch your browser:
htmdeng.exe
advert.dll
amcis.dll
amcis2.dll
ipcclient.dll
msipcsv.exe
amcompat.tlb
amstream.dll
advpack.dll

I searched and found some (not all) of them, including looking (or at least
attempting to look) for "hidden" files.
I renamed the .dlls (in case something I must have *really* needs them),
emptied the ..\amc directory and made it read only, and (finally)
created a ..\amcdl directory and made it read only.

The next step is to install ncimon or zonealarm.


OK folks, I have been busy "reviewing" the contents and code contained
in the DLL's that Aureate makes use of. Here are a few of my findings up
to this point:

advert.dll
This DLL creates a hidden window every time you open your browser. It
creates and sends 4 pages of information to the Aureate servers using port 1749
on your system; these pages include:

1. Your name as listed in the system registry ( not the name you
installed one of the programs with )
2. Your IP address
3. The reverse DNS match of your address. ( tells them what ISP and area of
country you are in )
4. A listing of ALL software that is shown in your registry as being
installed. ( Not just the companies they work with )
5. This DLL sends the following information to their server on all URL's
you visit:
A.) ad banners you may click on
B.) all downloads you do showing the filename/file size/date/time/type
of file (image, zip, executable, etc)
C.) full time and date stamps of all your actions while using your
browser
D.) the remote dialup number you are dialing in on (taken out of
your dialer configuration)
E.) dialup password if saved, does not "appear" at first glance to
send this through to them.
6. Contains programmers note: "Show me the money! I want to be Mike!"

advpack.dll
Used during the installation only to check for other needed files.

amcis.dll

This DLL modifies the following registry keys:
1. HKEY_CURRENT_CONFIG
2. HKEY_DYN_DATA
3. HKEY_PERFORMANCE_DATA
4. HKEY_USERS
5. HKEY_LOCAL_MACHINE
6. HKEY_CURRENT_USER
7. HKEY_CLASSES_ROOT

Unregisters oleaut32.dll from memory as provided by M$oft and replaces it with
its own calls. Switches back to M$oft's when the browser is closed.
Creates stub processes to be started any time your browser is opened.

amcompat.tlb

This guy tracks any multimedia clips ( video/pictures/sound ) that you view.
It tracks the rating level on the video/picture/sound and the title / location.
Contains references to DblClick ( still digging on this one! )

amstream.dll
Sets up TWO way communications between your system and theirs.
Used to send info and receive update commands/files.
Opens port 1749 for communications.

This is as far as I have gone on the DLL's used by Aureate. I
have also discovered that if you remove only one of the DLL's after it has
been started once and is still in memory, the program will make its directory
hidden and replace the missing DLL with a fresh one from their site.

The following is a listing of all software known to install the Aureate spy
on your system.

GetRight
Go!Zilla
CuteFTP 3.0
NetAnts
Net Vampire
Free Solitaire
JetCar
buddyPhone 2
CuteFTP 3.0
NewsShark
Abe's MP3 Finder
Dwyco Video Conferencing
Delphi Tester
MP3 Fiend
WebCopier
Aureate Group Mail
Binary Boy
Download Wonder
ASP1-A3
NetCaptor 5.0
NetTime Thingy
TIFNY
ComTry Music Downloader
WebStripper
Sweep
Calypso E-mail
Netbus Pro 2.10
LOL Chat
PicPluck
Access Diver III
NetNak
Midnight Oil Solitaire
File Mag-Net
Alive and Kicking
BinaryVortex
CuteFTP/Tripod
InnovaClub
LapLink FTP
MP3 Grouppie
Iban Technologies IP Tools 3.1
NewsBin
Planet.MP3Find
3D-FTP
EasySeeker
Crystal FTP
MP3 Album Finder
FTPEditor
Free Spades
Capture Express 2000
DigiCams - The WebCam Viewer
3rd block
Address Rover 98
AutoFTP PRO
LOL Chat
RingSurf
Abe's Picture Finder
Web SurfACE
SonicMail
SBWcc
Dialer 2000
Free Submitter Pro
My Genie SE
StockBrowser
Ping Thingy
MP3 Mag-Net
FourTimes
Beatle
Grafula
Folder Guard Jr.
TWinExplorer Standard
Advanced Call Center
xBlock
VOG Backgammon Table
My Genie Patriots
More Space 99
VOG Backgammon Main
Active 'Net
SmartSum calculator
FreeZip!
Net-A-Car Feature Car Screensaver
My GetRight
Planet.Billboard
Infinite Patience
DNScape
CutePage
ReGet 1.6
SimpleSubmit v1.0
Acorn Email
Octopus
Internetrix
AcqURL
Pictures In News
ProtectX 3
NetSuck 3.10.5
SunEdit 2K
Advanced Maillist Verify
QuoteWatch
Cheat Machine
Wordwright
MX Inspector BIG AD
VOG Shell
Resume Detective
DownLoader v.1.1
CSE HTML Validator Lite
AdWizard
SBJV
WebCamVCR
The Mapper
Space Central Screen Saver
ProxyChecker
Meracl ImageMap Generator
Sound Agent
QuadSucker/Web
Scout's Game
JOC Web Spider
Free Picture Harvester
Check4New
MirNik Internet Finder
WinEdit 2000
hesci Private Label
ActionOutline Light 1.6
SuperIDE
Mp3 Stream Recorder
Add/Remove Plus!
Zip Express 2000
DigiBand NewsWatch
QWallet
Abe's Image Viewer
WebSaver
Auction Explorer
EZ-Forms FREE
Total Finger
FileSplit
Abe's SMB Client
Subscriber
SaberQuest Page Burner
Splash! Siterave
Abe's FTP Client
Photocopier
GovernMail
AutoWeb
DL-Mail Pro 2000
iFind Graphics
Netman Downloader
Shizzam
Visual Cyberadio
DateTime
imageN
CuteMX
AxelCD
VeriMP3
Charity Banner
Web-N-Force
Net Scan 2000
HangWeb
Mail Them
TI-FindMail
JOC Web Finder
Huey v1.8 Color Picker
Danzig Pref Engine
Personal Search Agent
NewsWire
SweepsWinner
TypeWriter 1.0
NotePads+
123Search
Aureate SpamKiller
Notificator 1.0b
FreeSite
Word+
Virtual Access
Gunther's PasswordSentry
HTTP Proxy-Spy
Idyle GimmIP
Download Minder 1.5
VOG Chess Main
Zion
Doorbell 1.18
SK-111
InstallZIP
EmmaSoft ChatCat
EnvoyMail
W3Filer
ScreenFIRE - FileKing
JOC Email Checker
MouseAssist
VOG Chess Table
ChanStat
HTML Translator
Win A Lotto
Website Manager
Text Transmogrifier
Net CB
MultiSender
Add URL
QuikLink Explorer Gold Edition
LineSoft Download
NfoNak
Classic Peg Solitaire
InterWebWord Companion
Cascoly Screensaver
DirectUpdate
Admiral VirusScanner
Visual Surfer
Digital Postman
NeuroStock
SimpleFind
RoboCam 1.10
Vagabond's Realm http://www.devgames.com/
VOG Shell
Web Page Authoring Software
Clabra clipboard viewer
EmmaSoft dBrow
VOG Reversi Main
FreeWebMail
Simple Submit
CamGrab
QuikLink Autobot
SmartBoard 200 FREE Edition
CDDB-Reader
Static FTP
InfoBlast
Blue Engine
MP3 Renamer
TheNet
UK Phone Codes
Quadzle Puzzles
WorldChat Client
ScreenFIRE
VOG Reversi Table
Worm
Music Genie
WEB2SMS
Idyle GimmIP
FreeImageEditor
MP3INFO-Editor
NeatFTP
FreeNotePad
Your ESP Test
WhoIs Thingy
WebType
Total Whois
NetBoard
CDMaster32
ChinMail
Vertigo QSearch
Real Estate Web Site Creator
Network Assistant
Internet Tree
VOG Shell History
Trade Site Creator
StartDrive
Go!Zilla WebAttack
FreeWebBrowser
Tracking The Eye
EmmaSoft Soundz
Web Coupon
Meracl FontMap
Smart 'n Sticky
Rosemary's Weird Web World
Web Registrant PRO
jIRC
Web Resume
Recipe Review
KVT Diplom
Delphi Component Test
alphaScape QuickPaste
QuikLink Explorer
PingMaster
JFK Research
BookSmith : Original
ScreenFlavors
Sea Battle
People Seek 98
EmmaSoft KeepLan
3d Anarchy
FreeIRC
Pattern Book


I am sure this list will grow as more software manufacturers sign on with
Aureate.


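The indicators the post above names (the amc/amcdl directories under the Windows folder, the listed file names, and port 1749) can be checked for with a small script. The following is an added example written for this page; it is not code from the post or from any tool it mentions. It builds a constructed sample directory tree and a few constructed netstat-style lines so it runs offline, and the directory layout, the `classify_hit` confidence split and the sample addresses are all assumptions. One caveat the post does not state: advpack.dll and amstream.dll are also the names of legitimate Windows components, so a matching file name found outside the amc/amcdl directories is weak evidence on its own and is reported as low confidence.

```python
import os
import tempfile
from pathlib import Path

# Indicators taken from the post: directory names, file names and the port.
INDICATOR_DIRS = {"amc", "amcdl"}
INDICATOR_FILES = {
    "htmdeng.exe", "advert.dll", "amcis.dll", "amcis2.dll", "ipcclient.dll",
    "msipcsv.exe", "amcompat.tlb", "amstream.dll", "advpack.dll",
}
INDICATOR_PORT = 1749


def classify_hit(rel_path):
    """'high' if the hit is, or lies under, an amc/amcdl directory; 'low' otherwise.
    A lone file-name match is weak evidence: advpack.dll and amstream.dll are also
    legitimate Windows component names (caveat added here, not from the post)."""
    parts = rel_path.lower().split("/")
    return "high" if any(p in INDICATOR_DIRS for p in parts) else "low"


def scan_windows_dir(windows_dir):
    """Walk a Windows directory and return sorted (confidence, relative POSIX path) hits."""
    root = Path(windows_dir)
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        rel = Path(dirpath).relative_to(root)
        for name in dirnames:
            if name.lower() in INDICATOR_DIRS:
                p = (rel / name).as_posix()
                hits.append((classify_hit(p), p))
        for name in filenames:
            if name.lower() in INDICATOR_FILES:
                p = (rel / name).as_posix()
                hits.append((classify_hit(p), p))
    return sorted(hits, key=lambda h: h[1])


def find_port_connections(netstat_lines, port=INDICATOR_PORT):
    """Return (local, remote) pairs from 'netstat -an' style lines where either
    endpoint uses `port`. Only lines whose first field is TCP or UDP count."""
    found = []
    for line in netstat_lines:
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        local, remote = parts[1], parts[2]
        if any(addr.rsplit(":", 1)[-1] == str(port) for addr in (local, remote)):
            found.append((local, remote))
    return found


def build_sample_tree():
    """Create a constructed, temporary Windows-like directory tree for the demo."""
    base = Path(tempfile.mkdtemp(prefix="aureate_demo_")) / "windows"
    (base / "amc").mkdir(parents=True)
    (base / "amc" / "advert.dll").write_bytes(b"constructed placeholder")
    (base / "amcdl").mkdir()                     # empty indicator directory
    (base / "system").mkdir()
    (base / "system" / "advpack.dll").write_bytes(b"constructed placeholder")
    (base / "notepad.exe").write_bytes(b"constructed placeholder")  # benign
    return base


# Constructed netstat-style lines (not real output); 192.0.2.0/24 and
# 198.51.100.0/24 are documentation address ranges.
SAMPLE_NETSTAT = [
    "Active Connections",
    "  Proto  Local Address      Foreign Address     State",
    "  TCP    192.0.2.10:1749    198.51.100.7:80     ESTABLISHED",
    "  TCP    192.0.2.10:1035    198.51.100.7:80     ESTABLISHED",
    "  UDP    0.0.0.0:137        *:*",
]

if __name__ == "__main__":
    tree = build_sample_tree()
    for confidence, path in scan_windows_dir(tree):
        print(f"[{confidence}] {path}")
    for local, remote in find_port_connections(SAMPLE_NETSTAT):
        print(f"port {INDICATOR_PORT} in use: {local} -> {remote}")
```

On a real machine you would point `scan_windows_dir` at the actual Windows folder and feed `find_port_connections` the lines of `netstat -an`; the post itself notes that the program hides its directory once running, so the scan should be read as one check among several rather than proof of a clean system.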
Elektrospeedy (Anonymous) (Anonymous) „Trojan: Everyone please take a look at this, it's unbelievable!!!!“

Which program did you use to find that out?

(Anonymous) Elektrospeedy (Anonymous) „Which program did you use to find that out?“

If you want more info, please look in the "Hackers, Viruses and Data Protection" section.

SURFy (Anonymous) „If you want more info, please look in the Hackers, Viruses and...“

Yep, it's been discussed intensively over there for a long time --> And by the way, the all-clear from Heise was a false report ...
greets SURFy

B0N3M4N (Anonymous) „Trojan: Everyone please take a look at this, it's unbelievable!!!!“

Damn, I have that directory!!!

Could that be why my Netscape crashes so often???
