September 21, 2002

I know, I know. Overdue as usual. This one will be short and sweet. Apologies for the no doubt larger-than-normal number of typos. ;-)

My web host is upgrading servers on Monday, September 23, and it's going to mean another IP address change for the site. DNS changes usually take a few days to reach all the way around the world, so loading the domain may be hit and miss for a day or two afterward. The new IP address will be 208.251.150.135, which you'll be able to load in your browser as http://208.251.150.135/~mikehealan/ (I think) until the DNS updates everywhere. spywareinfoforum.info/newlsetter probably won't work at all until things update, so just use either http://www.spywareinfoforum.info/newsletter/ or http://208.251.150.135/~mikehealan/newsletter/.

To prevent any confusion, I'll be closing the support forums down on Sunday until the DNS update reaches my ISP (which seems to be last to update usually). Hopefully that will be no later than sometime on Tuesday.


A new "drive-by downloader" has come onto the scene recently. Xupiter.com's browser toolbar has been finding its way onto the computers of countless people via ActiveX installation, and people all over the net have been running around in circles trying to figure out what to do with it. There is an enormous thread at the message boards about this which nearly broke the record for replies to a single topic, and smashed the record for page views with nearly 7,000 hits. [Edit: It's now had over 32,000 views]

Spybot S&D will soon be updated to handle this software and the other spyware removal companies have been sent the relevant information. If your company produces spyware/adware/hijacker/<insert term here> removal software and you haven't already been receiving notification of potential new targets from me, please contact me to give me an appropriate contact address.

If you have this thing installed and wish to get rid of it now, the manual instructions are as follows (with apologies to Tony Klein for snitching his instructions):


EDIT:

Do not use these instructions. There have been many new variants of Xupiter released since this issue, so please use Spybot instead of these directions.

You can get Spybot from http://security.kolla.de/. Make certain you use the built-in update feature before using it. I'll leave the directions here for informational purposes, but please do not use them to remove Xupiter.


Open the registry (from the Start menu, click Run and enter regedit) and find the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. Delete the 'XupiterStartup' entry in the right-hand pane.

Also delete the following Registry Keys:

HKEY_CURRENT_USER\Software\Xupiter
HKEY_LOCAL_MACHINE\Software\Microsoft\Code Store Database\Distribution Units\{A27CFCAE-9351-4D74-BFFC-21EB19693D8C}

Reboot, and delete the entire Program Files\Xupiter directory.

You're also likely to have a Xupiter ActiveX object in your Downloaded Program Files folder. Find that one, right-click it, and choose Properties. It has the following ID: {A27CFCAE-9351-4D74-BFFC-21EB19693D8C}

Now right-click the file, and choose Delete.

Next, delete the Xupiter folder in Program Files.

Finally, go to Internet Options/Programs, and hit "Reset Web Settings".
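As a read-only companion to the steps above, this added example (not part of the original newsletter) scans a regedit text export for the registry indicators the article lists, without changing anything. The function names and the sample export are assumptions made for illustration, and a clean result says nothing about the later variants mentioned in the edit note.

```python
import re
# Indicators copied from the removal steps above.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "XupiterStartup"
XUPITER_KEYS = (
    r"HKEY_CURRENT_USER\Software\Xupiter",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Code Store Database"
    r"\Distribution Units\{A27CFCAE-9351-4D74-BFFC-21EB19693D8C}",
)
VALUE_NAME = re.compile(r'^"((?:[^"\\]|\\.)*)"\s*=')

def parse_reg_export(text):
    """Map each exported key path (lowercased) to its set of value names."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, set())
        elif current is not None:
            match = VALUE_NAME.match(line)
            if match:
                keys[current].add(match.group(1).lower())
    return keys

def find_xupiter_traces(text):
    """Return the indicators from the article that appear in a .reg export."""
    keys = parse_reg_export(text)
    hits = []
    if RUN_VALUE.lower() in keys.get(RUN_KEY.lower(), set()):
        hits.append(RUN_KEY + "\\" + RUN_VALUE)
    for key in XUPITER_KEYS:
        low = key.lower()
        # A key counts as present if it, or any subkey of it, was exported.
        if any(p == low or p.startswith(low + "\\") for p in keys):
            hits.append(key)
    return hits

# Constructed sample export (the .exe name is a placeholder, not from the article).
SAMPLE = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"XupiterStartup"="C:\\Program Files\\Xupiter\\placeholder.exe"

[HKEY_CURRENT_USER\Software\Xupiter]
'''

if __name__ == "__main__":
    print(find_xupiter_traces(SAMPLE))
```

Registry paths are compared case-insensitively, as the registry itself does; an export saved in the newer Unicode format must be decoded to text before being passed in.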

Many, many, many, many thanks to the dozens of people that contributed information to that thread. Most especially to one of the moderators at the forums, who goes by Mr Bones, who actually installed the software to log its installation process.


Gator Corporation's e-wallet software has been recently updated. This time it seems that some of the files are varying according to where you get them. Whatever the reason for that is, it has the effect of making it a moving target which none of the spyware removal programs have updated to handle. If you have a mysterious file named fsg*.exe (* is random), possibly you have Gator installed. Until the removal products are updated, don't count on Ad-aware, Spybot, or most of the others to notice it during a scan.

It is worth mentioning again that there are at least two great alternatives to Gator which do not include an integrated adware component, Keywallet and Roboform. Roboform has the ability to import saved login information from Gator, so you don't lose any information replacing it.


Windows XP service pack 1 has been released. It fixes a large number of bugs and exploits, the most well-known of which (by now) is the health center exploit. This bug is caused by code in an HTML file in the health center folder which allows for the deletion of all files in a directory simply by clicking on a specially formed hyperlink. The danger level of this bug is severely critical because of the simplicity of exploiting it, and I strongly urge all users of Windows XP to update as soon as possible.

In true, callous, monopolistic fashion, Microsoft refuses to release a separate patch for this problem, which means that either you deal with the possibility of a simple hyperlink removing the contents of your c:\ drive for you, or you spend lord knows how long downloading a 140 megabyte service pack. I consider this behavior to be reprehensible and condemn Microsoft in the strongest possible terms for refusing to release a separate patch so that people can fix their sloppy coding immediately and protect their computers.

Thankfully, the rest of the online community is not so callous. GRC.com's Steve Gibson has taken the fixed file from the service pack and bundled it into one of his famous, super tiny programs. It will check your file to see which version it is, and replace it if yours has the exploitable code. You may download this program and read about the bug further at Gibson's XP exploit page. From the bottom of my heart, thank you Steve.

It should be noted that I've heard that Gibson's file is the English version, and that his program may not detect that you have the patched version if you have a non-English installation of XP. However, if you have installed service pack 1, you don't need this program. If you don't have service pack 1, you do. Those simple facts should remove any confusion.


I have finally gotten my PayPal situation cleared up and can once again accept donations for the upkeep of the site. SpywareInfo has gotten so popular that I can hardly believe it. You can see that for yourself by looking at the log statistics. You'll notice that there has been over 8 gigabytes of data transfer this month so far. Considering that I have to pay my hosting company extra when it goes over 5 gigs, I think you'll see why I need the donation page. Part of the purpose of this newsletter is to generate some money for exactly this reason, but all of these ads are really just affiliate links, so I get no money until someone actually buys something. That may change in the future, but that's the situation now.

If you'd like to make a donation to help cover these and other costs associated with running SpywareInfo, please see our support page. If you've previously contributed via PayPal or Amazon, don't worry with it. You've already helped me out and I thank you again.


That's it for now. Last time, I promised something about a story about pizza delivery of all things. It's still coming, I just need a bit more time to put it together.

The permanent URL for this issue is http://www.spywareinfoforum.info/newsletter/archives/september-2002/09212002.html. Please use this URL when linking to it.


All material on this web site is copyrighted
© 2001-2002 by Mike Healan. ® All rights reserved.

SpywareInfo banner designed by mockie