C2Media - lop.com - mp3.exe


NetWatchman
July 29th, 2002, 01:16 PM
Anybody know anything about this supposed privacy tool?

http://www2.jimmysurf.com/help2.shtml

I'm investigating an incident where we are getting tons of udp/1239 probes from an IP address that appears to be associated with this tool... concerned that it may have spyware of its own.

NetWatchman
July 29th, 2002, 03:30 PM
The payload of these UDP probes makes references to the following URL:

http://rub.to/pops/jimmy.html

Clicking on the image takes you to the following:

http://www2.jimmysurf.com/select/bref12.php?refererusername=c2media

C2Media owns lop.com ... rub.to also appears to be affiliated with lop.com (known Spyware / desktop hijack malware):

http://groups.google.com/groups?q=lop.com&hl=en&lr=&ie=UTF-8&oe=UTF-8&selm=Ak3p8.45008%24u17.4278470%40amsnews03.chello.com&rnum=1


I'm guessing that udp/1239 is being used to push ad pop-ups to "infected" clients. It seems like C2Media/Lop is promoting JimmySurf (software to stop ad pop-ups) by using ad pop-ups!!

Gotta love it.

*Well, tried to fix that link. Pete

NetWatchman
July 29th, 2002, 04:16 PM
http://www.pcworld.com/news/article/0,aid,101916,00.asp

Last paragraph from above link:

Britain-based C2 Media's MP3 Search application, which is distributed by sites such as MP3Search.com, promises to help you locate digital music. When we installed the software in April, however, it also switched our browser home page and default search engine to the Lop.com Web site. A Lop.com toolbar--with ads for Citibank, the Columbia House Record Club, Ford, and Sears--appeared, as did 89 new bookmarks, many of which pointed to Lop.com. And landing on Lop.com triggered a flock of pop-up and pop-under ads.

I believe that C2Media's plug-in listens on udp/1239 for push-based ads.
Has anyone else seen this? I'd really hate to install the plug-in and then spend hours removing it.

The following URL attempts to install the C2Media plugin:
http://mp3search.com

WARNING: Suggest you do NOT hit the above link unless you have your browser security settings set to prompt for ActiveX content!!

Here's what the ActiveX alert will look like:

http://www.mynetwatchman.com/images/mp3_plugin.png
(For some reason this forum wouldn't let me upload the image... so I put it on my site)

I like how the plug-in is downloaded from
http://www.toilet.com/mp3_plugin.exe

snowy
July 29th, 2002, 04:22 PM
From your posts it appears your instincts may have already answered your questions.

Loki
July 29th, 2002, 05:04 PM
Hi,
Wasn't there a web site telling about Lop.com and C2Media and the tactics they use? I can't remember, I tried to search but no luck.
Thanks.

Prince_Serendip
July 29th, 2002, 06:16 PM
I've noticed a huge upsurge of UDP probes in my ZoneAlarm Logs. They are not (yet) considered to be any danger. I've been wondering what might have caused this. This could explain it. Thanks.

MyNethingyman
July 29th, 2002, 06:23 PM
Quote (Loki):
"Hi,
Wasn't there a web site telling about Lop.com and C2Media and the tactics they use? I can't remember, I tried to search but no luck.
Thanks."

Unfortunately, www.spywareinfoforum.com is no longer in business. They did a very good job on lop.

You can go to the LOP site and they do provide info to get rid of their spyware. They even provide different types of downloadable uninstallers for their products. :) :)


Frequently Asked Questions (FAQ)

http://lop.com/help.html

NetWatchman
July 29th, 2002, 10:11 PM
Quote (Prince_Serendip):
"I've noticed a huge upsurge of UDP probes in my ZoneAlarm Logs. They are not (yet) considered to be any danger. I've been wondering what might have caused this. This could explain it. Thanks."

The activity I'm looking at all has a *source* UDP port of 1239... destination of random.
I doubt your UDP activity was lop.com related, unless you installed their mp3 plug-in.

To get insight on ANY IP address... check out my 'Lookup by IP Address:' on my home page: http://www.mynetwatchman.com

Most often UDP surges are due to Internet gaming activity or slow DNS servers (src port=53).
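
The triage described in the post above (separating UDP traffic with source port 1239 and scattered destination ports from ordinary DNS replies with source port 53), as an added example that is not part of the original thread. The log format, the addresses and the function name `summarize_udp_sources` are constructed for illustration and do not represent any particular firewall's output.

```python
import re
from collections import defaultdict

# Constructed sample firewall log lines (format and addresses are made up for
# this example): timestamp, protocol, source ip:port, destination ip:port.
SAMPLE_LOG = """\
2002-07-29T13:01:02 UDP 192.0.2.10:1239 203.0.113.5:3072
2002-07-29T13:01:09 UDP 192.0.2.10:1239 203.0.113.5:4410
2002-07-29T13:01:15 UDP 192.0.2.10:1239 203.0.113.6:2950
2002-07-29T13:02:40 UDP 198.51.100.53:53 203.0.113.5:1045
2002-07-29T13:02:41 UDP 198.51.100.53:53 203.0.113.5:1046
2002-07-29T13:03:00 TCP 192.0.2.77:1239 203.0.113.5:80
2002-07-29T13:03:30 UDP 192.0.2.99:27015 203.0.113.6:27005
this line is malformed and is skipped
"""

LINE_RE = re.compile(
    r"^(\S+)\s+(UDP|TCP)\s+(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\s+"
    r"(\d{1,3}(?:\.\d{1,3}){3}):(\d+)$"
)

def summarize_udp_sources(log_text, watch_port=1239, min_dst_ports=2):
    """Group inbound UDP by source IP and source port.

    Returns (flagged, by_src_port): flagged maps each source IP that sent
    from watch_port to at least min_dst_ports distinct destination ports
    to the sorted list of those ports; by_src_port counts UDP packets per
    source port so DNS replies (53) or game traffic stand out separately.
    """
    dst_ports = defaultdict(set)
    by_src_port = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group(2) != "UDP":
            continue  # skip malformed lines and non-UDP traffic
        src_ip, src_port, dst_port = m.group(3), int(m.group(4)), int(m.group(6))
        by_src_port[src_port] += 1
        if src_port == watch_port:
            dst_ports[src_ip].add(dst_port)
    flagged = {ip: sorted(p) for ip, p in dst_ports.items()
               if len(p) >= min_dst_ports}
    return flagged, dict(by_src_port)

if __name__ == "__main__":
    flagged, counts = summarize_udp_sources(SAMPLE_LOG)
    print("src port 1239 sources:", flagged)
    print("UDP packets by source port:", counts)
```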

Mike_Healan
August 3rd, 2002, 06:55 PM
Quote (MyNethingyman):
"Unfortunately, www.spywareinfoforum.com is no longer in business. They did a very good job on lop."

Hehe. Just a server failure. Back in business again. The page you want is http://www.spywareinfoforum.com/lop.html

MyNethingyman
August 3rd, 2002, 07:16 PM
I know, Mike... have been passing the word all over the net that you are back in business... good going. :) :) :)