Wilders Security Forums  

  #1  
Old March 29th, 2002, 10:44 PM
Digiti Digiti is offline
Infrequent Poster
 
Join Date: Feb 2002
Posts: 39
Default lop.com exploit?

Does anyone know how the lop.com intrusion takes over your browser and toolbar etc.? I have been hearing that a visit to that URL has dire consequences. In fact, a scan with AD-AWARE showed reg. key for lop.com on my system as well. Thanks.
  #2  
Old March 30th, 2002, 12:16 AM
SmackDown
 
Posts: n/a
Default Re: lop.com exploit?

I just went there and found nothing, I ran Ad-aware, and it also found nothing.
  #3  
Old March 30th, 2002, 09:42 AM
spy1 spy1 is offline
Massive Poster
 
Join Date: Dec 2002
Location: Clover, SC
Posts: 3,138
Default Re: lop.com exploit?

I went there, too - nothing. Even clicked on the 'Extreme Adult' link - nada.

Of course, IE-SPYAD automatically put the whole place into the IE 'Restricted' zone to start with! ( <G> ) Pete
__________________
"When fascism comes to America it will come wrapped in the flag and carrying a cross." Sinclair Lewis
  #4  
Old March 31st, 2002, 08:44 AM
Checkout Checkout is offline
Security Rhinoceros
 
Join Date: Feb 2002
Posts: 1,226
Default Re: lop.com exploit?

Quote:
I went there, too - nothing. Even clicked on the 'Extreme Adult' link - nada.
Does your mother know where you go at night?

Quote:
Of course, IE-SPYAD automatically put the whole place into the IE 'Restricted' zone to start with! ( <G> ) Pete
I know nothing about this program. Would you care to elucidate?
__________________
My Novel
  #5  
Old March 31st, 2002, 10:19 AM
spy1 spy1 is offline
Massive Poster
 
Join Date: Dec 2002
Location: Clover, SC
Posts: 3,138
Default Re: lop.com exploit?

I'll tell you about it, too! ( <g> )

Short excerpt from this page: http://www.staff.uiuc.edu/~ehowes/resource.htm :

"IE-SPYAD is a Registry file (IE-ADS.REG) that adds a long list of known ad/spy servers and domains to the "Restricted Zone" of Internet Explorer. Once IE-ADS.REG is "merged" into your Registry, most ad/spy servers will not be able to resort to the usual "tricks" (e.g., cookies, scripts, popups, et al) that they use in order to track and monitor your behavior while you surf the Net.

Please note that IE-ADS.REG will NOT block banner ads in Internet Explorer (though it will stop script-based popups). This list of known ad/spy servers and domains merely blocks the cookies typically attached to banner ads. It also prevents the use of ActiveX, Java, and scripting -- active content technologies that can be used to compromise your privacy and security -- by the servers and domains specified in IE-ADS.REG.

This "Restricted Zone" list is based on info from the latest HOSTS file of Stephen Martin (http://www.smartin-designs.com/ )."

And (very important): "After you merge IE-ADS.REG into the Registry, make sure that your settings for the "Restricted Zone" in Internet Explorer are configured for maximum paranoia (i.e., set everything to "Disable" or "Prompt")."

Only works for IE, but it does work with IE6.0. Pete

__________________
"When fascism comes to America it will come wrapped in the flag and carrying a cross." Sinclair Lewis
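
An added example, not part of the original posts or of IE-SPYAD itself: a small auditor for the kind of Registry file described in post #5, which reads `.reg` text and reports which hosts it maps to the Restricted zone. It assumes the file uses Internet Explorer's standard `ZoneMap\Domains` layout (zone 4 = Restricted sites); the sample domains are constructed placeholders, and `parse_zone_map` / `is_restricted` are names made up for this sketch.

```python
import re

# Constructed sample in .reg export format; placeholder domains only,
# not entries taken from IE-ADS.REG.
SAMPLE_REG = r'''REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ads.example]
"*"=dword:00000004
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\tracker.example\www]
"http"=dword:00000004
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\intranet.example]
"*"=dword:00000001
'''

ZONEMAP = r"\internet settings\zonemap\domains" + "\\"
RESTRICTED = 4  # IE security zone number for "Restricted sites"

def parse_zone_map(reg_text):
    """Return {(host, scheme): zone} for every ZoneMap\\Domains entry."""
    entries, host = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            idx = key.lower().find(ZONEMAP)
            host = None  # keys outside ZoneMap\Domains are ignored
            if idx != -1:
                # Key path is <domain>[\<subdomain>]; host is sub.domain
                parts = key[idx + len(ZONEMAP):].split("\\")
                host = ".".join(reversed(parts)).lower()
            continue
        m = re.match(r'"([^"]+)"=dword:([0-9a-fA-F]{8})$', line)
        if m and host:
            entries[(host, m.group(1).lower())] = int(m.group(2), 16)
    return entries

def is_restricted(entries, host, scheme="http"):
    """True if host, or a listed parent domain, is mapped to zone 4.

    Assumption of this sketch: an entry also covers hosts beneath it.
    """
    labels = host.lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if any(entries.get((candidate, s)) == RESTRICTED
               for s in (scheme, "*")):
            return True
    return False
```

Running it over a list before and after merging shows exactly which hosts the merge would restrict, and for which protocols.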
  #6  
Old March 31st, 2002, 10:28 AM
spy1 spy1 is offline
Massive Poster
 
Join Date: Dec 2002
Location: Clover, SC
Posts: 3,138
Default Re: lop.com exploit?

Also, M Healan's post in this thread: http://www.lavasoft.de/cgi-bin/forums/ikonboard.cgi?act=ST;f=5;t=173;hl=lop.com gives removal instructions, tips if you've been 'infected' by lop.com. Pete

See dcinotti's post to that thread, as well.
__________________
"When fascism comes to America it will come wrapped in the flag and carrying a cross." Sinclair Lewis
  #7  
Old March 31st, 2002, 01:48 PM
TonyKlein TonyKlein is offline
Security Expert
 
Join Date: Feb 2002
Location: The Netherlands
Posts: 3,956
Default Re: lop.com exploit?

I also found this in several newsgroup threads:

"Here's why that *** thing stuck around after I'd already killed the Run key that called it:

It also copies a Web page to your Wallpaper folder, which calls the Flash movie that runs that friggin' bar, and changes your current Background to this Web page. You don't think to check because it preserves whatever wallpaper you were currently using.

So, to rip it out by hand, not only do you need to zap the Run key above (and I wish I'd kept better notes when I was doing this so I could post exactly what the key was...at the time I just wanted this OUT...maybe someone can find it and point it out to the class), but you ALSO need to change your wallpaper back to whatever you were using (you'll note it's currently set to "desktop" with an IE icon next to it in Desktop Properties > Desktop), and delete the desktop.htm and desktop.swf files that are in your C:\Windows\Web\Wallpaper folder. It'll go away once you change the wallpaper back, but I recommend destroying all traces of it and rebooting to make sure it's gone."


Cheers,
__________________
Tony < > CLSID List - A Collection of Autostart Locations
  #8  
Old March 31st, 2002, 02:55 PM
Digiti Digiti is offline
Infrequent Poster
 
Join Date: Feb 2002
Posts: 39
Default Re: lop.com exploit?

Just to let you know, I first heard about lop.com from a techtv broadcast with Chris Pirillo called "Call for Help". It has been showing up in threads on several security forums as well. Evidently it is getting very dangerous out there on the web.
  #9  
Old March 31st, 2002, 03:12 PM
TonyKlein TonyKlein is offline
Security Expert
 
Join Date: Feb 2002
Location: The Netherlands
Posts: 3,956
Default Re: lop.com exploit?

Well, I wouldn't exactly call it 'dangerous', but it still is a scourge.

Take a look at these newsgroup threads... :-/
__________________
Tony < > CLSID List - A Collection of Autostart Locations
All times are GMT -4. The time now is 08:02 AM.