C2Media - lop.com - mp3.exe

Discussion in 'other anti-malware software' started by NetWatchman, Jul 29, 2002.

Thread Status:
Not open for further replies.
  1. NetWatchman

    NetWatchman Security Expert

    Joined:
    Jul 24, 2002
    Posts:
    31
    Anybody know anything about this supposed privacy tool?

    http://www2.jimmysurf.com/help2.shtml

    I'm investigating an Incident where we are getting tons of udp/1239 probes from an IP address that appears to be associated with this tool...concerned that it may have spyware of its own.
     
  2. NetWatchman

    NetWatchman Security Expert

    Joined:
    Jul 24, 2002
    Posts:
    31
    Re:JimmySurf??

    The payload of these UDP probes makes references to the following URL:

    http://rub.to/pops/jimmy.html

    Clicking on the image takes you to the following:

    http://www2.jimmysurf.com/select/bref12.php?refererusername=c2media

    C2Media owns lop.com ... rub.to also appears to be affiliated with lop.com (known Spyware / desktop hijack malware):

    http://groups.google.com/groups?q=lop.com&hl=en&lr=&ie=UTF-8&oe=UTF-8&selm=Ak3p8.45008%24u17.4278470%40amsnews03.chello.com&rnum=1


    I'm guessing that udp/1239 is being used to push ad pop-ups to "infected" clients. It seems like C2Media/Lop is promoting JimmySurf (software to stop Ad-popups) by using Ad-popups!!

    Gotta love it.

    *Well, tried to fix that link. Pete
     
  3. NetWatchman

    NetWatchman Security Expert

    Joined:
    Jul 24, 2002
    Posts:
    31
    Re:C2Media - MP3search.com warning

    http://www.pcworld.com/news/article/0,aid,101916,00.asp

    Last paragraph from above link:

    Britain-based C2 Media's MP3 Search application, which is distributed by sites such as MP3Search.com, promises to help you locate digital music. When we installed the software in April, however, it also switched our browser home page and default search engine to the Lop.com Web site. A Lop.com toolbar--with ads for Citibank, the Columbia House Record Club, Ford, and Sears--appeared, as did 89 new bookmarks, many of which pointed to Lop.com. And landing on Lop.com triggered a flock of pop-up and pop-under ads.

    I believe that C2Media's plug-in listens on udp/1239 for push-based ads.
    Has anyone else seen this? I'd really hate to install the plug-in and then spend hours removing it.

    The following URL attempts to install the C2Media plugin:
    http://mp3search.com

    WARNING: Suggest you do NOT hit the above link, unless you have your Browser security settings to prompt for ActiveX content!!

    Here's what the ActiveX alert will look like:

    http://www.mynetwatchman.com/images/mp3_plugin.png
    (For some reason this forum wouldn't let me upload the image...so I put it on my site)

    I like how the plug-in is downloaded from
    http://www.toilet.com/mp3_plugin.exe
     
  4. snowy

    snowy Guest

    From your posts it appears your instincts may have already answered your questions.
     
  5. Loki

    Loki Registered Member

    Joined:
    May 26, 2002
    Posts:
    193
    Location:
    Lake Worth, Florida, USA
    Hi,
    Wasn't there a web site telling about Lop.com and C2Media and the tactics they use? I can't remember, I tried to search but no luck.
    Thanks.
     
  6. Prince_Serendip

    Prince_Serendip Registered Member

    Joined:
    Apr 8, 2002
    Posts:
    819
    Location:
    Canada
    I've noticed a huge upsurge of UDP probes in my ZoneAlarm Logs. They are not (yet) considered to be any danger. I've been wondering what might have caused this. This could explain it. Thanks.
     



  7. Unfortunately, www.spywareinfoforum.com is no longer in business. They did a very good job on lop.

    You can go to the LOP site and they do provide info to get rid of their spyware. They even provide different types of downloadable uninstallers for their products. :) :)


    Frequently Asked Questions (FAQ)

    http://lop.com/help.html
     
  8. NetWatchman

    NetWatchman Security Expert

    Joined:
    Jul 24, 2002
    Posts:
    31
    The activity I'm looking at all has a *source* UDP port of 1239...destination of random.
    I doubt your UDP activity was lop.com related, unless you installed their mp3 plug-in.

    To get insight on ANY IP address...check out my 'Lookup by IP Address:' on my home page: http://www.mynetwatchman.com

    Most often UDP surges are due to Internet gaming activity or slow DNS servers (src port=53).
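
Added example (not part of any post in this thread): a small Python triage of firewall log lines that separates the pattern NetWatchman describes, a fixed source port of 1239 with scattered destination ports, from late DNS replies with source port 53. The log format, addresses, label names and the `min_dports` threshold are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample firewall log (format and addresses are made up for this example).
SAMPLE_LOG = """\
2002-07-29 10:00:01 DROP UDP 203.0.113.5:1239 -> 192.0.2.10:4521
2002-07-29 10:00:02 DROP UDP 203.0.113.5:1239 -> 192.0.2.11:1755
2002-07-29 10:00:02 DROP UDP 203.0.113.5:1239 -> 192.0.2.12:3010
2002-07-29 10:00:03 DROP UDP 203.0.113.5:1239 -> 192.0.2.10:2894
2002-07-29 10:00:04 DROP UDP 198.51.100.53:53 -> 192.0.2.10:1044
2002-07-29 10:00:09 DROP UDP 198.51.100.53:53 -> 192.0.2.10:1045
2002-07-29 10:00:11 DROP UDP 198.51.100.7:27015 -> 192.0.2.11:27005
2002-07-29 10:00:12 DROP TCP 198.51.100.9:4000 -> 192.0.2.11:80
malformed line that the parser must skip
"""

LINE_RE = re.compile(
    r"^\S+ \S+ \S+ UDP (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def triage(log_text, min_dports=3):
    """Group UDP hits by (source IP, source port) and label each group."""
    groups = defaultdict(lambda: {"count": 0, "dports": set(), "dsts": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not UDP, or not in the assumed log format
        g = groups[(m["src"], int(m["sport"]))]
        g["count"] += 1
        g["dports"].add(int(m["dport"]))
        g["dsts"].add(m["dst"])
    report = {}
    for (src, sport), g in groups.items():
        if sport == 53:
            label = "dns-late-reply"  # reply from a DNS server, src port 53
        elif len(g["dports"]) >= min_dports:
            label = "fixed-sport-scattered-dports"  # one source port, many dest ports
        else:
            label = "other"
        # value: (label, packet count, number of distinct destination hosts)
        report[(src, sport)] = (label, g["count"], len(g["dsts"]))
    return report

if __name__ == "__main__":
    for key, val in sorted(triage(SAMPLE_LOG).items()):
        print(key, val)
```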
     
  9. Mike_Healan

    Mike_Healan Registered Member

    Joined:
    Mar 6, 2002
    Posts:
    302
    Location:
    USA
    Hehe. Just a server failure. Back in business again. The page you want is http://www.spywareinfoforum.com/lop.html
     
  10. I know Mike..have been passing the word all over the net you are back in business..good going. :) :) :)
     