lop.com exploit?

Discussion in 'malware problems & news' started by Digiti, Mar 29, 2002.

Thread Status:
Not open for further replies.
  1. Digiti

    Digiti Registered Member

    Joined:
    Feb 14, 2002
    Posts:
    39
    Does anyone know how the lop.com intrusion takes over your browser and toolbar etc.? I have been hearing that a visit to that URL has dire consequences. In fact, a scan with AD-AWARE showed a reg. key for lop.com on my system as well. Thanks.
     
  2. SmackDown

    SmackDown Guest

    I just went there and found nothing. I ran Ad-aware, and it also found nothing.
     
  3. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    I went there, too - nothing. Even clicked on the 'Extreme Adult' link - nada.

    Of course, IE-SPYAD automatically put the whole place into the IE 'Restricted' zone to start with! ( <G> ) Pete
     
  4. Checkout

    Checkout Security Rhinoceros

    Joined:
    Feb 11, 2002
    Posts:
    1,226
    Does your mother know where you go at night?

    I know nothing about this program.  Would you care to elucidate?
     
  5. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    I'll tell you about it, too! ( <g> )

    Short excerpt from this page: http://www.staff.uiuc.edu/~ehowes/resource.htm :

    "IE-SPYAD is a Registry file (IE-ADS.REG) that adds a long list of known ad/spy servers and domains to the "Restricted Zone" of Internet Explorer. Once IE-ADS.REG is "merged" into your Registry, most ad/spy servers will not be able to resort to the usual "tricks" (e.g., cookies, scripts, popups, et al) that they use in order to track and monitor your behavior while you surf the Net.

    Please note that IE-ADS.REG will NOT block banner ads in Internet Explorer (though it will stop script-based popups). This list of known ad/spy servers and domains merely blocks the cookies typically attached to banner ads. It also prevents the use of ActiveX, Java, and scripting -- active content technologies that can be used to compromise your privacy and security -- by the servers and domains specified in IE-ADS.REG.

    This "Restricted Zone" list is based on info from the latest HOSTS file of Stephen Martin (http://www.smartin-designs.com/ )."

    And (very important): "After you merge IE-ADS.REG into the Registry, make sure that your settings for the "Restricted Zone" in Internet Explorer are configured for maximum paranoia (i.e., set everything to "Disable" or "Prompt")."

    Only works for IE, but it does work with IE6.0 Pete
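
How a Restricted-zone blocklist of the kind described in the IE-SPYAD excerpt above can be audited before it is merged, as an added example that is not part of the original post and is not code from IE-SPYAD. It assumes the file uses Internet Explorer's standard `ZoneMap\Domains` registry layout; the sample entries and `.example` domains are constructed.

```python
import re

RESTRICTED = 4  # IE zones: 0 My Computer, 1 Intranet, 2 Trusted, 3 Internet, 4 Restricted
ZONEMAP = r"software\microsoft\windows\currentversion\internet settings\zonemap\domains" + "\\"

KEY_RE = re.compile(r"^\[(-?)(HKEY_[A-Z_]+)\\(.+)\]$")
VAL_RE = re.compile(r'^"([^"]*)"=dword:([0-9a-fA-F]{8})$')

def parse_zone_assignments(reg_text):
    """Return [(host, protocol, zone)] for every ZoneMap\\Domains value in a .reg file."""
    results, host = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):   # blank line or .reg comment
            continue
        key = KEY_RE.match(line)
        if key:
            deleted, _hive, path = key.groups()
            host = None                         # values only count under a ZoneMap key
            if not deleted and path.lower().startswith(ZONEMAP):
                # Domains\example.com\ads means host ads.example.com
                parts = path[len(ZONEMAP):].split("\\")
                host = ".".join(reversed(parts)).lower()
            continue
        val = VAL_RE.match(line)
        if val and host:
            results.append((host, val.group(1), int(val.group(2), 16)))
    return results

def not_restricted(assignments):
    """Entries a blocklist file should not contain: anything outside zone 4."""
    return [a for a in assignments if a[2] != RESTRICTED]

# Constructed sample, not taken from IE-ADS.REG; the domains are placeholders.
SAMPLE_REG = r'''REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\adserver.example]
"*"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\tracker.example\ads]
"*"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\odd.example]
"http"=dword:00000002
'''

if __name__ == "__main__":
    for host, proto, zone in parse_zone_assignments(SAMPLE_REG):
        print(f"{host:28} {proto:6} zone {zone}")
```

An entry that maps a host to zone 2 (Trusted sites) inside a file that is supposed to be a blocklist is the case worth catching, since merging it would loosen rather than tighten the settings for that host.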
     
  6. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Also, M Healan's post in this thread: http://www.lavasoft.de/cgi-bin/forums/ikonboard.cgi?act=ST;f=5;t=173;hl=lop.com gives removal instructions, tips if you've been 'infected' by lop.com.  Pete

    *See dcinotti's post to that thread, as well.
     
  7. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    I also found this in several newsgroup threads:

    "Here's why that *** thing stuck around after I'd already killed the Run key that called it:

    It also copies a Web page to your Wallpaper folder, which calls the Flash movie that runs that friggin' bar, and changes your current Background to this Web page. You don't think to check because it preserves whatever wallpaper you were currently using.

    So, to rip it out by hand, not only do you need to zap the Run key above (and I wish I'd kept better notes when I was doing this so I could post exactly what the key was...at the time I just wanted this OUT...maybe someone can find it and point it out to the class), but you ALSO need to change your wallpaper back to whatever you were using (you'll note it's currently set to "desktop" with an IE icon next to it in Desktop Properties > Desktop), and delete the desktop.htm and desktop.swf files that are in your C:\Windows\Web\Wallpaper folder. It'll go away once you change the wallpaper back, but I recommend destroying all traces of it and rebooting to make sure it's gone."


    Cheers,
     
  8. Digiti

    Digiti Registered Member

    Joined:
    Feb 14, 2002
    Posts:
    39
    Just to let you know, I first heard about lop.com from a TechTV broadcast with Chris Pirillo called "Call for Help". It has been showing up in threads on several security forums as well. Evidently it is getting very dangerous out there on the web.
     
  9. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    Well, I wouldn't exactly call it 'dangerous', but it still is a scourge.

    Take a look at these newsgroup threads... :-/
     