Mysterious instant message/http://www.wgutv.com/osama_capture.php?xi01

Discussion in 'Security Software' started by Scott Francis, Feb 11, 2004.

  1. I received the following IM from my brother in law:

    check this out... http://www.wgutv.com/osama_capture.php?xi01

    When I clicked on the link I was taken to a "WGUC TV NEWS
    PLAYER WAR GAMES UPDATE" page. I was prompted to install
    a "News Player" ActiveX control.

    I refused to install the control and asked my brother-in-
    law what he'd sent. He said he hadn't sent me anything.

    This seems fishy to me. Is there any knowledge about this
    (a Google search returned nothing)? To whom should I
    report this?

    Thanks,

    Scott Francis
     
    Scott Francis, Feb 11, 2004
    #1

  2. Scott;
    I suspect he has spyware on his computer.
    It would be a good idea for both of you to follow at least steps #1,
    #5 & #6 on this link:
    http://www3.telus.net/dandemar/slowcom.htm
     
    Jupiter Jones [MVP], Feb 11, 2004
    #2

  3. This is an AIM worm. See the incidents list thread at:

    http://www.derkeiler.com/Mailing-Lists/securityfocus/incidents/2004-02/0027.html
     
    Keith W. McCammon, Feb 11, 2004
    #3
  4. Also see http://vil.nai.com/vil/content/v_101007.htm

    It's good you didn't click on "accept" to install the software. The EULA
    (not like most people read those, sigh) states:

    ...In addition, the Software will interoperate with your current
    instant messaging client so as to permit the automatic sending of
    advertising messages originating from your Computer to your contact or
    "buddy" list regarding Content offered by PSD Tools or its suppliers. If you
    desire to stop this activity, you may elect to stop the messages by
    navigating to the "buddylinks.net" entry in your "Start Menu", selecting the
    "buddylinks.net Configuration" item, and unchecking the appropriate option.
    You may also refer to PSD Tools' website at http://www.psdtools.com for an
    uninstaller
     
    Lanwench [MVP - Exchange], Feb 11, 2004
    #4
  5. Others have suggested what this is; a google search now may be more
    fruitful.

    As for who to report it to, I'd suggest the FTC. That's my general
    reaction to not-quite-technically-trojan-but-massively-deceptive
    adware.
     
    Daniel Martin, Feb 11, 2004
    #5
  6. It might be worth an email to WGUTV as their site might be promoting this
    junk or just used as a jump point.
    Tedd

    McAfee Visual Trace Version 3.25 Results
    Target: www.wgutv.com

    Administrative Contact:
    wgutv
    Drew Williams
    1770 Mass. Ave 213
    Cambridge, MA 02140
    US
    Phone: 6176614664
    Email:
    Visual Trace Copyright ©1997-2001 NeoWorx Inc
     
    Tedd Riggs, Feb 11, 2004
    #6
  7. I got a lot of information on the osama aim thingy here:

    http://vil.nai.com/vil/content/v_101007.htm
     
    TiJ, Feb 11, 2004
    #7
  8. Hi Scott,
    I received a similar message from my old government teacher from
    when I was in high school the moment I signed onto AOL messenger
    "check this out... http://www.wgutv.com/osama_capture.php" but when I
    clicked the link the page came up as "Action canceled: Internet
    Explorer was unable to link to the Web page you requested. The page
    might be temporarily unavailable." While the page was loading I could
    see the I.P. address in the bottom left corner of the explorer window
    and it read "63.251.131.235". I don't know if that would help someone
    figure out what this camo'd spam is, but I hope it does.
    ~Kendra, California
     
    Kendra, Feb 11, 2004
    #8
  9. Here's the whois info on the website:

    wgutv
    Drew Williams
    1770 Mass. Ave # 213
    Cambridge, MA 02140
    US
    Phone: 6176614664
    Email:
     
    anonymous coward, Feb 12, 2004
    #9
  10. I was a little surprised by the answer that I got from Drew asking if they
    know of this or support it. Looks like they do. Copy of email back from
    Drew.

    --
    Tedd Riggs
    PDA Square Content Developer
    www.pdasquare.com
    Redmond, WA

    Hello,
    We hope you are enjoying your BuddyLinks program.
    If you would like to uninstall BuddyLinks, we offer two
    easy methods to do this:

    -Via "Add/Remove Programs":

    Click "Start", Settings, Control Panel
    Click "Add/Remove Programs"
    Locate the "buddylinks.net Messaging Integration"
    option and click "Remove".
    Click "Yes" on the prompt.

    -Via a website link:
    Navigate to http://www.buddylinks.net/uninstaller.exe
    or http://www.buddylinks.net/uninstall.exe

    Choose "Run" or "Open" when the download window
    appears.

    We hope this helps answer your questions about
    BuddyLinks. Our support staff will be happy to help you
    with any additional uninstall issues via email at
    .
     
    Tedd Riggs, Feb 12, 2004
    #10
  11. Tedd,
    Yeah I'm enjoying the program ......
    I hope they enjoy my HOSTS file!

    # [PSD Tools][Adware-BuddyLinks]
    127.0.0.1 download.buddylinks.net #[ShellInstaller Control]
    127.0.0.1 www.buddylinks.net
    127.0.0.1 www.wgutv.com
    --
    For SpywareBlaster users: (add via "Custom Blocking")

    Title: Adware-BuddyLinks
    CLSID: {FDDCE9FF-1FC6-413c-80B1-37B101FDA1D4}
    ____________________________________________________________
    Mike Burgess [MVP Windows Shell\User] http://www.mvps.org/winhelp2002/
    Blocking Spyware, Adware, Parasites, Hijackers, Trojans, with a HOSTS file
    http://www.mvps.org/winhelp2002/hosts.htm [updated 02-07-04]
    Please post replies to this Newsgroup, email address is invalid
    --
     
    Mike Burgess, Feb 12, 2004
    #11
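
The HOSTS entries posted in #11 only help if they are active and not shadowed by another line. The following is an added example, not part of any post in this thread: a small audit that checks HOSTS-file text for the three hostnames from that post. The function names are hypothetical, and it assumes the first matching line for a hostname is the one the resolver uses.

```python
import ipaddress

# Hostnames from the HOSTS entries posted in the thread.
BLOCKLIST = ("download.buddylinks.net", "www.buddylinks.net", "www.wgutv.com")

def parse_hosts(text):
    """Return {hostname: [addresses in file order]} from HOSTS-file text."""
    table = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) < 2:
            continue                            # blank, comment-only or no hostname
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                            # malformed address
        for name in fields[1:]:
            table.setdefault(name.lower().rstrip("."), []).append(addr)
    return table

def audit(text, wanted=BLOCKLIST):
    """Classify each wanted hostname as 'blocked', 'missing' or 'overridden'."""
    table = parse_hosts(text)
    report = {}
    for host in wanted:
        addrs = table.get(host.lower())
        if not addrs:
            report[host] = "missing"
        # Assumption: the first matching line wins, so only that one is judged.
        elif addrs[0].is_loopback or addrs[0].is_unspecified:
            report[host] = "blocked"
        else:
            report[host] = "overridden"
    return report

# Constructed sample: one entry commented out, one shadowed by an earlier line.
SAMPLE = """\
# [PSD Tools][Adware-BuddyLinks]
127.0.0.1 download.buddylinks.net #[ShellInstaller Control]
#127.0.0.1 www.buddylinks.net
192.0.2.10 WWW.WGUTV.COM
127.0.0.1 www.wgutv.com
"""

if __name__ == "__main__":
    for host, state in audit(SAMPLE).items():
        print(f"{host:26} {state}")
```

On Windows the text to audit would come from `%SystemRoot%\System32\drivers\etc\hosts`.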