The Spyware Weekly Newsletter is distributed every week to 20,000 subscribers and read online by hundreds of thousands of visitors. Click here to subscribe. Please read our Terms of Use for quoting guidelines. This edition of the Spyware Weekly Newsletter is archived permanently at http://www.spywareinfo.net/aug19,2005.
Wherever the term "adware" is used, it is referring to a category of software, not to any particular company or product.
The contents of this newsletter are commentary. They should not be mistaken for unbiased, objective journalism.
The internet has become a gangland war zone and your computer is the street corner being fought over.
Shortly after someone published exploit code for a newly discovered Windows 2000 flaw, someone created the Zotob worm. Once installed, Zotob will try to seek out and infect other computers on the same network. It also opens a backdoor trojan that allows someone to access the infected machine.
Several slightly different versions of Zotob have been released. The creators of these separate versions apparently have gone to war with each other. Now owners of infected computers not only have to deal with a virus infection; they also suffer the double indignity of seeing their machine become a battleground, as the different Zotob worms try to exterminate each other.
In the past, people released viruses and worms for bragging rights. They wanted to show their fellow miscreants how cool they were, so they would infect millions of computers for the hell of it. These days, an infected computer is worth money.
Everyone - from spammers to organized crime to international terrorists - pays good money for control of large networks of infected computers. These computers can be used to send spam. They can be used to launch denial of service attacks. They can be used for a number of illegal things.
An infected computer now is "turf" belonging to whoever can take the machine and keep it. If a competitor is discovered, that competitor must go. The best way to avoid being hit in the crossfire of this or any future computer gang war is to have a policeman nearby. By that, I mean that you must have an antivirus program which is kept up-to-date on a constant basis.
If you can afford to pay for an antivirus program, I suggest Nod32. It costs $39.00 and is absolutely worth every penny. If you can't afford to buy one, then I suggest Avast. It has a free version for home use and I hear good things about it.
You also need to make sure you install Windows security updates, as soon as they come out. Turn on automatic updates or visit http://windowsupdate.microsoft.com at least once a week. Microsoft Updates usually are released on the second Tuesday of each month. Occasionally, a very critical update is released off schedule, so take the time to check at least once a week.
If it has been longer than a few months since you last installed Windows, then your computer's registry probably is a mess of redundant and invalid entries. Everything you do on your computer leaves traces in the registry, from picking through the start menu to opening programs, installing programs and surfing the web. These traces build up over time and fill your registry with unneeded junk.
Even after uninstalling them, many programs leave invalid entries throughout the registry and it is difficult to track them all down. If you ever have had a problem with Windows telling you a file is missing after you restart it, this probably is because of an invalid registry entry.
Registry Mechanic scans your entire registry to find these junk entries. It also checks your shortcuts to find those pointing to non-existent programs. Once it has scanned, it lists every invalid registry entry and every shortcut pointing to a missing file and lets you delete them with the click of a button. Every entry that is removed is backed up, in case you need to restore something. Depending on how long it has been since you installed Windows, you might see anything from a small difference to a dramatic increase in performance and stability.
When you run Registry Mechanic, you have three operations to choose from: "Scan Your Registry", "Optimize Your System" or "Compact Registry".
Registry Scan looks at the entire registry to find entries pointing to files which no longer exist. It also can scan for the actual location of the files referenced in the registry if you choose that option. It probably slows down the scan but that option is worth doing. Once it is done, the invalid registry entries will be corrected or deleted.
Optimizing your system applies a series of tweaks that should speed up the system. For instance, DLL files will be unloaded from memory when they are not needed. Another tweak makes the computer shut down faster when you reboot or turn it off.
Compacting the registry is similar to defragging your hard drive. The Windows Registry is really a set of files which are loaded into memory when the computer starts. Changing and deleting entries leads to spaces and gaps in these files. When you compact these files, the gaps are removed. Doing this makes the registry take up less memory and load faster.
This week we have a Spyware Doctor + Registry Mechanic bundle with $10.00 off each one. You can read my review of Spyware Doctor on the web site. If you prefer just one program or the other, click the trash can icon on the ordering page to remove it from the shopping cart. The $10.00 discount still applies to the one that remains.
If you have any problems with the ordering page, please email Catherine at http://www.spywareinfo.com/email2.php.
After more study of the web sites involved in that ID theft keylogger, I am no longer convinced that CoolWebSearch has anything to do with it. I am no longer convinced the hijacker software that installed the keylogger is associated with CoolWebSearch.
The version of the keylogger we looked at was downloaded from a site called ipassist[dot]biz. That site's home page redirects to and shares an IP address with clicksearchclick[dot]com, which itself has started recently to redirect to clicksearchclick[dot]biz. Clicksearchclick also happens to be the site to which Internet Explorer's home page is reset after this thing is installed.
I studied the HTTP logs after clicking some links at clicksearchclick. They all link to an IP address which belongs to something called yeahsearch[dot]net. Yeahsearch[dot]net uses DNS servers set up by klikfeed[dot]com, which is owned by, or at least affiliated with, klikrevenue[dot]com.
To the best of anyone's knowledge, none of these web sites are related to CoolWebSearch - not the hijack sites, not the servers or IP addresses used by the hijackers, not the servers called by the keylogger and not the server which actually stores the keylogger. According to a source inside the browser hijacker / pay-per-click scene, Klikrevenue and CoolWebSearch are competitors.
I feel comfortable pointing a finger at KlikRevenue, or at least to one of their affiliates. On the other hand, I do not see any evidence that CoolWebSearch is involved in even the most indirect manner with Srv.SSA-KeyLogger. It looks like my site and dozens of others have some articles to edit.
180Solutions has announced that they are taking seven of their former affiliates to court. 180 states that these affiliates violated the terms of their distributor's contract by installing 180Solutions software on numerous computers, without the consent of the owners. These particular affiliates were using a botnet to distribute the software.
Earlier this year, 180Solutions implemented a code of behavior which they claim they have required all affiliates to sign. Someone slipped a copy of this agreement to me several months ago. The agreement specifically forbids any method of installation that does not seek explicit permission from the computer owner. The affiliate would be liable for penalties, enforced by lawsuit if necessary, if they violated the terms of the contract.
I have to say, I was impressed by the contract. I also wondered if they had any intention of enforcing it. I know a couple of Washington D.C. lobbyists who happened to have been meeting with 180Solutions at the time, about the SPY ACT legislation. While I was in Washington myself earlier this year, I showed them the contract and asked them what they thought. They said they did not believe 180 ever would enforce the agreement.
Happily, it looks like they are enforcing it, at least on a limited basis. 180Solutions claims to have dropped the ax on at least 500 affiliates this year; and they have taken at least eight of them to court.
On the other hand, it seems that in every case where an affiliate has been sued, it was over an incident that someone else discovered and made public. These lawsuits seem to be more PR damage control than anything else. Still, hopefully, it will make the rest of their affiliates nervous.
In 2003, Las Vegas-based spammer Sean Dunaway slipped $28,000 to AOL employee Jason Smathers in exchange for 92 million AOL screen names and email addresses. This resulted in AOL users receiving over 7 BILLION spam emails pitching offshore gambling web sites.
Smathers was sentenced August 17 to spend 15 months in a federal prison. The judge in the case rejected a Probation Department recommendation that Smathers be forbidden from working in the computer industry again. The judge stated his belief that Smathers truly has learned his lesson. Charges against Dunaway are still pending.
DomainsByProxy is coming under fire for revealing the private information of some of their customers.
DBP is a division of GoDaddy, a very popular domain name registrar. DBP provides a service that allows people to register a domain name privately. When someone owns a domain name, the registrar is required to publish their name, telephone number, street address and email address publicly. If you use a service like DomainsByProxy, it will be their address and phone number listed in the public WHOIS database, although you control the domain.
Two people are making a lot of noise about DomainsByProxy failing to hold up their end of the agreement. One is the husband of a poet, whose DBP account was terminated without notice after the people he criticized anonymously demanded his name. Another case involves a web site owner who discovered that DBP gave out his information to someone who called the company asking for it.
The contract with DomainsByProxy seems to leave out any liability in the event they do fail to protect a person's information. On the other hand, they advertise their service in a way that says otherwise, so I doubt the contract would stand up if they are sued. If you take money for a service that says you will keep a person's information private, you probably should keep it private.
I am a customer of both GoDaddy and DomainsByProxy myself. Every domain I own is registered at GoDaddy and each one is covered by DomainsByProxy to keep my information private. After a couple of disturbing phone calls, I felt it was in my best interests to keep my phone number and home address out of public view.
DBP has never failed to keep my information private, at least not that I know of. A friend of mine was trying to reach me a while back. I had disappeared from my usual online haunts and several people were trying to contact me. DBP told him they didn't have my phone number, which of course wasn't true.
This brings up the situation with one of my domains. I have a .us web site on which I maintain a mailing list and an archive of every virus, spyware, adware and browser hijacker to come into my possession. For very obvious reasons, I do not want my phone number and street address listed in the WHOIS database for that web site.
A bureaucrat working for a subagency of the Department of Commerce, the National Telecommunications and Information Administration (NTIA), has created a new policy for .us domain holders. .us domains cannot be protected by proxy services. Owners of .us domains must have their name, address, telephone numbers and other information published in the public database.
I say "new" policy because this requirement was not in the original contract between NTIA and domain registrars. NTIA says otherwise. And I will call them liars until they point to the line in the original contract that forbids anonymous .us ownership. I'm still waiting for somebody - ANYBODY - to show me that clause.
It is, perhaps, the clearest example of government hypocrisy that the NTIA refuses to name the person there who ordered this new requirement. We wouldn't want to violate their privacy, now would we?
I wrote to both of my state's US Senators and my Congressman and asked them how a federal agency is allowed to create policy without congressional approval. Only Senator Saxby wrote back and he seems to be satisfied with the answer/press release that NTIA sent back to his office. In other words, nothing is going to be done to reverse this new policy.
In my case, the requirement will backfire when that particular domain comes up for renewal and I am no longer able to hide the contact information. For my address, I will list a post office box that I only check once every two weeks. For my telephone number, I will list a cell phone that I never turn on, except for roadside emergencies.
So if, God forbid, a law enforcement agency needs to look up who owns that domain, they will have less accurate information than they would have had if the old policy had been left alone. I suspect many other .us domain owners will do something similar. Nice going NTIA. I'm sure law enforcement appreciates your meddling.
SpywareInfo has a new feature, listing news headlines relevant to spyware, privacy and safely using the computer. There is a saying that "all politics are local". It seems that this also applies to the internet. It is a close community in that problems can spread from anywhere. If you see a local story that you think deserves attention, please let us know. Use this mail form, tell us some details and we will follow the story.
This Spywareinfo News Section is updated every day - and several times during the day. It is a section of Spywareinfo that we hope will keep you informed on a daily basis - and keep your internet time a bit safer. Go have a look.
All materials on this web site are copyrighted © 2001 - 2008 by Mike Healan or their respective owners.
All rights reserved.