You Might Be Infected With Webwatcher If...

3 replies to this topic

#1 Trance

Posted 05 November 2007 - 09:36 AM

The following are clues... They are the things that I noticed in my search for the WebWatcher Program, the person responsible for it, and a method for its removal.
Running the McAfee Security programs, I noticed that emproxy.exe seemed to be running constantly
- Emproxy is their program which checks email messages and IMs.
- The data which was streaming out of my machine was behaving like an instant message, so emproxy noticed it and scanned it.
- Because of the volume of data going out of the computer, emproxy was running all the time.
- Considering I was not sending messages or sending or receiving email, emproxy should not have been running at all.

Directories began appearing on my hard disk.
- Every time I would access a directory that contained a spyware program file, the spyware would detect I was going into the directory and move/copy the files to another directory.
- Take a look at your directory structure and you will see duplicate directory names all over the disk.
- It moves the files but since you saw the directory, it remains, but empty.

If you do a search for files on your computer which are connected to the program, it will generate more copies of the file because each time you 'touch' the file it moves. Searches for the files associated with the program will fill your hard disk before they ever finish the search.

ADOBE Updates
- There just always seems to be yet another update to the ADOBE software that you MUST have.
- I understand that Adobe does keep track of their licensing through their update program and it does phone home.
- The spyware is taking advantage of that and pretending to be Adobe Updater because they know you will most likely allow it to do its thing.

Java - Everyone needs Java enabled and installed.
- The spyware knows that you want Java enabled and will likely not remove it, but if you do and try to reinstall, they will redirect you to the file they want.
- Remember - URL OBFUSCATION means you get to think you are going where you want to go.

URL Obfuscation - If you ever go to a web site and notice that there is one or two pages which still have their 'old' format while everything else has been reformatted, you might not be where you think you are.
- There is no way to tell when you are getting redirected.
WHY NOT PUT A SMALL TOOL ON THE BROWSER THAT LETS YOU KNOW WHICH IP's YOU ARE HITTING TO GET YOUR INFO. You would then be able to notice that while one server was serving up all the other pages, you just went halfway around the world to get that one page????

TECH SUPPORT - There seemed to be a pattern played out by the tech support desks.
- I would call with a specific question
- They would ask numerous questions related and unrelated to the issue
- They would then put you on hold repeatedly - always apologizing
- At about the 1 hour mark they would tell you you need to contact another support desk.
- THIS HAPPENED WITH BOTH ONLINE AND PHONE TECH SUPPORT

Symantec is a partner with Awareness Technologies
- When I contacted them and told them specifically what I had detected and wanted removed
- They took remote control of my computer and they wasted an entire day
- In the end they informed me that they couldn't see the program.
- I discovered later on that Symantec is a partner in this. Of course they were not going to help remove it. Their program not only ignores it but their tech support covers it up.
- I paid $99 for their second level support to waste an entire day of my life

FORUMS - If the only place you can ever find a mention of a file is in a forum, it is the spyware program.
- You do a search for the file and all of the results are from other peoples HiJack This scans.
- They all have that file also.... but notice the patterns in the forum.
- First you report it, then they give you a fix, and you report back.
- NO ONE EVER SAYS WHAT THE BAD FILE WAS.
- The forum fixes are simply renaming the virus to something else to enable it to continue
- If you continue to try to get any response on the forum, you will be insulted and spoken down to.
- If you post the clues to your problem instead of the HiJack This code, the post will be deleted.
- None of the forums identifies the problem.
- The moderators in these forums, always have a little piece of code to fix the problem.
- The moderators never tell you what you had.
- The forums all seem to be hosted through the same domain registrar, and often nearby IP numbers.
- The forums that appear in your searches are fake. It's always going to be the same ones.
- The forums which might be out there to help you are being prevented from being displayed.

SEARCH ENGINES -
- The search engine features are working against you.
- Each Search results page returns with a few extra codes in the URL because the search engine wants to help you find things it thinks you are interested in.
- Those search strings can help you find things you want but can also prevent you from finding things
- You can't control the strings - they get added programmatically. You don't even know what's in them
- You can't see them to know what they are 'saying' about you
For Example.
When I Google Divorce and Computer, Google somehow knows I am a developer and returns lists of programs. I speak to my lawyer about these problems and he Googles the same 2 words and is returned a screen full of lawsuits. He never told Google he was a lawyer - but it knew. It used his prior search experience to provide things it thought he would want. But the logic can be used to prevent you from getting to things that you want - like the things which might reveal the spyware they are trying to prevent you from finding.
- If you can't find the results you are looking for but send an email to your friend asking them to find it. They can find it and send you the link, but you can't get to the page... OR if they reply and you read it through your browser and can't see the reply message... It's because there is a list of words which if they appear on a web page you are prevented from seeing it. Have them remove the Keyword, or use s p a c e s and you will find that you can suddenly see the page. (I saw this actual experience with LiveJournal.com communications)

PreFetch -
- Who is the idiot that thought up Prefetch???? What a great way to hide a program.
- You know how you can create a shortcut for Internet Explorer.
- You can call that shortcut anything you like and it'll still run Internet Explorer.
- Well PreFetch works similarly, except Prefetch is a secret and it might create the PreFetch file just seconds before it executes.
- So just because you clicked that program you wanted to run, PreFetch logic decided you should run another program, or perhaps make sure to include certain command line switches that it feels you should have. No bother in telling you, it can create that PreFetch file on the fly and run it for you in milli-seconds.
- And you get to think you are running what you wanted to run.
- If you delete all of the prefetch files, Don't worry, they'll be recreated for you .
- Why can't you read a prefetch file type? .pf?????
- IF YOU SEARCH FOR PREFETCH DISABLE AND CANNOT FIND AN ANSWER YOU ARE INFECTED.

WebWatcher has a list of Keywords which will immediately alert the spy (email or pager etc) if you type them or go to a web page that contains them.
I.e.
I responded via email to my lawyer regarding the divorce paperwork, but included the word CUSTODY in the message. My son got a phone call shortly thereafter and was picked up by his mother. He was prevented from speaking with me for months without any explanation.
GOOD THING THE SOFTWARE IS UNDETECTABLE. OTHERWISE INTERCEPTING LAWYER/CLIENT COMMUNICATIONS IS ILLEGAL.



Who knows what program files are supposed to be running and when?
- So that file that is running it kind of translates into McAfee Firewall Program - so that must be what it is...
- REALLY??? The program pretends to be a part of programs you already have installed.
- They know you have some sort of security program. When it installs it has the file names and the xml files to associate their spyware with the programs you already have installed.
- Don't try to contact the REAL software company about their software, they don't know the files either.
- They can't confirm file sizes or versions of their own programs.
- If you press for the information, they resort to asking you first and confirming your info is correct.
- Try this, give them wrong information. They'll confirm it, then correct yourself and listen for the confusion.
- STRANGE .... hmmm, maybe those tech support people don't really work for the companies they claim to work for.
- They can control the web sites that you are requesting. And after you switch through each of the virus programs, you notice that all of their tech support folks seem to be following the same script. Maybe it's because you have been fooled into going to the same place every time with different logos on the screen.
- Ask them about their building. What floor they are on, or the color of the walls, or about traffic that day. Forget about the weather, THEY ARE READY WITH THE WEATHER. It's the one question everyone touches on while waiting. They have a screen which already tells them what the weather is like in the place where they are pretending to be. I have actually had someone panic and tell me they did not know the color of the walls.
- AND the tech support desk may be fake if they are suddenly giving you their real given names, instead of the Americanized ones we have come to hear over the last years. You won't write down a name which you likely can't pronounce, let alone spell.
- If you get someone with a distinct voice, you will never get to talk to that person again.


I have seen WebWatcher pretend to be video drivers, cd and dvd writer drivers, parts of MS Office, and virus and spyware detection programs.

The program can be enabled and disabled remotely.
- So as soon as you attempt to show someone something that was happening an hour ago... well, it may not work the same way again.

The program files can be adjusted without your ever noticing.
- When I was about to shut down my pc last evening. I took one last peek at the Startup files
- There was a strange entry that had no explanation. have a look.
- It seems all of the directories and files related to it were created in 2006??? Now how could they have been there all along? Either I am getting forgetful, or someone is backdating and adjusting file properties and dates.
- Being curious I opened the file in Notebook. Here's a sample (the whole file in text format)
***********************************
' Script to look for all possible MSTSC product codes installed on machine, and if found
' to uninstall them.
' 3/7/2006
' a-paulhi

Option Explicit

' Target MSI product codes for the WinXP platform install
Dim ProductCodes(122)
' WinXP
ProductCodes(0) = "{3E713D52-C967-41FB-AA24-3A92CC1025A4}" ' LangCode = 1033, en-us
ProductCodes(1) = "{4DEEE869-7CA9-48C9-B219-105DF2BE3D6B}" ' LangCode = 1040, it-it
ProductCodes(2) = "{60B9A48D-559E-43FA-8F28-D657190E4E52}" ' LangCode = 1033, en-us
ProductCodes(3) = "{62416B78-C0F2-46ED-963C-F38064F7F0DB}" ' LangCode = 1033, en-us
ProductCodes(4) = "{62C4121D-CA64-413E-8444-0525FF7E8EF9}" ' LangCode = 1031, de-de
ProductCodes(5) = "{82217086-FCE7-41F8-8512-77C42583DB69}" ' LangCode = 1043, nl-nl
ProductCodes(6) = "{ACC2D401-9724-415D-BDA4-D2E96C650648}" ' LangCode = 1044, no-no
ProductCodes(7) = "{D81A311F-D26B-4BDA-8A44-0B608DF49BEF}" ' LangCode = 2052, zh-cn
Now those Lang Codes, where have I seen them before.... OH YEA... The search engines. Those are the codes that they add to the end of each search stream to make sure I only get the answers in my own language... OR ARE THEY?
And a search for that a-paulhi thing... like an author signing his work... It brings up one of those fake search engine results sites, with a whole stream of familiar phrases associated somehow.
Here is a look at two of the files I found relating to my Halloween Surprise.
I added the txt ending so that wouldn't be executed accidentally.
file 1
file 2

#2 Grinler (Lawrence Abrams), Admin

Posted 05 November 2007 - 01:26 PM

I will never get those five minutes back.

These accusations, and assumptions, are some of the most ludicrous things I have ever read. Is this something you found elsewhere, or do you actually think that prefetch infections, which I am not sure how prefetch can get infected, block certain serp results?

#3 Trance (Topic Starter)

Posted 07 November 2007 - 05:54 PM

You single out just one clue and jump to your conclusion... Did you miss the one where I mentioned that the forums are monitored and they often put down anyone who points out their program's flaws?

Here's another one... you can see it in the HiJack This logs pretty easily...

When a program installs it will most likely use the same piece of code to indicate the proper path for its installation instead of requesting it again and again.
If you are looking at HiJack This and there are 5 entries for a program which spell McAfee in title case with the upper case M and A, and then you notice two suspicious programs which do not have the letters in upper case, those files are likely the virus. Check the file dates and you'll likely notice discrepancies in their properties which confirm it.

It only makes sense that the programs were not installed at the same time if their pathing is not identical.

I've noticed this issue personally on multiple infected machines with Microsoft programs, Adobe PDF Reader, McAfee and Norton tools and Java installations.

A company like McAfee would consider the path as part of their branding. They wouldn't let a detail like that slip through, however someone pretending to be them would definitely not understand the importance of the brand.
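Post #3 proposes a check (autostart entries whose vendor directory is spelled with different casing from the others) and the next reply asks for an example. The script below is an added example, not code from either poster: it parses HijackThis "O4" autostart lines and reports entries whose drive-plus-vendor prefix is spelled differently from the majority of entries under the same directory. The log lines are constructed for the example, not taken from a real machine. The caveat a practitioner needs: NTFS paths and Run-key values are case-insensitive, so a casing difference only tells you the value was written by a different installer (or by hand), not that the file is malicious; confirm by checking the file's digital signature or hashing it against the vendor's copy before removing anything.

```python
import re
from collections import Counter, defaultdict

# HijackThis "O4" lines list autostart entries:  O4 - <hive>: [<value name>] <command line>
O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")

# Constructed sample log (not a real machine): five entries under one vendor directory
# spelled one way, one entry spelled differently, plus an unrelated system entry.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [VendorAgent] "C:\\Program Files\\McAfee\\Agent\\agent.exe" /tray
O4 - HKLM\\..\\Run: [VendorShield] "C:\\Program Files\\McAfee\\Shield\\shield.exe"
O4 - HKLM\\..\\Run: [VendorUpdate] "C:\\Program Files\\McAfee\\Agent\\update.exe" /quiet
O4 - HKLM\\..\\Run: [VendorFirewall] C:\\Program Files\\McAfee\\Firewall\\fw.exe
O4 - HKLM\\..\\Run: [VendorScan] C:\\Program Files\\McAfee\\Scan\\scan.exe
O4 - HKLM\\..\\Run: [mcupd] C:\\program files\\mcafee\\agent\\mcupd.exe
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
"""


def command_path(cmd):
    """Pull the executable path out of a Run-key command line, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Unquoted paths under Program Files contain spaces, so cut at the first
    # " /" switch rather than at the first space.
    return cmd.split(" /", 1)[0].strip()


def parse_o4(text):
    entries = []
    for line in text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries.append({"hive": m["hive"], "name": m["name"],
                            "path": command_path(m["cmd"]), "line": line.strip()})
    return entries


def vendor_prefix(path, depth=3):
    """Drive plus the top two directories, e.g. 'C:\\Program Files\\McAfee'."""
    return "\\".join(path.split("\\")[:depth])


def casing_outliers(entries):
    """Group entries by case-folded vendor prefix; where one prefix occurs with
    more than one spelling, return the entries using a minority spelling along
    with the spelling the rest of the group uses."""
    groups = defaultdict(list)
    for e in entries:
        prefix = vendor_prefix(e["path"])
        groups[prefix.casefold()].append((prefix, e))
    flagged = []
    for items in groups.values():
        spellings = Counter(prefix for prefix, _ in items)
        if len(spellings) < 2:
            continue
        majority, _ = spellings.most_common(1)[0]
        for prefix, e in items:
            if prefix != majority:
                flagged.append({"line": e["line"], "spelled": prefix, "others_use": majority})
    return flagged


if __name__ == "__main__":
    for f in casing_outliers(parse_o4(SAMPLE_LOG)):
        print(f"{f['line']}\n    spelled {f['spelled']!r}; other entries use {f['others_use']!r}")
```

Feed a real HijackThis log to `parse_o4` in place of `SAMPLE_LOG`; anything it flags is a candidate to verify by signature and hash, nothing more.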

#4 Grinler (Lawrence Abrams), Admin

Posted 08 November 2007 - 02:41 PM

> You single out just one clue and jump to your conclusion... Did you miss the one where I mentioned that the forums are monitored and they often put down anyone who points out their program's flaws?


I own and operate this forum, do you not think I would notice if this was happening?

> If you are looking at HiJack This and there are 5 entries for a program which spell McAfee in title case with the upper case M and A, and then you notice two suspicious programs which do not have the letters in upper case, those files are likely the virus. Check the file dates and you'll likely notice discrepancies in their properties which confirm it.


Can you show me an example?

> It only makes sense that the programs were not installed at the same time if their pathing is not identical.


It depends on the paths. What are some examples so I can see myself.

You are talking about this webwatcher right?

http://research.sunbelt-software.com/threa...;threatid=44200

If so, it is not considered an infection but a surveillance software. In some cases the installations are perfectly legitimate.
