posted on December 30, 2002 03:32:17 PM
If you are bored or have some time for reading today, you might enjoy this.
I had a friend over yesterday who is somewhat new to computers. I have taught him how to use the system and how data is organized and used on a PC, so he is at that point to where he is just becoming "dangerous"; that is, he can mess up his PC faster than he can produce useful output with it. Last week, he had managed to delete his Recycle Bin from Windows 2000 Pro, and since Microsoft does not want you to know how to restore it once you do that, he had to reinstall his operating system.
This week, it was unwanted advertising.
My friend had gone to a popular place on the Internet, Themes Unlimited www.themesunlimited.com, to get some cool wallpaper for his computer desktop. When I went there, no less than three pop-ups appeared, along with an offer to make it my Favorite start-up and who knows what else. I turned my Java off just to go through the place.
At any rate, he had downloaded the wallpapers that he wanted. They were "wrapped" in code which, when executed, started an installation process. This confused him, so I tried it on mine and - to their credit - they tell you that they are about to place advertising on your computer, as that is how they manage to keep their web site going (right!). With the right tools on hand, I can monitor every Registry Key that gets installed, where every file goes and where it is placed, and I can uninstall anything that got put onto my PC. All I had to do was to extract the wallpaper for him and then remove the junk.
To my surprise, not all of the junk was removed by their removal icons. I mean, that's not what surprised me, as anyone who uninstalls programs knows how often Registry Keys are left behind and files orphaned, etc. This one had a nasty security-breaking program that took me a while to fix.
First, it calls itself The WeatherBug. Its stated purpose is to put up-to-date weather into your system tray for easy viewing. In reality, if you track down their homepage through the use of the program, one discovers that the promoter of this free gift is none other than, guess who: The Office of Homeland Security!
Well, after I had gone through the usual clean-up of junk (it was a learning lesson for my friend; that's why I did it), I thought that I had cleaned everything out. But when I booted up this morning, in my system tray was Homeland Security's WeatherBug, and ZoneAlarm went off on an alert asking me if I wanted to give a file named "minibug.exe" access to the Internet!
Needless to say, I told it NO! I immediately went through my registry deleting every Key that had anything to do with 'minibug.exe' or AWS (the official name). I looked for the minibug.exe program and associated files, and there were none!
In reality, there were. I used ZoneAlarm to tell me where on my system minibug.exe was broadcasting from. To my surprise - and the reason for this riddle - the AWS program had made an invisible folder under my Windows NT folder that cannot be reached by normal means. By that I mean that Microsoft has a certain way of coding folders so that the normal tools and folder settings, which are supposed to reveal all hidden folders, do not actually reveal certain important system folders that users shouldn't have access to anyway. This \WeatherBug\ folder was just that type of hidden folder.
Luckily, I have kept a holdover from my DOS days, a special browser/reader named LIST. There is not one file, folder or directory that Microsoft can create that this program cannot see and get to. I used it to get into the super-hidden folder, change the attributes of minibug.exe so it could be deleted, and then deleted it, and then the entire folder, off of my hard drive.
If you have read this far, I thank you. I only thought that you ought to be aware of what the OHS, or someone in the OHS, is up to. Plus, if you ever get the message on your firewall that minibug.exe is wanting access, you will always know how to get rid of it.
BTW: if you want that little tool I mentioned, you can have a copy of it here: http://home.attbi.com/~borillar/list.zip. You can read the contents of any file with it and see what it does before you execute it.
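The cleanup described in the post, written up as an added PowerShell example for a current Windows host (this is not the poster's LIST tool or the original thread's code). The folder name WeatherBug and the file name minibug.exe come from the thread; the autorun keys checked and the -Remove switch are my assumptions.

```powershell
# Added example, not from the original post: find a Hidden+System
# ("super-hidden") folder under the Windows directory, report autorun
# entries that point at a given executable, and optionally clear the
# attributes and delete the folder. 'minibug.exe' and 'WeatherBug'
# come from the thread; the Run keys and -Remove switch are assumed.
param(
    [string]$ExeName    = 'minibug.exe',
    [string]$FolderName = 'WeatherBug',
    [switch]$Remove      # report only unless -Remove is given
)

$mask = [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System

# -Force returns the entries that Explorer's "Hide protected operating
# system files" setting conceals; a folder with both bits set is what
# the thread calls super-hidden.
$dirs = Get-ChildItem -Path $env:SystemRoot -Directory -Force -ErrorAction SilentlyContinue |
    Where-Object { ($_.Name -eq $FolderName) -and (($_.Attributes -band $mask) -eq $mask) }

foreach ($d in $dirs) {
    Write-Host "Super-hidden folder: $($d.FullName) [$($d.Attributes)]"
    Get-ChildItem -Path $d.FullName -Force -Recurse |
        Where-Object { $_.Name -eq $ExeName } |
        ForEach-Object { Write-Host "  payload: $($_.FullName) [$($_.Attributes)]" }
}

# Autorun locations a tray program commonly uses to restart at logon.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys | Where-Object { Test-Path $_ }) {
    $props = (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Value -is [string] -and $_.Value -match [regex]::Escape($ExeName) }
    foreach ($p in $props) {
        Write-Host "Autorun entry: $key\$($p.Name) = $($p.Value)"
        if ($Remove) { Remove-ItemProperty -Path $key -Name $p.Name }
    }
}

if ($Remove) {
    # ReadOnly blocks deletion and Hidden/System make ordinary tools skip
    # the entries, so strip all three bits before removing anything.
    $clear = -bnot [int]($mask -bor [IO.FileAttributes]::ReadOnly)
    foreach ($d in $dirs) {
        Get-ChildItem -Path $d.FullName -Recurse -Force |
            ForEach-Object { $_.Attributes = $_.Attributes -band $clear }
        $d.Attributes = $d.Attributes -band $clear
        Remove-Item -Path $d.FullName -Recurse -Force
    }
}
```

Run it first without -Remove to confirm the folder and Run entries it found are the ones you expect, then rerun with -Remove from an elevated prompt.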
posted on December 30, 2002 04:30:43 PM
Fascinating stuff, but what if they now are alerted to the LIST fix and attach some kind of poison cookie to it rendering it useless?
It's not the Office of Homeland Security, though. It's the "Homeland Security Weathernet Network."
What Borillar told us is troubling -- if the WeatherBug is on the up-and-up, why does it get hidden in an invisible file in your PC?
Censorship, like charity, should begin at home; but unlike charity, it should end there. --Clare Booth Luce
posted on December 30, 2002 06:52:34 PM
>what if they now are alerted to the LIST fix
LIST is not a fix; it's a DOS tool that allows you to see and enter any file or folder on your PC, no matter how impossible Microsoft makes it. It does not have registry entries and it is not a patch.
>Where did you find that WeatherBug is sponsored by OHS?
When it was in my system tray, I clicked their homepage to see how to remove it. It tells you to use the icon, but that does not uninstall minibug.exe from your computer. The OHS thing was on their web site. Maybe it's a joke of theirs -- maybe not.
posted on December 30, 2002 06:57:52 PM
Borillar, my DH had WeatherBug on one of the computers. It didn't trigger Ad Aware, but the minibug came up in SpyBot.
Nice tool, Borillar.
You have the right to an informed opinion. -Harlan Ellison
posted on December 31, 2002 12:22:28 AM
>It's not the Office of Homeland Security, though. It's the "Homeland Security Weathernet Network."
I saw that too, Bunni. But think about it. If there was a local disaster, the federal department to put out that info is FEMA, the Federal Emergency Management Agency, don'tcha think? Not the OHS, which is where they would get their info from.
posted on December 31, 2002 05:59:47 AM
I tried to ID what company is behind this. It appears to be something called Convergence Technologies, but their press releases never deal with financial matters. I could not find a symbol for a publicly traded stock.
A high tech company that doesn't have anything to say about their standing in the market? No news of IPOs or mergers or splits - just all touchy-feely good news about what a close relationship they have with the major networks and how the recent bad weather got them 80,000 users with the program in their computers...
Apparently they are not about money...
posted on December 31, 2002 08:35:21 AM
Borillar, you are obviously ahead of me technically. I'm more like your friend that knows enough to get in trouble. Today, all of a sudden, I can't access hushmail anymore. When I try to enter my password it can't authenticate, and gives me an error message that my server has presented a nonce that is not in the database. I don't have a problem establishing an SSL connection with other services, and it shows an encrypted connection with hushmail. Have any ideas what this is about? I tried using MS Explorer also, so it's not a Netscape problem. I tried setting my PPPoE configuration a bit different but no joy.
posted on January 2, 2003 01:01:17 PM
Yowsa, Borillar!
You really know your stuff!
Let us know about any other creepy stuff that you come across . . .
posted on January 2, 2003 01:46:27 PM
Will it be gone if I reinstall Windows, or do I have to actually delete the program? I am a PC idiot and don't understand how exactly to remove this program, and don't mind reinstalling Windows if necessary.