[Dshield] He wasn't bulletproof after all

Kenneth Coney superc at visuallink.com
Sun Feb 8 16:57:14 GMT 2004

Some of you may recall my posting about someone who only ran DOS on his 
machine and who thought that, because of his lack of Windows and his 
selection of browsers, he was immune to all malware, and that AV software or 
firewalls which required Windows would be a waste of his time and money. 
Today I got this from him.
"Somehow when I was online I received a pop-up box which calls itself
a "sticky-stay" in my Opera version 6.05 which I was running on my
Windows 95 machine.  I can't get rid of the darned thing, even when I
am off line.  I even performed a complete re-install of my Opera browser
and I still can't get rid of it.  The "sticky-stay" is a big black
box and it says "Inbox".  No text or graphics ever appears in the box.
When I move my mouse over the icon for it that is stuck in my system
tray some text appears saying
"Inbox: http://www.uchase.com/exit/sticky/stay.html"  If I go to the
URL to try to find out what it is all about I get another sticky-stay.
I am warning everybody not to go to that URL because if you do you
will probably get a sticky-stay too.  I really want to get rid of the
darned thing because I am paranoid and I think it is spying on me.
Has anyone here ever heard of a problem like this before?  I am not
crazy and I am not imagining things.  This is actually happening to me.
How do I get rid of a sticky-stay?"

(Written with Pine)
The link given can't be visited at all with my Netscape browser.  Nothing 
happens at all.  When I try to go there with IE, my IE browser turns off, 
but Outlook Express tries to open.  Firewall logs show the connection was 
made when the browser shuts down.  Of course I don't really have a 
functional Outlook Express in my machine, so just the OE icon activates. 
(A little registry rewriting on my part, good thing.)  Going to uchase.com 
with IE shows it to be an Internet advertising company.  Adding exit/sticky 
brings me to an index.  Clicking on stay, again turns off my IE browser. 
Since uchase.com won't resolve for me in my altered Netscape I don't know 
what stay does.  Whois.crisnic.net shows (with a little redirection) 
Uchase.com belongs to Zeusinterent Pty Ltd. in Brisbane, AU.  Looks to me 
from his description and what I see on their site what he got is a Spyware. 
Probably it was expecting to find Windows on his machine and upon 
executing some part of its code the popup would have called home then 
disappeared.  Of course he doesn't have Windows, so that poor popup is just 
stuck there hanging around waiting for a Windows command.  Anyone have any 
idea how he can delete it?      :)

