[Dshield] He wasn't bulletproof after all

jayjwa jayjwa at atr2.ath.cx
Mon Feb 9 16:07:40 GMT 2004

On Sun, 8 Feb 2004, Kenneth Coney wrote:

> "Somehow when I was online I received a pop-up box which calls itself
> a "sticky-stay" in my Opera version 6.05 which I was running on my
> Windows 95 machine.  I can't get rid of the darned thing, even when I
> am off line.  I even performed a complete re-install of my Opera browser
> and I still can't get rid of it.  The "sticky-stay" is a big black
> box and it says "Inbox".  No text or graphics ever appears in the box.
> When I move my mouse over the icon for it that is stuck in my system
> tray some text appears saying
> "Inbox: http://www.uchase.com/exit/sticky/stay.html"  If I go to the
> URL to try to find out what it is all about I get another sticky-stay.
> I am warning everybody not to go to that URL because if you do you
> will probably get a sticky-stay too.  I really want to get rid of the
> darned thing because I am paranoid and I think it is spying on me.
> Has anyone here ever heard of a problem like this before?  I am not
> crazy and I am not imagining things.  This is actually happening to me.
> How do I get rid of a sticky-stay?"

I grabbed the files and zipped them (w/comments), but decided not to
attach it and send it to the list, as this may be against the rules or
cause a problem. I didn't really look over it, but it seems to be
relying on Javascript to do its thing. I'd bet if you turned off js it
wouldn't work. I sent wget after stay.html and random.php. I'd check the
Windows registry, as that's the first place malware seems to tie into. It
probably has an entry someplace (encoded, of course)- that would explain
why your reinstall didn't work, because the Reg. key is still there. Anyone
running a Windows machine should back up the reg. in full, frequently, with
Export Registry ALL (not just one key!), and rename the resulting file
with the date you saved it:  reg-backup-Feb.09.04.dat. This way if you get
something hooking into the reg, it can be restored to a previous, working,
state. Most worms/viruses will hook HKLM run or run-once.
If anyone is interested in the zip and can't safely view the url
themselves, let me know, I'll keep it around for a couple of days or so.

-- jayjwa
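The check the reply suggests (export the whole registry to a dated file, then look at what is hooked into HKLM/HKCU Run and RunOnce) can be done offline against the exported .reg file. The script below is an added example, not code from the post or from any tool it names; the .reg export it parses is a constructed sample, the "stickystay" entry, its TEMP path and its base64 argument are invented for the example, and the "encoded argument / runs from TEMP" heuristic in suspicious_entries is this example's own choice, not something the post establishes. It accepts both the "Windows Registry Editor Version 5.00" header of current regedit and the "REGEDIT4" header written by Win9x-era regedit.

```python
"""Parse a Windows registry export (.reg) and list Run / RunOnce autostart
entries. Added example; sample export and heuristics are constructed."""
import base64
import binascii
import datetime
import re
import string

# Constructed sample of a .reg export (assumption: representative layout).
# Current regedit writes the "Windows Registry Editor Version 5.00" header
# (UTF-16LE on disk); Win9x regedit wrote "REGEDIT4" as ANSI text.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"stickystay"="C:\\WINDOWS\\TEMP\\ss.exe /u=aHR0cDovL2V4YW1wbGUuY29tL3N0YXk="

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"cleanup"=hex(2):63,00,6d,00,64,00,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Opera"="\"C:\\Program Files\\Opera\\Opera.exe\""
"""

# Keys whose values are executed at logon; matched as suffixes so that
# both the HKLM and the HKCU hive are covered.
AUTOSTART_SUFFIXES = (
    r"\Microsoft\Windows\CurrentVersion\Run",
    r"\Microsoft\Windows\CurrentVersion\RunOnce",
)

# '"name"=value' or '@=value' (the key's default value)
_VALUE_LINE = re.compile(r'^(?:(@)|"((?:[^"\\]|\\.)*)")=(.*)$')


def _unescape(s: str) -> str:
    """Undo the .reg escaping of backslash and double quote."""
    return re.sub(r'\\(["\\])', r"\1", s)


def _decode_value(raw: str) -> str:
    """Decode the common .reg value encodings into a display string."""
    if raw.startswith('"') and raw.endswith('"'):
        return _unescape(raw[1:-1])                       # REG_SZ
    if raw.startswith("dword:"):
        return str(int(raw[6:], 16))                      # REG_DWORD
    if raw.startswith("hex(2):") or raw.startswith("hex(7):"):
        data = bytes(int(b, 16) for b in raw.split(":", 1)[1].split(",") if b)
        return data.decode("utf-16-le").rstrip("\x00")    # EXPAND_SZ / MULTI_SZ
    return raw                                            # other hex(...) kept raw


def parse_reg_export(text: str) -> dict:
    """Return {key_path: {value_name: value}} for every key in the export."""
    text = text.lstrip("\ufeff")
    # hex data may continue on the next line after a trailing backslash
    text = re.sub(r"\\\r?\n\s*", "", text)
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if (not line or line.startswith(";") or line == "REGEDIT4"
                or line.startswith("Windows Registry Editor")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line)
        if current is None or not m:
            continue
        name = "@" if m.group(1) else _unescape(m.group(2))
        keys[current][name] = _decode_value(m.group(3))
    return keys


def autostart_entries(text: str) -> list:
    """(key, value name, command) for every Run / RunOnce value, any hive."""
    suffixes = tuple(s.upper() for s in AUTOSTART_SUFFIXES)
    found = []
    for key, values in parse_reg_export(text).items():
        if key.upper().endswith(suffixes):
            found.extend((key, name, cmd) for name, cmd in values.items())
    return found


_B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def has_encoded_argument(cmd: str) -> bool:
    """Heuristic (this example's assumption): a long base64 token that
    decodes to printable text is treated as an encoded argument."""
    for tok in _B64_TOKEN.findall(cmd):
        try:
            decoded = base64.b64decode(tok, validate=True)
        except (binascii.Error, ValueError):
            continue
        if decoded and all(chr(b) in string.printable for b in decoded):
            return True
    return False


def suspicious_entries(text: str) -> list:
    """Autostart values that run from a TEMP directory or carry an encoded
    argument; both cut-offs are this example's own choice."""
    return [e for e in autostart_entries(text)
            if "\\TEMP\\" in e[2].upper() or has_encoded_argument(e[2])]


def backup_filename(year: int, month: int, day: int) -> str:
    """Dated name in the scheme the post suggests, with the .reg extension
    regedit writes ('regedit /e <file>' exports the whole registry)."""
    return f"reg-backup-{datetime.date(year, month, day):%b.%d.%y}.reg"


if __name__ == "__main__":
    print("export to:", backup_filename(2004, 2, 9))
    flagged = set(suspicious_entries(SAMPLE_REG))
    for key, name, cmd in autostart_entries(SAMPLE_REG):
        tag = "SUSPECT" if (key, name, cmd) in flagged else "ok"
        print(f"{tag:8}{key}\\{name} = {cmd}")
```

Run it against a real export instead of SAMPLE_REG by reading the file with `encoding="utf-16"` (or the ANSI code page for a REGEDIT4 file); comparing the Run/RunOnce listing of today's export with the dated backup from before the problem shows exactly which value was added.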

