
New Morpheus contains dodgy DLL...??


andrew_webby at hotmail

Mar 16, 2002, 11:43:20 AM
I kept getting a mysterious file called rdxr020305.dat on my desktop.
Couldn't figure out where it was coming from. I'd delete it and then
some time later, there it was back again. Naturally, stuff like this
gets you interested...

Then I noticed when I clicked a URL containing an order from ebuyer in
Outlook and IE fired up, the file arrived.

So I ran BHOCaptor (http://www.webattack.com/get/bho.shtml) to see
what DLLs IE had hooked into it. And sure enough, there was a
bpboh.dll which had properties belonging to one "Wurld Media". Not
much shows up about Wurld Media that particularly relates to Spyware
on the web, save for a google newsgroup post - to which I've added.

Is this important? After all, Morpheus makes no bones about the fact
that it includes advertising. It just seemed logical to me that this
was done through simple HTML embedded within the app as opposed to
actual spyware. After all, it's obvious if you right-click an advert
in MPE that it's the IE menu that appears. So why would they need to
hook IE at all? Why not just use it as a COM/ActiveX module and
control it via the usual methods to load specified URLs?

Just to prove that MPE installed this, if you do a custom uninstall,
it goes to remove:

c:\windows\rdxr020305.dat
c:\windows\system32\rdxr020305.dat
c:\windows\bpboh.dll

There's also a reg key "SOFTWARE\rdxr" containing the key "mv" with
value "1.3.3.1".

It gets slightly more interesting. If you then clean-install Morpheus
again, then without even running MPE you'll find that IE has already
got the DLL hooked in and running. If you never run Morpheus, this DLL
will still be doing whatever it does behind the scenes...

Also, the DLL contains references to (among others)
barnesandnoble.com, sephora.com, inmotiongolf.com and maplehollow.com.
Which kind of sounds ad-related to me. And the rather worrying-sounding
winbpupd.exe (auto-updater perhaps?).

Like I said, I was obviously aware that it's ad-supported, but I
suspect a lot of folk didn't realise it was done this way. If it had
just been plain HTML in the app itself, then fair enough. And there's
no mention of 'adware' on CNET's download page like there is with most
other apps.

Bunging DLLs into IE itself seems a bit sneaky/unnecessary.
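
What BHOCaptor did above is read IE's Browser Helper Object registrations and resolve each one to the DLL behind it. The following is an added example, not code from the thread, from Morpheus or from Wurld Media: it does the same enumeration offline against a `.reg` export (as `regedit /e` would produce) so it can be run anywhere. The two key paths are the ones Internet Explorer actually reads; the CLSIDs, the second helper and the whole SAMPLE_REG file are constructed for illustration, with only the `C:\WINDOWS\bpboh.dll` location taken from the thread.

```python
"""Enumerate Internet Explorer Browser Helper Objects from a .reg export.

Added example, not code from the thread or from Wurld Media/Morpheus. The
two key paths are the real ones IE reads; everything in SAMPLE_REG (the
CLSIDs, the second helper, the file layout) is constructed, with only
the bpboh.dll path taken from the thread.
"""
import re

BHO_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
           r"\Explorer\Browser Helper Objects")
CLSID_ROOT = r"HKEY_CLASSES_ROOT\CLSID"

# Constructed export, written the way `regedit /e` writes it: one [key]
# header per key, @ for the default value, backslashes doubled in data.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-2222-3333-4444-555555555555}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}]

[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}]
@="Example Toolbar Helper"

[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}\InProcServer32]
@="C:\\Program Files\\Example\\exhelper.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}]
@="bpboh"

[HKEY_CLASSES_ROOT\CLSID\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}\InProcServer32]
@="C:\\WINDOWS\\bpboh.dll"
"ThreadingModel"="Apartment"
'''

KEY_RE = re.compile(r"\[(.+)\]")
VALUE_RE = re.compile(r'(@|"((?:[^"\\]|\\.)*)")=(.*)')


def unescape(s):
    # Undo .reg escaping: a doubled backslash becomes one, \" becomes ".
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Return {lower-cased key path: {value name: data}} for a .reg export."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_RE.fullmatch(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.fullmatch(line)
        if m and current is not None:
            name = "" if m.group(1) == "@" else unescape(m.group(2))
            data = m.group(3)
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                data = unescape(data[1:-1])    # REG_SZ; dword:/hex: kept raw
            keys[current][name] = data
    return keys


def list_bhos(keys):
    """Resolve each CLSID registered under the BHO key to its in-proc DLL."""
    prefix = BHO_KEY.lower() + "\\"
    bhos = []
    for path in keys:
        if not path.startswith(prefix):
            continue
        clsid = path[len(prefix):]
        if "\\" in clsid:                  # only direct children are BHOs
            continue
        clsid = clsid.upper()
        base = (CLSID_ROOT + "\\" + clsid).lower()
        bhos.append({
            "clsid": clsid,
            "name": keys.get(base, {}).get(""),
            "dll": keys.get(base + "\\inprocserver32", {}).get(""),
        })
    return bhos


def flag_unexpected(bhos, trusted_dirs=("c:\\program files\\",)):
    """BHOs whose DLL is missing or lives outside the trusted directories.

    A helper dropped straight into the Windows directory, as bpboh.dll was,
    is what this surfaces. The default trusted set is an assumption for
    the example, not a rule from the thread.
    """
    flagged = []
    for b in bhos:
        dll = (b["dll"] or "").lower()
        if not dll or not dll.startswith(trusted_dirs):
            flagged.append(b)
    return flagged


def unregister_command(bho):
    """The regsvr32 /u command that drops the COM registration for this BHO."""
    return 'regsvr32 /u "%s"' % bho["dll"]


if __name__ == "__main__":
    found = list_bhos(parse_reg(SAMPLE_REG))
    for b in found:
        print(b["clsid"], b["name"], b["dll"])
    for b in flag_unexpected(found):
        print("unexpected:", b["dll"], "->", unregister_command(b))
```

Run against a real export of `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects` plus `HKCR\CLSID`, this lists every DLL IE will load at startup, whether or not the application that installed it is ever run; that is why the hook was active after a reinstall before MPE had been launched.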

Jeff Claggett

Mar 17, 2002, 2:45:06 AM
andrew...@hotmail.com (andrew_webby at hotmail) wrote in message news:<f45d9b0.02031...@posting.google.com>...

It gets more interesting. This evening I happened to be looking at
my Apache log file at just the right moment (I run Apache/W32 ... and
have a tail -f on the access.log all the time) ... and lo to my
wondering eyes should appear, but this ...

127.0.0.1 - - [17/Mar/2002:02:33:40 -0500] "HEAD /bpboh.dll HTTP/1.1" 404 0

So now, I start to get concerned. Very much a backdoor type
activity. So I investigate a bit more. That hit happens every time
IE is loaded. Did the research to find this Wurld Media group (there's
a few references on Google). But of course I'm still confused as to
where this comes from, and so far yours seems to be the only posting
about the file.

But now, I am about to "explore" some. I'm moving a copy of that
file over to my wwwroot. Gonna see what might happen.

Well, nothing ominous seems to have happened. Just a 200
instead of a 404. Guess we would need someone to be able to take this
DLL apart to tell us what all it is doing inside itself. Anyone out
there know enough about DLLs to do that? :)

Hawk
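
The log entry above is a recognisable pattern: a process on the local machine asking the local web server whether a DLL is present, every time IE starts. The following is an added example, not code from the thread or from any of the posters: it parses Apache common-log-format lines and pulls out loopback requests for binary files, then counts repeats so a probe that fires on every browser start stands out. The first line of SAMPLE_LOG is the entry quoted in the post; the other lines are constructed so the filter has ordinary traffic to ignore.

```python
"""Spot a repeating local probe for a DLL in an Apache access log.

Added example, not code from the thread. The first SAMPLE_LOG line is the
entry quoted in the post above; the remaining lines are constructed.
"""
import re
from collections import Counter

# Apache common log format: host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

SAMPLE_LOG = """\
127.0.0.1 - - [17/Mar/2002:02:33:40 -0500] "HEAD /bpboh.dll HTTP/1.1" 404 0
192.168.1.20 - - [17/Mar/2002:02:34:02 -0500] "GET /index.html HTTP/1.1" 200 1524
127.0.0.1 - - [17/Mar/2002:02:41:17 -0500] "HEAD /bpboh.dll HTTP/1.1" 404 0
192.168.1.20 - - [17/Mar/2002:02:42:00 -0500] "GET /images/logo.gif HTTP/1.1" 200 8031
127.0.0.1 - - [17/Mar/2002:03:05:59 -0500] "HEAD /bpboh.dll HTTP/1.1" 200 0
"""

LOOPBACK = {"127.0.0.1", "::1"}
BINARY_SUFFIXES = (".dll", ".exe", ".ocx")   # assumption: what counts as "binary"


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_local_binary_probes(log_text):
    """Requests from the local machine for binary files, any method.

    Browsers driven by a person do not HEAD .dll paths on localhost; a
    local component checking for its own DLL does.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["host"] in LOOPBACK and rec["path"].lower().endswith(BINARY_SUFFIXES):
            hits.append(rec)
    return hits


def summarize(hits):
    """Count probes per (method, path) so a repeating probe stands out."""
    return Counter((h["method"], h["path"]) for h in hits)


if __name__ == "__main__":
    hits = find_local_binary_probes(SAMPLE_LOG)
    for (method, path), n in summarize(hits).most_common():
        statuses = sorted({h["status"] for h in hits if h["path"] == path})
        print(f"{n}x {method} {path} from loopback; statuses seen: {statuses}")
```

The status column is worth keeping: the 404s show the probe failing, and the 200 after the file was copied into wwwroot shows the check succeeding, which is the experiment described in the post.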

Gary Ashwell

Mar 17, 2002, 7:31:47 AM
Well, I am a complete newbie to this p2p stuff but my PC has all the
symptoms mentioned below (after installing the new Morpheus), plus my Norton
is reporting a connection with www.inmotiongolf.com every few seconds and
earlier on a local area connection was showing as connected which I know
nothing about!

Help?!

Roberto Taurino

Mar 17, 2002, 12:13:57 PM
Hi,
I had the same problem.

I installed the new MPE release on the 13th but I didn't know it could be a
Helper Object (because I didn't know they existed... until now!).

Every time I launched IExplorer, the connection came up (I use a router to
connect), then I installed a demo version of ZoneAlarm, which told me that it
was exactly Explorer trying to connect to the net and that the address it
looked for was 206.142.53.204 (that is www.musiccity.com).
So I removed the Morpheus Preview version....
But there was no way to understand what could be hooking IExplorer... this
morning I installed a trial version of Sniff'em, which lists the outgoing
packets for me... In some packets directed to musiccity I found info about an
HTTP request or similar, with info like the date I installed Morpheus... So I
searched for files created on that date and found the bpboh.dll... Simply
renaming it, I noticed that IExplorer returned OK... no more connection..

In the DLL there is a lot of info... all the countries (probably they get
my country and send only a code), other big names like (and this is really
great...) barnesandnoble.com etc...

So this Wurld Media has a good job...

I think they get info with this DLL (the .dat file), send it, and send
the correct advertisements to me through Morpheus... is it possible???? Am I
on the right track?

Instead of renaming the DLL I also did a "regsvr32 /u winpath/bpboh.dll",
but I didn't verify what you said about the registry key (it probably
remains there).

see ya.
rob

"andrew_webby at hotmail" <andrew...@hotmail.com> ha scritto nel
messaggio news:f45d9b0.02031...@posting.google.com...


Jarry Jayo

Mar 19, 2002, 11:01:27 PM
Thanks for posting that info. I removed that program and its spyware.

cheers to you.

On 16 Mar 2002 08:43:20 -0800, andrew...@hotmail.com (andrew_webby

andrew_webby at hotmail

Mar 20, 2002, 5:28:58 PM
FWIW folks, I emailed Tom Coyote at Lavasoft and it's now included in
the excellent Ad-Aware's signature file, so it can be picked up and
cleaned by Ad-Aware easily/automatically now.

Get Ad-Aware at http://tomcoyote.com/lsindex.html

Jarry Jayo <Jarr...@someplace.com> wrote in message news:<dp1g9uodgboa3md36...@4ax.com>...

Jarry Jayo

Mar 20, 2002, 8:21:19 PM
When you clean that, will it reinstall the bpboh.dll if you run
Morpheus again?

Thanks for the info. Updating Ad-Aware...


On 20 Mar 2002 14:28:58 -0800, andrew...@hotmail.com (andrew_webby
