Invasion of the browser snatchers

Ron Zorko was only trying to get to PC World's web site. But when he accidentally mistyped the URL (Uniform Resource Locator), a porn site popped up.

"I suppose I should learn to type better," he says. But a typo that took him to mycpworld.com was only the beginning of his troubles. He soon discovered that this porn site was now both his home and default search page. He changed the settings back in Internet Explorer. But with his next system boot, www.mycpworld.com was back.

"No matter what I did, that was my home page," he says. Zorko was one of three readers within two weeks to e-mail PC World's Answer Line address with a tale of a hijacked home page that renewed itself with every boot.

Several of these sites, including mycpworld.com, redirect you to a harder-to-trace foreign site. That one uses JavaScript to insert a new command into your Registry. This command runs at every boot, changing your home page.

PC consultant Rod Ream first saw this condition on a client's system in January. He believes it was made from the Js_exception.gen JavaScript Trojan Horse.

"It's a kit," intended for setting up such aggressive Web sites, Ream explains. "Webmasters can tailor this to do different manipulations." Whoever created the site, "picked some stuff that other people haven't chosen," Ream says.

Searching for a motive

But why would anyone do something like this? Pornographers, after all, are in the business of keeping customers happy--and their customers have an interest in discretion. Offending potential customers, and increasing the likelihood that their Web surfing habits will be detected, doesn't seem to make good business sense.

Jim Wilson, whose scumware.com site fights such Internet traffic-stealing tricks, disagrees.

"Porn sites love doing this because for them, it works. A certain percentage of this hijacked traffic will buy access."

It's also more malicious than some more common circumstances when outsiders try to crawl onto your PC. For example, a group of German hackers last fall alerted Symantec to an alleged flaw in its antivirus LiveUpdate program that could redirect the LiveUpdate connection and download damaging code instead of virus definitions. And some online ads have been poking a little closer to your PC, occasionally downloading ad-enhancing software.

Ream has found another possible, more sinister motive for the redirect operation. At least some such sites install what appears to be a dialer program onto the victim's PC. Such a program could use your modem to dial an international pay-per-call number without your knowing it.

That's scary stuff, especially for non-technical users. According to Ream, "People have been formatting their machines to get rid of it."

Preventions and cures

But you don't have to resort to a complete reformat to cleanse and protect your computer. You could turn off your browser's scripting, although that will stop legitimate JavaScripts as well as these hijackings. At least one free downloadable program, StartPage Guard, claims to block such intrusions while letting harmless scripts through.

If you get caught, here is a cure:

First, use Internet Explorer's Internet Options dialog box to reset your home and search pages back to what they were before.

Next, select Start, choose Run, type msconfig, and press Enter. Click the Startup tab. In the resulting list, look for a command with either the word 'regedit' or '.reg' in it (the command Zorko found was 'C:\Windows\regedit.exe /s C:\Windows\System\radB9819.tmp'). When you find it, uncheck it, then click OK.

That's probably all you need to do, but to be safe, it wouldn't hurt to delete the file mentioned in that line. Don't delete regedit.exe--you need that--but delete the other file referenced there. And it wouldn't hurt to edit the Registry, searching for and removing all references to the offending site.
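
The Startup-tab check from the cure above, as an added example that is not part of the original article: it flags startup commands containing 'regedit' or '.reg' and pulls out the file that would be imported, so you know which file to inspect and delete. The Run-key location, the function names and the sample entries are assumptions made for this example; the sample data is constructed.

```python
import re
import sys

# Assumption: the entry sits in a Run key (the article does not name it).
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
# The article's rule: a startup command containing 'regedit' or '.reg'.
SUSPICIOUS = re.compile(r"\bregedit(?:\.exe)?\b|\.reg\b", re.IGNORECASE)
# File handed to regedit; /s (as in the article's command) imports silently.
PAYLOAD = re.compile(
    r'regedit(?:\.exe)?"?\s*(/s\b\s*)?"?([^"/\s][^"]*?)"?\s*$', re.IGNORECASE)


def flag_startup_entries(entries):
    """Return one finding per startup command that matches the rule."""
    findings = []
    for name, command in entries.items():
        if not SUSPICIOUS.search(command):
            continue
        m = PAYLOAD.search(command)
        findings.append({"name": name, "silent": bool(m and m.group(1)),
                         "payload": m.group(2) if m else None})
    return findings


def read_run_entries():
    """Read Run-key values on Windows; return {} on other platforms."""
    if sys.platform != "win32":
        return {}
    import winreg
    entries = {}
    for hive in (winreg.HKEY_LOCAL_MACHINE, winreg.HKEY_CURRENT_USER):
        try:
            with winreg.OpenKey(hive, RUN_KEY) as key:
                for i in range(winreg.QueryInfoKey(key)[1]):
                    name, value, _ = winreg.EnumValue(key, i)
                    entries[name] = str(value)
        except OSError:
            continue
    return entries


# Constructed sample; the second entry is modelled on the article's command.
SAMPLE = {
    "SystemTray": "SysTray.Exe",
    "radB9819": r"C:\Windows\regedit.exe /s C:\Windows\System\radB9819.tmp",
    "Notes": r'"C:\Program Files\Notes\notes.exe" /min',
}

if __name__ == "__main__":
    print(flag_startup_entries(read_run_entries() or SAMPLE))
```

A flagged entry whose payload is not a file you created yourself is the one to uncheck in msconfig; the payload path is the "other file" to delete.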

Who's responsible? The domain name mycpworld.com is registered to Joseph Wise of E-Town (short for Elizabethtown), Kentucky. There is no answer, not even a recording, at the listed number. The domain name's technical contact is VeriSign. A VeriSign spokesperson says that because the URL merely redirected surfers to the offending site, the company had no cause to terminate the account.

In the meantime, the redirection has changed; mycpworld.com now points you to a dead URL. The site is gone, but others will doubtless turn up. As Zorko says, understandably, "I'm still mad about it."

For more information about how the porn industry lures online surfers, read "Born Again Porn" on page 22 of the March 2002 issue of PC World (currently on sale).

Lincoln Spector

PC World
