

Aureate 'Spying' case


Aliases:


Aureate 'Spying' case
Aureate rumours

Malware

W32

Summary

A message appeared on an Internet forum in March 2000 accusing Aureate.com of spying on computer users who have Aureate components installed.

F-Secure and other companies have been unable to confirm these rumours to be true or false. The company behind Aureate, called Radiate, has denied all such allegations.



Disinfection & Removal

F-Secure Anti-Virus doesn't detect Aureate, TimSink and other 'adware'.



Technical Details

Here's the original message that was forwarded to the forum by another person:

It seems that a company named aureate.com has been secretly
 collecting data off everyone who uses applications that
 incorporate their banner ad software. Look at the below e-mail
 for details. Also it's true last night the friend that sent me
 this ran netstat -a to monitor his ports and sure enough while
 running gozilla and downloading something through it.
 The following is a listing of all software known to install the
 Aureate spy on your system. The Aureate spy keeps track of your
 Internet activities and sends a report to Aureate every time you
 open your browser. The Aureate spy places the following files on
 a Windows machine. [It is not known, yet, to affect Macintosh or
 Linux machines.]
 The installed files are some or all of:
 adimage.dll
 advert.dll
 advpack.dll
 amcis.dll
 amcis2.dll
 amcompat.tlb
 amstream.dll
 anadsc.ocx
 anadscb.ocx
 htmdeng.exe
 ipcclient.dll
 msipcsv.exe
 tfde.dll
 ========== ========== ========== ==========
 Dale said:
 OK folks, living up to my reputation as a 'bulldog' when I get
 my teeth into something, I have been busy 'reviewing' the
 contents and code contained in the DLL's that Aureate makes use
 of. Here are a few of my findings up to this point:
 advert.dll
 =======
 This DLL creates a hidden window every time you open your
 browser. It creates and sends 4 pages of information to the
 Aureate servers using port 1749 on your system, these pages
 include:
 1. Your name as listed in the system registry ( not the name you
    installed one of the programs with )
 2. Your IP address
 3. The reverse DNS match of your address. ( tells them what ISP
    and area of country you are in )
 4. A listing of ALL software that is shown in your registry as
    being installed. ( Not just the companies they work with )
 5. This DLL sends the following information to their server on
    all URL's you visit:
   A.) ad banners you may click on
   B.) all downloads you do showing the filename/file
       size/date/time/type of file(image,  zip,executable, etc)
   C.) full time and date stamps of all your actions while using
       your browser
   D.) the remote dialup number you are dialing in on (taken out
       of your dialer configuration)
   E.) dialup password if saved, does not "appear" at first
       glance to send this through to them.
 6. Contains programmers note: "Show me the money! I want to be Mike!"
 advpack.dll
 =========
 Used during the installation only to check for other needed
 files.
 amcis.dll
 =======
 This DLL modifies the following registry keys:
 1. HKEY_CURRENT_CONFIG
 2. HKEY_DYN_DATA
 3. HKEY_PERFORMANCE_DATA
 4. HKEY_USERS
 5. HKEY_LOCAL_MACHINE
 6. HKEY_CURRENT_USER
 7. HKEY_CLASSES_ROOT
 Unregisters oleaut32.dll from memory as provided by M$oft and
 replaces with its own calls. Switches back to M$oft's when
 browser is closed. Creates stub processes to be started anytime
 your browser is opened.
 amcompat.tlb
 ===========
 This guy tracks any multimedia clips ( video/pictures/sound )
 that you view. It tracks the rating level on the
 video/picture/sound and title / location. Contains references to
 DblClick ( still digging on this one! )
 amstream.dll
 ==========
 Sets up TWO way communications between your system and theirs.
 Used to send info and receive update commands/files. Open port
 1749 for communications
 ==================================================
 The programs that are known to install the Aureate spy are:
 123Search
 3d Anarchy
 3D-FTP
 3rd block
 Abe's FTP Client
 Abe's Image Viewer
 Abe's MP3 Finder
 Abe's Picture Finder
 Abe's SMB Client
 Access Diver III
 Acorn Email
 AcqURL
 ActionOutline Light 1.6
 Active 'Net
 Add URL
 Add/Remove Plus!
 Address Rover 98
 Admiral VirusScanner
 Advanced Call Center
 Advanced Maillist Verify
 AdWizard
 Alive and Kicking
 alphaScape QuickPaste
 ASP1-A3
 Auction Explorer
 Aureate Group Mail
 Aureate SpamKiller
 AutoFTP PRO
 AutoWeb
 AxelCD
 Beatle
 Binary Boy
 BinaryVortex
 Blue Engine
 BookSmith : Original
 buddyPhone 2
 Calypso E-mail
 CamGrab
 Capture Express 2000
 Cascoly Screensaver
 CDDB-Reader
 CDMaster32
 ChanStat
 Charity Banner
 Cheat Machine
 Check4New
 ChinMail
 Clabra clipboard viewer
 Classic Peg Solitaire
 ComTry Music Downloader
 Crystal FTP
 CSE HTML Validator Lite
 CuteFTP 3.0
 CuteFTP 3.0
 CuteFTP/Tripod
 CuteMX
 CutePage
 Danzig Pref Engine
 DateTime
 Delphi Component Test
 Delphi Tester
 Dialer 2000
 DigiBand NewsWatch
 DigiCams - The WebCam Viewer
 Digital Postman
 DirectUpdate
 DL-Mail Pro 2000
 DNScape
 Doorbell 1.18
 Download Minder 1.5
 Download Wonder
 DownLoader v.1.1
 Dwyco Video Conferencing
 EasySeeker
 EmmaSoft ChatCat
 EmmaSoft dBrow
 EmmaSoft KeepLan
 EmmaSoft Soundz
 EnvoyMail
 EZ-Forms FREE
 File Mag-Net
 FileSplit
 Folder Guard Jr.
 FourTimes
 Free Picture Harvester
 Free Solitaire
 Free Spades
 Free Submitter Pro
 FreeImageEditor
 FreeIRC
 FreeNotePad
 FreeSite
 FreeWebBrowser
 FreeWebMail
 FreeZip!
 FTPEditor
 GetRight
 Go!Zilla
 Go!Zilla WebAttack
 GovernMail
 Grafula
 Gunther's PasswordSentry
 HangWeb
 hesci Private Label
 HTML Translator
 HTTP Proxy-Spy
 Huey v1.8 Color Picker
 Iban Technologies IP Tools 3.1
 Idyle GimmIP
 Idyle GimmIP
 iFind Graphics
 imageN
 Infinite Patience
 InfoBlast
 InnovaClub
 InstallZIP
 Internet Tree
 Internetrix
 InterWebWord Companion
 JetCar
 JFK Research
 jIRC
 JOC Email Checker
 JOC Web Finder
 JOC Web Spider
 KVT Diplom
 LapLink FTP
 LineSoft Download
 LOL Chat
 LOL Chat
 Mail Them
 Meracl FontMap
 Meracl ImageMap Generator
 Midnight Oil Solitaire
 MirNik Internet Finder
 More Space 99
 MouseAssist
 MP3 Album Finder
 MP3 Fiend
 MP3 Grouppie
 MP3 Mag-Net
 MP3 Renamer
 Mp3 Stream Recorder
 MP3INFO-Editor
 MultiSender
 Music Genie
 MX Inspector BIG AD
 My Genie Patriots
 My Genie SE
 My GetRight
 NeatFTP
 Net CB
 Net Scan 2000
 Net Vampire
 Net-A-Car Feature Car Screensaver
 NetAnts
 NetBoard
 Netbus Pro 2.10
 NetCaptor 5.0
 Netman Downloader
 NetNak
 NetSuck 3.10.5
 NetTime Thingy
 Network Assistant
 NeuroStock
 NewsBin
 NewsShark
 NewsWire
 NfoNak
 NotePads+
 Notificator 1.0b
 Octopus
 Pattern Book
 People Seek 98
 Personal Search Agent
 Photocopier
 PicPluck
 Pictures In News
 Ping Thingy
 PingMaster
 Planet.Billboard
 Planet.MP3Find
 PMS
 ProtectX 3
 ProxyChecker
 QuadSucker/Web
 Quadzle Puzzles
 QuikLink Autobot
 QuikLink Explorer
 QuikLink Explorer Gold Edition
 QuoteWatch
 QWallet
 Real Estate Web Site Creator
 Recipe Review
 ReGet 1.6
 Resume Detective
 RingSurf
 RoboCam 1.10
 Rosemary's Weird Web World
 SaberQuest Page Burner
 SBJV
 SBWcc
 Scout's Game
 ScreenFIRE
 ScreenFIRE - FileKing
 ScreenFlavors
 Sea Battle
 Shizzam
 Simple Submit
 SimpleFind
 SimpleSubmit v1.0
 SK-111
 Smart 'n Sticky
 SmartBoard 200 FREE Edition
 SmartSum calculator
 SonicMail
 Sound Agent
 Space Central Screen Saver
 Splash! Siterave
 StartDrive
 Static FTP
 StockBrowser
 Subscriber
 SunEdit 2K
 SuperIDE
 Sweep
 SweepsWinner
 Text Transmogrifier
 The Mapper
 TheNet
 TI-FindMail
 TIFNY
 Total Finger
 Total Whois
 Tracking The Eye
 Trade Site Creator
 TWinExplorer Standard
 TypeWriter 1.0
 UK Phone Codes
 Vagabond's Realm
 VeriMP3
 Vertigo QSearch
 Virtual Access
 Visual Cyberadio
 Visual Surfer
 VOG Backgammon Main
 VOG Backgammon Table
 VOG Chess Main
 VOG Chess Table
 VOG Reversi Main
 VOG Reversi Table
 VOG Shell
 VOG Shell
 VOG Shell History
 W3Filer
 Web Coupon
 Web Page Authoring Software
 Web Registrant PRO
 Web Resume
 Web SurfACE
 WEB2SMS
 WebCamVCR
 WebCopier
 Web-N-Force
 WebSaver
 Website Manager
 WebStripper
 WebType
 WhoIs Thingy
 Win A Lotto
 WinEdit 2000
 Word+
 Wordwright
 WorldChat Client
 Worm
 www.devgames.com
 xBlock
 Your ESP Test
 Zion
 Zip Express 2000

Here is Aureate's answer to the published allegations:

A variety of false rumors have been started, and we would
 appreciate your help in finding the source of these rumors so
 that we can clarify what our technology actually does and put
 these to rest.
 As you may already know, what Aureate Media does is work with
 software companies to make their products advertising supported.
 Aureate's technology allows for these advertisements to be
 delivered and displayed within the software products of these
 software products.
 The following concerns are those that have been brought to our
 attention.  If you have additional concerns, please do contact
 us directly.
   Advert.dll creates a hidden window every time you open your
   browser
 This is true, but this happens because of the way that Microsoft
 Windows networking works.  You will find that in running almost
 any windows program that hidden windows are created as this is
 how the OS was designed.
   Advert.dll creates and sends 4 pages of information to Aureate
   on port 1749
 We aren't sure exactly what is being referred to here.  The
 first time someone installs software they are presented with an
 optional demographic survey (none of the information is
 required), and this information is sent to us one time (after
 the survey is completed). Prior to answering these questions,
 the user is presented with information explaining why we ask
 these questions and how the answers are used.  The information
 sent is only the information provided.
 The use of port 1749 is misleading, as again this is something
 built into the way that Microsoft Windows networking works.
 Windows will pick a high numbered port (1500+) in a largely
 random fashion.  Again, this is how the OS works.
   Advert.dll will send your name to Aureate as it is listed in
   the system registry
 Completely false.
   Advert.dll will send your IP address to Aureate
 Your IP address is sent, again because of the way that Microsoft
 Windows networking and TCP/IP protocol works.  An IP address is
 obviously required in order to communicate with an internet
 server in any instance.
   Advert.dll performs a reverse DNS lookup on your IP address
 Here again, it is Microsoft Windows networking that does this as
 part of the OS networking system.
   Advert.dll creates a process anytime your browser is open.
 This is true.  This process delivers advertisements to a cache
 on the users PC which are displayed while the software is being
 run. This works in a similar way to how the browser works, with
 content and images (including ads) being delivered to a cache on
 the users PC and then are displayed in the browser window.
   Advert.dll sends a list of all software listed in your
   registry
 Completely false.
   Advert.dll sends a list of all URL's you click on/visit
 Completely false.
   Advert.dll sends a list of all ad banners you click on
 Completely false.  We will of course know when you click on an
 ad banner that we delivered such that we can send the user to
 that advertisers web site in the same way that any ad network
 works.
   Advert.dll will send all downloads you perform and related
   information
 Completely false.
   Advert.dll will send full time and date stamps of all your
   actions while you use your browser.
 Completely false.
   Advert.dll contains the string "Show me the money!  I want to
   be Mike!"
 This is true.  It's a text string used by the DLL.  DLLs contain
 many text strings which are used by the DLL itself.  For
 example, if a particular program displayed a window which
 contained the text "Hello World", then the "Hello World" text
 string would be present inside that DLL.
   Advpack.dll (and all comments relating to it)
 Completely false.  Advpack.dll is not one of our DLLs.
   Amcis.dll modifies the following registry keys: (list of keys
   removed)
 Amcis.dll will only add itself to the HKEY_CLASSES_ROOT registry
 key, as does any DLL installed on your system.  It simply tells
 Windows where to find the DLLs your programs use.
   Amcompat.tlb (and all comments relating to it)
 Completely false.  Amcompat.tlb is not one of our files.
   Amstream.dll (and all comments relating to it)
 Completely false.  Amstream.dll is not one of our DLLs.

We performed our own investigation and cannot confirm these rumours to be true or false. Aureate components cause some extra Internet traffic when you browse the Net: data packets 60-100 bytes long are periodically sent to several websites, including Aureate and its business partners.

We have found no indication that any confidential details of the user, or any data, are sent out with those packets, so we cannot give a conclusive statement on whether Aureate is a privacy threat or not.
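
The two accounts of port 1749 quoted above can be told apart in a `netstat` snapshot: a port that appears only as the local end of an outbound connection is a source port assigned by the OS, while a row in the LISTENING state is a socket bound to accept traffic. The Python sketch below is an added example, not part of F-Secure's analysis or of either quoted message. It assumes the numeric layout of `netstat -an`, and the sample rows and function names are constructed for illustration.

```python
import re

# Constructed rows in the numeric layout of Windows `netstat -an`; the
# addresses are documentation ranges, not values from the page.
SAMPLE_CLIENT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1749        198.51.100.7:80        ESTABLISHED
  TCP    192.0.2.10:1750        198.51.100.7:80        TIME_WAIT
"""
SAMPLE_LISTENER = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:1749           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1749        198.51.100.8:3321      ESTABLISHED
"""

ROW = re.compile(r"^\s*(TCP|UDP)\s+\S+:(\d+)\s+(\S+):(\d+|\*)\s*(\S*)\s*$")

def parse(text):
    """Yield (proto, local_port, remote_addr, remote_port, state) per row."""
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            proto, lport, raddr, rport, state = m.groups()
            yield (proto, int(lport), raddr,
                   int(rport) if rport.isdigit() else None, state)

def explain_port(text, port=1749):
    """Return (role, peer) for every row of one snapshot that involves `port`."""
    rows = list(parse(text))
    tcp_listener = any(p == "TCP" and lp == port and st == "LISTENING"
                       for p, lp, _, _, st in rows)
    findings = []
    for proto, lport, raddr, rport, state in rows:
        if lport == port and (proto == "UDP" or state == "LISTENING"):
            # Bound socket waiting for inbound traffic on the port.
            findings.append(("listener", None))
        elif lport == port:
            # With no listener on the port, the local port of a connection
            # row is just the source port the OS gave an outbound socket.
            role = "accepted-inbound" if tcp_listener else "outbound-source-port"
            findings.append((role, f"{raddr}:{rport}"))
        elif rport == port:
            findings.append(("remote-service-port", f"{raddr}:{rport}"))
    return findings

if __name__ == "__main__":
    for sample in (SAMPLE_CLIENT, SAMPLE_LISTENER):
        print(explain_port(sample))
```

The output describes only the port's role in the snapshot; it says nothing about what the packets carry.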

To use Aureate or not to use? F-Secure Corporation cannot make this decision for you.

There is no fate but what we make for ourselves.

[F-Secure Corp., 2000]






