its spyware a quick peek inside the installer reveals links to toolbarshopper.com so definatly not google (although the toolbar does have links to use google as well as the usual affiliate links to other sites (using linksynergy)
the site at ipaddress where the installer is located has links selling an ebook ,following the money (purchase) leads to a site called moreinfo4you.net a whois of this site reveals domain: moreinfo4you.net status: production organization: CSI owner: James Real jackson email: [EMAIL PROTECTED] address: 23244 Avenida Pico city: San Clemente state: CA postal-code: 92654 country: US admin-c: [EMAIL PROTECTED] tech-c: [EMAIL PROTECTED] billing-c: [EMAIL PROTECTED] nserver: ns.dnsfree.biz nserver: ns2.dnsfree.biz registrar: JORE-1 created: 2004-08-22 19:53:30 UTC JORE-1 modified: 2004-08-22 22:25:43 UTC JORE-1 expires: 2005-08-22 15:53:28 UTC source: joker.com db-updated: 2004-08-26 20:40:16 UTC fake details and joker.com is a public dns service often used by scammers because they can change domain ipaddresses (where the domain points to) quickly the ipaddress where the exe is located is based in korea (probably a compromised adsl machine) inetnum: 61.248.0.0 - 61.255.255.255 netname: KRNIC-KR descr: KRNIC descr: Korea Network Information Center country: KR admin-c: HM127-AP tech-c: HM127-AP remarks: ****************************************** remarks: KRNIC is the National Internet Registry remarks: in Korea under APNIC. If you would like to remarks: find assignment information in detail remarks: please refer to the KRNIC Whois DB remarks: http://whois.nic.or.kr/english/index.html remarks: ****************************************** mnt-by: APNIC-HM mnt-lower: MNT-KRNIC-AP changed: [EMAIL PROTECTED] 20010321 changed: [EMAIL PROTECTED] 20010606 status: ALLOCATED PORTABLE source: APNIC person: Host Master address: 11F, KTF B/D, 1321-11, Seocho2-Dong, Seocho-Gu, address: Seoul, Korea, 137-857 country: KR phone: +82-2-2186-4500 fax-no: +82-2-2186-4496 e-mail: [EMAIL PROTECTED] nic-hdl: HM127-AP mnt-by: MNT-KRNIC-AP changed: [EMAIL PROTECTED] 20020507 source: APNIC regards On Tue, 24 Aug 2004 21:49:41 -0400, Jeremy Heslop <[EMAIL PROTECTED]> wrote: > Not sure who this should go to, but I received an email the other day > and it is advertising the google toolbar. It installs a toolbar, but not > googles. Looks sketchy to me and similar to other phishing attempts. URL > to valuebar_setup.exe was in email. > > Jeremy > > Html email here: http://footon.jheslop.com/block%20all%20popups.html > txt email here: http://footon.jheslop.com/block%20all%20popups.txt > _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
