Xupiter is a particularly aggressive, intrusive, obnoxious, and annoying piece of spyware/malware. Originating, as best as I have been able to determine, from somewhere in Hungary, it delivers itself by way of ActiveX automatic component installation technology, and proceeds to ruin your life.

This little piece of work preys, as best as I can determine, exclusively on Microsoft Internet Explorer users, since that browser is built around support for ActiveX. (If there are any alternate platform/browser users out there who fall victim, please /msg me and I'll correct this.)

Being ActiveX, the Xupiter component depends on cooperation from its victims in order to successfully infect a new system. Probably the most common way this happens is a user inadvertently leaving his or her IE security settings set to allow ActiveX installation automatically. If you're an IE user, you can quickly check this, as follows. (Note: these instructions apply to IE 6; earlier versions have similar settings, which you should be able to find easily.)

At the top of your browser window, find the "Tools" menu. From the Tools menu, select "Internet Options..." In the dialog that appears, select the "Security" tab. There should be several choices on this tab, namely "Internet", "Local Intranet", "Trusted Sites", and "Restricted Sites". Click on "Internet" to make sure it is selected, then click a button labeled "Custom Level..." a little further down on the dialog tab.

Yet ANOTHER dialog will pop up, with a longish list of "radio buttons" grouped under headings that allow you to fine-tune your security settings. At the top of this list are 5 settings that control your degree of openness to ActiveX content. These are, in order:

Download signed ActiveX controls (enable, disable, prompt),

Download unsigned ActiveX controls (enable, disable, prompt),

Initialize and Script ActiveX controls not marked as safe (yada, yada, yada...),

Run ActiveX controls and plugins, and, finally,

Script ActiveX controls marked safe for scripting.

Now, you can drive yourself crazy with the choices you make here. You can lock yourself down totally, in which case you'll not be able to view a lot of legitimate content on the web that is delivered via ActiveX. Or, you can set it to prompt you before executing any ActiveX content, in which case you'll have nightmares about having to dismiss endless ActiveX prompt dialogs, and your left mouse button finger will get Carpal Tunnel. Or you'll forget out of distraction some time, and inadvertently click 'Yes' to one of these prompts, letting the intruder in anyway. You're on your own, I won't advise you, save to say you should definitely NOT leave the first 2 groups here (download signed/unsigned ActiveX controls) set to "enable". If you do, you've left your castle gates open, and you've invited Attila the Hun in off the steppes to do the nasty with your womenfolk.

It happened to me, and I'm supposedly technically savvy enough to know better.
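The same five settings can be read straight from the registry instead of clicking through the dialogs. The following PowerShell audit is an added example, not part of the original writeup; it assumes the standard per-user location for the IE "Internet" zone (zone 3) and the documented URL-action IDs for these five options, and it does not look at machine-wide or Group Policy overrides.

```powershell
# Added example: report the five ActiveX settings of the IE "Internet" zone
# and flag the two "download" settings if they are set to Enable.
# Assumption: per-user zone settings only; policy hives are not checked.
$zoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# URL-action ID -> label as shown in the "Custom Level..." dialog
$actions = [ordered]@{
    '1001' = 'Download signed ActiveX controls'
    '1004' = 'Download unsigned ActiveX controls'
    '1201' = 'Initialize and script ActiveX controls not marked as safe'
    '1200' = 'Run ActiveX controls and plug-ins'
    '1405' = 'Script ActiveX controls marked safe for scripting'
}

# DWORD value -> radio button
$meaning = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# The two settings the text says must never be left on "enable"
$mustNotBeEnabled = '1001', '1004'

$zone = Get-ItemProperty -Path $zoneKey -ErrorAction SilentlyContinue

$report = foreach ($id in $actions.Keys) {
    $raw = if ($zone) { $zone.$id } else { $null }

    $state = if ($null -eq $raw) { 'Not set' }
             elseif ($meaning.ContainsKey([int]$raw)) { $meaning[[int]$raw] }
             else { "Other ($raw)" }   # e.g. "Administrator approved"

    [pscustomobject]@{
        Id      = $id
        Setting = $actions[$id]
        State   = $state
        Risk    = if ($id -in $mustNotBeEnabled -and $state -eq 'Enable') { 'OPEN' } else { '' }
    }
}

$report | Format-Table -AutoSize

if ($report.Risk -contains 'OPEN') {
    Write-Warning 'ActiveX download is set to Enable in the Internet zone; change it to Prompt or Disable.'
}
```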

Anyway, back to the Xupiter saga. Once installed, the Xupiter component has the following charming little features:

...It installs an IE toolbar, like Google's.

...It copies in one or more "stealth" .ini files.

...It cheerfully sets your home page to their brain-damaged search-engine/home page.

...It substitutes the same search-engine page for your "file-not found" page. So you go to Xupiter whenever a file's not found.

...It begins periodically sending packets back to the mother ship. On this I could find nothing authoritative, at least on a cursory search, but by several accounts this is statistical data gathering on your web habits that will be sold to Xupiter's advertisers.

...Finally, Xupiter parties on your system registry like it's 1999.

All of which, in sum, should be enough to get another addition to the axis of evil, at least by my reckoning. A lesser ring of hell should be reserved for Xupiter's advertisers (at one point Verizon was among these, according to reports) and website proprietors that host this little nasty.

As mentioned, some of the files Xupiter installs are "stealthed." So it's very difficult if not impossible for a non-technical user to delete the Xupiter component unassisted. There is no obvious "uninstall" procedure visible on the Xupiter toolbar (or anyplace else in the software that Xupiter installs). There is an "uninstall" procedure available on the Xupiter web site (you have to look for it), but bulletin-board correspondence (okay, the poop on the street) suggests that this may not completely disable all the spyware features. I certainly would not be inclined to use Xupiter's uninstall, knowing what I know.

So it's a sign of the times that "scumware" like this has fostered a market for third-party "cleanup" tools that claim to prevent and ameliorate this problem (and others.) I make no endorsements, and won't even list any of them here. More information than you can physically consume is just a click away.

Best to be on your guard, and prevent infection in the first place. Or, hey, there are other browsers... Good luck!

**************************************************

Update, 30 Jan 2003. Much thanks to fellow-poster Servo5678, who informs me that Xupiter actually has a Terms of Service Agreement. This is a truly mind-blowing concept; it's hard to imagine any reasonable court holding this to resemble anything like an enforceable contract. But hey, I'm not a lawyer. Anyway, Servo5678 relates that, according to this exemplar of legal writing, Xupiter software components may transmit back to the "mother ship" data including the following:

User time zone.

URLs visited.

Time spent at a website.

How the site was entered and exited (link vs. manually typed URL).

What software is installed, at what versions.

Somehow, this does not make me detest them any the less.
