PassThisOn





Overview

Summary:

Formerly a hijacker distributed via spam that encouraged visits to a web site, where machines with low security settings would experience a drive-by install. A visit to http://www.default-homepage-network.com/ or http://www.passthison.com/ shows this message: 'Due to new laws being enacted and controversy surrounding our business model, we have voluntarily decided to implement the cease of all current business practices by the end of June 2004.' passthison.com is now maintained by SmartBot.Net, Inc. ("ZERO TOLERANCE SPAM POLICY!"), 3 Cobblestone Ct, Richboro, PA 18954-1374, US, phone: 215-953-7291, fax: 215-942-4338.

But http://www.passthison.com/sketch/, http://www.passthison.com/esecrets/, http://www.passthison.com/angel2/?exit=no and http://www.passthison.com/milk/?exit=no live on.

Vendor Notes:

"PassThisOn.com prompts and changes consumers' browser behaviors to offer a better user experience and a more targeted advertiser-to-consumer communication system... PassThisOn.com utilizes several technical and business methods to change users' default homepage to one that PassThisOn.com controls... Some users do not wish to see pop-ups on their web browsers. It is easy to install 'pop blockers' which will disallow that feature. PassThisOn.com does not attempt to cause any damage or harm in any way. It will, however, use NON-DESTRUCTIVE 'scare tactics'... to demonstrate the importance that users secure their computers from malicious hackers, and then PassThisOn.com attempts to sell products designed to secure users' computers. PassThisOn.com enforces a zero-tolerance anti-spam policy."

Category:

Homepage Hijacker: Any software that changes your browser's home page to some other site. Hijacks may reroute your info and address requests through an unseen site, capturing that info. In such hijacks, your browser may behave normally, but be slower.

Similar Pests:

Homepage Hijacker

Origins

Author:

Key players in this spamming project appear to be:

  • Sanford Adam Wallace of 3 Cobblestone Court, Richboro, PA 18954, phone: 215-953-7291, fax: 215-942-4338
  • Mike Cayer of Seismic Entertainment Productions, Inc.

Group:

    Seismic Entertainment Productions, Inc.

    Mailing Address:

    Cayer, Mike Seismic Entertainment Productions, Inc. 11 Farmington Road Rochester, NH 03867 US

    Phone:

    603-664-5777

    URL:

    http://www.spydeleter.com/spydeleter.php?KBID=1004 is the ultimate destination for the hijacking.

    ISPs/Servers involved include ServInt Internet Services (passthison.com), Excalibur Internet (default-homepage-network.com) and Service Telematique Service Internet de Montreal (smartbotpro.net).

    Programming Language:

    Visual Basic

    Date of Origin:

    April, 2004

Distribution

    Distribution:

    A visitor to http://www.passthison.com/r4/?s43 is redirected to http://default-homepage-network.com/newspynotice.html, where this is displayed:

    IMPORTANT SECURITY NOTICE!
    Is your computer suffering from any of the following symptoms: 1. Has your browser's START PAGE changed? or 2. Are you seeing a recent increase in annoying POP UPS? or 3. Have PORN ads appeared in your browser or email? or 4. Has your computer been acting weird lately? or 5. Is your Internet slower or even crashing? or 6. Do you think your computer may have a virus? or 7. Have new programs or toolbars been added without your permission? If your computer is experiencing any of these symptoms... It is almost certain that "spyware" has taken over your computer, and the problems will only get worse quickly. Plus your sensitive information like credit cards and all of your passwords can be retrieved by criminals all around the world. This is a very scary problem that needs immediate attention! You NEED to get this fixed now! Click on THIS LINK TO DOWNLOAD THE #1 BEST SPYWARE ELIMINATION SOFTWARE and your computer will be back to normal and secure again in just a few minutes.

    Prevalence:

  • PassThisOn: 11.5%

    Clot Factor:

  • PassThisOn: 2
  • The "Clot Factor" is a measure of how much a pest "gums up" a machine by adding registry entries, files, and directories. As more objects are placed in a machine, manual removal becomes more difficult and more error-prone.

    Growth:

  • PassThisOn: Insufficient data to report growth

Operation

    Advertising:

    Yes. Displays pop-under ads from http://addictivetechnologies.net. Sample ad:

    'Message from Internet Service Provider consultant:

    This window should NOT remain maximized on most computers. It is SUPPOSED to remain invisible to launch time-delayed pop up messages in accordance with an ad-supported software product that you may have installed on your computer.

    If your computer will NOT hide this big white window, you may have spyware on your system which is interfering with your ability to control hidden windows. Spyware also sends you unsolicited advertising, slows down your computer and could capture private information like credit card numbers and social security numbers, etc.

    I recommend that you install a "spyware removal" program so you can rid your computer of these parasites.

    I strongly recommend this link.

    P.S. If you are experiencing a higher frequency of pop up messages, you should definitely consider downloading the spyware removal program. It will remove all of those annoying advertisements for good.

    Some users have reported that clicking on the white screen will make the task bar appear below.'

    Storage Required:

  • PassThisOn: at least 1197 KB

    Browser Performance:

    Likely to slow performance of Internet Explorer.

Detection and Removal

    Automatic Removal:

    PestPatrol detects this.

    PestPatrol removes this.



    Manual Removal:

    Follow these steps to remove PassThisOn from your machine. Begin by backing up your registry and your system, and/or setting a Restore Point, to prevent trouble if you make a mistake.
    Stop Running Processes:

    Kill these running processes with Task Manager:

    Clean Registry:

    Remove these registry items (if present) with RegEdit:

    Remove Files:

    Remove these files (if present) with Windows Explorer:

    Remove Directories:

    Remove these directories (if present) with Windows Explorer:

    Restore Settings:

    After following the instructions above, you will still need to restore your original settings and prevent this from happening again. Here's how.

Research

    File Analyses:

    More Info:

  • Salon.com
  • Sanford Wallace and passthison.com
  • Bug Net

    Research By:

  • Wizards Computer Consultants
  • Richard's Ramblings
  • PestPatrol's Pest Research Center

    Last Revised:

    April 04, 2005