Invasion of the Browser Snatchers

Ron Zorko was only trying to get to PC World's web site. But when he accidentally mistyped the URL, a porn site popped up.

"I suppose I should learn to type better," he says. But a typo that took him to mycpworld.com was only the beginning of his troubles. He soon discovered that this porn site was now both his home and default search page. He changed the settings back in Internet Explorer. But with his next system boot, www.mycpworld.com was back.

"No matter what I did, that was my home page," he says. Zorko was one of three readers within two weeks to e-mail PC World's Answer Line address with a tale of a hijacked home page that renewed itself with every boot.

Several of these sites, including mycpworld.com, redirect you to a harder-to-trace foreign site. That one uses JavaScript to insert a new command into your Registry. This command runs at every boot, changing your home page.

PC consultant Rod Ream first saw this condition on a client's system in January. He believes it was made from the Js_exception.gen JavaScript Trojan Horse.

"It's a kit," intended for setting up such aggressive Web sites, Ream explains. "Webmasters can tailor this to do different manipulations." Whoever created the site, "picked some stuff that other people haven't chosen," Ream says.

Searching for a Motive

But why would anyone do something like this? Pornographers, after all, are in the business of keeping customers happy--and their customers have an interest in discretion. Offending potential customers, and increasing the likelihood that their Web surfing habits will be detected, doesn't seem to make good business sense.

Jim Wilson, whose scumware.com site fights such Internet traffic-stealing tricks, disagrees.

"Porn sites love doing this because for them, it works. A certain percentage of this hijacked traffic will buy access."

It's also more malicious than some more common circumstances when outsiders try to crawl onto your PC. For example, a group of German hackers last fall alerted Symantec to an alleged flaw in its antivirus LiveUpdate program that could redirect the LiveUpdate connection and download damaging code instead of virus definitions. And some online ads have been poking a little closer to your PC, occasionally downloading ad-enhancing software.

Ream has found another possible, more sinister motive for the redirect operation. At least some such sites install what appears to be a dialer program onto the victim's PC. Such a program could use your modem to dial an international pay-per-call number without your knowing it.

That's scary stuff, especially for non-technical users. According to Ream, "People have been formatting their machines to get rid of it."

Preventions and Cures

But you don't have to resort to a complete reformat to cleanse and protect your computer. You could turn off your browser's scripting, although that will stop legitimate JavaScripts as well as these hijackings. At least one free downloadable program, StartPage Guard, claims to block such intrusions while letting harmless scripts through.

If you get caught, here is a cure:

First, use Internet Explorer's Internet Options dialog box to reset your home and search pages back to what they were before.

Next, select Start, choose Run, type msconfig, and press Enter. Click the Startup tab. In the resulting list, look for a command with either the word 'regedit' or '.reg' in it (the command Zorko found was 'C:\Windows\regedit.exe/s C\Windows\System\radB9819.tmp'). When you find it, uncheck it, then click OK.

That's probably all you need to do, but to be safe, it wouldn't hurt to delete the file mentioned in that line. Don't delete regedit.exe--you need that--but delete the other file referenced there. And it wouldn't hurt to edit the Registry, searching for and removing all references to the offending site.

Who's responsible? The domain name mycpworld.com is registered to Joseph Wise of E-Town (short for Elizabethtown), Kentucky. There is no answer, not even a recording, at the listed number. The domain name's technical contact is VeriSign. A VeriSign spokesperson says that because the URL merely redirected surfers to the offending site, the company had no cause to terminate the account.

In the meantime, the redirection has changed; mycpworld.com now points you to a dead URL. The site is gone, but others will doubtless turn up. As Zorko says, understandably, "I'm still mad about it."