Re: Microsoft hotmail spyware ADSAdClient Advertising Delivery Service
From: Daniel Crichton (msnews_at_worldofspack.co.uk)
Date: Tue, 1 Nov 2005 17:09:32 -0000
Bob wrote on 31 Oct 2005 14:30:21 -0800:
> Canopus wrote:
>> What can I do about this complete lack of evidence that I am infected
>> by no pop-ups or ad server ads?
> I'm confused too.
> It seems obvious that there definitely is a "legitimate" Microsoft
> ADSAdClient Advertising Delivery Service and there definitely is a
> "legitimate" rad.msn.com redirect advertising site run by Microsoft.
> But why?
> My question is what is the real PURPOSE of these two "legitimate"
> Will someone please summarize what the PURPOSE of these two Microsoft
> actions are (the downloaded programs & registry keys vs the redirected
> advertisements once the programs are downloaded)?
> What does Microsoft get out of these two confusing things?
The legitimate one doesn't download any programs, or create registry keys -
the DLL is an ISAPI DLL that runs on the rad.msn.com server and spits out
possibly other sites. That's all it does.
It's possible that the attempted download of the DLL was a server glitch -
instead of executing the ISAPI DLL on the server it decided to send the
binary instead - in which case it's still harmless as the DLL would end up
in the TIF folder and do nothing else. There are however some posts on the
web in forums which indicate prior infection by something more malign, that
adds an entry to the hosts file to redirect requests to rad.msn.com to a
different IP (the one I saw earlier pointed to an IP that resolved to an
address in ev1servers.net) where a subsequent visit to Hotmail would cause a
malicious DLL with the same name as the MS ISAPI one to be downloaded to the TIF,
however it would still require a process on the PC to then do something with
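The hosts-file redirect Daniel describes (an entry pointing rad.msn.com at a non-Microsoft IP) is easy to check for. The following is an added example, not code from the original post or from Microsoft: it parses hosts-file text, ignores comment lines, and flags any entry that maps a watched hostname to an address other than loopback. A loopback mapping is the ordinary ad-blocking trick and is left alone; a routable address is the redirect pattern from the thread. The sample hosts content, the watched-host set and the 203.0.113.7 address are constructed for the example (203.0.113.0/24 is a documentation range, not the ev1servers.net address mentioned above).

```python
# Added example (not from the original post): detect hosts-file entries that
# redirect a watched hostname such as rad.msn.com to a non-loopback address.
import ipaddress
import os

# Hostname named in the thread; extend this set as needed (assumption: only
# rad.msn.com is watched here).
WATCHED_HOSTS = {"rad.msn.com"}

# Default Windows hosts-file location, used only if the file exists locally.
WINDOWS_HOSTS_PATH = os.path.join(
    os.environ.get("SystemRoot", r"C:\Windows"),
    "System32", "drivers", "etc", "hosts",
)

# Constructed sample hosts-file content for offline use; not captured from a real PC.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
# constructed entry of the kind described in the thread (203.0.113.0/24 is a
# documentation range, not a real advertising or attacker host)
203.0.113.7     rad.msn.com
127.0.0.1       ad.doubleclick.net   # ad-blocking style mapping, benign
"""


def parse_hosts(text):
    """Return a list of (ip, hostname) pairs from hosts-file text.

    Comments (# to end of line) and blank lines are skipped; a line that does
    not start with a valid IPv4/IPv6 address is ignored rather than raising.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        for name in parts[1:]:
            entries.append((str(ip), name.lower()))
    return entries


def suspicious_overrides(text, watched=WATCHED_HOSTS):
    """Return (ip, hostname) entries that send a watched name somewhere other
    than loopback. Loopback mappings are treated as benign ad blocking."""
    findings = []
    for ip, name in parse_hosts(text):
        is_watched = name in watched or any(name.endswith("." + w) for w in watched)
        if is_watched and not ipaddress.ip_address(ip).is_loopback:
            findings.append((ip, name))
    return findings


def check_hosts_file(path=WINDOWS_HOSTS_PATH):
    """Read the hosts file at `path` and return suspicious overrides, or an
    empty list if the file is absent (e.g. when run on a non-Windows box)."""
    if not os.path.exists(path):
        return []
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return suspicious_overrides(fh.read())


if __name__ == "__main__":
    for ip, name in suspicious_overrides(SAMPLE_HOSTS):
        print(f"sample: {name} is redirected to {ip}")
    for ip, name in check_hosts_file():
        print(f"local hosts file: {name} is redirected to {ip}")
```

Run it as-is to see the detection on the constructed sample; on a Windows machine it also inspects the live hosts file. A hit means rad.msn.com would resolve to that address instead of Microsoft's, which is the precondition for the swapped-DLL scenario described above.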