help! (excessive queries for www.brodcast.net, stage.broder.com)

John Coutts administrator at yellowhead.com
Sat Jan 6 19:32:48 UTC 2001


The requests are coming from a program called dssagent.exe. The domain site 
requested is registered to:

Broderbund Software (BRODCAST2-DOM)
   500 Redwood Blvd
   Novato, CA 94948-6121
   US

   Domain Name: BRODCAST.NET

   Administrative Contact, Billing Contact:
      HostMaster  (HO653-ORG)  hostmaster at BRODER.COM
      Broderbund Software
      500 Redwood Blvd
      Novato, CA 94948
      US
      415-382-4400 Fax- 415-382-3280
   Technical Contact:
      Christopherson, Jon  (JCV364)  JON at BRODER.COM
      Broderbund Software
      500 Redwood Blvd.
      Novato, CA 94948-6121
      415.382.3188 (FAX) 415.382.3171
---------------------
The program was apparently written for Broderbund (now Mattel Interactive), and 
was installed direct from CDs written for children. It is spyware software 
intended to report back to the designer and is supposed to be activated every 
time the installed computer connects to the Internet. The Web site is no longer 
active, but that doesn't stop installed programs from attempting to connect. 
Hence the DNS requests.

There is apparently no uninstall program. Therefore, the registry must be 
edited to stop it from loading automatically. So far, we have only detected it 
on one customer's computer, but it could be disastrous if a few high-speed 
connections were to have this program running.

J.A. Coutts
Systems Engineer
Edsonet/TravPro
************** SEPARATOR *************
In article <92g9d9$454 at pub3.rc.vix.com>, Randy.Adams at Telus.com says...
>
>
>We've had a similar item here. different host, but it turned out to be some
>of this spyware software..
>
>Reporting back to the 'mothership' to get user specific advertising and post
>local details...
>
>It ended up choking one of the firewalls by filling the logs. even after the
>software was uninstalled, the software dll kept puking out these requests...
>
>Good luck.
>
>
>-----Original Message-----
>From: Scott Bertilson [mailto:scott at nts.umn.edu]
>Sent: Thursday, December 28, 2000 1:41 PM
>To: Duane Cox
>Cc: bind-users at isc.org
>Subject: Re: help! (excessive queries for www.brodcast.net,
>stage.broder.com)
>
>
>
>  We've also had a number of machines wildly querying for
>"stage.broder.com".  Both of these addresses show up as
>belonging to Broderbund Software.  Any ideas as to what
>is generating these queries or how to eliminate them would
>be most helpful.
>                                Thanks, Scott
>
>> our nameservers are for the past week getting way overworked..
>> when i started looking into this, i found out that our dialup customers
>> apparently, unless the ip is spoofed, all of them seem to be sending this
>> request
>> below.. all for the same place, that does not exist... whats up?
>> 
>> this is bind 8.2.2-p7 on redhat linux 7.0.
>> 
>> duane cox
>> 
>> --------------------------------------------------------
>> 
>> 28-Dec-2000 14:19:59.930 queries: info: XX+/63.146.45.67/www.brodcast.net/A/IN
>> 28-Dec-2000 14:20:00.150 queries: info: XX+/63.146.45.129/www.brodcast.net/A/IN
>
>
>
>
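Added example, not part of the original thread: one way to find which clients are generating these lookups is to tally the BIND query log per client for the two names mentioned above. The record shape is copied from the two log lines quoted in the thread; the function names, the threshold and the sample log (documentation addresses) are assumptions made for illustration.

```python
import re
from collections import Counter, defaultdict

# Record shape copied from the two log lines quoted in the thread:
#   28-Dec-2000 14:19:59.930 queries: info: XX+/63.146.45.67/www.brodcast.net/A/IN
QUERY_RE = re.compile(
    r"^\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} queries: info: "
    r"XX\+?/(?P<client>[^/]+)/(?P<name>[^/]+)/(?P<qtype>[^/]+)/(?P<qclass>\S+)$"
)
# Names the thread reports being queried.
WATCHED = {"www.brodcast.net", "stage.broder.com"}

def unwrap(lines):
    """Rejoin records that were wrapped after 'queries: info:' (as in the mail)."""
    pending = ""
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if pending:
            line, pending = pending + " " + line, ""
        if line.endswith("queries: info:"):
            pending = line  # wait for the continuation line
            continue
        yield line

def noisy_clients(lines, watched=WATCHED, threshold=3):
    """Return {client: Counter(name -> hits)} for clients at or above threshold."""
    hits = defaultdict(Counter)
    for line in unwrap(lines):
        m = QUERY_RE.match(line)
        if not m:
            continue  # not a query record in the shape shown above
        name = m.group("name").rstrip(".").lower()
        if name in watched:
            hits[m.group("client")][name] += 1
    return {c: n for c, n in hits.items() if sum(n.values()) >= threshold}

# Constructed sample log, including one wrapped record; not real traffic.
SAMPLE = """\
06-Jan-2001 10:00:00.100 queries: info: XX+/192.0.2.10/www.brodcast.net/A/IN
06-Jan-2001 10:00:00.350 queries: info: XX+/192.0.2.10/www.brodcast.net/A/IN
06-Jan-2001 10:00:00.600 queries: info:
XX+/192.0.2.10/stage.broder.com/A/IN
06-Jan-2001 10:00:01.000 queries: info: XX+/192.0.2.20/www.example.org/A/IN
06-Jan-2001 10:00:01.200 queries: info: XX+/192.0.2.30/WWW.BRODCAST.NET/A/IN
""".splitlines()

if __name__ == "__main__":
    for client, names in noisy_clients(SAMPLE).items():
        print(client, dict(names))
```

The clients it returns are the machines to check for dssagent.exe.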


