<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<META content="MSHTML 6.00.2900.2873" name=GENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=#ffffff>
<DIV><FONT size=4>While checking for spyware this morning I came across a well
known spyware program used by many firms called Backweb. Before
quarantining this program I decided to see who was receiving the information
this program is sending.</FONT></DIV>
<DIV><FONT size=4></FONT> </DIV>
<DIV><FONT size=4>The IP being sent to is 6.1.4.68.</FONT></DIV>
<DIV><FONT size=4></FONT> </DIV>
<DIV><FONT size=4>This IP is registered to:</FONT></DIV>
<DIV><FONT size=4></FONT> </DIV>
<DIV><FONT color=#0000ff>OrgName: DoD Network Information
Center <BR>OrgID:
DNIC<BR>Address: 3990 E. Broad
Street<BR>City: Columbus<BR>StateProv:
OH<BR>PostalCode: 43218<BR>Country: US</FONT></DIV>
<DIV><FONT color=#0000ff></FONT> </DIV>
<DIV><FONT color=#0000ff>NetRange: 6.0.0.0 - 6.255.255.255
<BR>CIDR: 6.0.0.0/8
<BR>NetName: YUMA-NET<BR>NetHandle:
NET-6-0-0-0-1<BR>Parent: <BR>NetType:
Direct Allocation<BR>NameServer: NS01.ARMY.MIL<BR>NameServer:
NS02.ARMY.MIL<BR>NameServer: NS03.ARMY.MIL<BR>Comment: Army
Information Systems Center<BR>Comment: U.S. Army Yuma Proving
Ground<BR>Comment: Building 2105<BR>Comment:
Yuma, AZ 85365-9110 US<BR>RegDate:
<BR>Updated: 2002-10-07</FONT></DIV>
<DIV><FONT color=#0000ff></FONT> </DIV>
<DIV><FONT color=#0000ff>OrgTechHandle:
MIL-HSTMST-ARIN<BR>OrgTechName: Network DoD <BR>OrgTechPhone:
+1-800-365-3642<BR>OrgTechEmail: </FONT><A
href="mailto:HOSTMASTER@nic.mil">HOSTMASTER@nic.mil</A></DIV>
<DIV><FONT color=#0000ff></FONT> </DIV>
<DIV><FONT color=#0000ff># ARIN WHOIS database, last updated 2006-05-29
19:10<BR># Enter ? for additional hints on searching ARIN's WHOIS
database.</FONT></DIV>
<DIV><FONT color=#0000ff></FONT> </DIV>
<DIV><FONT color=#0000ff>OrgName: DoD Network Information
Center<BR>OrgID:
DNIC<BR>Address: 3990 E. Broad
Street<BR>City: Columbus<BR>StateProv:
OH<BR>PostalCode: 43218<BR>Country:
US<BR>Comment: <BR>RegDate:
<BR>Updated: 2005-09-30</FONT></DIV>
<DIV><FONT color=#0000ff size=4></FONT> </DIV>
<DIV><FONT color=#0000ff>AdminHandle: MIL-HSTMST-ARIN<BR>AdminName:
Network DoD <BR>AdminPhone: +1-800-365-3642<BR>AdminEmail: </FONT><A
href="mailto:HOSTMASTER@nic.mil">HOSTMASTER@nic.mil</A></DIV>
<DIV><FONT color=#0000ff></FONT> </DIV>
<DIV><FONT color=#0000ff>TechHandle: MIL-HSTMST-ARIN<BR>TechName:
Network DoD <BR>TechPhone: +1-800-365-3642<BR>TechEmail: </FONT><A
href="mailto:HOSTMASTER@nic.mil">HOSTMASTER@nic.mil</A></DIV>
<DIV> </DIV>
<DIV><FONT size=4></FONT> </DIV>
<DIV><FONT size=4>
<DIV><FONT size=4></FONT> </DIV>
<DIV><FONT size=4>Very curious. Is this an instance of more domestic
spying?</FONT></DIV>
<DIV><FONT size=4></FONT> </DIV>
<DIV><FONT size=4>If you wish to check your computers for this particular
version of this spyware:</FONT></DIV>
<DIV><FONT size=4></FONT> </DIV>
<DIV><FONT size=4>Use Windows Explorer to open the Programs folder on your main
hard disk, probably C:</FONT></DIV>
<DIV><FONT size=4>Click on Search</FONT></DIV>
<DIV><FONT size=4>Click on all files and folders</FONT></DIV>
<DIV><FONT size=4>Enter backweb in the top search parameter</FONT></DIV>
<DIV><FONT size=4>Carefully look at the results, if any.</FONT></DIV>
<DIV><FONT size=4></FONT> </DIV>
<DIV><FONT size=4>The Receiving IP can sometimes be found in the file entry,
for example:</FONT></DIV>
<DIV><FONT size=4>C:\Program Files\Logitech\Desktop
Messenger\8876480\6.1.4.68-8876480L\Program\backweb.tlb</FONT></DIV>
<DIV> </DIV>
<DIV>Comments or discoveries?</DIV>
<DIV> </DIV>
<DIV><BR>Art Deco (Wayne A. Fox)<BR><A
href="mailto:deco@moscow.com">deco@moscow.com</A><BR></DIV>
<DIV> </DIV>
<DIV> </DIV></FONT></DIV>
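<DIV>The manual search described in the post, scripted as an added example that is not part of the original message: it walks a folder tree for file or folder names containing backweb and extracts any IPv4 address embedded in the path components, as in the post's example path. The function names and the default root folder are assumptions.</DIV>

```python
import ipaddress
import os
import re
import sys

# Example path quoted in the post; used to show the IP-in-folder-name pattern.
PAGE_EXAMPLE = (r"C:\Program Files\Logitech\Desktop Messenger"
                r"\8876480\6.1.4.68-8876480L\Program\backweb.tlb")

# Dotted-quad candidate not glued to further digits or dots (skips 1.2.3.4.5).
_IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def ips_in_path(path):
    """Return valid IPv4 addresses embedded in any component of a path string."""
    found = []
    for part in re.split(r"[\\/]+", path):      # accept Windows and POSIX separators
        for candidate in _IPV4.findall(part):
            try:
                ipaddress.IPv4Address(candidate)  # rejects octets > 255
            except ValueError:
                continue
            if candidate not in found:
                found.append(candidate)
    return found


def find_backweb(root, needle="backweb"):
    """Walk root; return (path, [ips]) for each name containing needle."""
    hits = []
    # onerror swallows unreadable folders so one access error does not stop the scan
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda e: None):
        for name in dirnames + filenames:
            if needle in name.lower():
                full = os.path.join(dirpath, name)
                hits.append((full, ips_in_path(full)))
    return sorted(hits)


if __name__ == "__main__":
    # Assumed default root; pass another folder as the first argument.
    root = sys.argv[1] if len(sys.argv) > 1 else r"C:\Program Files"
    print("post example ->", ips_in_path(PAGE_EXAMPLE))
    for path, ips in find_backweb(root):
        print(path, "->", ", ".join(ips) or "no embedded IP")
```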
</BODY></HTML>