Windows 98 User-Agent
This signature is intended primarily to catch spyware and downloaders that use Windows 98 User-Agent strings as fakes. The side benefit is that you can catch any old workstations that are still on your network. Just a reminder: Win98 hasn't been supported or patched for YEARS. If you've still got them running, you're a disaster waiting to happen.
- 13 Nov 2007
I have tracked those Win98 alerts down to a piece of malware that ships (Free!) with Dell computers from 2005-2007. It is part of the Dell online support system. Dell licensed the client code from "Gteko". It may not be easily removable. It does phone home to the Dell support web site several times a day. It reports hardware configurations and some other
Normally we ignore the spyware from Dell machines (they have always had lots of spyware on their boxes), but in this case the GtekClient contains its own browser code that for whatever reason emulates a Win98 box. Weird. Throw it on the pile of "Essential Dell Spyware".
13:41:01.224108 IP 10.1.1.66.4501 > 22.214.171.124.80: P 175:426(251) ack 356 win 65180
0x0000: 4500 0123 7278 4000 8006 8283 0a01 0142 E..#rx@........B
0x0010: d188 280e 1195 0050 5187 6820 5ee8 5d84 ..(....PQ.h.^.].
0x0020: 5018 fe9c 035e 0000 4745 5420 2f6e 6577 P....^..GET./new
0x0030: 5f64 656c 6c5f 6167 656e 742f 656d 6572 _dell_agent/emer
0x0040: 6765 6e63 795f 3031 2f75 636c 732f 7665 gency_01/ucls/ve
0x0050: 7273 696f 6e2e 6366 673f 7261 6e64 3d35 rsion.cfg?rand=5
0x0060: 3834 4546 3432 3026 6369 643d 3337 3561 84EF420&cid=375a
0x0070: 3335 3762 2d62 3832 622d 3464 6630 2d38 357b-b82b-4df0-8
0x0080: 3039 382d 3563 6538 6531 3362 3665 6631 098-5ce8e13b6ef1
0x0090: 2673 7276 5f74 6167 3d33 504a 5758 4231 &srv_tag=3PJWXB1
0x00a0: 2048 5454 502f 312e 310d 0a55 7365 722d .HTTP/1.1..User-
0x00b0: 4167 656e 743a 204d 6f7a 696c 6c61 2f34 Agent:.Mozilla/4
0x00c0: 2e30 2028 636f 6d70 6174 6962 6c65 3b20 .0.(compatible;.
0x00d0: 4d53 4945 2035 2e35 3b20 5769 6e64 6f77 MSIE.5.5;.Window
0x00e0: 7320 3938 3b20 4774 656b 436c 6965 6e74 s.98;.GtekClient
0x00f0: 290d 0a48 6f73 743a 2064 732e 6465 6c6c )..Host:.ds.dell
0x0100: 6669 782e 636f 6d0d 0a43 6f6e 6e65 6374 fix.com..Connect
0x0110: 696f 6e3a 204b 6565 702d 416c 6976 650d ion:.Keep-Alive.
Fri Nov 16 18:38:37 UTC 2007
It looks like there is a company that sells an agent that has Windows 98 coded into the User-Agent string. I have seen a couple of systems going to dellfix.com (registrant is Dell) and linksysfix.com (registrant is Microsoft) with the following User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; GtekClient)
A little searching revealed the following about Dell's agent:
It seems like this may be the company that sells the agent:
- 17 Aug 2012
It appears that this sig is now being triggered by Dells phoning Akamai Technologies IPs.
Specifically IPs in the 126.96.36.199/24 and 188.8.131.52/24 ranges.
The devices triggering the alerts on my network seem to all be Dells, so it may be that the software has changed to phoning Akamai.
- base_packet_4-1254606.pcap: This signature has incorrectly detected a Windows 7 Enterprise SP1 system as a Windows 98 machine. Please refer to the attached pcaps and the payload.
- payload_4-1254606.bin: This signature has incorrectly detected a Windows 7 Enterprise SP1 system as a Windows 98 machine. Please refer to the attached pcaps and the payload.