While designed to be stealthy, the malicious code was revealed to many puzzled victims in recent weeks when it began causing instability in their PCs or crashed them.

Others discovered the program after updating their anti-virus signature files. Sam Evans, security analyst for a Midwestern semiconductor firm, said an anti-virus update in late April caused a sudden flood of reports from company employees. Cleaning the code off affected computers was complex and required editing the PC's system registry.

"We thought we disinfected all the computers, but our intrusion detection system is still reporting that internal machines are attempting to send information out," said Evans, who added that the company had "black-holed" (blocked access to) the range of Internet protocol addresses used by KoolKatalog and related sites.

Trend Microsystems, which since April 23 has received nearly 5,000 reports of infections by TROJ_SUA.A, as it calls the software, has released a free tool that automates the 49 steps required to remove IntelliTech's code from an infected PC.

IntelliTech itself has done little to clear up the mystery surrounding the surreptitious installation of its spyware.

Frank Bigott, a resident of Santa Monica, Calif., who holds the domain registration for KoolKatalog, said he had "zero knowledge" of the backdoor program prior to being contacted by Salon. Bigott referred all other questions to his attorney.

The lawyer, William W. Bloch of Beverly Hills, said Bigott resigned his position in sales and marketing at IntelliTech after learning of the incident from Salon. Bloch also gave Salon the cellphone numbers of three men whom he identified as IntelliTech management, but voice-mail messages left at those numbers were not returned.

Bloch says that Bigott determined that IntelliTech's management had placed the spyware programs on users' computers "to gain certain things that would result in increased revenue," such as commissions from affiliate marketing programs.

Susan Henrichsen, deputy attorney general for the state of California, declined to comment on specifics of the IntelliTech situation. But she noted that downloading software onto someone's computer without permission is tantamount to hacking.

"If, on top of that, you track people with spyware with the intent of selling the information, that goes way over into unfair and deceptive practices. It's really pretty appalling," she said.

The spyware tar pit that users encountered at KoolKatalog may have been connected to an earlier software development effort by a company called Volton Technologies, which also had ties to IntelliTech.

The agent of record for the incorporation of Beverly Hills-based Volton Technologies is Michael Osborn, one of the names provided by the lawyer Bloch as a member of IntelliTech management. Volton Technologies previously offered for download an apparently legitimate program that may have provided the technical foundation for KoolKatalog's twisted creation.

The program, which Volton termed a "browser toolbar enhancement," offered access to search engines and e-mail from a control panel at the bottom of Web browsers. According to the program's license, in exchange for the free software, users agreed to allow Volton to collect "anonymous" data on Web page views and responses to ads, as well as an inventory of the software on the user's PC.

The front door of Volton's search site, BestoftheWeb.com, invites users to download the toolbar. But the download page offers no link to the software and merely states, "Our new and improved toolbar is coming soon."

Similarly, a download link at Volton's BrowserToolbar.com site was disabled for weeks -- before suddenly reappearing May 3, when the site was relocated from an IntelliTech-owned hosting firm in Los Angeles, New Directions, to a new ISP in Canada.

Click the download link at Volton's new version of BrowserToolbar.com, hosted by Alberta-based Myrias Computer Technologies, and a message says a file called Coolstuff4.cab is being installed. But the toolbar installation fails because the server containing the file, online1net.com, is unreachable.

Online1net.com, along with wwws1.com and KoolKatalog, was summarily unplugged last week by Alchemy Communications, the Internet collocation facility that services New Directions.

When contacted by Salon on April 26 about reports of malicious code at the IntelliTech sites, Alchemy's vice president Jamie Daquino said his position was: Shut down first, ask questions later.

"For someone to get written up as a virus, that's pretty serious. If they're doing what people are saying, it's illegal. We don't want to be associated with that," said Daquino.

Daquino noted that New Directions, which also goes by aliases including AlphaHostCo, Online Connect Group, Zones Now, Interhostland and Quik-Net, appears to be "companies within companies."

With its sites darkened by Alchemy, and its devious pop-up ads pulled by eUniverse, IntelliTech's misguided experiment in viral marketing appears to have been halted.

But Roger Thompson, malicious-code expert for TruSecure, said that spyware like that found at KoolKatalog.com remains a serious threat to the thousands of users who are infected and not aware of it.

"They are definitely still at risk. Only the original authors know exactly how compromised those PCs are. No one should want any uninvited back door on any PC," said Thompson.
