Bugtraq mailing list archives
RE: SideFind
From: "Polazzo Justin" <Justin.Polazzo () facilities gatech edu>
Date: Mon, 2 Aug 2004 14:53:09 -0400
Welcome to the world of Malware. There are many IE flaws that allow for the installation of spy/mal/ad-ware. Either disable install on demand, apply XP SP2, or switch them to Mozilla to prevent future installs of this type. Making HKLM\Software\Microsoft\Windows\CurrentVersion\Run read only via regedt32 will help as well. Also install Spybot (freeware from security.kolla.de, downloadable from download.com) version 1.3 _with_ TeaTimer, which will protect your system settings and notify you if one is changed.

Convince the user that No is his favorite button to click on as well :)

HTH
jp
-----Original Message-----
From: aborg () mca org mt [mailto:aborg () mca org mt]
Sent: Monday, August 02, 2004 9:20 AM
To: Windows NTBugtraq Mailing List; bugtraq () securityfocus com
Subject: SideFind

Hi ..

Has anyone heard of this IE hijacker? One of our users went through a devastating Sunday when he tried to remove this piece of software from his PC. It appears as a side panel (on the left) and prompts with suggestions when the user utilises Google to perform a search. Essentially, it notices what Google searches you do and comes up with suggestions in its own little window.

However, if you try to remove the item using "Add/Remove Programs" (since it's listed), you can end up with massive problems with your computers. This user ended up losing all files on a secondary partition of his hard disk. I found one post in a forum where the poster claimed that it "trashed his OS" but did not say what was specifically affected. The user was wise enough to try an undelete utility which restored most but not all of his files and then used XP's system restore feature to attempt to restore things back to a day before, but this obviously meant that the utility re-appeared in "Add/Remove" and under "Program Files".

I didn't find much help on the net and no one seems to be flagging it as a potentially disturbing piece of malware except for the poster mentioned above. Disassembling it showed that it has an embedded registry resource and by using that I removed all traces to it from the registry. The only files that were not recovered were images (mainly belonging to his daughter - and which weren't backed up; hereby proving Murphy's law) and it seems as if there were some kind of cross-linked references in the file table, since opening some pics in an ASCII viewer shows quite clearly that they are not pics but either PDFs, MP3s, etc. I renamed a few of the files and they worked. I'm not sure if this is SideFind or the undelete utility that did this though ...

What I'd like is more information as to how this damn utility installed itself on the user's PC. He claims to have never intentionally installed it and he's a reliable enough user for me to believe that he didn't just click on "Yes" w/o reading the dialog first ...

Antoine Borg
Network Administrator
Malta Communications Authority
Suite 43/44, "Il-Piazzetta"
Tower Road
Sliema SLM 16
Malta G.C.
Tel: +356 21 336840
Fax: +356 21 336846
Mob: +356 79 271852

----------
"This is a lesson that the stars in the sky teach us - they may be related to the sun, and just as brilliant, but they never appear in her company"
Baltasar Gracian, 1601 - 1658
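The reply above recommends protecting the Run autostart key and being notified when a setting changes. As an added example, not part of the original thread and not Spybot's or TeaTimer's code, the following PowerShell script implements that idea in a defender's form: it snapshots the per-machine and per-user Run keys into a baseline file and, on later runs, reports any entry that was added, changed or removed. The baseline path under ProgramData is an assumption; the script writes nothing to the registry itself.

```powershell
# Added example: baseline-and-diff monitor for the Run autostart keys named in
# the reply. Not from the original thread. The baseline location is assumed.
$RunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
$BaselinePath = "$env:ProgramData\RunKeyBaseline.json"   # assumed location

function Get-RunEntries {
    # Returns a hashtable mapping "key\valueName" to the command string.
    $entries = @{}
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip the provider metadata that Get-ItemProperty attaches.
            if ($p.Name -in 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider') { continue }
            $entries["$key\$($p.Name)"] = [string]$p.Value
        }
    }
    return $entries
}

function Compare-RunEntries {
    # Produces one report line per difference between baseline and current state.
    param([hashtable]$Baseline, [hashtable]$Current)
    $report = @()
    foreach ($name in $Current.Keys) {
        if (-not $Baseline.ContainsKey($name)) {
            $report += "ADDED   $name = $($Current[$name])"
        } elseif ($Baseline[$name] -ne $Current[$name]) {
            $report += "CHANGED $name : '$($Baseline[$name])' -> '$($Current[$name])'"
        }
    }
    foreach ($name in $Baseline.Keys) {
        if (-not $Current.ContainsKey($name)) { $report += "REMOVED $name" }
    }
    return $report
}

$current = Get-RunEntries
if (-not (Test-Path $BaselinePath)) {
    # First run: record the known-good state.
    $current | ConvertTo-Json | Set-Content -Path $BaselinePath
    Write-Output "Baseline written to $BaselinePath ($($current.Count) entries)."
} else {
    # Later runs: load the baseline and report drift.
    $raw = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
    $baseline = @{}
    foreach ($p in $raw.PSObject.Properties) { $baseline[$p.Name] = [string]$p.Value }
    $diff = Compare-RunEntries -Baseline $baseline -Current $current
    if ($diff.Count -eq 0) {
        Write-Output "No autostart changes since baseline."
    } else {
        $diff | ForEach-Object { Write-Output $_ }
    }
}
```

Run it once on a clean machine to write the baseline, then schedule it (for example at logon) so that an autostart entry a hijacker drops into Run shows up as an ADDED line before the next reboot. The baseline file should live somewhere ordinary users cannot write, otherwise an installer running as that user could simply rewrite it.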