Re: Spyware installs with no interaction in IE on fully patched XP SP2 box

["Geraldo Rivera" <iamafraud () hotmail com>]

themexp.org

I should have logged all the files and reg entries I deleted, but it was 
late at night and I wasn't really thinking about that at the time. I just 
checked my IE history for some of the things I googled and I found a bunch 
of them:

SahAgent.exe
webrebates0.exe
lu.dat
preInsln.exe
Systb.dll
wupdater.exe
eakrfu.exe
wupdt.exe
megasearch toolbar (www.megasearchbar.com)
IEPlugin
localnrd.dll
multimpp.dll

> From: "Joel R. Helgeson" <joel () helgeson com>
> To: "Geraldo Rivera" 
> <iamafraud () hotmail com>,<full-disclosure () lists netsys com>
> Subject: Re: [Full-disclosure] Spyware installs with no interaction in IE 
> on fully patched XP SP2 box
> Date: Sun, 3 Oct 2004 14:13:52 -0500
>
> What was the site?
>
> Joel R. Helgeson
> Director of Networking & Security Services
> SymetriQ Corporation
>
> "Give a man fire, and he'll be warm for a day; set a man on fire, and he'll 
> be warm for the rest of his life."
> ----- Original Message ----- From: "Geraldo Rivera" <iamafraud () hotmail com>
> To: <full-disclosure () lists netsys com>
> Sent: Sunday, October 03, 2004 1:16 PM
> Subject: [Full-disclosure] Spyware installs with no interaction in IE on 
> fully patched XP SP2 box
>
>
> > Last night I went to a site that I have been to on and off for years. The 
> > page loaded and then in IE's status bar I saw something suspicious: 
> > "installing components...atpartners.cab". I could not close out of IE, and 
> > I could not kill the iexplorer.exe process. It totally locked up and I had 
> > to reboot my machine. When my machine came back up, I had at least 6 
> > different pieces of spyware/adware on my machine. IT took me almost 2 hrs 
> > to clean up. I manually deleted a bunch of crap (stuff I had found through 
> > the run key in the registry, suspicious processes running, suspicious 
> > files in the usual dir's, and by searching for all files modified at the 
> > time this happened). Even after all that, Ad-Aware found 143 entries (none 
> > were cookies, mostly registry entries and a few dll's) and then Spybot 
> > found an additional 2 registry entries.
> >
> > This machine is a fully patched XP SP2 box, with the default security 
> > settings for IE's Internet Zone. Does anybody know what method this crap 
> > could be using to install without any user interaction?
> >
> > _________________________________________________________________
> > Express yourself instantly with MSN Messenger! Download today - it's FREE! 
> > hthttp://messenger.msn.click-url.com/go/onm00200471ave/direct/01/
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.netsys.com/full-disclosure-charter.html

_________________________________________________________________
Express yourself instantly with MSN Messenger! Download today - it's FREE! 
hthttp://messenger.msn.click-url.com/go/onm00200471ave/direct/01/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html