Bugtraq mailing list archives
Re: idsearch.com and googleMS.DLL
From: Jelmer <jkuperus () planet nl>
Date: Sun, 16 Nov 2003 01:34:15 +0100
----- Original Message ----- From: "trappers" <trappers () mail15 com> To: <bugtraq () securityfocus com> Sent: Saturday, November 15, 2003 4:21 PM Subject: idsearch.com and googleMS.DLL
Hi everyone, Here is a peice of information i'd like to share. Sorry of its old or irrelevant but I haven't noticed a mention of this on bugtraq, so am posting my experience with "the arrogant idsearch default homepage". For about two weeks we've been getting complaints from various stand-alone cutomers about automatic setting of idgsearch.com as their default homepage. Symantec and McAfee also had nothing initially (around 2nd November). So we sat down and started exploring. Now during these days, some interesting facts were observed. The spyware/worm seems to use many of the exploits/bugs mentioned on bugtraq, like those mentioned by Jelmer, Thor Larholm, Liu Die Yu (IE, XML amd WMP related) and mindWarper(Internet Explorer and Opera local zone restriction bypass). Once the user gets this syware/worm into their computer, it uses the MediaPlayer.exe to trigger set registry entries.
thats this issue : http://www.derkeiler.com/Mailing-Lists/Full-Disclosure/2003-09/0654.html Unfortunatly I imagine it's being used pretty heavily to install malware since I had some run ins with it myself just browsing some sites
When "infected" mediaplayer is run, it drops the googleMS.dll file in user's application data folder. Even after removal of the registry entries, they again are set unless the googleMS.dll file is not deleted. we also found some entries in trusted zones of the affected computers, despite Norton Personal Firewall running (with updates) on two of the systems. All the systems had at least one anti-virus program, mostly Norton.
I am running an updated norton 2k4 and it doesn't catch any of the most recent wave of major public IE remote code execution exploits. I know some other AV solutions do a better job in this regard. Though you shouldn't rely on them
Besides manual editing, we were able to locate the registry entries using HijackThis!. SpybotPro typically failed to identify the entries or the file. The cause, as usual, is unpatched versions of IE, possibly the patched versions may also be susceptible to the infection.
Up untill a couple of days ago there was no patch only workarounds So your users probably got infected before that MS03-048 (http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/M S03-048.asp) patches three vulnerabilities that involve the cross-domain security model of Internet Explorer all 3 by liu die yu, one of them being the file-protocol proxy vulnerability (http://safecenter.net/liudieyu/WsOpenFileJPU/WsOpenFileJPU-Content.HTM), which is an integrate part of both liu's 6 step compromise exploit and my mediaplayer / adodb issue, the 2 most recent public vulnerabilities that allow for execution of arbitrary code the other 2 being - an issue with placing a javascript:code() style url in the history then caching the history.back function and calling it after another url has been loaded (http://safecenter.net/liudieyu/NAFjpuInHistory/NAFjpuInHistory-Content.HTM) - an issue with opening a javascript:code() style url in the search pane by calling the open method of a frame contained in the searchpane (http://safecenter.net/liudieyu/WsFakeSrc/WsFakeSrc-Content.HTM) which could probably with some work both be swapped in, in place of the file proxy issue so for the time being you're "save" if your machines are fully patched since there currently is no way to access the my computer zone *but* when another way is found and a while back these popped up on a bi weekly basis, all the stuff starts working again. Unfortunatly microsoft is treating symptoms not administering a cure (yet anyway)
More information on how it gets initiated would be appreciated. Best wishes. Inderjeet S Sodhi IT Consultant, S/W and E-Security Solution Provider, Web/WAP Developer and Beta Tester. wwwDOTinderjeetsodhiDOTcom This text online at: http://www.inderjeetsodhi.com/eSec/index.php
--jelmer
Current thread:
- idsearch.com and googleMS.DLL trappers (Nov 15)
- Re: idsearch.com and googleMS.DLL Jelmer (Nov 17)
- Re: idsearch.com and googleMS.DLL Gary Flynn (Nov 18)
- Re: idsearch.com and googleMS.DLL Jelmer (Nov 17)