Security Incidents mailing list archives

Previous By Date Next
Previous By Thread Next

idsearch.com and GoogleMs.dll

From: trappers <trappers () mail15 com>
Date: Sun, 16 Nov 2003 18:24:50 +0300 (MSK)
Hi everyone, Here is a peice of information i'd like to share. 
Sorry of its old or irrelevant but I haven't noticed a mention of 
this on bugtraq, so am posting my experience with "the arrogant 
idsearch homepage". 

For about two weeks we've been getting complaints from various 
stand-alone cutomers about automatic setting of idgsearch.com as 
their default homepage. Symantec and McAfee also had nothing 
initially (around 2nd November). So we sat down and started 
exploring. 

Now during these days, some interesting facts were observed. The 
spyware/worm seems to use many of the exploits/bugs mentioned on 
bugtraq, like those mentioned by Jelmer, Thor Larholm, Liu Die Yu
(IE, XML amd WMP related) and mindWarper(Internet Explorer and 
Opera local zone restriction bypass). 

Once the user gets this syware/worm into their computer, it uses 
the MediaPlayer.exe to trigger set registry entries. 
When "infected" mediaplayer is run, it drops the googleMS.dll 
file in user's application data folder. Even after removal of the 
registry entries, they again are set unless the googleMS.dll file 
is not deleted. we also found some entries in trusted zones of 
the affected computers, despite Norton Personal Firewall running 
(with updates) on two of the systems. All the systems had at 
least one anti-virus program, mostly Norton. 

Besides manual editing, we were able to locate the registry 
entries using HijackThis!. SpybotPro typically failed to identify 
the entries or the file. 

The cause, as usual, is unpatched versions of IE, possibly the 
patched versions may also be susceptible to the infection. 

---------------------------------------------------------------------------
Network with over 10,000 of the brightest minds in information security
at the largest, most highly-anticipated industry event of the year.
Don't miss RSA Conference 2004! Choose from over 200 class sessions and
see demos from more than 250 industry vendors. If your job touches
security, you need to be here. Learn more or register at
http://www.securityfocus.com/sponsor/RSA_incidents_031023
and use priority code SF4.
----------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: