idsearch.com and googleMS.DLL

From: trappers (trappers_at_mail15.com)
Date: 11/15/03

Date: Sat, 15 Nov 2003 18:21:31 +0300 (MSK)
To: bugtraq@securityfocus.com

Hi everyone,
Here is a piece of information I'd like to share. Sorry if it's
old or irrelevant, but I haven't noticed a mention of this on
bugtraq, so I am posting my experience with "the arrogant idsearch
default homepage".

For about two weeks we've been getting complaints from various
stand-alone customers about automatic setting of idgsearch.com as
their default homepage. Symantec and McAfee also had nothing
initially (around 2nd November). So we sat down and started
exploring.

Now during these days, some interesting facts were observed. The
spyware/worm seems to use many of the exploits/bugs mentioned on
bugtraq, like those mentioned by Jelmer, Thor Larholm, Liu Die Yu
(IE, XML and WMP related) and mindWarper (Internet Explorer and
Opera local zone restriction bypass).

Once the user gets this spyware/worm into their computer, it uses
the MediaPlayer.exe to trigger set registry entries.
When the "infected" mediaplayer is run, it drops the googleMS.dll
file in the user's application data folder. Even after removal of the
registry entries, they are set again unless the googleMS.dll file
is deleted. We also found some entries in trusted zones of
the affected computers, despite Norton Personal Firewall running
(with updates) on two of the systems. All the systems had at
least one anti-virus program, mostly Norton.

Besides manual editing, we were able to locate the registry
entries using HijackThis!. SpybotPro typically failed to identify
the entries or the file.

The cause, as usual, is unpatched versions of IE; possibly the
patched versions may also be susceptible to the infection.

More information on how it gets initiated would be appreciated.

Best wishes.

Inderjeet S Sodhi
IT Consultant, S/W and E-Security Solution Provider,
Web/WAP Developer and Beta Tester.

wwwDOTinderjeetsodhiDOTcom
This text online at: http://www.inderjeetsodhi.com/eSec/index.php
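As an added example (not from the post, HijackThis or any tool named above), a Python check that reads a regedit-style .reg export of the current user's IE settings and flags the two things the post describes: a Start Page or Search Page pointing at the idsearch/idgsearch domains, and those domains placed in the Trusted Sites zone via ZoneMap. The registry paths are the standard IE ones; the sample export and the domain list are constructed for the demonstration.

```python
# Constructed sample of what a .reg export from an affected host might hold
# (key paths are the standard IE ones; the data values are made up for this example).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.idsearch.com/"
"Search Page"="http://www.idsearch.com/search"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\idsearch.com]
"*"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example.org]
"*"=dword:00000004
'''

SUSPECT_DOMAINS = ("idsearch.com", "idgsearch.com")  # both spellings used in the post
TRUSTED_SITES_ZONE = 2  # ZoneMap zone id 2 = Trusted Sites; 4 = Restricted Sites
HOMEPAGE_VALUES = ("Start Page", "Search Page", "Default_Page_URL")


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: data}}; handles strings and dwords."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            name = name.strip('"')
            if data.startswith("dword:"):
                data = int(data[len("dword:"):], 16)
            else:
                data = data.strip('"')
            keys[current][name] = data
    return keys


def find_hijack_indicators(reg_text):
    """Return human-readable findings for homepage hijack and trusted-zone additions."""
    findings = []
    for key, values in parse_reg(reg_text).items():
        if key.endswith("\\Internet Explorer\\Main"):
            for name in HOMEPAGE_VALUES:
                url = str(values.get(name, "")).lower()
                if any(domain in url for domain in SUSPECT_DOMAINS):
                    findings.append(f"{name} points to {values[name]}")
        elif "\\ZoneMap\\Domains\\" in key:
            domain = key.rsplit("\\", 1)[1]
            if any(zone == TRUSTED_SITES_ZONE for zone in values.values()):
                findings.append(f"{domain} is in the Trusted Sites zone")
    return findings
```

Run the checker against a real export (`reg export "HKCU\Software\Microsoft" dump.reg`) to get the same two classes of finding the post located by hand with HijackThis.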