Date: 08/02/04

  • Next message: Nicholas Knight: "Re: New possible scam method : forged websites using XUL (Firefox)"
    To: Windows NTBugtraq Mailing List <NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM>,
    Date: Mon, 2 Aug 2004 15:20:13 +0200

    Hi ..

    Has anyone heard of this IE hijacker?

    One of our users went through a devastating Sunday when he tried to remove
    this piece of software from his PC. It appears as a side panel (on the
    left) and prompts with suggestions when the user utilises Google to perform
    a search. Essentially, it notices what Google searches you do and comes up
    with suggestions in its own little window. However, if you try to remove
    the item using "Add/Remove Programs" (since it's listed), you can end up
    with massive problems with your computer. This user ended up losing all
    files on a secondary partition of his hard disk. I found one post in a
    forum where the poster claimed that it "trashed his OS" but did not say
    what was specifically affected.

    The user was wise enough to try an undelete utility which restored most but
    not all of his files and then used XP's system restore feature to attempt
    to restore things back to a day before but this obviously meant that the
    utility re-appeared in "Add/Remove" and under "Program Files".

    I didn't find much help on the net and no one seems to be flagging it as a
    potentially disturbing piece of malware except for the poster mentioned
    above. Disassembling it showed that it has an embedded registry resource
    and by using that I removed all traces to it from the registry.

    The only files that were not recovered were images (mainly belonging to his
    daughter - and which weren't backed up; hereby proving Murphy's law) and it
    seems as if there was some kind of cross-linked reference in the file
    table since opening some pics in an ASCII viewer shows quite clearly that
    they are not pics but either PDFs, MP3s, etc. I renamed a few of the files
    and they worked. I'm not sure if this is SideFind or the undelete utility
    that did this though ...

    What I'd like is more information as to how this damn utility installed
    itself on the user's PC. He claims to have never intentionally installed
    it and he's a reliable enough user for me to believe that he didn't just
    click on "Yes" w/o reading the dialog first ...

    Antoine Borg
    Network Administrator

    Malta Communications Authority
    Suite 43/44, "Il-Piazzetta"
    Tower Road
    Sliema SLM 16
    Malta G.C.

    Tel: +356 21 336840
    Fax: +356 21 336846
    Mob: +356 79 271852

    "This is a lesson that the stars in the sky teach us - they may be related
    to the sun, and just as brilliant, but they never appear in her company"
    Baltasar Gracian, 1601 - 1658
