idgsearch.com and googleMS.dll
From: trappers (trappers_at_mail15.com)
Date: 11/16/03
Date: Sun, 16 Nov 2003 22:01:57 +0300 (MSK)
To: incidents@securityfocus.com
*** This is a repost earlier one was not complete ***
Hi everyone,
Here is a piece of information I'd like to share. Sorry if it's
old or irrelevant, but I haven't noticed a mention of this on
bugtraq, so am posting my experience with "the arrogant
idsearch default homepage".
For about two weeks we've been getting complaints from various
stand-alone customers about automatic setting of idgsearch.com as
their default homepage. Symantec and McAfee also had nothing
initially (around 2nd November). So we sat down and started
exploring.
Now during these days, some interesting facts were observed. The
spyware/worm seems to use many of the exploits/bugs mentioned on
bugtraq, like those mentioned by Jelmer, Thor Larholm, Liu Die Yu
(IE, XML and WMP related) and mindWarper (Internet Explorer and
Opera local zone restriction bypass).
Once the user gets this spyware/worm into their computer, it uses
the MediaPlayer.exe to trigger set registry entries.
When the "infected" mediaplayer is run, it drops the googleMS.dll
file in the user's application data folder. Even after removal of the
registry entries, they are set again unless the googleMS.dll file
is deleted. We also found some entries in trusted zones of
the affected computers, despite Norton Personal Firewall running
(with updates) on two of the systems. All the systems had at
least one anti-virus program, mostly Norton.
Besides manual editing, we were able to locate the registry
entries using HijackThis!. SpybotPro typically failed to identify
the entries or the file.
The cause, as usual, is unpatched versions of IE; possibly the
patched versions may also be susceptible to the infection.
Best wishes.
Inderjeet S Sodhi
IT Consultant, S/W and E-Security Solution Provider,
Web/WAP Developer and Beta Tester.
wwwDOTinderjeetsodhiDOTcom
This text online at: http://www.inderjeetsodhi.com/eSec/index.php
(updated on 17 nov 2k3, 0:05 am IST +530GMT)
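The post names three indicators of this hijack: the IE start page pointing at idgsearch.com, extra entries in the Trusted sites zone, and a googleMS.dll dropped in the user's application data folder. The script below is an added example written for this archive page, not code from the original poster; it triages a registry export (as produced by regedit /e on the affected profile) offline and checks a folder for the dropped file. The registry paths are the standard per-user locations for the IE start page and the ZoneMap domain list, and the sample export and the placeholder DLL are constructed for the demonstration.

```python
"""Offline triage for the idgsearch.com homepage hijack described in the post.

Added example (not the original poster's code). Reads a .reg export and a
folder, and reports the indicators the post lists. Sample data is constructed.
"""
import re
import tempfile
from pathlib import Path

# Indicators taken from the post.
HIJACK_DOMAIN = "idgsearch.com"
DROPPED_DLL = "googlems.dll"  # compared case-insensitively

# Standard per-user IE locations (assumption: the export was taken from HKCU).
START_PAGE_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main"
ZONEMAP_DOMAINS = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
                   r"\Internet Settings\ZoneMap\Domains")
TRUSTED_ZONE = 2  # IE zone id 2 = "Trusted sites"

_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')


def parse_reg_export(text):
    """Parse a .reg export into {key_path: {value_name: data}}.

    Handles quoted strings (unescaping \\ and \") and dword: values, which is
    enough for the keys this triage inspects.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line) if current is not None else None
        if not m:
            continue
        name = "(Default)" if m.group(2) else m.group(1)
        data = m.group(3)
        if data.startswith('"') and data.endswith('"'):
            data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        elif data.startswith("dword:"):
            data = int(data[len("dword:"):], 16)
        keys[current][name] = data
    return keys


def find_hijack_indicators(keys):
    """Return human-readable findings: hijacked start/search page and every
    domain placed in the Trusted sites zone (all of them deserve review)."""
    findings = []
    main = next((v for k, v in keys.items() if k.lower() == START_PAGE_KEY.lower()), {})
    for name in ("Start Page", "Default_Page_URL", "Search Page"):
        data = main.get(name)
        if isinstance(data, str) and HIJACK_DOMAIN in data.lower():
            findings.append(f"{name} points at {data}")
    # ZoneMap\Domains\<domain>[\<host>] holds one value per protocol; data = zone id.
    prefix = ZONEMAP_DOMAINS.lower() + "\\"
    for key, values in keys.items():
        if not key.lower().startswith(prefix):
            continue
        domain = key[len(prefix):]
        for proto, zone in values.items():
            if zone == TRUSTED_ZONE:
                findings.append(f"{domain} ({proto}) added to Trusted sites zone")
    return findings


def find_dropped_dll(appdata_dir):
    """List any googleMS.dll below the given Application Data folder."""
    return sorted(str(p) for p in Path(appdata_dir).rglob("*")
                  if p.is_file() and p.name.lower() == DROPPED_DLL)


# Constructed sample export resembling what regedit /e yields on an affected profile.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.idgsearch.com/"
"Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\idgsearch.com]
"http"=dword:00000002
"*"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example.org]
"https"=dword:00000002
"""


def demo():
    """Run the triage on the constructed export and a stand-in %APPDATA% folder."""
    findings = find_hijack_indicators(parse_reg_export(SAMPLE_REG))
    with tempfile.TemporaryDirectory() as appdata:  # stands in for %APPDATA%
        Path(appdata, "googleMS.dll").write_bytes(b"constructed placeholder, not the real file")
        dlls = find_dropped_dll(appdata)
    return findings, dlls


if __name__ == "__main__":
    found, dropped = demo()
    for line in found + [f"dropped file: {d}" for d in dropped]:
        print(line)
```

On a real machine you would export HKCU from the affected profile, run the script against that file and the user's Application Data folder, and remove the DLL before cleaning the registry values, since the post observes that they are re-set while the file remains.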