Re: Lop Problem

From: Sven Ehret (sation_at_web.de)
Date: 06/18/03


Date: Wed, 18 Jun 2003 03:09:00 +0200

Nehmo Sergheyev wrote:

> On my Windows XP Home SP-1, Spybot-S&D v 1.2 finds these registry
> items:
>
> DSO Exploit: Data source object exploit (Registry change, nothing done)
> HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet
> Settings\Zones\0\1004=W=3
>
> DSO Exploit: Data source object exploit (Registry change, nothing done)
> HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet
> Settings\Zones\0\1004=W=3
>
> DSO Exploit: Data source object exploit (Registry change, nothing done)
> HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet
> Settings\Zones\0\1004=W=3
>
> DSO Exploit: Data source object exploit (Registry change, nothing done)
> HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet
> Settings\Zones\0\1004=W=3
>
> "Description
> There's a security hole in IE allowing websites to execute code without
> asking you first. You can find more information at
> http://security.greymagic.com/adv/gm001-ie/
> "The only possible solution must come in the form of a patch from
> Microsoft."
>
> GreyMagic has a proof-of-concept demonstration:
> http://security.greymagic.com/adv/gm001-ie/simplebind.html
>
> I'm up to date on Microsoft's IE6 patches ,and I pass the demonstration
> tests from GreyMagic (the code doesn't cause Notepad to execute), so is
> there any need to "fix the ... problem" as SpyBot offers? On the other
> hand, even though they don't seem to be currently causing a problem,
> shouldn't I delete them?
>
> This question is actually part of a larger problem: I somehow got one of
> the lop variants (AKA Troj/Tubmo or C2).
>
> http://www.doxdesk.com/parasite/lop.html
>
> Jim Byrd's post on lop
> http://www.ericseven.com?id=165
>
> http://www.google.com/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&selm=OVUHGoTIDHA.3692%40tk2msftngp13.phx.gbl
>
> The lop version I got added spam to the favorites, hijacked the
> homepage, and hijacked the search from the address bar.
> I didn't deliberately download anything to get lop and my IE Active X
> security settings are to disable unsigned and disable not marked as
> safe.
>
> I've run
> Ad-Aware 6 http://www.lavasoftusa.com/support/download/,
> Spybot
> http://spybot.eon.net.au/
> HijackThis
> http://www.spywareinfo.com/~merijn/files/hijackthis.zip
>
> The lop homepage-takeover and the added items to IE6's favorites I
> easily corrected manually, but I didn't stop the address-bar-search
> takeover until I ran PestPatrol http://www.safersite.com/ , which
> identified eight (probably identical) programs with different names in
> my C:\Documents and Settings\Nehmo Sergheyev (my profile name)\Local
> Settings\Temp folder.
> Now I no longer get lop as an error-default from the address bar, but I
> don't get the MSN search either. Does anybody know how I can return the
> address-bar search back to MSN?
>
> IE maintoolbar search button> customize> customize search settings does
> nothing. Changes I make there don't affect anything.
>
> To repeat, I'm asking two questions:
> Should I delete the registry entries listed by SpyBot above?
> How do I return IE's address bar search back to MSN?
>

It seems that you are the victim of one of IE's *unpatched* security holes.
There's a list of the known ones at http://www.pivx.com/larholm/unpatched/.
I think you should remove lop with one of the mentioned methods described on
http://www.doxdesk.com/parasite/lop.html, but I think you are not safe from
getting it again, since there are these many unpatched security issues.
My advice would be to use another browser, e.g. Mozilla (101 things that the
Mozilla browser can do that IE cannot:
http://www.xulplanet.com/ndeakin/arts/reasons.html).
Or better: don't use Micros~1 at all. I'm serious.

-- 
Sven Ehret
If there were a school for, say, *** metal workers, that after three
years left its graduates as unprepared for their careers as does law
school, it would be closed down in a minute, and no doubt by lawyers.
                -- Michael Levin, "The Socratic Method"
