lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <200311151521.hAFFLVLT042316@www.mail15.com>
Date: Sat, 15 Nov 2003 18:21:31 +0300 (MSK)
From: trappers <trappers@...l15.com>
To: bugtraq@...urityfocus.com
Subject: idsearch.com and googleMS.DLL


Hi everyone,
Here is a peice of information i'd like to share. Sorry of its 
old or irrelevant but I haven't noticed a mention of this on 
bugtraq, so am posting my experience with "the arrogant idsearch  
default homepage".
 
For about two weeks we've been getting complaints from various 
stand-alone cutomers about automatic setting of idgsearch.com as 
their default homepage. Symantec and McAfee also had nothing 
initially (around 2nd November). So we sat down and started 
exploring.
 
Now during these days, some interesting facts were observed. The 
spyware/worm seems to use many of the exploits/bugs mentioned on 
bugtraq, like those mentioned by Jelmer, Thor Larholm, Liu Die Yu
(IE, XML amd WMP related) and mindWarper(Internet Explorer and 
Opera local zone restriction bypass).
 
Once the user gets this syware/worm into their computer, it uses 
the MediaPlayer.exe to trigger set registry entries. 
When "infected" mediaplayer is run, it drops the googleMS.dll 
file in user's application data folder. Even after removal of the 
registry entries, they again are set unless the googleMS.dll file 
is not deleted. we also found some entries in trusted zones of 
the affected computers, despite Norton Personal Firewall running 
(with updates) on two of the systems. All the systems had at 
least one anti-virus program, mostly Norton.
 
Besides manual editing, we were able to locate the registry 
entries using HijackThis!. SpybotPro typically failed to identify 
the entries or the file. 
 
The cause, as usual, is unpatched versions of IE, possibly the 
patched versions may also be susceptible to the infection.
 
More information on how it gets initiated would be appreciated.
 
Best wishes.
 
Inderjeet S Sodhi
IT Consultant, S/W and E-Security Solution Provider,
Web/WAP Developer and Beta Tester.
 
wwwDOTinderjeetsodhiDOTcom
This text online at: http://www.inderjeetsodhi.com/eSec/index.php

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ