Home page logo

bugtraq logo Bugtraq mailing list archives

RE: SideFind
From: "Polazzo Justin" <Justin.Polazzo () facilities gatech edu>
Date: Mon, 2 Aug 2004 14:53:09 -0400

Welcome to the world of Malware. There are many IE flaws that allow for the installation of spy/mal/ad :ware.

Either disable install on demand, apply XP SP2, or switch them to Mozilla to prevent future installs of this type.

Making HKLM\Software|Microsoft|Windows|CurrentVersion|Run read only via regedt32 will help as well.

Also install spybot (freeware from security.kolla.de, downloadable from download.com) version 1.3 _with_ tea timer, 
which will protect your system settings and notify you if one is changed. Convince the user that No is his favorite 
button to click on as well :)



-----Original Message-----
From: aborg () mca org mt [mailto:aborg () mca org mt]
Sent: Monday, August 02, 2004 9:20 AM
To: Windows NTBugtraq Mailing List; bugtraq () securityfocus com
Subject: SideFind

Hi ..

Has anyone heard of this IE hijacker?

One of our uses went through a devastating Sunday when he 
tried to remove
this piece of software from his PC.  It appears as a side 
panel (on the
left) and prompts with suggestions when the user utilises 
Google to perform
a search.  Essentially, it notices what Google searches you 
do and comes up
with suggestions in its own little window.  However, if you 
try to remove
the item using "Add/Remove Programs" (since it's listed), 
you can end up
with massive problems with your computers.  This user ended 
up losing all
files on a secondary partition of his hard disk.  I found 
one post in a
forum where the poster claimed that it "trashed his OS" but 
did not say
what was specifically affected.

The user was wise enough to try an undelete utility which 
restored most but
not all of his files and then used XP's system restore 
feature to attempt
to restore things back to a day before but this obviously 
meant that the
utility re-appeared in "Add/Remove" and under "Program Files".

I didn't find much help on the net and no one seems to be 
flagging it as a
potentially disturbing piece of malware except for the 
poster mentioned
above.  Disassembling it showed that it has an embedded 
registry resource
and by using that I removed all traces to it from the registry.

The only files that were not recovered were images (mainly 
belonging to his
daughter - and which weren't backed up; hereby proving 
Murphy's law) and it
seems as if there was some kind of cross-linked references 
in the file
table since opening some pics in an ASCII viewer shows quite 
clearly that
they are not pics but either PDFs, MP3s, etc.  I renamed a 
few of the files
and they worked.  I'm not sure if this is SideFind or the 
undelete utility
that did this though ...

What I'd like is more information as to how this damn 
utility installed
itself on the user's PC.  He claims to have never 
intentionally installed
it and he's a reliable enough user for me to believe that he 
didn't just
click on "Yes" w/o reading the dialog first ...

Antoine Borg
Network Administrator

Malta Communications Authority
Suite 43/44, "Il-Piazzetta"
Tower Road
Sliema SLM 16
Malta G.C.

Tel: +356 21 336840
Fax: +356 21 336846
Mob: +356 79 271852

"This is a lesson that the stars in the sky teach us - they 
may be related
to the sun, and just as brilliant, but they never appear in 
her company"
Baltasar Gracian, 1601 - 1658

  By Date           By Thread  

Current thread:
  • SideFind aborg (Aug 02)
    • <Possible follow-ups>
    • RE: SideFind Polazzo Justin (Aug 02)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]