Bugtraq: RE: SideFind

["Polazzo Justin" <Justin.Polazzo () facilities gatech edu>]

Welcome to the world of Malware. There are many IE flaws that allow for the installation of spy/mal/ad :ware.

Either disable install on demand, apply XP SP2, or switch them to Mozilla to prevent future installs of this type.

Making HKLM\Software|Microsoft|Windows|CurrentVersion|Run read only via regedt32 will help as well.

Also install spybot (freeware from security.kolla.de, downloadable from download.com) version 1.3 _with_ tea timer, 
which will protect your system settings and notify you if one is changed. Convince the user that No is his favorite 
button to click on as well :)

HTH

jp

> > -----Original Message-----
> > From: aborg () mca org mt [mailto:aborg () mca org mt]
> > Sent: Monday, August 02, 2004 9:20 AM
> > To: Windows NTBugtraq Mailing List; bugtraq () securityfocus com
> > Subject: SideFind
> >
> >
> >
> >
> >
> >
> >
> > Hi ..
> >
> > Has anyone heard of this IE hijacker?
> >
> > One of our uses went through a devastating Sunday when he 
> > tried to remove
> > this piece of software from his PC.  It appears as a side 
> > panel (on the
> > left) and prompts with suggestions when the user utilises 
> > Google to perform
> > a search.  Essentially, it notices what Google searches you 
> > do and comes up
> > with suggestions in its own little window.  However, if you 
> > try to remove
> > the item using "Add/Remove Programs" (since it's listed), 
> > you can end up
> > with massive problems with your computers.  This user ended 
> > up losing all
> > files on a secondary partition of his hard disk.  I found 
> > one post in a
> > forum where the poster claimed that it "trashed his OS" but 
> > did not say
> > what was specifically affected.
> >
> > The user was wise enough to try an undelete utility which 
> > restored most but
> > not all of his files and then used XP's system restore 
> > feature to attempt
> > to restore things back to a day before but this obviously 
> > meant that the
> > utility re-appeared in "Add/Remove" and under "Program Files".
> >
> > I didn't find much help on the net and no one seems to be 
> > flagging it as a
> > potentially disturbing piece of malware except for the 
> > poster mentioned
> > above.  Disassembling it showed that it has an embedded 
> > registry resource
> > and by using that I removed all traces to it from the registry.
> >
> > The only files that were not recovered were images (mainly 
> > belonging to his
> > daughter - and which weren't backed up; hereby proving 
> > Murphy's law) and it
> > seems as if there was some kind of cross-linked references 
> > in the file
> > table since opening some pics in an ASCII viewer shows quite 
> > clearly that
> > they are not pics but either PDFs, MP3s, etc.  I renamed a 
> > few of the files
> > and they worked.  I'm not sure if this is SideFind or the 
> > undelete utility
> > that did this though ...
> >
> > What I'd like is more information as to how this damn 
> > utility installed
> > itself on the user's PC.  He claims to have never 
> > intentionally installed
> > it and he's a reliable enough user for me to believe that he 
> > didn't just
> > click on "Yes" w/o reading the dialog first ...
> >
> > Antoine Borg
> > Network Administrator
> >
> > Malta Communications Authority
> > Suite 43/44, "Il-Piazzetta"
> > Tower Road
> > Sliema SLM 16
> > Malta G.C.
> >
> > Tel: +356 21 336840
> > Fax: +356 21 336846
> > Mob: +356 79 271852
> >
> > ----------
> > "This is a lesson that the stars in the sky teach us - they 
> > may be related
> > to the sun, and just as brilliant, but they never appear in 
> > her company"
> > Baltasar Gracian, 1601 - 1658