mailing list archives
From: "Polazzo Justin" <Justin.Polazzo () facilities gatech edu>
Date: Mon, 2 Aug 2004 14:53:09 -0400
Welcome to the world of Malware. There are many IE flaws that allow for the installation of spy/mal/ad :ware.
Either disable install on demand, apply XP SP2, or switch them to Mozilla to prevent future installs of this type.
Making HKLM\Software|Microsoft|Windows|CurrentVersion|Run read only via regedt32 will help as well.
Also install spybot (freeware from security.kolla.de, downloadable from download.com) version 1.3 _with_ tea timer,
which will protect your system settings and notify you if one is changed. Convince the user that No is his favorite
button to click on as well :)
From: aborg () mca org mt [mailto:aborg () mca org mt]
Sent: Monday, August 02, 2004 9:20 AM
To: Windows NTBugtraq Mailing List; bugtraq () securityfocus com
Has anyone heard of this IE hijacker?
One of our uses went through a devastating Sunday when he
tried to remove
this piece of software from his PC. It appears as a side
panel (on the
left) and prompts with suggestions when the user utilises
Google to perform
a search. Essentially, it notices what Google searches you
do and comes up
with suggestions in its own little window. However, if you
try to remove
the item using "Add/Remove Programs" (since it's listed),
you can end up
with massive problems with your computers. This user ended
up losing all
files on a secondary partition of his hard disk. I found
one post in a
forum where the poster claimed that it "trashed his OS" but
did not say
what was specifically affected.
The user was wise enough to try an undelete utility which
restored most but
not all of his files and then used XP's system restore
feature to attempt
to restore things back to a day before but this obviously
meant that the
utility re-appeared in "Add/Remove" and under "Program Files".
I didn't find much help on the net and no one seems to be
flagging it as a
potentially disturbing piece of malware except for the
above. Disassembling it showed that it has an embedded
and by using that I removed all traces to it from the registry.
The only files that were not recovered were images (mainly
belonging to his
daughter - and which weren't backed up; hereby proving
Murphy's law) and it
seems as if there was some kind of cross-linked references
in the file
table since opening some pics in an ASCII viewer shows quite
they are not pics but either PDFs, MP3s, etc. I renamed a
few of the files
and they worked. I'm not sure if this is SideFind or the
that did this though ...
What I'd like is more information as to how this damn
itself on the user's PC. He claims to have never
it and he's a reliable enough user for me to believe that he
click on "Yes" w/o reading the dialog first ...
Malta Communications Authority
Suite 43/44, "Il-Piazzetta"
Sliema SLM 16
Tel: +356 21 336840
Fax: +356 21 336846
Mob: +356 79 271852
"This is a lesson that the stars in the sky teach us - they
may be related
to the sun, and just as brilliant, but they never appear in
Baltasar Gracian, 1601 - 1658
- SideFind aborg (Aug 02)
- <Possible follow-ups>
- RE: SideFind Polazzo Justin (Aug 02)