Security Incidents mailing list archives

RE: idsearch.com and GoogleMs.dll


From: "Sarbjit Singh Gill" <ssgill () gilltechnologies com>
Date: Mon, 17 Nov 2003 22:50:10 +0800

I had the exact problem a week or two back.

Spybot-S&D did the job of cleaning it up for me.

Sarbjit Singh Gill


-----Original Message-----
From: trappers [mailto:trappers () mail15 com] 
Sent: Sunday, November 16, 2003 11:25 PM
To: incidents () securityfocus com
Subject: idsearch.com and GoogleMs.dll

Hi everyone, here is a piece of information I'd like to share.
Sorry if it's old or irrelevant, but I haven't noticed a mention of this on
bugtraq, so am posting my experience with "the arrogant idsearch homepage".

For about two weeks we've been getting complaints from various stand-alone
customers about automatic setting of idgsearch.com as their default homepage.
Symantec and McAfee also had nothing initially (around 2nd November). So we
sat down and started exploring. 

Now during these days, some interesting facts were observed. The
spyware/worm seems to use many of the exploits/bugs mentioned on bugtraq,
like those mentioned by Jelmer, Thor Larholm, Liu Die Yu (IE, XML and WMP
related) and mindWarper(Internet Explorer and Opera local zone restriction
bypass). 

Once the user gets this spyware/worm into their computer, it uses the
MediaPlayer.exe to trigger set registry entries.
When the "infected" mediaplayer is run, it drops the googleMS.dll file in the user's
application data folder. Even after removal of the registry entries, they
are set again unless the googleMS.dll file is deleted. We also found
some entries in trusted zones of the affected computers, despite Norton
Personal Firewall running (with updates) on two of the systems. All the
systems had at least one anti-virus program, mostly Norton. 

Besides manual editing, we were able to locate the registry entries using
HijackThis!. SpybotPro typically failed to identify the entries or the file.


The cause, as usual, is unpatched versions of IE, possibly the patched
versions may also be susceptible to the infection. 

---------------------------------------------------------------------------
Network with over 10,000 of the brightest minds in information security at
the largest, most highly-anticipated industry event of the year.
Don't miss RSA Conference 2004! Choose from over 200 class sessions and see
demos from more than 250 industry vendors. If your job touches security, you
need to be here. Learn more or register at
http://www.securityfocus.com/sponsor/RSA_incidents_031023
and use priority code SF4.
----------------------------------------------------------------------------


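The report above boils down to three registry symptoms that an administrator has to find on each affected machine: a rewritten IE start page, extra domains in the Trusted sites zone, and a persistence entry that reloads googleMS.dll from the user's Application Data folder so the settings come back after a manual clean-up. The following script is an added example and is not code from either poster or from HijackThis or Spybot: it parses a `reg export` dump offline and flags those three symptoms, so one export per machine can be reviewed centrally. The sample .reg text, the approved-homepage set and the approved Trusted-sites list are constructed assumptions for this illustration; replace them with your own site baseline.

```python
import re

# Constructed sample of a `reg export` dump (not taken from the thread); the
# paths mirror the registry locations the report mentions: IE start page,
# Trusted-sites zone entries, and an autostart entry loading a DLL from the
# user's Application Data folder.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.idsearch.com/"
"Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\idsearch.com]
"*"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\windowsupdate.com]
"http"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"GoogleMS"="rundll32.exe \"C:\\Documents and Settings\\user\\Application Data\\googleMS.dll\",Start"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''

IE_MAIN = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main"
ZONE_DOMAINS = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
                r"\Internet Settings\ZoneMap\Domains")
RUN_KEYS = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
            r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run")
TRUSTED_ZONE = 2  # ZoneMap value 2 = "Trusted sites"

# Assumed site baselines (not from the thread): what the homepage/search page
# and the Trusted-sites list are allowed to contain.
APPROVED_URLS = {"about:blank", "http://www.msn.com/",
                 "http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"}
APPROVED_TRUSTED = {"windowsupdate.com"}


def parse_reg(text):
    """Parse a minimal .reg export into {key_path: {value_name: value}}.
    Only REG_SZ ("...") and REG_DWORD (dword:xxxxxxxx) values are decoded;
    other value types are kept as their raw right-hand side."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if m is None or current is None:
            continue
        name, rhs = m.group(1), m.group(2)
        if rhs.startswith('"') and rhs.endswith('"'):
            value = re.sub(r'\\(.)', r'\1', rhs[1:-1])  # undo .reg escaping (\\ and \")
        elif rhs.startswith("dword:"):
            value = int(rhs[len("dword:"):], 16)
        else:
            value = rhs
        keys[current][name] = value
    return keys


def audit(keys):
    """Return (category, detail) findings for the three symptoms in the report."""
    findings = []
    # 1. Start/search page not on the approved list.
    main = keys.get(IE_MAIN, {})
    for name in ("Start Page", "Search Page", "Default_Page_URL"):
        url = main.get(name)
        if url is not None and url.lower() not in APPROVED_URLS:
            findings.append(("homepage", f"{name} = {url}"))
    # 2. Domains mapped into the Trusted-sites zone that are not baseline.
    #    Host-specific entries show up as "domain\host" under ZoneMap\Domains.
    prefix = ZONE_DOMAINS + "\\"
    for key, values in keys.items():
        if not key.startswith(prefix):
            continue
        domain = key[len(prefix):].lower()
        if domain not in APPROVED_TRUSTED and TRUSTED_ZONE in values.values():
            findings.append(("trusted-zone", f"{domain} placed in Trusted sites"))
    # 3. Autostart entries that load anything from the user's profile data dir.
    for run_key in RUN_KEYS:
        for name, cmd in keys.get(run_key, {}).items():
            low = str(cmd).lower()
            if "application data" in low or "\\appdata\\" in low:
                findings.append(("autorun", f"{name} -> {cmd}"))
    return findings


if __name__ == "__main__":
    import sys
    # `reg export` writes UTF-16 with a BOM; fall back to the built-in sample.
    text = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else SAMPLE_REG
    for category, detail in audit(parse_reg(text)):
        print(f"[{category}] {detail}")
```

Run it against `reg export HKCU hkcu.reg` taken from a complaining workstation; a clean run should report nothing. Because the poster found the start-page and zone entries reappearing until the DLL itself was removed, re-export and re-run after deleting the file and rebooting rather than trusting a single pass.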

