idsearch.com and googleMS.DLL
Hi everyone,
Here is a peice of information i'd like to share. Sorry of its
old or irrelevant but I haven't noticed a mention of this on
bugtraq, so am posting my experience with "the arrogant idsearch
default homepage".
For about two weeks we've been getting complaints from various
stand-alone cutomers about automatic setting of idgsearch.com as
their default homepage. Symantec and McAfee also had nothing
initially (around 2nd November). So we sat down and started
exploring.
Now during these days, some interesting facts were observed. The
spyware/worm seems to use many of the exploits/bugs mentioned on
bugtraq, like those mentioned by Jelmer, Thor Larholm, Liu Die Yu
(IE, XML amd WMP related) and mindWarper(Internet Explorer and
Opera local zone restriction bypass).
Once the user gets this syware/worm into their computer, it uses
the MediaPlayer.exe to trigger set registry entries.
When "infected" mediaplayer is run, it drops the googleMS.dll
file in user's application data folder. Even after removal of the
registry entries, they again are set unless the googleMS.dll file
is not deleted. we also found some entries in trusted zones of
the affected computers, despite Norton Personal Firewall running
(with updates) on two of the systems. All the systems had at
least one anti-virus program, mostly Norton.
Besides manual editing, we were able to locate the registry
entries using HijackThis!. SpybotPro typically failed to identify
the entries or the file.
The cause, as usual, is unpatched versions of IE, possibly the
patched versions may also be susceptible to the infection.
More information on how it gets initiated would be appreciated.
Best wishes.
Inderjeet S Sodhi
IT Consultant, S/W and E-Security Solution Provider,
Web/WAP Developer and Beta Tester.
wwwDOTinderjeetsodhiDOTcom
This text online at: http://www.inderjeetsodhi.com/eSec/index.php