
RE: SideFind



Welcome to the world of malware. There are many IE flaws that allow for the 
installation of spyware/malware/adware.

Either disable install on demand, apply XP SP2, or switch them to Mozilla to 
prevent future installs of this type.

Making HKLM\Software\Microsoft\Windows\CurrentVersion\Run read-only via 
regedt32 will help as well.

Also install Spybot (freeware from security.kolla.de, downloadable from 
download.com) version 1.3 _with_ TeaTimer, which will protect your system 
settings and notify you if one is changed. Convince the user that "No" is his 
favourite button to click on as well :)

HTH

jp
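The two registry-side measures in the reply above (look at what is wired into the Run keys, then make the HKLM Run key read-only) are the sort of thing an administrator would script rather than do by hand in regedt32. The following is an added example, not code from the original thread or from any tool it mentions. It enumerates the Run/RunOnce autostart values and the IE Browser Helper Object registrations (the assumption, not stated in the thread, being that a side-panel "search helper" of this kind is registered as a BHO), and then adds a Deny ACE for BUILTIN\Users on the HKLM Run key so that new values cannot be written there. It assumes an elevated PowerShell session on a modern Windows host; the original thread predates PowerShell.

```powershell
# Added example (not from the original post). Audit common autostart and IE
# add-on registration points, then restrict HKLM\...\Run as the reply suggests.
# Assumes: elevated session; interactive user is in BUILTIN\Users.

$AutostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$BhoKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
$ClsidKey = 'HKLM:\SOFTWARE\Classes\CLSID'

# List every autostart value with its command line, so an unfamiliar entry
# stands out next to the expected ones.
function Get-AutostartEntry {
    foreach ($key in $AutostartKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $item = Get-Item -Path $key              # Microsoft.Win32.RegistryKey
        foreach ($name in $item.GetValueNames()) {
            [PSCustomObject]@{
                Key     = $key
                Name    = $name
                Command = $item.GetValue($name)
            }
        }
    }
}

# Resolve each registered BHO CLSID to the DLL that implements it. A BHO is
# loaded into every IE process, which is how a "side panel" add-on gets in.
function Get-BrowserHelperObject {
    if (-not (Test-Path -Path $BhoKey)) { return }
    foreach ($sub in Get-ChildItem -Path $BhoKey) {
        $clsid  = $sub.PSChildName
        $server = Join-Path -Path $ClsidKey -ChildPath "$clsid\InprocServer32"
        $dll    = if (Test-Path -Path $server) { (Get-Item -Path $server).GetValue('') } else { '<no InprocServer32>' }
        [PSCustomObject]@{ CLSID = $clsid; Dll = $dll }
    }
}

# Deny BUILTIN\Users the rights needed to add or change entries under the
# HKLM Run key. Read access is untouched, so logon processing still works.
function Protect-RunKey {
    param([string]$KeyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run')
    $rights = [System.Security.AccessControl.RegistryRights]::SetValue -bor
              [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
              [System.Security.AccessControl.RegistryRights]::Delete
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        'BUILTIN\Users',
        $rights,
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Deny)
    $acl = Get-Acl -Path $KeyPath
    $acl.AddAccessRule($rule)
    Set-Acl -Path $KeyPath -AclObject $acl
}

# Remove the Deny ACE again, e.g. before running a legitimate installer that
# needs to register a Run value.
function Unprotect-RunKey {
    param([string]$KeyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run')
    $acl = Get-Acl -Path $KeyPath
    $acl.Access |
        Where-Object { $_.AccessControlType -eq 'Deny' -and $_.IdentityReference -eq 'BUILTIN\Users' } |
        ForEach-Object { [void]$acl.RemoveAccessRule($_) }
    Set-Acl -Path $KeyPath -AclObject $acl
}

Get-AutostartEntry       | Format-Table -AutoSize
Get-BrowserHelperObject  | Format-Table -AutoSize
Protect-RunKey
(Get-Acl -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run').Access |
    Where-Object { $_.AccessControlType -eq 'Deny' } | Format-Table -AutoSize
```

Two caveats a practitioner would want. First, local administrators are members of BUILTIN\Users, so the Deny ACE also stops an admin (and any installer the admin launches) from writing to that key; that is exactly the effect the reply's "read-only" advice has, and it is why Unprotect-RunKey is provided. Second, HKCU\...\Run and the BHO key are still writable, so a drive-by install that targets those locations is not blocked by this step alone; the reply's other measures (disabling install-on-demand, SP2, TeaTimer's change notifications) address those paths.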

>> -----Original Message-----
>> From: aborg@xxxxxxxxxx [mailto:aborg@xxxxxxxxxx]
>> Sent: Monday, August 02, 2004 9:20 AM
>> To: Windows NTBugtraq Mailing List; bugtraq@xxxxxxxxxxxxxxxxx
>> Subject: SideFind
>> 
>> Hi ..
>> 
>> Has anyone heard of this IE hijacker?
>> 
>> One of our users went through a devastating Sunday when he tried to remove
>> this piece of software from his PC.  It appears as a side panel (on the
>> left) and prompts with suggestions when the user utilises Google to perform
>> a search.  Essentially, it notices what Google searches you do and comes up
>> with suggestions in its own little window.  However, if you try to remove
>> the item using "Add/Remove Programs" (since it's listed), you can end up
>> with massive problems with your computers.  This user ended up losing all
>> files on a secondary partition of his hard disk.  I found one post in a
>> forum where the poster claimed that it "trashed his OS" but did not say
>> what was specifically affected.
>> 
>> The user was wise enough to try an undelete utility which restored most but
>> not all of his files and then used XP's System Restore feature to attempt
>> to restore things back to a day before, but this obviously meant that the
>> utility re-appeared in "Add/Remove" and under "Program Files".
>> 
>> I didn't find much help on the net and no one seems to be flagging it as a
>> potentially disturbing piece of malware except for the poster mentioned
>> above.  Disassembling it showed that it has an embedded registry resource
>> and by using that I removed all traces to it from the registry.
>> 
>> The only files that were not recovered were images (mainly belonging to his
>> daughter - and which weren't backed up; hereby proving Murphy's law) and it
>> seems as if there were some kind of cross-linked references in the file
>> table, since opening some pics in an ASCII viewer shows quite clearly that
>> they are not pics but either PDFs, MP3s, etc.  I renamed a few of the files
>> and they worked.  I'm not sure if this is SideFind or the undelete utility
>> that did this though ...
>> 
>> What I'd like is more information as to how this damn utility installed
>> itself on the user's PC.  He claims to have never intentionally installed
>> it and he's a reliable enough user for me to believe that he didn't just
>> click on "Yes" w/o reading the dialog first ...
>> 
>> Antoine Borg
>> Network Administrator
>> 
>> Malta Communications Authority
>> Suite 43/44, "Il-Piazzetta"
>> Tower Road
>> Sliema SLM 16
>> Malta G.C.
>> 
>> Tel: +356 21 336840
>> Fax: +356 21 336846
>> Mob: +356 79 271852
>> 
>> ----------
>> "This is a lesson that the stars in the sky teach us - they may be related
>> to the sun, and just as brilliant, but they never appear in her company"
>> Baltasar Gracian, 1601 - 1658
>> 