The Arrogant idgsearch.com (and Coolwebsearch)
(Updated on October 17, 2004, 2:41PM +0530GMT)
Original Post(Nov 2k3) is here. Removal/Cleaning instructions are here.
Details of Newer Variant are here
(see update 17 Oct. below)
|
Last Update (17 October
2004): In last one year or so, many variants of this "trojan"
have been seen. The most arrogant one being homepage being reset to
coolwebsearch.com and popping-up of many unintentional windows. Many of the
variants are identified by Antivitus software as "Downloader.Digits",
"Downloader.Trojan" (NAV) or similar. Rossano Ferraris and
Andrew Aronoff have done some new research and also offer Removal script for a
common and dreaded variant that use shield-dll installed by the trojan as BHO.
Read more or download at http://www.silentrunners.org/sr_cwsremoval.html
|
Last Update (17 March2k4): This
trojan is identified by most Antivirus Software now. It is commonly known as
Trojan.Digits and you may have ignored the Antivirus Warning in case you are
"infected" by the trojan. You simply need to clean your system now
using the removal tool.
|
Update 20 December 2003: Download removal tool for Cool Web Search hijack - a problem similar to idgsearch...
Comments maybe sent to comments@inderjeetsodhi.com
|
Norton Updated with Definitions dated 11 Nov. detects the files as infected with downloader.Trojan. At least one file, ddm_d.exe downloaded in c:\program files\ddm_d.exe was found to have initiated the process (but this does not mean it is THE ONLY trojan file).
|
Problem: MS Internet Explorer keeps re-setting default page to idgsearch.com and upon clicking on a link on the results page of some search engine, opens some other URL (or does not open a page)-referred to as URL hijacking by some people.
Symptoms: a) Internet explorer sets idgsearch.com as default home page and opens the same when IE is started.
b) When a link is opened in a new window, another window with some other URL opens automatically.
c) Windows Media Player fails to open
d) Changed Windows Media Player icon (version 9)
e) Presence of unwanted entries in "Trusted Sites" list of Internet Explorer
Inference: Possible spyware/worm affecting the system.
Cause: Multiple Vulnerabilities in unpatched Internet Explorer's javascript:somecode() type URL handling functions and cross domain safe zone entries.
Patch Status: MS03-48, Available
|
Thanks to everyone who responded with more information, and specifically Jelmer, who provided the links mentioned herein.
Here is the new summary:
The affected systems not only comprise Windows XP but also Windows 98/ME/2K. Windows 2003 and others were not available for testing. Probably all systems that have unpatched IE installed are susceptible to this problem. The threats are very serious as there is no user intervention required to reach some of the core security configuration areas of Internet Explorer. There can be more serious outcomes based on these flaws. The current "worm" does not open malicious site, but another similar worm maybe on its way that sets the homepage to a malicious site which can futher download some code that, perhaps, erases the harddisk.
The exploit and technical details are here:
http://www.derkeiler.com/Mailing-Lists/Full-Disclosure/2003-09/0654.html
Patch by Microsoft (MS03-48) is available from:
http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS03-048.asp
The patch covers issues in the Cross Domain Security model (by Liu Die Yu) :
File Protocol Proxy Vulnerabilty: http://safecenter.net/liudieyu/WsOpenFileJPU/WsOpenFileJPU-Content.HTM
The javacript:code() placement and history.back() caching related issue
http://safecenter.net/liudieyu/NAFjpuInHistory/NAFjpuInHistory-Content.HTM
Opening a javascript:code() type URL in the search pane:
http://safecenter.net/liudieyu/WsFakeSrc/WsFakeSrc-Content.HTM
There have been further advances in the above flaws in last 3 days or so and it seems unpatched systems may face a lot of trouble in the coming time. The vendor, Microsoft, as usual is following their evergreen plug-the-current-hole-forget-the-rest attitude.
|
Old Post(as sent to Bugtraq on 15 Nov 2003) |
Hi everyone,
Here is a piece of information i'd like to share. Sorry of its old or irrelevant but I haven't noticed a mention of this on bugtraq, so am posting my experience with "the arrogant idsearch homepage".
For about two weeks we've been getting complaints from various stand-alone cutomers about automatic setting of idgsearch.com as their default homepage. Symantec and McAfee also had nothing initially (around 2nd November). So we sat down and started exploring.
Now during these days, some interesting facts were observed. The spyware/worm seems to use many of the exploits/bugs mentioned on bugtraq, like those mentioned by Jelmer, Thor Larholm, Liu Die Yu(IE, XML amd WMP related) and mindWarper(Internet Explorer and Opera local zone restriction bypass).
Once the user gets this syware/worm into their computer, it uses the MediaPlayer.exe to trigger set registry entries. When "infected" mediaplayer is run, it drops the googleMS.dll file in user's application data folder. Even after removal of the registry entries, they again are set unless the googleMS.dll file is not deleted. we also found some entries in trusted zones of the affected computers, despite Norton Personal Firewall running (with updates) on two of the systems. All the systems had at least one anti-virus program, mostly Norton.
Besides manual editing, we were able to locate the registry entries using HijackThis!. SpybotPro typically failed to identify the entries or the file.
The cause, as usual, is unpatched versions of IE, possibly the patched versions may also be susceptible to the infection.
|