yet another Smartsearch


#1 Guest_dieter_*

  • Guests

Posted 27 June 2004 - 06:20 AM

I took a little time to track some version of Smartsearch, which attacked my computer about a week ago. This version was not listed by spyware removers and was not detected/removed by any of them.
So I did some snooping to find out where it possibly came from and what this trojan contains.

Symptoms of this version were:
IE start page overtaken each time when closing IE.
hosts file overwritten each time when closing IE.
about:blank page itself was okay and pressing the Homepage button or Alt+Home was working fine.
As I didn't look at the behaviour of this trojan for a long time, I can't tell whether it makes connections to the outside world for spamming or confidential information grabbing purposes, etc.

Trojan basically puts at least 2 files on your hard drive: some startup executable named wmscrop.exe which, after execution, downloads the resident-installable trojan itself, whose name is possibly "floating". Previously it had a constant name like msxword.dll, but later I saw it uses names something like SYSTEMXXXXXXXX.DLL.
This X is replaced by some other letter each time.
File size is constant in both cases, and it is exactly 41472 bytes and the file date&time is 29-01-2000 20:35.
Both files, the one-time executable wmscrop.exe and the main executable with COM/OLE classes msxword.dll (or this SYSTEMXXXXXXXX.DLL), are located in the SYSTEMROOT directory (\windows\system or \windows\system32).

It adds some keys to the registry for its COM/OLE classes:

It changes or adds some values to HKEY_CLASSES_ROOT\PROTOCOLS\Handlers.
"about" and "start" are replaced with GUIDs of the trojan COM/OLE classes.
Possibly a "start" key did not exist previously. I just deleted it.

How to remove the trojan.

Close all instances of IE.
Look for the DLL name in the first three registry keys pointed out above. Below there, in \InprocServer, it should say what the name is.
Delete this DLL (msxword.dll or SYSTEMXXXXXXXX.DLL or something else) and wmscrop.exe.
Delete those first 3 registry keys with all of their contents.
Trojan COM/OLE classes GUIDs are {53B95***-7D77-11D2-00104B107C96}.
Replace HKEY_CLASSES_ROOT\PROTOCOLS\Handlers\about with
GUID like {3050F406-98B5-11CF-BB82-00AA00BDCE0B}
(default handler by IE).
Delete HKEY_CLASSES_ROOT\PROTOCOLS\Handlers\start or replace its content with something suitable.

Where does this trojan come from?
One possible variant for that is a server like zloeboogle.biz, which possibly is hosted by some kind of Russians, as this page does say:

Trojan uses Microsoft-Java VM VerifyBug.

Locations of trojan files are currently these:
NOTICE!!! DON'T CLICK THEM HERE, USE WGET OR SOME OTHER SOFTWARE TO DOWNLOAD THEM SAFELY! (just if interested in trojan background and techniques)
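
A read-only audit script for the indicators described in this post, added here as an example; it is not part of dieter's post or of any tool he mentions. It assumes PowerShell 3 or later; the IE handler CLSID and the 41472-byte size are quoted from the post, while the function and variable names are mine. Note that on Windows the key is PROTOCOLS\Handler (singular); the script checks that path as well as the "Handlers" spelling used above.

```powershell
# Added audit script (not from the original post). Reports the registry and file
# indicators the post describes; it never deletes anything.
$IeAboutHandler = '{3050F406-98B5-11CF-BB82-00AA00BDCE0B}'  # IE's own "about" handler CLSID (from the post)
$TrojanDllSize  = 41472                                      # DLL size reported in the post

function Get-ProtocolHandler {
    # Returns the CLSID registered for a PROTOCOLS handler and the DLL it resolves to.
    param([string]$Protocol)
    # Windows uses PROTOCOLS\Handler; the post spells it Handlers, so both are checked.
    foreach ($branch in 'Handler', 'Handlers') {
        $key = "Registry::HKEY_CLASSES_ROOT\PROTOCOLS\$branch\$Protocol"
        if (-not (Test-Path $key)) { continue }
        $clsid  = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).CLSID
        $server = $null
        if ($clsid) {
            $inproc = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
            if (Test-Path $inproc) { $server = (Get-ItemProperty -Path $inproc).'(default)' }
        }
        [pscustomobject]@{ Protocol = $Protocol; Key = $key; CLSID = $clsid; Server = $server }
    }
}

# 1. Handler check: "about" should point at IE's own CLSID; "start" normally does not exist.
foreach ($h in (Get-ProtocolHandler 'about')) {
    if ($h.CLSID -ne $IeAboutHandler) {
        Write-Warning "about handler hijacked: CLSID=$($h.CLSID) server=$($h.Server)"
    } else {
        Write-Output "about handler OK ($($h.Key))"
    }
}
foreach ($h in (Get-ProtocolHandler 'start')) {
    Write-Warning "unexpected 'start' handler: CLSID=$($h.CLSID) server=$($h.Server)"
}

# 2. File check: wmscrop.exe, msxword.dll, or a 41472-byte SYSTEMXXXXXXXX.DLL in the system directory.
$sysDir = [Environment]::SystemDirectory
Get-ChildItem -Path $sysDir -File -ErrorAction SilentlyContinue |
    Where-Object {
        $_.Name -ieq 'wmscrop.exe' -or $_.Name -ieq 'msxword.dll' -or
        ($_.Name -like 'SYSTEM????????.DLL' -and $_.Length -eq $TrojanDllSize)
    } |
    ForEach-Object { Write-Warning "suspicious file: $($_.FullName) ($($_.Length) bytes, $($_.LastWriteTime))" }
```

Run it from an elevated prompt so the CLSID\InprocServer32 lookups succeed; the warnings give you the DLL path to remove by the steps above.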
