Guest dieter

yet another Smartsearch

1 post in this topic

I took a little time to track some version of Smartsearch, which attacked my computer about a week ago. This version was not listed by spyware removers and was not detected/removed by any of them.

So I did some snooping to find out where it possibly came from and what this trojan contains.

Symptoms of this version were:

IE start page taken over each time IE was closed.

hosts file overwritten each time IE was closed.

The about:blank page itself was okay, and pressing the Home button or Alt+Home worked fine.

As I didn't observe the behaviour of this trojan for long, I can't tell whether it makes connections to the outside world for spamming, grabbing confidential information, etc.

 

The trojan basically puts at least 2 files on your hard drive: a startup executable named wmscrop.exe which, after execution, downloads the residently installable trojan itself, whose name is possibly "floating". Previously it had a constant name like msxword.dll, but later I saw it using names like SYSTEMXXXXXXXX.DLL.

Each X is replaced by some other letter each time.

Filesize is constant in both cases: exactly 41472 bytes, and the file date & time is 29-01-2000 20:35.

Both files, the one-time executable wmscrop.exe and the main executable with COM/OLE classes msxword.dll (or this SYSTEMXXXXXXXX.DLL), are located in the SYSTEMROOT directory (\windows\system or \windows\system32).

It adds some keys to the registry for its COM/OLE classes:

HKEY_CLASSES_ROOT\CLSID\{53B95211-7D77-11D2-9F81-00104B107C96}

HKEY_CLASSES_ROOT\TypeLib\{53B95204-7D77-11D2-9F81-00104B107C96}

HKEY_CLASSES_ROOT\Interface\{53B95210-7D77-11D2-9F81-00104B107C96}

It changes or adds some values under HKEY_CLASSES_ROOT\PROTOCOLS\Handlers.

"about" and "start" are replaced with the GUIDs of the trojan's COM/OLE classes.

Possibly the "start" key did not exist previously. I just deleted it.

How to remove the trojan.

Close all instances of IE.

Look for the DLL name in the first three registry keys pointed out above. There, under \InprocServer, it should say what the name is.

Delete this DLL (msxword.dll or SYSTEMXXXXXXXX.DLL or something else) and wmscrop.exe.

Delete those first 3 registry keys with all of their contents.

The trojan's COM/OLE class GUIDs are {53B95***-7D77-11D2-00104B107C96}.

Replace HKEY_CLASSES_ROOT\PROTOCOLS\Handlers\about with a GUID like {3050F406-98B5-11CF-BB82-00AA00BDCE0B} (the default handler by IE).

Delete HKEY_CLASSES_ROOT\PROTOCOLS\Handlers\start or replace its content with something suitable.

Where did this trojan come from?

One possible source is a server like zloeboogle.biz, which is possibly hosted by some kind of Russians, as this page says:

http://www.tanger.ru/board/forum.php?mode=...&nick=-infinity

The trojan uses the Microsoft Java VM VerifyBug.

The locations of the trojan files are currently these:

NOTICE!!! DON'T CLICK THEM HERE, USE WGET OR SOME OTHER SOFTWARE TO DOWNLOAD THEM SAFELY! (just if interested in trojan background and techniques)

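As an added, defensive illustration (not part of dieter's post), the Python below checks an exported .reg file for the indicators listed above: class keys carrying the {53B95xxx-7D77-11D2-9F81-00104B107C96} GUID pattern, the DLL path under their InprocServer32 subkey (the post writes \InprocServer; InprocServer32 is the standard key name), a PROTOCOLS\Handlers\about CLSID that is not IE's default, and the presence of a Handlers\start key. The sample export is constructed for the demonstration, not a real capture.

```python
import re

# Indicators taken from the post: the trojan's class GUIDs share the prefix
# 53B95 and the tail -7D77-11D2-9F81-00104B107C96; IE's stock handler for
# the about: protocol is {3050F406-98B5-11CF-BB82-00AA00BDCE0B}.
TROJAN_GUID = re.compile(r"\{53B95[0-9A-F]{3}-7D77-11D2-9F81-00104B107C96\}", re.I)
IE_ABOUT_HANDLER = "{3050F406-98B5-11CF-BB82-00AA00BDCE0B}"
HANDLERS = r"HKEY_CLASSES_ROOT\PROTOCOLS\Handlers"


def parse_reg(text):
    """Parse a regedit export into {key_path: {value_name: string_data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            # .reg exports escape backslashes inside string data
            keys[current][name] = data.strip('"').replace("\\\\", "\\")
    return keys


def check_reg_export(text):
    """Report the registry symptoms described in the post for one export."""
    keys = parse_reg(text)
    trojan_keys = [k for k in keys if TROJAN_GUID.search(k)]
    # Removal step 2 of the post: the DLL name is the default value of InprocServer32
    dlls = [keys[k]["(Default)"] for k in trojan_keys
            if k.upper().endswith("\\INPROCSERVER32") and "(Default)" in keys[k]]
    about = keys.get(HANDLERS + r"\about", {}).get("CLSID")
    return {
        "trojan_keys": trojan_keys,
        "dlls": dlls,
        "about_hijacked": about is not None and about.upper() != IE_ABOUT_HANDLER,
        "start_present": HANDLERS + r"\start" in keys,
    }


# Constructed sample export mirroring an infected machine (not a real capture).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{53B95211-7D77-11D2-9F81-00104B107C96}\InprocServer32]
@="C:\\WINDOWS\\SYSTEM32\\SYSTEMABCDEFGH.DLL"

[HKEY_CLASSES_ROOT\PROTOCOLS\Handlers\about]
"CLSID"="{53B95211-7D77-11D2-9F81-00104B107C96}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Handlers\start]
"CLSID"="{53B95211-7D77-11D2-9F81-00104B107C96}"
"""
```

Run `check_reg_export(open("export.reg", encoding="utf-16").read())` against a `regedit /e` export of HKEY_CLASSES_ROOT; a clean machine yields no trojan keys, `about_hijacked` False and no `start` key.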
