[35937] in bugtraq


RE: SideFind

daemon@ATHENA.MIT.EDU (Polazzo Justin)
Mon Aug 2 16:30:44 2004

content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"
Date: Mon, 2 Aug 2004 14:53:09 -0400
Message-ID: <FEBC66CCD411744381228574BAB53A9B35C22D@MAIL.fac.gatech.edu>
From: "Polazzo Justin" <Justin.Polazzo@facilities.gatech.edu>
To: <aborg@mca.org.mt>
Cc: <bugtraq@securityfocus.com>, <NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM>
Content-Transfer-Encoding: 8bit

Welcome to the world of Malware. There are many IE flaws that allow for the installation of spy/mal/adware.

Either disable install on demand, apply XP SP2, or switch them to Mozilla to prevent future installs of this type.

Making HKLM\Software\Microsoft\Windows\CurrentVersion\Run read only via regedt32 will help as well.

Also install Spybot (freeware from security.kolla.de, downloadable from download.com) version 1.3 _with_ TeaTimer, which will protect your system settings and notify you if one is changed. Convince the user that No is his favorite button to click on as well :)

HTH

jp

>> -----Original Message-----
>> From: aborg@mca.org.mt [mailto:aborg@mca.org.mt]
>> Sent: Monday, August 02, 2004 9:20 AM
>> To: Windows NTBugtraq Mailing List; bugtraq@securityfocus.com
>> Subject: SideFind
>> 
>> Hi ..
>> 
>> Has anyone heard of this IE hijacker?
>> 
>> One of our users went through a devastating Sunday when he tried to remove this piece of software from his PC.  It appears as a side panel (on the left) and prompts with suggestions when the user utilises Google to perform a search.  Essentially, it notices what Google searches you do and comes up with suggestions in its own little window.  However, if you try to remove the item using "Add/Remove Programs" (since it's listed), you can end up with massive problems with your computers.  This user ended up losing all files on a secondary partition of his hard disk.  I found one post in a forum where the poster claimed that it "trashed his OS" but did not say what was specifically affected.
>> 
>> The user was wise enough to try an undelete utility which restored most but not all of his files and then used XP's system restore feature to attempt to restore things back to a day before but this obviously meant that the utility re-appeared in "Add/Remove" and under "Program Files".
>> 
>> I didn't find much help on the net and no one seems to be flagging it as a potentially disturbing piece of malware except for the poster mentioned above.  Disassembling it showed that it has an embedded registry resource and by using that I removed all traces of it from the registry.
>> 
>> The only files that were not recovered were images (mainly belonging to his daughter - and which weren't backed up; hereby proving Murphy's law) and it seems as if there was some kind of cross-linked references in the file table since opening some pics in an ASCII viewer shows quite clearly that they are not pics but either PDFs, MP3s, etc.  I renamed a few of the files and they worked.  I'm not sure if this is SideFind or the undelete utility that did this though ...
>> 
>> What I'd like is more information as to how this damn utility installed itself on the user's PC.  He claims to have never intentionally installed it and he's a reliable enough user for me to believe that he didn't just click on "Yes" w/o reading the dialog first ...
>> 
>> Antoine Borg
>> Network Administrator
>> 
>> Malta Communications Authority
>> Suite 43/44, "Il-Piazzetta"
>> Tower Road
>> Sliema SLM 16
>> Malta G.C.
>> 
>> Tel: +356 21 336840
>> Fax: +356 21 336846
>> Mob: +356 79 271852
>> 
>> ----------
>> "This is a lesson that the stars in the sky teach us - they may be related to the sun, and just as brilliant, but they never appear in her company"
>> Baltasar Gracian, 1601 - 1658
>> 
>> 

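The reply's two pieces of advice, guarding the Run autostart key and being told when a system setting changes, as an added detection example that is not part of the thread: it parses two regedit exports of the Run key (a clean baseline and a later snapshot, both constructed here) and reports autostart entries that appeared, vanished or changed. The value names and paths in the samples are hypothetical; the parser picks up both the HKLM and HKCU Run keys if an export contains them.

```python
import re

# Constructed sample regedit exports of the Run key (not from the thread): a
# baseline taken on a known-clean day and a later snapshot. The "SideFind"
# entry and its path are hypothetical values used only for this demonstration.
BASELINE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Antivirus"="\"C:\\Program Files\\AV\\guard.exe\" /silent"
'''
CURRENT_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Antivirus"="\"C:\\Program Files\\AV\\guard.exe\""
"SideFind"="C:\\Program Files\\SideFind\\sidefind.exe"
'''
# A .reg value line is  "name"="data"  with \ and " escaped by a backslash.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

def _unescape(s):
    return re.sub(r'\\(.)', r'\1', s)  # \\ -> \  and  \" -> "

def parse_run_values(reg_text, key_suffix=r'\CurrentVersion\Run'):
    """Return {value_name: data} for every key whose path ends in key_suffix,
    so both the HKLM and the HKCU Run keys in one export are picked up."""
    values, in_run = {}, False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            in_run = line[1:-1].lower().endswith(key_suffix.lower())
            continue
        m = VALUE_RE.match(line) if in_run else None
        if not m:
            continue
        name, data = m.groups()
        if data.startswith('"') and data.endswith('"'):
            data = _unescape(data[1:-1])  # quoted REG_SZ; other types kept raw
        values[_unescape(name)] = data
    return values

def diff_autostart(baseline_text, current_text):
    """Autostart entries added, removed or changed since the clean baseline."""
    base, cur = parse_run_values(baseline_text), parse_run_values(current_text)
    return {
        'added': {k: v for k, v in cur.items() if k not in base},
        'removed': {k: v for k, v in base.items() if k not in cur},
        'changed': {k: (base[k], v) for k, v in cur.items() if k in base and base[k] != v},
    }
```

Real exports written by regedit are UTF-16 text, so read them with `open(path, encoding='utf-16').read()` before passing them to `diff_autostart`; on the constructed samples the report shows `SideFind` as added and the `Antivirus` command line as changed.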