Posted on 03/03/2005 1:39:36 PM PST by holymoly
Security experts issued a warning this morning after detecting infections caused by Searchmeup, the first adware to use the Exploit/LoadImage vulnerability which downloads itself onto computers without the user's permission.
Panda Software's PandaLabs warned that the pages from which Searchmeup are downloaded also contain a series of exploits to download other malware onto the computer, such as the Tofger.AT Trojan, which steals banking passwords, Dialer.BB and Dialer.NO, and adware called Adware/TopConvert.
Searchmeup is downloaded onto the computer when the user visits maliciously coded web pages. Once installed it changes the home page to that of a search engine that displays pop-ups every time it loads with the aim of installing spyware and diallers on infected computers.
Searchmeup affects computers running Windows 2003, XP, 2000, NT, Me and 98, and allows arbitrary code to be run.
It could be exploited by an attacker hosting a specially crafted cursor or icon on a malicious web page or HTML email. Microsoft has released a patch to correct this problem, and users are advised to install it immediately.
The web pages from which Searchmeup is downloaded also drop Tofger.AT onto computers, a Trojan which runs every time Internet Explorer is opened.
Tofger.AT keeps track of the user's internet activity, logging passwords for secure 'https' connections which are often used for connections with online banks. Once it has collected this information, Tofger.AT sends it to a remote server.
Searchmeup can also generate an error in the 'services.exe' file, informing users that the computer will be restarted in one minute.
After the restart, the computer operates perfectly. On some occasions Searchmeup can also display blue screen errors, and Tofger.AT can actually update itself to a new version.
"The Exploit/LoadImage vulnerability can be used on web pages or HTML email by crafting a special icon or image file that causes a buffer overflow that in turn can be used to take control of the user's computer," said Patrick Hinojosa, chief technology officer at Panda Software US.
"This can be very serious as the user does not have to do anything unusual like opening a suspicious attachment. This is what is sometimes referred to as a 'drive by' attack."
Luis Corrons, director of PandaLabs, added: "The appearance of Searchmeup is a sign of the continuous evolution of malware, and of spyware and adware in particular.
"The first stage was that adware reached computers as a component of a freeware application, then web pages appeared that installed adware on users' computers using ActiveX.
"Now they have gone a step further, as Searchmeup exploits a vulnerability that even virus creators had not used until now."
Amazing information, absolutely amazing.
Anyway, yes, the Gnomes of Redmond hide lots of stuff from users. Some claim those index.dat file that ccleaner removes ( which you normally can't delete ) are spyware. I just don't like stuff I can't locate or get rid of if I so desire.
BTTT for later
Immediate Care.....they tend to be oxymorns names. Easy to spend half a day in one of those immediate care offices. I hope she feels better soon.
What purpose does it serve them to have information on someones computer that the owner doesn't know is there?
What purpose does it serve them to have information on someones computer that the owner doesn't know is there?
Well... you read all sorts of sorta-wacky conspiracy theories-- I think MS mainly hides things so it is harder for you to damage the installation inadvertently. Unfortunately, malware writers saw this as a fine opportunity to secrete their "wares." XP's system restore is notorious for being exploited by virus writers.
Ahhhh, for people like me. :-) Those who can turn their computers on and off, post pictures and hit the printer button. I understand now. lol
Under Little Big Fraud® we would have had a "rush to judgement;" a flurry of breast-beating, self-serving speeches, and further curtailments of freedom & civil rights- if not outright martial law.
Let's see what happens with "W"- what I'll hope for is a reasoned, but thourough, investigation, and if indeed this is a terrorist act, full prosecution of the guilty.
In short, if "W"'s the man I think he is, this will not affect average citizens much at all. We'll see.....
170 posted on 09/11/2001 8:24:54 AM CDT by backhoe [ Post Reply | Private Reply | To 88 | View Replies | Report Abuse ]
I hope you don't mind I looked at your links. I've wanted to see what was said on 9-11 for a long time.
You got Dubya right backhoe. He is the man you thought he would become. It was a defining moment.
bump
I'm not really awake bump! ;-)
Thanks for the post. I'm downloading the patch now.
Bump
When I click on a link I frequently get:
Error
Not Found
The requested URL was not found on this server.
and the url that comes up is:
http://www.adsourcecorp.com/404_not_found.htm
Can you help or direct me to someone that can? Thanks Mcenedo
Here's a post from SWI forums Log File review request
The poster states:
"It started earlier this week with floods and floods of pop-ups (at least 12 every 30 seconds) freezing my lap top. Then, my Yahoo Messenger will no longer launch. Then I noticed when I tried to click links from Search results on Google, or download items from the internet - my landing page would default to: www.adsourcecorp.com/404 File Not found."
Since you are having problems navigating with your current browser, you may wish to download "Off By One" http://www.offbyone.com/. It is a very small browser, with no java, plugins, etc.
If I were in your position (and assuming you haven't done any of these already), I would:
Download and install both Ad-Aware SE http://www.lavasoftusa.com/ and Spybot - Search and Destroy http://www.safer-networking.org/en/index.html
Update both programs. Run Ad-Aware, then Spybot S&D.
If these fail to correct the problem, you may need expert help. One of the best places to find this is at SpywareWarrior.com http://www.spywarewarrior.com/.
They offer a great deal of help, including a Tech forum.
You may need to look around SpywareWarrior.com and find a link for a program called "HiJackThis!". This program will generate a log of running programs, registry, etc. which can be posted to the SpywareWarrior forum, where experts will review it and offer advice & help.
If you post to a Tech Help (or other) forum, be sure to include:
1.) Your OS
2.) Hardware specs (CPU, total amount of RAM, etc.)
3.) Your browser (i.e. MSIE 6, Mozilla 1.7.7)
4.) Any software running on your system (anti-virus, firewall, etc.)
Bump
See this yet backhoe?
Cheers,
knews hound
Thanks- I'll pass it along.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.