ZHPDiag – Module O69 (SBI)

ZHPDIAG – MODULE O69 (SBI)

The module SBI-related (Search Browser Infection), O69 of ZHPDiag module is designed to search the internet browsers redirects.

At the beginning of the creation of the module, the search was limited to the Mozilla/Firefox browser. He had to verify the presence of Yoog search engine in the folder ' plugIn’ of the user as well as in its 'prefs.js' preferences file.

Subsequently, the module has changed its name to make a wider search by extending it to other malware search engines.

A supplementary search is made in the key «» Internet ExplorerSearchScopes« . SearchScopes allows you to specify Internet search providers. The data of the value «» DefautScope ' contains the CLSID that will point to the default search provider.

– The default search provider will be identified in the list by the presence of the string [DefaultScope] for example, Google :
O69 – SBI: SearchScopes {6A1806CD-94D4-4689-BA73-E35EA1EA9990} [DefaultScope] – (Google) – http://www.Google.com

– Search in Base of registry keys :
[HKEY_CURRENT_USER\SOFTWAREMicrosoftInternet ExplorerSearchScopes]
[HKEY_USERS. DEFAULTSOFTWAREMicrosoftInternet ExplorerSearchScopes]
[HKEY_USERSS-1-5-18SOFTWAREMicrosoftInternet ExplorerSearchScopes]
[HKEY_USERSS-1-5-19SOFTWAREMicrosoftInternet ExplorerSearchScopes]
[HKEY_USERSS-1-5-20SOFTWAREMicrosoftInternet ExplorerSearchScopes]
[HKEY_CLASSES_ROOTSOFTWAREMicrosoftInternet ExplorerSearchScopes]

– It is easy for an attacker to use a WMD program in order to create a CLSID with a value of URL pointing to its own search engine and then change the default value data «» DefautScope« . This type of redirection is notably used by engines known as cherche.us, Yoog or Ask.com.

Overview ZHPDiag

—\\ Infection Yoog search (SYI) (O69)
O69 – SYI: C:\Documents and Settings{userName}\Application DataMozillaFirefoxProfiles{random}.default\searchplugins\Yoog Search.xml
O69 – SYI: C:\Users{userName}\AppData\Roaming\Mozilla\Firefox\Profiles\{random}.default\searchplugins\Yoog Search.xml
O69 – SYI: prefs.js [{userName} – {random}.default] user_pref(« browser.search.selectedEngine », « Yoog Search »);

–\\ Recherche Infection Navigateur (SBI) (O69) v1.25.1347
O69 – SBI: C:\Documents and Settings{userName}\Application DataMozillaFirefoxProfiles{random}.default\searchplugins\askcom.xml
O69 – SBI: prefs.js [{userName} – {random}.default] user_pref(« browser.search.selectedEngine », « Ask Search »);

—\\ Search Browser Infection (SBI) (O69) v1.26.18
O69 – SBI: SearchScopes {CF739809-1C6C-47C0-85B9-569DBB141420} – (Ask Search) – http://toolbar.ask.com
O69 – SBI: SearchScopes {67A2568C-7A0A-4EED-AECC-B5405DE63B64} [DefaultScope] – (Google) – http://www.Google.com

O69 – SBI: SearchScopes {0633EE93-D776-472f-A0FF-E1416B8B2E3A} [DefaultScope] – (@ieframe.dll,-12512) – http://search.live.com

—\\ Search Browser Infection (SBI) (O69)
O69 – SBI: SearchScopes [HKCU] {BB74DE59-BC4C-4172-9AC4-73315F71CFFE} – (WebSearch) – http://websearch.mocaflix.com
O69 – SBI: SearchScopes [HKCU] {BB74DE59-BC4C-4172-9AC4-73315F71CFFE} [DefaultScope] – (WebSearch) – http://websearch.searchrocket.info
O69 – SBI: SearchScopes [HKCU] {BB74DE59-BC4C-4172-9AC4-73315F71CFFE} [DefaultScope] – (WebSearch) – http://websearch.wisesearch.info

Equivalence MBAM

Elément(s) de données du Registre infecté(s):
HKEY_USERS. DEFAULTSOFTWAREMicrosoftInternet ExplorerSearchScopesURL (Hijack.SearchPage) -> Bad: (http://findgala.com /.?&UID = 1002&q={searchTerms}) Good: (http://www.Google.com/)

Examples of diversion

The data of the "DefautScope" value contains the CLSID that will point to the default search provider ' findgala.com’ which is a site deemed dangerous.
O69 – SBI: SearchScopes {0633EE93-D776-472f-A0FF-E1416B8B2E3A} [DefaultScope] – (Bing) – http://findgala.com

Trojan: Troj/Zbot-JS
HKCUSoftwareMicrosoftInternet ExplorerSearchScopes{19F2B849-4ADE-4d4b-85F9-C31C643DBDE9}\
""URL ="http://fastbrowsersearch.com/results/results.aspx?q={searchTerms}&c = web&s = DSP&v = 9″

BrowserModifier:Win32/MindQuizSearch
Added value: "DisplayName".
With data: "Bing"
Added value: 'FaviconURLFallback '.
With data: http://www.bing.com/favicon.ico
Added value: 'SuggestionsURLFallback '.
With data: « http://API.bing.com/qsml.aspx?query ={searchTerms}&market ={Language}&form = IE8SSC&maxWidth ={IE:maxWidth}&RowHeight ={IE:rowHeight}&= sectionHeight{IE:sectionHeight} »
""URL ="http://TMQ.bingstart.com/s /.?q={searchTerms}&iesrc = IE-SearchBox&site = Bing&cfg = 2-168-0-1nUEv"
Subkey to: HKCUSoftwareMicrosoftInternet ExplorerSearchScopes{E5F5D888-2587-E012-A817-7038F5690F26}

Action ZHPFix (Case N ° 1)

O69 – SBI: SearchScopes [{RucheName}] {CLSIDKey} [DefaultScope] – () – {DataKey}

{RucheName} : Name of the hive (HKCU,HKCR,HKUS).
{Key} : Registry key [HKEY_USERS…\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{CLSIDKey}]
{CLSIDKey} : Sous clé de {Key}
{DataKey} : The value data «» Url "the key {CLSIDKey}.

1) Remplace la donnée {DataKey} par « http://www.Google.com/ »
2) Supprime la clé {CLSIDKey} If malware.

Action ZHPFix (Case N ° 2)

O69 – SBI: prefs.js [{userName} – {random}.default] user_pref( {Line} );

{Line} : Ligne du fichier de préférence.

1) La ligne {Line} est placée en commentaire et devient inactive lors du rechargement du fichier de préférences du navigateur.

Action ZHPFix (Cas N°3)

O69 – SBI: {FileName}

1) Supprime le fichier {FileName}

Report ZHPFix (Example)

Lines entered :
O69 – SBI: SearchScopes [HKCU] {9BB47C17-9C68-4BB3-B188-DD9AF0FD2A59} – (Web Search) – http://search.imesh.com
O69 – SBI: SearchScopes [HKCU] {afdbddaa-5d3f-42ee-b79c-185a7020515b} – (Messenger more Live France Customized Web Search) – http://Search.conduit.com

Report of ZHPFix v1.12.3143 by Nicolas Coolman, Update of the 01/09/2010

= Item(s) data from the registry.
O69 – SBI: SearchScopes [HKCU] {9BB47C17-9C68-4BB3-B188-DD9AF0FD2A59} – (Web Search) – http://Search.iMesh.com => Data replaced with success
O69 – SBI: SearchScopes [HKCU] {afdbddaa-5d3f-42ee-b79c-185a7020515b} – (Messenger more Live France Customized Web Search) – http://Search.conduit.com => Data replaced with success

= Summary =.
2 : Elément(s) data from the registry

Links

Microsoft : How to create a custom .adm files
Understanding and Working in Protected Mode Internet Explorer (Microsoft)
Adding Entries to the Standard Context Menu


Total views 563 (Today 1 )