
Re: 030 igetnet ignkeywords

From: Nick FitzGerald <nick(at)virus-l.demon.co.uk>
Date: Tue Nov 12 2002 - 03:56:00 EST


"Waitman C. Gobble" <waitman@emkdesign.com> wrote:

> I have found more information regarding my original 030.com post.

Seems as if either the user has cluelessly agreed to installing the "IGetNet (IGN) Keywords" browser "extension" (which locates sites registered to "keywords" at IGetNet by typing those keywords into the "location" or "address" bar of their browser) or some site silently installs the same via some browser security flaw (the IGetNet keywords extension installer is utterly silent once you accept the signed ActiveX control anyway -- I did not try the Netscape-compatible version the website alleges exists).

When run, the IE version copies the main EXE to %windir%\system (yes, even on NT-based OSes) and also unpacks BHO.DLL and RSP.DLL to that directory. It also sets a registry value named WinStart under HKLM\Software\Microsoft\Windows\CurrentVersion\Run to run "<path>WinStart.exe -boot", which ensures the DLLs are unpacked (and replaced) at each system startup. It also adds the following domain redirects to your system's HOSTS file:

216.177.73.139   auto.search.msn.com
216.177.73.139   search.netscape.com
216.177.73.139   ieautosearch

This "utility" does not add "uninstall" information to the registry, so cannot be uninstalled through the usual means. An uninstaller is available from the download page of IGetNet's web site, should you trust them to properly uninstall the beast:

   http://igetnet.com/iGetNet_IGNDownloads.html

This seems to leave one of the DLLs but removes the other, the HOSTS entries and WinStart.exe.

> Also, this file exists: C:\WINDOWS\prefetch\WINSTART.EXE-2C11637C.pf.


Not sure about that -- didn't see it myself, but then I only let it run for a few minutes...

> The machine now seems to go to ignkeywords.com, however sometimes it
> goes to 030.com, which is what we originally observed.

The IGN Keywords product depends on a registration database which I guess is centrally maintained, so it has to report keyword attempts to the server to get the correct URL to redirect the browser to. Aside from that, ignkeywords.com is 216.177.73.139.

> The WinStart file is labelled as a "Browser Upgrade" in the file
> properties thingy.

I guess "upgrade" is a relative term...

-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: 
http://aris.securityfocus.com
Received on Tue Nov 12 17:09:44 2002
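The post above lists two persistence artefacts a defender can check for on a machine: the three HOSTS entries pointing browser search hostnames at 216.177.73.139, and the WinStart value under HKLM\Software\Microsoft\Windows\CurrentVersion\Run that launches "WinStart.exe -boot". The following script is an added example written for this archive page, not code from the post or from IGetNet; it parses a HOSTS file, flags entries that redirect those search hosts off loopback or that point anything at that IP, and scans a set of Run-key values for the WinStart entry. The HOSTS text and Run values below are constructed samples; read_run_key() is an assumed helper that only works on Windows (it uses the standard winreg module) and returns an empty dict elsewhere.

```python
import ipaddress
import re

# Indicators quoted in the post: the hostnames the installer redirects
# in HOSTS and the server address they are redirected to.
REDIRECTED_HOSTS = {"auto.search.msn.com", "search.netscape.com", "ieautosearch"}
IGN_SERVER = "216.177.73.139"
# Run-key value name and command line as described in the post.
RUN_VALUE_NAME = "WinStart"
RUN_CMD_PATTERN = re.compile(r"winstart\.exe\s+-boot", re.IGNORECASE)


def parse_hosts(text):
    """Yield (ip, hostname) pairs from HOSTS-file text, skipping comments and junk."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                           # not an address; ignore the line
        for name in parts[1:]:
            yield str(ip), name.lower()


def find_hosts_hijacks(text):
    """Return (ip, hostname, reason) for every suspicious HOSTS entry.

    A search hostname mapped to loopback is a deliberate block, not a hijack,
    so only non-loopback mappings of those names are reported.
    """
    findings = []
    for ip, name in parse_hosts(text):
        if name in REDIRECTED_HOSTS and not ipaddress.ip_address(ip).is_loopback:
            findings.append((ip, name, "search host redirected"))
        elif ip == IGN_SERVER:
            findings.append((ip, name, "points at IGN server"))
    return findings


def find_run_key_hits(run_values):
    """run_values: dict of value name -> command line from the Run key.
    Matches either the value name or the WinStart.exe -boot command line."""
    hits = []
    for name, cmd in run_values.items():
        if name.lower() == RUN_VALUE_NAME.lower() or RUN_CMD_PATTERN.search(cmd):
            hits.append((name, cmd))
    return hits


def read_run_key():
    """Assumed helper: read HKLM\\...\\Run on Windows; return {} on other platforms."""
    try:
        import winreg
    except ImportError:
        return {}
    values = {}
    path = r"Software\Microsoft\Windows\CurrentVersion\Run"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:
                break                          # no more values
            values[name] = str(data)
            index += 1
    return values


# Constructed sample data mirroring what the post describes.
SAMPLE_HOSTS = """\
# constructed sample HOSTS file
127.0.0.1        localhost
216.177.73.139   auto.search.msn.com
216.177.73.139   search.netscape.com
216.177.73.139   ieautosearch
127.0.0.1        ads.example.com   # benign local block, not reported
"""
SAMPLE_RUN = {
    "WinStart": r"C:\WINDOWS\SYSTEM\WinStart.exe -boot",
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
}

if __name__ == "__main__":
    for ip, name, why in find_hosts_hijacks(SAMPLE_HOSTS):
        print(f"HOSTS: {name} -> {ip} ({why})")
    # Swap SAMPLE_RUN for read_run_key() to check the live key on a Windows box.
    for name, cmd in find_run_key_hits(SAMPLE_RUN):
        print(f"Run key: {name} = {cmd}")
```

On a Windows machine, pass the contents of %windir%\system32\drivers\etc\hosts to find_hosts_hijacks() and the result of read_run_key() to find_run_key_hits(); the HOSTS check distinguishes the silent redirect described above from a deliberate loopback block of the same hostnames, which an ad-blocking HOSTS file commonly contains.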

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:50 EDT

