Security Incidents mailing list archives

Re: 030 igetnet ignkeywords


From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Tue, 12 Nov 2002 21:56:00 +1300

"Waitman C. Gobble" <waitman () emkdesign com> wrote:

> I have found more information regarding my original 030.com post.
>
> The machine that is infected is running Windows XP Professional with all
> service packs and hotfixes.
>
> Additionally, it is running Norton Antivirus 2003 with the latest
> database, and the machine checks clean.
>
> There is a file running on boot:
>
> C:\WINDOWS\WinStart.exe (the date of this file is November 11, 2002)
>
> The file properties indicate that it originates from IGetNet, LLC. The
> whois information shows that this is the owner of ignkeywords.com

Seems as if either the user has cluelessly agreed to installing the 
"IGetNet (IGN) Keywords" browser "extension" (which locates sites 
registered to "keywords' at IGetNet by typing those keywords into the 
"location" or "address" bar of their browser) or some site silently 
installs the same via some browser security flaw (the IGetNet 
keywords extension installer is utterly silent once you accept the 
signed ActiveX control anyway -- I did not try the 
Netscape-compatible version the website alleges exists).

When run, the IE version copies the main EXE to %windir%\system (yes, 
even on NT-based OSes) and also unpacks BHO.DLL and RSP.DLL to that
directory.  It also sets a registry value named WinStart under
HKLM\Software\Microsoft\Windows\CurrentVersion\Run to run 
"<path>WinStart.exe -boot", which ensures the DLLs are unpacked (and 
replaced) at each system startup.  It also adds the following domain 
redirects to your system's HOSTS file:

216.177.73.139   auto.search.msn.com
216.177.73.139   search.netscape.com
216.177.73.139   ieautosearch

This "utility" does not add "uninstall" information to the registry,
so cannot be uninstalled through the usual means.  An uninstaller is 
available from the download page of IGetNet's web site, should you 
trust them to properly uninstall the beast:

   http://igetnet.com/iGetNet_IGNDownloads.html

This seems to leave one of the DLLs but removes the other, the HOSTS 
entries and WinStart.exe.

> Also, this file exists: C:\WINDOWS\prefetch\WINSTART.EXE-2C11637C.pf.

Not sure about that -- didn't see it myself, but then I only let it 
run for a few minutes...

> The machine now seems to go to ignkeywords.com, however sometimes it
> goes to 030.com, which is what we originally observed.

The IGN Keywords product depends on a registration database which I 
guess is centrally maintained, so it has to report keyword attempts 
to the server to get the correct URL to redirect the browser to.  
Aside from that, ignkeywords.com is 216.177.73.139.

> The WinStart file is labelled as a "Browser Upgrade" in the file
> properties thingy.

I guess "upgrade" is a relative term...


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
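A defender's check for the two persistence artefacts the message describes, the HOSTS redirects and the "WinStart -boot" Run value, written here as an added example; it is not code from the post or from IGetNet. The sample HOSTS text and Run-key dictionary are constructed, using the hostnames and address quoted in the message.

```python
import ipaddress
import re

# Hostnames the message reports the IGN Keywords installer redirecting in
# the HOSTS file. A non-loopback mapping for any of these diverts the
# browser's "address bar search" traffic to whoever owns that address.
SEARCH_HOSTS = {"auto.search.msn.com", "search.netscape.com", "ieautosearch"}

# Constructed sample inputs, mirroring what the message describes.
SAMPLE_HOSTS = """# constructed HOSTS file, not captured from a real machine
127.0.0.1        localhost
216.177.73.139   auto.search.msn.com
216.177.73.139   search.netscape.com
216.177.73.139   ieautosearch
"""
SAMPLE_RUN_VALUES = {  # constructed HKLM\...\CurrentVersion\Run contents
    "WinStart": r"C:\WINDOWS\system\WinStart.exe -boot",
    "ctfmon.exe": r"C:\WINDOWS\System32\ctfmon.exe",
}

def parse_hosts(text):
    """Return [(ip, hostname)] from HOSTS text, ignoring comments and blanks."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        entries.extend((ip, name.lower()) for name in names)
    return entries

def find_search_hijacks(hosts_text, watch=SEARCH_HOSTS):
    """Flag watched search hostnames mapped to a non-loopback address."""
    hits = []
    for ip, name in parse_hosts(hosts_text):
        if name not in watch:
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed address field; skip rather than crash
        if not addr.is_loopback:
            hits.append((name, ip))
    return hits

def find_winstart_run(run_values):
    """Flag Run values that launch WinStart.exe with the -boot switch."""
    pattern = re.compile(r"winstart\.exe\s+-boot\b", re.IGNORECASE)
    return sorted(n for n, cmd in run_values.items() if pattern.search(cmd))
```

Both checks are read-only; feeding them the real %windir%\system32\drivers\etc\hosts and the exported Run key is left to the caller.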

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

