Security Incidents mailing list archives

Re: Malware(?) inserting porn links into registration/profile data for unsuspecting users


From: Joe Stewart <jstewart () lurhq com>
Date: Fri, 16 Jul 2004 15:06:22 -0400

On Thursday 15 July 2004 8:47 am, SF Lists wrote:
> At this point, I suspect that this is the work of some
> sort of malware or virus that detects the presence of
> an input field with the name "homepage" and inserts
> one of these addresses upon submitting the form,
> however I have been unsuccessful in finding any
> references to a known application that uses this
> behavior. Keep in mind that this is simply based on
> observation and I have not attempted to change the
> fields in the registration form to see if the affected
> registrations stop. Are there any known viruses or
> malware that exhibit this type of
> behavior?

Your culprit is a little-known DLL called "submithook.dll" that is 
bundled with CWS/WinShow/IEFeats among other browser-hijacker trojans. 
Submithook is a BHO that searches your outgoing HTTP requests for web 
form post fields with the name "url", "homepage", "page", "www", 
".cl1", and "site". In the background it queries a site such as 

http://www.fdadfswr.com/?r=%url&i=%nid 

where it receives a URL to insert into the named field in the form. 
The request then continues to the destination site with the newly 
inserted data. This is probably being done in an attempt to increase the 
inserted site's Google ranking.

Symantec calls it "Adware.FreeComm", and it is also known as "LizardBar" 
or "Free Community":

http://sarc.com/avcenter/venc/data/pf/adware.freecomm.html
http://www.kephyr.com/spywarescanner/library/lizardbar/index.phtml

However, I haven't seen a correct writeup of it on any site, which 
explains why you were unable to find any descriptions that matched its 
behavior.
 
-Joe

-- 
Joe Stewart, GCIH 
Senior Security Researcher
LURHQ http://www.lurhq.com/
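
A server-side triage sketch for the behaviour described above, added here as an example and not part of the original message: it scans stored registration POST bodies for the field names the message lists and flags hosts submitted by several unrelated accounts. The record layout, the threshold and the sample data (constructed, using reserved example domains and documentation IP ranges) are assumptions.

```python
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Field names the message says submithook.dll rewrites.
HOOKED_FIELDS = {"url", "homepage", "page", "www", ".cl1", "site"}

def hooked_values(post_body):
    """Return (field, host) pairs for targeted fields that carry a URL."""
    hits = []
    for name, value in parse_qsl(post_body, keep_blank_values=True):
        value = value.strip()
        if name.lower() not in HOOKED_FIELDS or not value:
            continue
        try:
            # Users often omit the scheme; add one so urlsplit finds the host.
            host = urlsplit(value if "://" in value else "http://" + value).hostname
        except ValueError:
            continue  # malformed value, e.g. an unbalanced IPv6 bracket
        if host and "." in host and " " not in host:
            hits.append((name.lower(), host.removeprefix("www.")))
    return hits

def suspicious_hosts(submissions, min_accounts=3):
    """submissions: iterable of (account, client_ip, raw_post_body).
    Flags a host once min_accounts distinct accounts, coming from as many
    distinct client IPs, submitted it in a targeted field."""
    accounts, ips = defaultdict(set), defaultdict(set)
    for account, ip, body in submissions:
        for _field, host in hooked_values(body):
            accounts[host].add(account)
            ips[host].add(ip)
    return {h: sorted(accounts[h]) for h in accounts
            if len(accounts[h]) >= min_accounts and len(ips[h]) >= min_accounts}

# Constructed sample records, not real traffic.
SAMPLE = [
    ("alice", "192.0.2.10", "user=alice&homepage=http%3A%2F%2Fspam-site.example%2Fa"),
    ("bob", "198.51.100.7", "user=bob&homepage=http://www.spam-site.example/b"),
    ("carol", "203.0.113.5", "user=carol&url=spam-site.example"),
    ("dave", "203.0.113.9", "user=dave&homepage=http://dave.example/"),
    ("erin", "192.0.2.44", "user=erin&homepage="),
]

if __name__ == "__main__":
    for host, users in suspicious_hosts(SAMPLE).items():
        print(f"{host}: submitted by {', '.join(users)}")
```

A flagged host only shows that unrelated accounts share a link; confirming the BHO itself still requires examining an affected client.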
