coolpics hijacker
November 12, 2006, 10:05 pm | In Malware analysis | 4 Comments
A few victims came looking for help at the WildersSecurity forums.
One of them provided me with the installer.
A trick I hadn't seen before was removing the Run option from the Start menu (the NoRun Explorer policy, which also disables the Win+R shortcut). I noticed this when I found this entry in a ComboFix log:
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRun"=dword:00000001
Together with the victims at the WildersSecurity forums a fix was thought out and tested; the removal instructions are here:
http://www.geekstogo.com/forum/How_to_remove_the_coolpicscom_hijacker-t137346.html
Running the installer produced the following Total Uninstall log:
MyComputer
===============
File System
===============
(FOLDER) C:\WINDOWS\Prefetch
(+)(FILE) SVCHOST32.EXE-20192F81.pf = 19:39 06/11/06 21320 bytes
(+)(FILE) SVCHOST32.EXE-2633C3EE.pf = 20:05 06/11/06 13294 bytes
(FOLDER) C:\WINDOWS\system
(+)(FILE) svchost32.exe = 19:39 06/11/06 185386 bytes
(+)(FILE) svhost.exe = 20:05 06/11/06 10752 bytes
Registry
===============
(+)(REG KEY) HKEY_USERS\S-1-5-21-839522115-1708537768-1202660629-1003\Software\Yahoo
(+)(REG KEY) HKEY_USERS\S-1-5-21-839522115-1708537768-1202660629-1003\Software\Yahoo\pager
(+)(REG KEY) HKEY_USERS\S-1-5-21-839522115-1708537768-1202660629-1003\Software\Yahoo\pager\View
(+)(REG KEY) HKEY_USERS\S-1-5-21-839522115-1708537768-1202660629-1003\Software\Yahoo\pager\View\YMSGR_buzz
(+)(REG VAL) content url = 'http://thecoolpics.com'
(+)(REG KEY) HKEY_USERS\S-1-5-21-839522115-1708537768-1202660629-1003\Software\Yahoo\pager\View\YMSGR_Launchcast
(+)(REG VAL) content url = 'http://thecoolpics.com'
(REG KEY) HKEY_USERS\S-1-5-21-839522115-1708537768-1202660629-1003\Software\Microsoft\Internet Explorer\Main
(*)(REG VAL) Start Page
'http://www.oldhomepage.com' ==> 'http://thecoolpics.com'
(+)(REG KEY) HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
(+)(REG VAL) DisableRegistryTools = 1
(+)(REG VAL) DisableTaskMgr = 1
(REG KEY) HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
(+)(REG VAL) NoRun = 1
(+)(REG KEY) HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel
(+)(REG VAL) Homepage = 1
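As an added example (not part of the original post, the GeeksToGo fix or Total Uninstall), the PowerShell script below audits the current user profile for every change recorded in the log above and, when run with -Fix, reverts them. It assumes it is run in the hijacked user's session, that the original start page is unknown (the log only shows the placeholder http://www.oldhomepage.com), so it is passed in as $OriginalStartPage, and that the real victim has Yahoo Messenger installed, so only the two YMSGR_* view keys are removed rather than the whole Yahoo\pager tree. The (+) entries were created by the installer and are deleted; the (*) entry was modified and is restored.

```powershell
# Added example: report (default) or revert (-Fix) the coolpics hijacker
# changes listed in the Total Uninstall log. Not the original author's code.
param(
    [string]$OriginalStartPage = 'about:blank',  # assumption: substitute the victim's real pre-infection start page
    [switch]$Fix                                  # without -Fix nothing is changed, only reported
)

$ErrorActionPreference = 'Stop'
$hijackHost = 'thecoolpics.com'

function Get-RegValue([string]$Key, [string]$Name) {
    # Returns $null when the key or the value does not exist, without throwing.
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

# 1. Policy values the installer added (all (+) in the log), so they are
#    deleted outright instead of being set back to 0. DisableRegistryTools
#    only blocks regedit.exe; the registry provider used here is unaffected.
$policyLocks = @(
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoRun' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableTaskMgr' },
    @{ Key = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel'; Name = 'Homepage' }
)
foreach ($lock in $policyLocks) {
    $value = Get-RegValue $lock.Key $lock.Name
    if ($value -eq 1) {
        Write-Output "LOCK   $($lock.Key)\$($lock.Name) = $value"
        if ($Fix) { Remove-ItemProperty -Path $lock.Key -Name $lock.Name }
    }
}

# 2. The IE start page was modified ((*) in the log), so it is restored.
$ieMain = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$startPage = Get-RegValue $ieMain 'Start Page'
if ($startPage -and $startPage -like "*$hijackHost*") {
    Write-Output "HOME   Start Page = $startPage"
    if ($Fix) { Set-ItemProperty -Path $ieMain -Name 'Start Page' -Value $OriginalStartPage }
}

# 3. Yahoo Messenger view entries pointing at the hijacker's site. Only the
#    View\YMSGR_* keys are removed; the parent keys belong to a legitimate
#    Messenger install on a real victim's machine.
foreach ($view in 'YMSGR_buzz', 'YMSGR_Launchcast') {
    $key = "HKCU:\Software\Yahoo\pager\View\$view"
    $url = Get-RegValue $key 'content url'
    if ($url -and $url -like "*$hijackHost*") {
        Write-Output "YAHOO  $key -> $url"
        if ($Fix) { Remove-Item -Path $key -Recurse }
    }
}

# 4. Dropped executables. Note the directory: %SystemRoot%\system, not
#    system32, which is where the genuine svchost.exe lives. Running copies
#    are stopped first so the delete does not fail on a locked file.
$dropped = @("$env:SystemRoot\system\svchost32.exe", "$env:SystemRoot\system\svhost.exe")
foreach ($path in $dropped) {
    if (Test-Path -LiteralPath $path) {
        Write-Output "FILE   $path"
        if ($Fix) {
            $name = [System.IO.Path]::GetFileNameWithoutExtension($path)
            Get-Process -Name $name -ErrorAction SilentlyContinue | Stop-Process -Force
            Remove-Item -LiteralPath $path -Force
        }
    }
}

# 5. Prefetch traces (NAME.EXE-HASH.pf). The log recorded them only for
#    svchost32.exe; svhost.exe would leave one under the same naming rule.
Get-ChildItem -Path "$env:SystemRoot\Prefetch" -Filter '*.pf' -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '^(SVCHOST32|SVHOST)\.EXE-' } |
    ForEach-Object {
        Write-Output "PF     $($_.FullName)"
        if ($Fix) { Remove-Item -LiteralPath $_.FullName -Force }
    }
```

Run it once without -Fix to see what is present, then with -Fix -OriginalStartPage 'http://...' to revert. The log above records no autostart entry for svchost32.exe or svhost.exe, so the script deliberately does not touch the Run keys; check those by hand (or with a ComboFix/HijackThis log) before assuming the machine is clean.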
4 Comments »
A new variant was found as described here by Sophos: http://www.sophos.com/security/analyses/w32sohanap.html
Comment by pieterarntz — May 4, 2007
And another one.
http://www.sophos.com/security/analyses/w32sohanaw.html
Don't click those links folks. It's a pain to get rid of.
Comment by pieterarntz — May 18, 2007
Look at the BitDefender forum, they have detected this Yahoo Messenger virus since the beginning.
Join: http://www.BitDforum.com
Comment by Wersi — May 22, 2007
Isn’t this the official BitDefender forum?
http://forum.bitdefender.com/
Besides, detecting and removing are not necessarily the same. (With which I'm not saying that BitDefender can't remove this worm.)
Comment by pieterarntz — May 23, 2007