coolpics hijacker

November 12, 2006 on 10:05 pm | In Malware analysis | 4 Comments

A few victims came looking for help at WildersSecurity forums.

One of them provided me with the installer.
A trick I hadn’t seen before was to remove the Run option from the Start menu.

I noticed this by finding this entry in a Combofix log:
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRun"=dword:00000001

Together with the victims at WildersSecurity forums a fix was thought out and tested:
http://www.geekstogo.com/forum/How_to_remove_the_coolpicscom_hijacker-t137346.html

Running the installer produced the following Total Uninstall log:

MyComputer
===============

File System
===============
(FOLDER) C:\WINDOWS\Prefetch
(+)(FILE) SVCHOST32.EXE-20192F81.pf = 19:39 06/11/06 21320 bytes
(+)(FILE) SVCHOST32.EXE-2633C3EE.pf = 20:05 06/11/06 13294 bytes
(FOLDER) C:\WINDOWS\system
(+)(FILE) svchost32.exe = 19:39 06/11/06 185386 bytes
(+)(FILE) svhost.exe = 20:05 06/11/06 10752 bytes

Registry
===============

(+)(REG KEY) HKEY_USERS\S-1-5-21-839522115-1708537768-1202660629-1003\Software\Yahoo
(+)(REG KEY) HKEY_USERS\S-1-5-21-839522115-1708537768-1202660629-1003\Software\Yahoo\pager
(+)(REG KEY) HKEY_USERS\S-1-5-21-839522115-1708537768-1202660629-1003\Software\Yahoo\pager\View
(+)(REG KEY) HKEY_USERS\S-1-5-21-839522115-1708537768-1202660629-1003\Software\Yahoo\pager\View\YMSGR_buzz
(+)(REG VAL) content url = 'http://thecoolpics.com'
(+)(REG KEY) HKEY_USERS\S-1-5-21-839522115-1708537768-1202660629-1003\Software\Yahoo\pager\View\YMSGR_Launchcast
(+)(REG VAL) content url = 'http://thecoolpics.com'
(REG KEY) HKEY_USERS\S-1-5-21-839522115-1708537768-1202660629-1003\Software\Microsoft\Internet Explorer\Main
(*)(REG VAL) Start Page
'http://www.oldhomepage.com' ==> 'http://thecoolpics.com'
(+)(REG KEY) HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
(+)(REG VAL) DisableRegistryTools = 1
(+)(REG VAL) DisableTaskMgr = 1
(REG KEY) HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
(+)(REG VAL) NoRun = 1
(+)(REG KEY) HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel
(+)(REG VAL) Homepage = 1
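As an added example (not part of the original post or the fix linked above), here is a PowerShell audit script that checks a machine for the changes listed in the log: the policy values that lock out Run, Task Manager, the registry tools and the IE home page setting, the URL values pointed at thecoolpics.com, and the two files dropped into the system folder; with -Remediate it deletes the policy values. It assumes PowerShell 5.1 or later and that it runs in the affected user's session (the HKEY_USERS\<SID> hive in the log is that user's HKCU); the -Remediate switch and the variable names are my own.

```powershell
# Added example (not from the original post): audit a Windows machine for the
# changes the Total Uninstall log above attributes to the coolpics installer.
# Assumes PowerShell 5.1+ and that the Windows directory is $env:windir.
[CmdletBinding()]
param([switch]$Remediate)   # when set, delete the policy values the hijacker added

# Registry policy values listed in the log, with the value the hijacker writes.
$policies = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoRun';                Bad = 1 },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools'; Bad = 1 },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableTaskMgr';       Bad = 1 },
    @{ Path = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel';  Name = 'Homepage';             Bad = 1 }
)

# String values the log shows pointed at the hijacker's domain.
$urlValues = @(
    @{ Path = 'HKCU:\Software\Microsoft\Internet Explorer\Main';  Name = 'Start Page'  },
    @{ Path = 'HKCU:\Software\Yahoo\pager\View\YMSGR_buzz';       Name = 'content url' },
    @{ Path = 'HKCU:\Software\Yahoo\pager\View\YMSGR_Launchcast'; Name = 'content url' }
)

# Files the log shows dropped into %windir%\system.
$droppedFiles = @('svchost32.exe', 'svhost.exe') | ForEach-Object { Join-Path $env:windir "system\$_" }

$findings = @()

foreach ($p in $policies) {
    $current = (Get-ItemProperty -Path $p.Path -Name $p.Name -ErrorAction SilentlyContinue).($p.Name)
    if ($current -eq $p.Bad) {
        $findings += "Policy set: $($p.Path)\$($p.Name) = $current"
        if ($Remediate) { Remove-ItemProperty -Path $p.Path -Name $p.Name -ErrorAction SilentlyContinue }
    }
}

foreach ($u in $urlValues) {
    $current = (Get-ItemProperty -Path $u.Path -Name $u.Name -ErrorAction SilentlyContinue).($u.Name)
    if ($current -and $current -match 'thecoolpics\.com') {
        $findings += "Hijacked URL: $($u.Path)\$($u.Name) = $current"
    }
}

foreach ($f in $droppedFiles) {
    if (Test-Path -LiteralPath $f) { $findings += "Dropped file present: $f" }
}

if ($findings.Count -eq 0) { 'No coolpics indicators found.' } else { $findings }
```

The script only reports the hijacked URL values and dropped files, since the original start page is not known to it; reset those by hand after the files have been removed.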


4 Comments »


  1. A new variant was found as described here by Sophos: http://www.sophos.com/security/analyses/w32sohanap.html

    Comment by pieterarntz — May 4, 2007 #

  2. And another one.
    http://www.sophos.com/security/analyses/w32sohanaw.html

    Don’t click those links folks. It’s a pain to get rid of.

    Comment by pieterarntz — May 18, 2007 #

  3. Look at the BitDefender forum, they detected this Yahoo Messenger virus since the beginning.
    join: http://www.BitDforum.com

    Comment by Wersi — May 22, 2007 #

  4. Isn’t this the official BitDefender forum?
    http://forum.bitdefender.com/

    Besides, detecting and removing are not necessarily the same. (With which I’m not saying that BitDefender can’t remove this worm.)

    Comment by pieterarntz — May 23, 2007 #
