From: Spyware Weekly Newsletter > September 3, 2003
Surferbar: A Nasty New Hijacker
A nasty new browser hijacker/trojan has been discovered and is spreading across the web at a rapid pace. Dozens of threads started by people infected with the Surferbar hijacker have sprung up at the support forums.
There are two known variants of this hijacker currently, which
I'll call
Surferbar.a and Surferbar.AFlooder. Both variants hijack Internet
Explorer's
start page to www.surferbar.com.
Surferbar.a is a simple browser hijacker and can be cleaned up easily using HijackThis (download). Look for the following entries in HijackThis and have it remove them:
O4 - HKCU\..\RunOnce: [win32] c:\program files\winsrv32.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.surferbar.com/
O3 - Toolbar: SurferBar - {FF7FD490-34E7-4FA1-927A-F5799E6AAD7B} - c:\PROGRA~1\win32.dll
When you have done that, find and delete c:\program files\winsrv32.exe. HijackThis only removes the registry entries, so the toolbar DLL the O3 line points at, c:\PROGRA~1\win32.dll (PROGRA~1 is the 8.3 short name for Program Files), is still on disk; delete it as well once Internet Explorer is closed, then rescan to confirm the three entries do not come back.
A few victims are convinced they received Surferbar.a after downloading and installing Kazaa Lite K++. I haven't had a chance to clarify if they meant the software itself installed the hijack, if a pop-up ad on a mirror site installed it, or if they both used the same download mirror. Presently, this information is very much unconfirmed. However, I recommend staying away from Kazaa Lite even without this problem, as it's an unauthorized cracked version of the real Kazaa.
Surferbar.AFlooder is rather more complicated. In addition to hijacking the start page and adding an unwanted toolbar, this variant also appears to be either a keylogger or a remote access trojan (or both), and possibly an SMTP proxy for spammers to use to relay spam.
Surferbar.AFlooder uses an obscure NTFS feature to embed itself directly into your System32 folder. Not inside the folder: attached to the folder object itself. It sounds nuts, but the NT File System allows exactly that through what it calls Alternate Data Streams (ADS).
Every file or directory on an NTFS volume has one unnamed data stream (the content you normally see) and may carry any number of extra named streams, addressed as object:streamname. So C:\WINDOWS\System32:tywsmhd.dll is not a file in System32; it is a stream called tywsmhd.dll hanging off the System32 directory, and rundll32 loads a DLL from that path just as it would from a regular file. Think of ADS as information stored "under the hood" of the file system, much like the track/artist/title tags stored inside an MP3: Explorer and a plain dir listing never show named streams, and they add nothing to the host's reported size.
Microsoft ships no built-in way to enumerate the streams a file or folder carries. If you already know a stream's name you can read or write it with ordinary commands (echo text > file:stream, more < file:stream), but finding out which names exist takes a third-party tool such as Sysinternals Streams (which can also delete a named stream with streams -d) or LADS.
Fortunately, this parasite includes a not-so-secret uninstall command, which is revealed in a string of text within the file. If you or someone you are helping has been hijacked to surferbar.com, but you do not have the winsrv32.exe startup entry, then you probably have the AFlooder variant. Your HijackThis results will be similar to this:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.surferbar.com/
O3 - Toolbar: SurferBar - {FF7FD490-34E7-4FA1-927A-F5799E6AAD7B} - c:\PROGRA~2\win32.dll
O4 - HKLM\..\Run: [tywsmhd] rundll32 C:\WINDOWS\System32:tywsmhd.dll,Init 1
Removing these entries with HijackThis is of no use. A program running in the background will immediately reinstall any entries that are removed. Even booting to safe mode won't help with this.
Pay attention to the path of the DLL file, C:\WINDOWS\System32:tywsmhd.dll in the example above. The exact name of the DLL will be different each time (in the example it matches the entry name in square brackets on the O4 line), so copy it from your own log rather than from this article. Click the "Start" menu, select "Run", and type: rundll32 C:\WINDOWS\System32:tywsmhd.dll,Uninstall. This is the same command line as the O4 entry with the Init 1 entry point replaced by Uninstall. Remember to change the name of the DLL file to match that found on your computer. Click on "OK", and that should uninstall the parasite completely. Afterwards, run a fresh HijackThis scan and reboot once more: if the R0, O3 and O4 entries are gone and stay gone, the background process is no longer re-adding them.
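As an added example (not part of the newsletter, and not a HijackThis feature), the following Python script runs the checks described above for both variants over a HijackThis log: it flags the surferbar.com start page, the SurferBar toolbar CLSID, the winsrv32.exe RunOnce loader that marks Surferbar.a, and any O4 entry whose rundll32 target names an NTFS alternate data stream (a colon in the last path component that is not the drive-letter colon), which is the AFlooder tell. For a stream-hosted DLL it also prints the rundll32 ...,Uninstall command the article gives; that Uninstall entry point is what the article reports for this parasite, not something an arbitrary DLL exports. The sample log is constructed for the example (the mobsync.exe line is an ordinary benign entry added so the filter has something to ignore); the CLSID, paths and key names are the ones quoted in the article.

```python
"""Triage a HijackThis log for the Surferbar indicators described above.

Added example for this newsletter: not HijackThis code and not the parasite's.
SAMPLE_LOG is constructed; the CLSID, paths and key names come from the article.
"""
import re
from typing import Dict, List, Optional, Tuple

# Toolbar CLSID quoted in the article for both variants.
SURFERBAR_TOOLBAR_CLSID = "{FF7FD490-34E7-4FA1-927A-F5799E6AAD7B}"

# Constructed sample: the article's AFlooder listing plus one benign O4 line
# (mobsync.exe is a normal Windows component) so the filter has something to ignore.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.surferbar.com/
O3 - Toolbar: SurferBar - {FF7FD490-34E7-4FA1-927A-F5799E6AAD7B} - c:\PROGRA~2\win32.dll
O4 - HKLM\..\Run: [tywsmhd] rundll32 C:\WINDOWS\System32:tywsmhd.dll,Init 1
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
"""

LINE_RE = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<rest>.*)$")            # "O4 - ..."
O4_RE = re.compile(r"^(?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")  # key: [name] cmd


def split_ads_path(path: str) -> Optional[Tuple[str, str]]:
    """Return (host_object, stream_name) if path names an NTFS alternate data
    stream (host:stream or host:stream:$DATA), else None.  Only the last path
    component is inspected, so the colon after a drive letter is not taken as
    a stream separator, and a bare drive-relative "C:foo" is not one either."""
    head, sep, last = path.rpartition("\\")
    if ":" not in last:
        return None
    if not sep and len(last) > 1 and last[1] == ":" and last.count(":") == 1:
        return None
    host, _, stream = last.partition(":")
    if stream.upper().endswith(":$DATA"):
        stream = stream[: -len(":$DATA")]
    if not host or not stream:
        return None
    return head + sep + host, stream


def parse_hijackthis(log: str) -> List[Dict[str, str]]:
    """Split a log into {"code": "O4", "rest": "..."} records, skipping noise."""
    entries = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append({"code": m["code"], "rest": m["rest"]})
    return entries


def rundll32_target(command: str) -> Optional[str]:
    """For 'rundll32 <dll>,<entrypoint> [args]' return <dll>, else None."""
    parts = command.split(None, 1)
    if len(parts) < 2 or parts[0].lower() not in ("rundll32", "rundll32.exe"):
        return None
    return parts[1].split(",", 1)[0].strip()


def triage(log: str) -> Dict[str, object]:
    """Apply the article's indicators and name the variant they point to."""
    findings: List[str] = []
    ads_dll: Optional[str] = None
    saw_winsrv32 = False
    for entry in parse_hijackthis(log):
        code, rest = entry["code"], entry["rest"]
        if code in ("R0", "R1") and "surferbar.com" in rest.lower():
            findings.append(f"{code}: Internet Explorer page setting points at surferbar.com")
        elif code == "O3" and SURFERBAR_TOOLBAR_CLSID.lower() in rest.lower():
            findings.append("O3: SurferBar toolbar CLSID is registered")
        elif code == "O4":
            m = O4_RE.match(rest)
            if not m:
                continue
            if m["name"].lower() == "win32" and "winsrv32.exe" in m["cmd"].lower():
                saw_winsrv32 = True
                findings.append(f"O4: {m['key']} starts winsrv32.exe (Surferbar.a loader)")
            dll = rundll32_target(m["cmd"])
            if dll and split_ads_path(dll):
                ads_dll = dll  # DLL lives in a named stream: the AFlooder tell
                findings.append(f"O4: rundll32 loads a DLL from an NTFS stream: {dll}")
    if ads_dll:
        variant = "Surferbar.AFlooder"
    elif saw_winsrv32:
        variant = "Surferbar.a"
    else:
        variant = "surferbar indicators, variant unclear" if findings else None
    # The Uninstall entry point is what the article reports for this parasite's
    # stream-hosted DLL; an arbitrary DLL does not export one.
    uninstall = f"rundll32 {ads_dll},Uninstall" if ads_dll else None
    return {"variant": variant, "findings": findings, "ads_dll": ads_dll, "uninstall": uninstall}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("variant:", result["variant"])
    for finding in result["findings"]:
        print(" -", finding)
    if result["uninstall"]:
        print("Run-box command from the article:", result["uninstall"])
```

Paste a real log into SAMPLE_LOG (or read one from a file) and the script reports which of the article's indicators are present; the stream check looks only at the final path component, so a normal C:\WINDOWS\System32\foo.dll path is never mistaken for a stream.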
Those of you reading this online, please bear in mind that this information was written on September 2, 2003, and may be out of date by the time you read this. If these instructions do not help you remove this parasite, please ask for assistance at our support forums.
Links:
http://tomcoyote.org/hjt/ :: Download HijackThis
http://www.spywareinfo.com/forums/ :: SWI Forums
http://patriot.net/~carvdawg/docs/dark_side.html :: Alternate Data Streams explained