PandaLabs has detected the appearance of Searchmeup, the first adware to use the Exploit/LoadImage vulnerability to install itself on computers without the user's permission. The pages from which Searchmeup is downloaded also contain a series of exploits that download other malware onto the computer, such as the Tofger.AT Trojan (which steals banking passwords), Dialer.BB, Dialer.NO, and another adware program called Adware/TopConvert.
Searchmeup is downloaded onto the computer when the user visits certain web pages. Once installed, it changes the browser home page to that of a search engine which displays pop-ups every time it loads, with the aim of installing spyware and dialers on the computer.
The web pages from which Searchmeup is downloaded also drop Tofger.AT onto computers, a Trojan that runs every time Internet Explorer is opened. Tofger.AT monitors what the user does on the Internet and logs the passwords used in HTTPS connections, the kind used for online banking; because it runs on the victim's machine, it captures the credentials before the browser encrypts them, so the secure connection itself offers no protection. In addition, whenever it detects certain names in the URL, it tries to capture the passwords used for the following banks: cajamadrid, bpinet, millenniumbcp, hsbc, barclays, lloydstsb, halifax, autorize, bankofamerica, bancodevalencia, cajamar, portal.ccm, bancaja, caixagalicia, caixapenedes, ebankinter, caixasabadell, bes, banif, totta, bancomais, montepiogeral, patagon, lacaixa, citibank, bbvanet, banesto, e-trade and unicaja. Once it has collected this information, Tofger.AT sends it to a remote server.
Searchmeup can also cause an error in services.exe, after which Windows reports that the computer will be restarted in one minute. After the restart the computer operates normally. On some occasions Searchmeup can also cause blue-screen errors. A services.exe error followed by a forced one-minute restart countdown on a machine that has just visited an unfamiliar web page is therefore an indicator worth investigating. Tofger.AT, for its part, can update itself to a new version.
“The appearance of Searchmeup is a sign of the continuous evolution of malware, and of adware and spyware in particular. The first stage was that adware reached computers as a component of a freeware application, then web pages appeared that installed adware on users’ computers using ActiveX. Now they have gone a step further, as Searchmeup exploits a vulnerability that even virus creators had not used until now,” explains Luis Corrons, director of PandaLabs.
The Exploit/LoadImage vulnerability used by Searchmeup affects computers running Windows 2003/XP/2000/NT/Me/98 and allows arbitrary code to be run on the computer. It can be exploited by an attacker hosting a specially crafted cursor or icon file on a malicious web page or in an HTML email; viewing the page or message is enough, and no download prompt or user confirmation is involved. Microsoft has corrected the problem in security bulletin MS05-002 (update KB891711, "Vulnerability in Cursor and Icon Format Handling Could Allow Remote Code Execution"), and installing it is strongly advised; administrators can confirm the update is present by checking for KB891711 in Add/Remove Programs or the Windows Update history. For more information: http://www.microsoft.com/technet/security/bulletin/ms05-002.mspx
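As an added example (not Panda's code, and not a reproduction of the Searchmeup exploit, whose exact malformation this advisory does not describe), here is a Python structural check for ICO/CUR files retrieved from a suspicious page, for instance the target of a CSS cursor: url(...) rule or a <link rel="shortcut icon"> reference. It parses the documented ICONDIR/ICONDIRENTRY layout of the Windows icon format and flags files whose directory entries claim image data that does not fit in the file. The build_icon helper and its 1x1 sample icon are constructed here purely for demonstration.

```python
import struct

# ICO/CUR container layout (the documented Windows icon resource format):
# ICONDIR header, then `count` ICONDIRENTRY records, then the image data each entry points at.
ICONDIR_FMT = "<HHH"            # reserved (0), type (1 = icon, 2 = cursor), count
ICONDIRENTRY_FMT = "<BBBBHHII"  # width, height, colours, reserved, planes|hotspot x, bpp|hotspot y, bytes, offset
ICONDIR_SIZE = struct.calcsize(ICONDIR_FMT)      # 6 bytes
ENTRY_SIZE = struct.calcsize(ICONDIRENTRY_FMT)   # 16 bytes


def check_ico(data: bytes) -> list:
    """Return the structural inconsistencies found in an ICO/CUR image (an empty list means it is consistent).

    This is a generic sanity check on the directory: every entry must point inside the file and
    declare an image size that actually fits. It does not identify any specific exploit.
    """
    problems = []
    n = len(data)
    if n < ICONDIR_SIZE:
        return ["file shorter than the 6-byte ICONDIR header"]
    reserved, ftype, count = struct.unpack_from(ICONDIR_FMT, data, 0)
    if reserved != 0:
        problems.append(f"ICONDIR.reserved is {reserved}, expected 0")
    if ftype not in (1, 2):
        problems.append(f"ICONDIR.type is {ftype}, expected 1 (icon) or 2 (cursor)")
    if count == 0:
        problems.append("ICONDIR.count is 0 (no images)")
    dir_end = ICONDIR_SIZE + count * ENTRY_SIZE
    if dir_end > n:
        problems.append(f"directory claims {count} entries ({dir_end} bytes) but the file is only {n} bytes")
        return problems  # nothing more can be parsed safely
    for i in range(count):
        off = ICONDIR_SIZE + i * ENTRY_SIZE
        _w, _h, _colours, ent_reserved, _planes, _bpp, size, img_off = struct.unpack_from(ICONDIRENTRY_FMT, data, off)
        if ent_reserved != 0:
            problems.append(f"entry {i}: reserved byte is {ent_reserved}, expected 0")
        if img_off < dir_end:
            problems.append(f"entry {i}: image offset {img_off} points inside the directory")
        # Python integers do not wrap, so img_off + size is compared honestly even when size is near 2**32.
        if size == 0 or img_off + size > n:
            problems.append(f"entry {i}: declared image size {size} at offset {img_off} does not fit in a {n}-byte file")
    return problems


def build_icon(entry_size=None, entry_offset=None) -> bytes:
    """Build a minimal 1x1 32-bpp icon (constructed sample, not taken from any real page).

    entry_size / entry_offset override the ICONDIRENTRY fields so a malformed variant can be produced.
    """
    # BITMAPINFOHEADER: 40-byte header, width 1, height 2 (XOR + AND planes), 1 plane, 32 bpp, no compression
    bih = struct.pack("<IiiHHIIiiII", 40, 1, 2, 1, 32, 0, 8, 0, 0, 0, 0)
    pixels = struct.pack("<BBBB", 0, 0, 255, 255)   # one BGRA pixel (opaque red)
    and_mask = b"\x00\x00\x00\x00"                  # 1-bit mask row padded to 4 bytes
    image = bih + pixels + and_mask
    size = len(image) if entry_size is None else entry_size
    offset = ICONDIR_SIZE + ENTRY_SIZE if entry_offset is None else entry_offset
    header = struct.pack(ICONDIR_FMT, 0, 1, 1)
    entry = struct.pack(ICONDIRENTRY_FMT, 1, 1, 0, 0, 1, 32, size, offset)
    return header + entry + image


if __name__ == "__main__":
    for label, blob in [("well-formed", build_icon()),
                        ("oversized entry", build_icon(entry_size=0xFFFFFFFF)),
                        ("offset into directory", build_icon(entry_offset=4))]:
        print(label, "->", check_ico(blob) or "consistent")
```

Run check_ico on the bytes of a cursor or icon file before anything on an unpatched machine hands it to LoadImage. A non-empty result for a file served by a page that had no reason to reference icons is grounds to quarantine it; an empty result is not a clean bill of health, only the absence of gross directory inconsistencies.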
Given the danger posed by Searchmeup and Tofger.AT, Panda Software advises users to take precautions and keep their antivirus software updated. Applying the MS05-002 patch matters just as much: an updated antivirus detects the payload, but the patch removes the entry point. Panda Software clients already have the updates available to detect and disinfect the new malicious code.
Panda Software's clients can already access the updates for installing the new TruPrevent™ Technologies along with their antivirus protection, providing a preventive layer of protection against new malicious code. For users with a different antivirus program installed, Panda TruPrevent™ Personal is compatible with and complements those products, providing a second layer of preventive protection that acts while a new virus is still being studied and the corresponding update is being incorporated into traditional antivirus programs, decreasing the risk of infection. More information about TruPrevent™ Technologies at http://www.pandasoftware.com/truprevent.
Users can also scan and disinfect their computers using Panda ActiveScan, the free, online scanner available from: www.pandasoftware.com.
More information about Searchmeup and Tofger.AT is available from: http://www.pandasoftware.com/virus_info/encyclopedia/
On receiving a possibly infected file, Panda Software's technical staff get straight down to work. The file is analyzed and, depending on its type, the action taken may include disassembly, macro scanning, code analysis, etc. If the file does in fact contain a new virus, the detection and disinfection routines are prepared and quickly distributed to users.