The opinions expressed herein are entirely my own and do not represent the opinions of any other entity with which I am affiliated. Opinions expressed in comments and trackbacks are those of their respective authors and do not necessarily reflect my own point of view.
All works are licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 United States License.
© Copyright 2006-2009 MalwareTeks
IE Defender is a rogue security program that uses flawed, inadequate detections scheme and the false positives work as goad to purchase. Possibly Ultimate Defender clone.
You read about some starlet on CNN.com, and decided to Google her name. While checking out the pages returned from your search; You encounter a page with a supposed video of her in a compromising situation. You are greeted with something that looks like this:
Shortly afterwards, as in mere seconds, you are present with a download prompt to download and install a file you believe to be a Codec needed to view the Video on the site.
As soon as you install the “Fake Codec” you immediately start recieving pop-ups.
Clicking OK results in IE Defender being installed.
Other signs you have been infected:
HijackThis entries to look for:
O2 - BHO: 3GP - {5D67E2E7-0C2B-4491-87C4-37F2AC6033D2} - C:\WINDOWS\system32\a3gpcodec.dll
O2 - BHO: AlphaDivX - {3B236BEE-8200-421D-919D-CA17D5739D8F} - C:\WINDOWS\system32\aDivX.dll
O2 - BHO: BetaDivX - {48BF2BC0-2945-11D8-8CAC-00080FC65465} - C:\WINDOWS\system32\IR9V0_QCX.dll
O2 - BHO: BetaDivX - {D99BACC6-6289-4D4F-8BAF-4192016AF547} - C:\Windows\System32\bDivX.dll
O2 - BHO: IntelVideoCodec - {04F7FAC5-F506-4F29-9094-9CB9144B192C} - C:\WINDOWS\system32\IntelVideo.dll
O2 - BHO: IntelVideoCodec - {33A12BEB-3219-4CA8-99B4-733192704C62} - C:\WINDOWS\system32\IntelVideoDivX.dll
O2 - BHO: IntelVideoCodec - {AF36E90A-44CA-4EE3-B578-C07383623217} - C:\Windows\System32\Video32.dll
O2 - BHO: Mp3 Video - {2B659BB5-3E85-4BC6-BAFC-98FEDFF3AE99} - C:\WINDOWS\system32\VideoMP3.dll
O2 - BHO: Mp3 Video - {5DE176A4-B5FF-4D50-B084-E047526B8E97} - C:\WINDOWS\system32\VideoMP3.dll
O2 - BHO: Mp3 Video - {6FFE49B7-F475-4EAB-8E80-E5D74C4E8D5F} - C:\WINDOWS\system32\VideoMP3.dll
O2 - BHO: Mp3 Video - {D4FD35A3-101C-4FAA-A9CA-E8C9461C3CEF} - C:\WINDOWS\system32\mp3avi.dll
O2 - BHO: Mp3 Video - {9A1EF21C-B0D4-4EB0-894F-CBAE2F4D0A82} - C:\WINDOWS\system32\mp3avi.dll
O2 - BHO: RealMedia - {0EEDB911-C5FA-486F-8334-57288578C627} - C:\WINDOWS\system32\XunLeiBHO_Now.dll
O2 - BHO: RealMedia - {87B570FB-D2CF-4D3C-8E1B-E1E7018BBA95} - C:\WINDOWS\system32\dx50codec.dll
O2 - BHO: Video DivX 3.12 - {09D72564-27E2-4F12-8AB6-03F83E4567DE} - C:\WINDOWS\system32\sysdivx.dll
O2 - BHO: Video DivX 3.12 - {7A23A1E8-B2AB-4C50-AD12-9E19B747E17C} - C:\WINDOWS\system32\sysdivx.dll
O2 - BHO: Video DivX 3.12 - {F02B8C83-C817-4EA2-A499-29257DA0373A} - C:\WINDOWS\system32\sysdivx.dll
O2 - BHO: Video On-line - {032706C0-EB72-4DF0-ABF6-B89958D2A6CC} - C:\WINDOWS\system32\PowerVideo.dll
O2 - BHO: Video On-line - {323301C5-CB6B-490C-B59F-E7FAD4D69C93} - C:\WINDOWS\system32\PowerVideo.dll
O2 - BHO: Video On-line - {66D69CC1-5373-4730-AB8E-24D2AB7FF95F} - C:\WINDOWS\system32\PowerVideo.dll
O2 - BHO: Video On-line - {741403DD-46A4-4D58-8FA7-427335C3BBF6} - C:\WINDOWS\system32\PowerVideo.dll
O2 - BHO: Video On-line - {BD907325-42B2-4077-BA63-F636B627C998} - C:\Windows\System32\PowerVideo.dll
On the Desktop:
In the System Tray:
Screenshot of the IE Defender website:
IE Defender WHOIS information: http://whois.domaintools.com/iedefender.com
Registration Service Provided By: ESTDOMAINS INC
Contact: +1.3027224217
Website: http://www.estdomains.comDomain Name: IEDEFENDER.COM
Registrant:
PrivacyProtect.org
Domain Admin (Whois Privacy and Spam Prevention by DomainTools.com)
P.O. Box 97
All Postal Mails Rejected, visit Privacyprotect.org
Moergestel
null,5066 ZH
NL
Tel. +45.36946676Creation Date: 05-Oct-2007
Expiration Date: 05-Oct-2008Domain servers in listed order:
ns2.iedefender.com
ns1.iedefender.comAdministrative Contact:
PrivacyProtect.org
Domain Admin (Whois Privacy and Spam Prevention by DomainTools.com)
P.O. Box 97
All Postal Mails Rejected, visit Privacyprotect.org
Moergestel
null,5066 ZH
NL
Tel. +45.36946676Technical Contact:
PrivacyProtect.org
Domain Admin (Whois Privacy and Spam Prevention by DomainTools.com)
P.O. Box 97
All Postal Mails Rejected, visit Privacyprotect.org
Moergestel
null,5066 ZH
NL
Tel. +45.36946676Billing Contact:
PrivacyProtect.org
Domain Admin (Whois Privacy and Spam Prevention by DomainTools.com)
P.O. Box 97
All Postal Mails Rejected, visit Privacyprotect.org
Moergestel
null,5066 ZH
NL
Tel. +45.36946676Status:ACTIVE
There is now an automated removal script for this infection. You can download the fix at http://www.malwareteks.com/FixIEDef.php
Comment Meta:
XHTML:
More Options ...
Categories
Tag Cloud
Blog RSS
Comments RSS
Void « Default
Life 
Earth 
Wind 
Water 
Fire Light
Previous: 
Next: 
Last 50 Posts 
Back