Quick Links: SpywareGuide Greynets Blog | SpywareGuide Product Database | SpywareGuide Company Database | SpywareGuide Categories
Search SpywareGuide Database & Site
Security Email Alerts & Updates
SpywareGuide powered by FaceTime Security Labs

Dissection of Rogue Google Toolbar Payload

by Chris Criswell, Wayne Porter

For background on this supporting article see Boyd: "The Rogue Google Toolbar: History and Variants"


For testing purposes the CHM file (File Extension for a Microsoft Compressed HTML Help Files)?was acquired and decompiled using  specialized forensic tools.


Three files emerged from this analysis:

  1. Index.exe
  2. index.html
  3. index.hhp

Install.exe was unpacked using UPX1

BinText was utilized to?view contents.


Two CLSIDs were located: For more information see Wikipedia entry on Globally Unique Identifiers of which the
CLSID (class identifier)?is a GUID subtype.

000079A8?? 004079A8????? 0?? SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E427A57F-1A94-0BFC-6D7A-6DC214946AD4}


00007A0C?? 00407A0C????? 0?? SOFTWARE\Microsoft\Code Store Database\Distribution Units\{11111111-1111-1111-1111-111111111157}


First CLSID:? {E427A57F-1A94-0BFC-6D7A-6DC214946AD4}


Using standard search procedures it was trivial to locate this CLSID via a search engine query which returned the 
following results:


CastleCops: http://castlecops.com/p598484-ABI_Network_direct_revenue.html

O16 - DPF: {E427A57F-1A94-0BFC-6D7A-6DC214946AD4} - ms-its:mhtml:file://c:\\nosuch.mht!http://users.perfhost.com/~zone14/z/index.chm::/index.exe




Tomcoyote: http://tomcoyote.org/forums/lofiversion/index.php/t43312.html


O16 - DPF: {E427A57F-1A94-0BFC-6D7A-6DC214946AD4} - ms-its:mhtml:file://c:\\nosuch.mht!http://users.perfhost.com/~zone14/z/index.chm::/index.exe



Of notable interest regarding this exploit is the methodology discovered with analysis using X-RayPC, a FaceTime process forensic tool,
The result is highlighted in yellow.


This string shows up in the downloaded files area (Active X portion) of X-RayPC.

ms-its: mhtml:file://


This search string can be chronologically located as far back?as 2003.?
The sample below is from May 26, 2004

pqnelhleyy 23acd9ae 61752f07

Reference Spywareinfo.com Forums: http://forums.spywareinfo.com/lofiversion/index.php/t2561.html

Second CLSID: {11111111-1111-1111-1111-111111111157}

Reference CastleCops: http://castlecops.com/atx-200.html

Reference: WildersSecurity.com http://www.wilderssecurity.com/showthread.php?p=182524

Based on the CLSIDs and other behaviors the file exhibits it is apparent the responsible parties are related to or are controlled by the CWS family of spyware.

1. Executable Packing is the process of compressing an executable file and
prepending adecompression stub, which is responsible for decompressing the
executable and initiating execution. The decompression stub is a standalone executable,
making packed and unpacked executables indistinguishable to the casual user as they are
not required to perform any additional steps to start execution. Software distributors
use executable packing for a variety of reasons, primarily to reduce the secondary storage
requirements of their software, however as UPX is specifically designed to compress executable
code it often achieves better compression ratios than standard data compression facilities
such as gzip, zip or bzip2. Source: Wikipedia

Unless otherwise noted this article is Copyright © 2021 by FaceTime Communications, Inc. This article may not be resold, reprinted, or redistributed for compensation of any kind without prior written permission from FaceTime Communications, Inc. For reprint or media inquires please contact us with the phrase "Spyware Guide Articles" in the subject line and we will by happy to assist you. Links to this article from other websites are appreciated and encouraged. Users are also encouraged to utilize our RSS system to provide unique content and extracts for their site.

Related Articles

Read other articles (back to full list)

Help with the BUST!
Click here and give us what details you have and let our international research team take it from there. If you desire your report will remain anonymous.
Recent Blog Posts
Notice: Undefined index: version in /data/www/spywareguide/magpierss/rss_parse.inc on line 228
  • A Year In Security
  • Youtube Comment Bot Spams In Waves
  • VGA Awards Trailers Used As Bait For Spam Offers
  • Fake Visa Electronic Report Serves Up Zbot Data Stealer
  • Banned Console Owners Beat The System - With Stickers
  • Spot The Hack
  • The Futility Of EULAs
  • Auto Whaler Spears Phishers
  • Fake Porn Grabbers Snag Nothing But Malware
  • Console DDoS Botnets - A Thriving Industry
  • Recent Modifications
    2021-8-24  Adult Networks/Services
    2017-2-10  Adult Hosts
    2016-3-30  CoolWebSearch
    2015-9-29  Malicious URLS
    2015-5-19  Dialers
    2015-1-5  Email Threats
    2013-7-20  Date Manager
    2013-4-10  BeeBus
    2012-12-18  JT.Moonwalk
    2012-12-18  Sadbiz

    Site EULA | Site Map | Contact Us | About Us | Site and Spyware FAQ | Advertise | RSS Feeds  | Link To Us | SpywareGuide Japan Japanese

    © Copyright 2007, FaceTime Communications, Inc. All rights reserved.