
Shop At Home Select- What's Happened.

by Chris Boyd, Wayne Porter

Date: October 18, 2005

Spyware Research

A recent install from a website pushing photographs of celebrities installs numerous programs onto the end-user's PC, including Shop at Home Select, Sidefind, Your Site Bar, Powerscan, Bullseye Networks and Internet Optimizer. This payload is enough to cause issues with CPU performance - however, there are a number of additional items which appear on the desktop some time after the initial install is complete. These additional links lead to more installs, one of which attempts to cause deliberate confusion with a service name similar to a legitimate program.

The install in action

We have a film of the bundle in action - unfortunately, due to the length of time it takes to install, the video file is well over 350MB in size! From the video, we can tell you that in IE, the ActiveX installer is presented to the user upon visiting the target website (00:06) and clicking "no" (00:32) will result in repeated popups asking the user to click "yes" to continue to view the site - even though after cancelling out, the content is perfectly viewable without installing the software. Once the user attempts to navigate to any section containing images, the ActiveX installer will continue to appear on every page and at (1:03), clicking an "image" file actually opens up a prompt to install software. In this case, the .EXE is named after the celebrity. In effect, there are no images to view barring the thumbnails.

Switching to Firefox, we now find at (1:46) that the familiar ysbweb tactic of checking for either an IE browser or a Firefox one comes into play, and instead of an ActiveX prompt, we are greeted with a "fake" yellow information bar across the top of the screen, and a Java applet - which gives no indication of what lies behind it. The yellow bar attempts to install a plugin, and the applet tries to lead you back to the bundle launched from IE.

At (2:08) the desktop executable is launched. At this point, the install begins and the software downloads onto the target PC. Shop at Home Select makes an appearance at (3:15), along with numerous other programs.

After the install

Upon opening IE, you can see a few of the programs that have been installed (SideFind and Your Site Bar, branded on this occasion with MTV logos):

But after switching the machine off and restarting, it becomes clear that the install does not complete in one session. After a while, numerous icons appear on the desktop - three IE links, and one MS-Dos file:

Of the three links, the "career boost" and "dream date" links used redirects to take you to pages apparently supplied by Azoogle. The third, "Casino games", brings up the following (as yet) unknown executable:

This .EXE attempts to install Casino software, which prompts players to create login details (including name, address etc) as long as the player is legally allowed to gamble.

The final installer is the MS-Dos file misleadingly entitled "pictures". Running the .EXE does not appear to do anything - however, two lines of traffic are transmitted, apparently from ysbweb:

and a new service is added - the misleadingly titled aolserviceshosts.exe:

This is clearly intended to cause confusion with the genuine Aolservicehost.exe (note the "s" is missing from the end of the word "host" in the genuine version). Once this was installed, the CPU usage went crazy and the system became unstable, resulting in no other option but to turn the machine off.
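Lookalike service names such as aolserviceshosts.exe versus the genuine Aolservicehost.exe are easy to miss by eye. As an added example (not part of the original article or its tools), the following Python script scans a constructed service inventory for names that are within a small edit distance of a known-good name without being identical to it; the allowlist and sample inventory are assumptions for illustration.

```python
"""Flag service/process names that nearly match a legitimate name.

The article's aolserviceshosts.exe differs from Aolservicehost.exe by two
inserted characters; an edit-distance check over an inventory catches
such near misses. LEGIT_NAMES and SAMPLE_SERVICES are constructed here.
"""
from dataclasses import dataclass

# Assumed allowlist a defender maintains; the AOL name is from the article.
LEGIT_NAMES = ["Aolservicehost.exe", "svchost.exe"]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance computed with a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


@dataclass
class Finding:
    name: str       # suspicious name found in the inventory
    mimics: str     # legitimate name it resembles
    distance: int   # edit distance between the two


def find_lookalikes(names, legit=LEGIT_NAMES, max_distance=2):
    """Return inventory entries close to, but not equal to, a legit name.

    Comparison is case-insensitive because Windows file names are."""
    findings = []
    for name in names:
        for good in legit:
            d = edit_distance(name.lower(), good.lower())
            if 0 < d <= max_distance:
                findings.append(Finding(name, good, d))
                break
    return findings


# Constructed sample inventory, as one might collect from tasklist / sc query.
SAMPLE_SERVICES = ["Aolservicehost.exe", "aolserviceshosts.exe",
                   "explorer.exe", "svchost.exe"]

if __name__ == "__main__":
    for f in find_lookalikes(SAMPLE_SERVICES):
        print(f"{f.name} resembles {f.mimics} (edit distance {f.distance})")
```

Exact matches (distance 0) are never flagged, so the genuine Aolservicehost.exe passes while the impostor is reported.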

Unless otherwise noted this article is Copyright © 2021 by FaceTime Communications, Inc. This article may not be resold, reprinted, or redistributed for compensation of any kind without prior written permission from FaceTime Communications, Inc. For reprint or media inquiries please contact us with the phrase "Spyware Guide Articles" in the subject line and we will be happy to assist you. Links to this article from other websites are appreciated and encouraged. Users are also encouraged to utilize our RSS system to provide unique content and extracts for their site.
