
BHO scanning tool and New Scam Targets Bank Customers

This topic is archived.
Walt Starr Donating Member (1000+ posts) Tue Jun-29-04 04:31 PM
Original message
BHO scanning tool and New Scam Targets Bank Customers
Handler's Diary June 29th 2004
Updated June 29th 2004 18:17 UTC
BHO scanning tool and New Scam Targets Bank Customers
------------------------------------------
Browser Helper Objects (BHO) scanning tool
------------------------------------------

BHODemon is a free tool that will list all Browser Helper Objects that are installed on a Windows system by scanning the registry and give you the ability to disable them. This will also list "good" BHOs as well, but nevertheless is a useful tool in detecting and disabling malicious software.

It is available at: http://www.definitivesolutions.com/bhodemon.htm

-------------------------------
New scam targets bank customers
-------------------------------

On June 24th, a visitor to the SANS Internet Storm Center reported that his company was "...in the middle of a very disturbing ... issue regarding the adware/spyware/IE exploit genre..." He requested help analyzing an "encrypted or compressed" file that had been downloaded to a machine at their site. Tom Liston, one of our volunteer handlers, spent the weekend analyzing this issue. His findings are summarized here.

The victim of the attack found that a file called "img1big.gif" had been loaded onto their machine. Because of the account restrictions on the person running the machine, it had failed to install properly, which was why it had come to their attention. It is this file that they forwarded to the SANS Internet Storm Center for analysis.

The file is not a graphic file at all. It is actually a 27648 byte Win32 executable that has been compressed using the Open Source executable compressor UPX. This file decompresses to an 81920 byte file which contains two Win32 executables bound together. The first portion of the file (and what actually runs if the file extension is changed and the program is launched) is a "file dropper" Trojan, designed to install any executable concatenated to its body. The second half of the file consists of a Win32 DLL that is installed by the file dropper under WindowsXP as a randomly named .dll file under C:\WINDOWS\System32\. This DLL is installed as a "Browser Helper Object" (BHO) under Internet Explorer

http://isc.incidents.org/diary.php?date=2004-06-29

I recommend using Opera, Mozilla, or Firefox browsers for online transactions as this exploit affects IE.
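The static checks the diary excerpt describes (a ".gif" that is really a Win32 executable, UPX packing, and a second executable bound to the first) can be sketched as follows. This is an added example, not part of the original post or the SANS diary; the function names and the sample bytes are constructed for illustration, and `UPX0`/`UPX1` are the section names UPX writes by default.

```python
import struct

IMAGE_EXTS = (".gif", ".jpg", ".jpeg", ".png", ".bmp")

def pe_header_offset(data, base=0):
    """Offset of the 'PE\\0\\0' signature if a PE image starts at base, else None."""
    if data[base:base + 2] != b"MZ" or len(data) < base + 0x40:
        return None
    e_lfanew = struct.unpack_from("<I", data, base + 0x3C)[0]
    pe = base + e_lfanew
    return pe if data[pe:pe + 4] == b"PE\0\0" else None

def section_names(data, pe):
    """Names from the section table that follows the COFF and optional headers."""
    if len(data) < pe + 24:
        return []
    nsec, = struct.unpack_from("<H", data, pe + 6)
    opt_size, = struct.unpack_from("<H", data, pe + 20)
    table = pe + 24 + opt_size
    return [data[table + 40 * i:table + 40 * i + 8].rstrip(b"\0").decode("ascii", "replace")
            for i in range(min(nsec, 96))]

def triage(filename, data):
    """Flag a PE hiding behind an image extension, UPX sections, and bound PE images."""
    pe = pe_header_offset(data)
    report = {"is_pe": pe is not None, "extension_mismatch": False,
              "upx_sections": [], "embedded_pe_offsets": []}
    if pe is None:
        return report
    report["extension_mismatch"] = filename.lower().endswith(IMAGE_EXTS)
    # Default UPX names only; a modified packer can rename its sections.
    report["upx_sections"] = [n for n in section_names(data, pe) if n.startswith("UPX")]
    pos = data.find(b"MZ", 2)
    while pos != -1:  # a second valid MZ/PE header means another executable is attached
        if pe_header_offset(data, pos) is not None:
            report["embedded_pe_offsets"].append(pos)
        pos = data.find(b"MZ", pos + 2)
    return report

def make_pe(names):
    """Constructed PE-shaped header bytes (not a runnable program) used as sample input."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, 0, 0x102)
    return dos + b"PE\0\0" + coff + b"".join(n.encode().ljust(40, b"\0") for n in names)

PACKED_SAMPLE = make_pe(["UPX0", "UPX1", ".rsrc"])                      # as downloaded
UNPACKED_SAMPLE = make_pe([".text", ".data"]) + make_pe([".text", ".reloc"])  # after unpacking
```

On a still-packed file only the extension mismatch and the UPX sections show up, because the bound DLL is compressed; the second header becomes visible once the image has been unpacked.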
mbperrin Donating Member (1000+ posts) Tue Jun-29-04 04:48 PM
Response to Original message
1. Thanks for the tip! I just downloaded
Firefox; is it possible that it loads faster or is it just me?
 
hightime Donating Member (395 posts) Tue Jun-29-04 05:43 PM
Response to Reply #1
2. It was very slow to load for me at work, much faster at home.
 
AnnInLa Donating Member (1000+ posts) Tue Jun-29-04 05:50 PM
Response to Original message
3. Scanning tool
Thanks for the scanning tool...had a horrendous episode with unwanted BHOs recently, glad now to have the tool.
 
mrsteve Donating Member (713 posts) Tue Jun-29-04 07:18 PM
Response to Original message
4. Use Ad-aware also...
It checks for both malicious and non-malicious spyware, and gives you the option to delete if you wish (including cookies).

Been using it at work for years - keeps a lot of pesky IE add-ins away.

Although Opera, Mozilla, or Firefox are usually better browser choices, they won't let us use anything other than IE at the office.

Lavasoft Sweden website for Ad-aware