First Adware To Exploit LoadImage Flaw

by CXOtoday Staff    Mar 04, 2005

PandaLabs has detected the appearance of Searchmeup, the first adware to use the Exploit/LoadImage vulnerability to download onto computers without users’ permission.

The pages from which Searchmeup is downloaded also contain a series of exploits that download other malware onto the computer, such as the Tofger.AT Trojan (which steals banking passwords), Dialer.BB and Dialer.NO, and another adware program called Adware/TopConvert.

Searchmeup is downloaded onto the computer when the user visits certain Web pages. Once installed, it changes the home page to that of a search engine which displays pop-ups every time it loads, with the aim of installing spyware and dialers on the computer.

The Web pages from which Searchmeup is downloaded also drop the Tofger.AT Trojan onto computers, which runs every time Internet Explorer is opened. Tofger.AT keeps track of what the user is doing on the Internet, logging the passwords used in secure ‘https’ connections, which are often used to connect to online banks.

Searchmeup can also cause an error in the ‘services.exe’ file and then displays a message that the computer will be restarted in one minute. After the restart, the computer operates normally. On some occasions, Searchmeup can also cause blue screen errors. Tofger.AT is also able to update itself to a new version.

“Adware reached computers as a component of a freeware application, then Web pages appeared that installed adware on users’ computers using ActiveX. Now they have gone a step further, as Searchmeup exploits a vulnerability that even virus creators had not used until now,” explains Luis Corrons, director of PandaLabs.

The Exploit/LoadImage vulnerability exploited by Searchmeup affects computers with Windows 2003/XP/2000/NT/Me/98, and allows arbitrary code to be run on the computer.

It could be exploited by an attacker hosting a specially-crafted cursor or icon on a malicious web page or HTML email. Microsoft has released a patch to correct this problem, and it is advisable to install it.
