A nasty new browser hijacker/trojan has been discovered and is spreading across the web at a rapid pace. Dozens of threads have sprung up at the support forums started by people infected with the Surferbar hijacker. There are two known variants of this hijacker currently, which I'll call Surferbar.a and Surferbar.AFlooder. Both variants hijack Internet Explorer's start page to www.surferbar.com.
Surferbar.a is a simple browser hijacker and can be cleaned up easily using HijackThis. Look for the following entries in HijackThis and have it remove them:

    O4 - HKCU\..\RunOnce: [win32] c:\program files\winsrv32.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.surferbar.com/
    O3 - Toolbar: SurferBar - {FF7FD490-34E7-4FA1-927A-F5799E6AAD7B} - c:\PROGRA~1\win32.dll

When you have done that, find and delete c:\program files\winsrv32.exe.
A few victims are convinced they received Surferbar.a after downloading and installing Kazaa Lite K++. I haven't had a chance to clarify whether they meant the software itself installed the hijack, a pop-up ad on a mirror site installed it, or they all used the same download mirror. Presently, this information is very much unconfirmed. However, I recommend staying away from Kazaa Lite even without this problem, as it's an unauthorized cracked version of the real Kazaa.
Surferbar.AFlooder is rather more complicated. In addition to hijacking the start page and adding an unwanted toolbar, this variant appears also to be either a keylogger or a remote access trojan (or both), and possibly an SMTP proxy for spammers to use to relay spam.
Surferbar.AFlooder uses an obscure method of writing data to an NTFS-formatted hard drive to embed itself directly into your system32 folder. Not inside the folder: it is actually embedded within the folder entry itself. It sounds nuts, but the NT File System allows that to happen using something called "Alternate Data Streams" (ADS), which can be attached to a directory as well as to a file.
ADS allows you to store information "under the hood" of the file system, where normally you cannot see or manipulate it. Think of ADS information as metadata, similar to the track/artist/title information that can be stored in an MP3. Unfortunately, Microsoft has provided no way to view or manipulate this ADS information without the use of third-party tools.
Fortunately, this parasite includes a not-so-secret uninstall command, which is revealed in a string of text within the file. If you or someone you are helping has been hijacked to surferbar.com, but you do not have the winsrv32.exe startup entry, then you probably have the AFlooder variant. Your HijackThis results will be similar to this:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.surferbar.com/
    O3 - Toolbar: SurferBar - {FF7FD490-34E7-4FA1-927A-F5799E6AAD7B} - c:\PROGRA~2\win32.dll
    O4 - HKLM\..\Run: [tywsmhd] rundll32 C:\WINDOWS\System32:tywsmhd.dll,Init 1
Removing these entries with HijackThis is of no use. A program running in the background will immediately reinstall any entries that are removed. Even booting to safe mode won't help with this.

Pay attention to the path of the dll file, C:\WINDOWS\System32:tywsmhd.dll, in the example above. The colon after System32 is not a typo: it is how NTFS names a stream attached to the System32 folder itself, which is why the dll does not show up as an ordinary file in that folder. The exact name of the dll will be different each time. Click the "Start" menu, select "Run", and type:

    rundll32 C:\WINDOWS\System32:tywsmhd.dll,Uninstall

Remember to change the name of the dll file to match that found on your computer. Click on "OK", and that should uninstall the parasite completely.
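The variant rule given above (surferbar.com start page plus a winsrv32.exe RunOnce entry means Surferbar.a; surferbar.com start page plus an O4 entry loading a dll from a System32 stream means Surferbar.AFlooder) can be turned into a small checker that reads HijackThis log lines and spots the telltale "folder:stream" path. The following is an added example and is not code from the newsletter or from HijackThis; the sample log text is constructed from the two listings quoted above, and the regular expression, function names, and the way the uninstall command is assembled from the detected stream name are my own.

```python
import re
from dataclasses import dataclass

# Constructed sample logs: the two HijackThis listings quoted in the
# newsletter, with each log entry placed on a single line.
SURFERBAR_A_LOG = """\
O4 - HKCU\\..\\RunOnce: [win32] c:\\program files\\winsrv32.exe
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.surferbar.com/
O3 - Toolbar: SurferBar - {FF7FD490-34E7-4FA1-927A-F5799E6AAD7B} - c:\\PROGRA~1\\win32.dll
"""

AFLOODER_LOG = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.surferbar.com/
O3 - Toolbar: SurferBar - {FF7FD490-34E7-4FA1-927A-F5799E6AAD7B} - c:\\PROGRA~2\\win32.dll
O4 - HKLM\\..\\Run: [tywsmhd] rundll32 C:\\WINDOWS\\System32:tywsmhd.dll,Init 1
"""


@dataclass
class Entry:
    kind: str   # HijackThis section code, e.g. "R0", "O3", "O4"
    body: str   # everything after the "R0 - " / "O4 - " prefix


# "C:\dir\sub:stream": a drive-letter path, then a colon that is NOT the
# drive colon, then a stream name. Ordinary paths have only the drive colon,
# so this pattern (my own, hypothetical) fires only on ADS references.
ADS_RE = re.compile(r"([A-Za-z]:\\[^\s,:]+):([^\s,]+)")


def parse_hijackthis(text):
    """Split HijackThis output into (section code, body) entries."""
    entries = []
    for line in text.splitlines():
        m = re.match(r"^([RFO]\d+) - (.*)$", line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def find_ads_reference(command):
    """Return (host_path, stream_name) when an autorun command loads a file
    from an alternate data stream, otherwise None."""
    m = ADS_RE.search(command)
    return (m.group(1), m.group(2)) if m else None


def classify(log_text):
    """Apply the newsletter's rule to decide which Surferbar variant a log
    shows, and for AFlooder build the rundll32 uninstall line it describes."""
    entries = parse_hijackthis(log_text)
    hijacked = any(e.kind == "R0" and "surferbar.com" in e.body.lower()
                   for e in entries)
    autoruns = [e.body for e in entries if e.kind == "O4"]
    winsrv32 = any("winsrv32.exe" in cmd.lower() for cmd in autoruns)
    ads_hits = [hit for hit in map(find_ads_reference, autoruns) if hit]

    result = {"hijacked": hijacked, "variant": None,
              "ads_hits": ads_hits, "uninstall_command": None}
    if not hijacked:
        return result
    if winsrv32:
        result["variant"] = "Surferbar.a"
    elif ads_hits:
        result["variant"] = "Surferbar.AFlooder"
        host, stream = ads_hits[0]
        # The newsletter's removal step: call the dll's own Uninstall entry
        # point through rundll32, using the stream name found on the machine.
        result["uninstall_command"] = f"rundll32 {host}:{stream},Uninstall"
    return result


if __name__ == "__main__":
    for name, log in (("Surferbar.a", SURFERBAR_A_LOG),
                      ("Surferbar.AFlooder", AFLOODER_LOG)):
        print(name, "->", classify(log))
```

The useful part for a helper reading someone else's log is `find_ads_reference`: a second colon in a Windows path inside an O4 (autorun) entry is the one visible sign of the stream trick, since the file itself will not appear in a normal directory listing.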
Those of you reading this online, please bear in mind that this information was written on September 2, 2003, and may be out of date by the time you read this. If these instructions do not help you remove this parasite, please ask for assistance at our support forums.

~Spyware Weekly Newsletter