
Ace Zip Soft installs Rootkit + ContextPlus spyware, not detected/removed by Spybot



saintly
2005-11-02, 22:13
I installed the following software from 'Ace Zip Soft' wxxx.AceZip.net
hxxp://www.winsite.com/bin/Info?21000000038990

In addition to not deleting duplicate files like it promised, it installed a bunch of spyware, some of which was not detected and removed by either SpyBot, AdAware or Trend Micro's detection/removal tools.

It created the folder
c:\program files\Ituadcom [hidden by rootkit]

and the files:
c:\windows\system32\ieeccwiz.exe [NOT hidden]
c:\windows\system32\mqqkbdsp.exe [hidden by rootkit]
c:\windows\system32\drivers\slwohpen.sys [hidden by rootkit]

and the registry entries:
HKLM\SOFTWARE\CzPemAH8HWFD\* [hidden by rootkit]
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_PCIFIPS\* [hidden]
HKLM\SYSTEM\ControlSet001\Services\PCIFips\* [hidden]

Of those, only 'ieeccwiz.exe' is visible before the rootkit is disabled.

Disclosure:
In the EULA for the software, it says it will install adware from 'ysbweb.com'. This claims to be a 'helpful internet explorer toolbar' that can be removed using the add/remove programs control panel. The toolbar cannot be removed from there, but it is detected and destroyed by spybot.

The other malware that generates popups is the 'Ituadcom' tool. Searching for 'Ituadcom' returns no results from Google. The spyware apparently comes from 'contextplus.net' (which is NOT mentioned in the EULA). Contextplus.net does not contain any removal instructions for their crappy spyware; going to their 'removal page' at

hxxp://www.contextplus.com/uninstall.html

you'll find their directions are 'email us and we'll send you back an uninstaller within 24 hours'.

Likewise, the web page for 'acezip.net' says they'll install yoursitebar.com (ysbweb), 'megasearch toolbar' and 'instafinder', but says nothing about Ituadcom, Context Plus or People On Page.


Removing the malware and stopping the pop-ups:

The \drivers\slwohpen.sys is apparently the rootkit. It's loaded as the 'PCIFips' driver by HKLM\SYSTEM\... and proceeds to hide itself, the Ituadcom folder, the registry entries from the contextplus.net asshats, and god knows what else. Fortunately, it doesn't load when you boot XP into 'safe mode with command prompt'. Delete all the files mentioned above in safe mode and your system should be infestation free.

I used sysinternals.com 's excellent freeware: 'RootKitRevealer' to uncover the rootkit.

http://www.sysinternals.com/Utilities/RootkitRevealer.html

Malware behaviour:
It apparently hijacks DNS and delivers context-related pop-ups with Internet Explorer. It gets ads from the servers 'adchannel.contextplus.net' and possibly 'au.contextplus.net'. 'au' is a CNAME for 'adchannel'. The IP addresses for these servers are: 64.127.103.40-43. An ARIN search shows this netblock to be registered to 'People on Page', a well-known bunch of browser hijackers and malware creators. If you want to block their whole netblock, it's: 64.127.103.32/27 (64.127.103.32 netmask 255.255.255.224).

You can't see the 'Ituadcom' folder with Explorer or from the command line with 'Cmd.exe' when the rootkit is running. If you try to delete the folder from the command line 'c:\program files\> rmdir ituadcom' you'll get the message that the folder is in use. You also can't 'cd' to it with 'cmd.exe'. You CAN see the folder normally with 'command.com':
'cd c:\progra~1\ituadcom\' and 'dir' will show you what's in it, the same as what you see with RootKitRevealer.

PeopleOnPage and ContextPlus:
Their website at hxxp://www.peopleonpage.com/ suggests you download their spyware ("the most addictive thing on the Web since… well, the Web.") and it does mention they will install the software from ContextPlus. Although they seem to want to disassociate themselves from ContextPlus, a quick 'whois' search reveals they're both the same guy:

Zone Contact:
Apropos
Business Owner
26 Avenue Kleber
Paris, 75116
FR
Phone: +44 7788 718 770
Email: bizdev @peopleonpage.com

Disabled Urls.email.
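A worked check of the two actionable points in the post above, added here as an example and not code from the original thread or from Sysinternals: a cross-view comparison in the style RootkitRevealer uses (list an object through the normal Windows API, list it again from a raw scan, and report whatever only the raw scan shows), run over constructed listings that reuse the file and service names from the post, plus a check that the quoted ad-server addresses fall inside the 64.127.103.32/27 netblock and that the stated dotted netmask is the same block. The function names, the sample listings and the "clean" filler entries are mine; on a live system the constructed sets would be replaced with a real API listing and a real raw listing.

```python
import ipaddress

# Constructed sample views, not captured from a real machine. The "API" view is
# what Explorer/cmd.exe would return with the rootkit active; the "raw" view is
# what a raw volume or hive scan (or command.com, per the post) would return.
API_VIEW_SYSTEM32 = {"ieeccwiz.exe", "kernel32.dll", "cmd.exe"}
RAW_VIEW_SYSTEM32 = {"ieeccwiz.exe", "kernel32.dll", "cmd.exe", "mqqkbdsp.exe"}

API_VIEW_DRIVERS = {"ntfs.sys", "tcpip.sys"}
RAW_VIEW_DRIVERS = {"ntfs.sys", "tcpip.sys", "slwohpen.sys"}

API_VIEW_SERVICES = {"Dhcp", "Dnscache"}
RAW_VIEW_SERVICES = {"Dhcp", "Dnscache", "PCIFips"}

# Netblock and hosts as stated in the post.
BLOCKED_NETBLOCK = "64.127.103.32/27"
AD_SERVER_IPS = ["64.127.103.40", "64.127.103.41", "64.127.103.42", "64.127.103.43"]


def cross_view_diff(api_view, raw_view):
    """Compare a high-level listing with a raw listing of the same object.

    Entries present only in the raw view are the classic sign of a rootkit
    filtering API results; entries present only in the API view are reported
    too, since either direction is a discrepancy worth looking at.
    """
    api, raw = set(api_view), set(raw_view)
    return {
        "hidden_from_api": sorted(raw - api),
        "api_only": sorted(api - raw),
    }


def triage(views):
    """Run cross_view_diff over a mapping of location -> (api_view, raw_view)
    and return only the locations that show a discrepancy."""
    findings = {}
    for location, (api_view, raw_view) in views.items():
        diff = cross_view_diff(api_view, raw_view)
        if diff["hidden_from_api"] or diff["api_only"]:
            findings[location] = diff
    return findings


def in_netblock(ip, cidr=BLOCKED_NETBLOCK):
    """True if ip lies inside the CIDR block (strict=True rejects a
    mistyped block whose host bits are set)."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=True)


def netmask_matches(cidr, dotted_mask):
    """True if the dotted netmask describes the same prefix length as cidr,
    e.g. 255.255.255.224 for a /27."""
    return str(ipaddress.ip_network(cidr, strict=True).netmask) == dotted_mask


if __name__ == "__main__":
    sample = {
        r"c:\windows\system32": (API_VIEW_SYSTEM32, RAW_VIEW_SYSTEM32),
        r"c:\windows\system32\drivers": (API_VIEW_DRIVERS, RAW_VIEW_DRIVERS),
        r"HKLM\SYSTEM\ControlSet001\Services": (API_VIEW_SERVICES, RAW_VIEW_SERVICES),
    }
    for location, diff in triage(sample).items():
        print(f"{location}: hidden from API -> {diff['hidden_from_api']}")
    print("all ad servers inside block:", all(in_netblock(ip) for ip in AD_SERVER_IPS))
    print("netmask 255.255.255.224 is /27:", netmask_matches(BLOCKED_NETBLOCK, "255.255.255.224"))
```

The cross-view idea is the whole point: a rootkit that hooks the API path cannot also rewrite what a raw scan reads, so any name that appears only in the raw view is a candidate for follow-up in safe mode, exactly as the post describes for the Ituadcom folder.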

Rosenfeld
2005-11-03, 04:48
I suggest that you disable or break the links to the bad sites, in case people hit them accidentally:-)