VIRUS ALERT
March 2, 2005
MEDIUM
Panda Software Reports the Appearance of Searchmeup, The First Adware Using the Exploit/LoadImage Vulnerability
• Searchmeup is downloaded from web pages that also install Tofger.AT on computers, a Trojan that steals confidential information and online banking passwords
• Microsoft has released a patch to correct this vulnerability; Panda Software recommends that users install it: www.microsoft.com/technet/security/bulletin/ms05-002.mspx
Glendale, CA - March 2, 2005 - Panda Software’s PandaLabs has detected the appearance of Searchmeup, the first adware to use the Exploit/LoadImage vulnerability to download onto computers without users’ permission. The pages from which Searchmeup is downloaded also contain a series of exploits that download other malware onto the computer, such as the Tofger.AT Trojan (which steals banking passwords), Dialer.BB, Dialer.NO, and another adware program called Adware/TopConvert.
Searchmeup is downloaded onto the computer when the user visits certain web pages. Once it is installed on a computer it changes the home page to that of a search engine that displays pop-ups every time it loads with the aim of installing spyware and dialers on the computer.
The web pages from which Searchmeup is downloaded also drop Tofger.AT onto computers, a Trojan which runs every time Internet Explorer is opened. Tofger.AT keeps track of what the user of the computer is doing on the Internet, logging the passwords used in secure ‘https’ connections, which are commonly used for online banking. In addition, whenever it detects certain names in the URL, it tries to capture the passwords used for the following banks: cajamadrid, bpinet, millenniumbcp, hsbc, barclays, lloydstsb, halifax, autorize, bankofamerica, bancodevalencia, cajamar, portal.ccm, bancaja, caixagalicia, caixapenedes, ebankinter, caixasabadell, bes, banif, millenniumbcp, totta, bancomais, montepiogeral, bpinet, patagon, lacaixa, citibank, bbvanet, banesto, e-trade and unicaja. Once it has collected this information, Tofger.AT sends it to a server.
Searchmeup can also cause an error in the ‘services.exe’ file, after which it displays a message that the computer will be restarted in one minute. After the restart, the computer operates normally. On some occasions, Searchmeup can also cause blue screen errors. Tofger.AT can also update itself to a new version.
“The Exploit/Loadimage vulnerability can be used on web pages or in HTML e-mail by crafting a special icon or image file that causes a buffer overflow, which in turn can be used to take control of the user’s computer. This can be very serious, as the user doesn’t have to do anything unusual like opening a suspicious attachment. This is what is sometimes referred to as a ‘drive by’ attack,” said Patrick Hinojosa, CTO of Panda Software US.
“The appearance of Searchmeup is a sign of the continuous evolution of malware, and of adware and spyware in particular. The first stage was that adware reached computers as a component of a freeware application; then web pages appeared that installed adware on users’ computers using ActiveX. Now they have gone a step further, as Searchmeup exploits a vulnerability that even virus creators had not used until now,” explains Luis Corrons, director of PandaLabs.
The Exploit/LoadImage vulnerability (www.pandasoftware.com/virus_info/encyclopedia/overview.aspx?idvirus=57476) is exploited by Searchmeup and affects computers running Windows 2003 / XP / 2000 / NT / Me / 98; it allows arbitrary code to be run on the computer. It could be exploited by an attacker hosting a specially crafted cursor or icon on a malicious web page or in an HTML email. Microsoft has released a patch to correct this problem, and it is advisable to install it. For more information: http://www.microsoft.com/technet/security/bulletin/ms05-002.mspx
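The alert describes a crafted cursor or icon file whose header drives a system image loader into a buffer overflow. The following is an added example, not Panda Software's or Microsoft's code and not a reproduction of the specific flaw fixed by MS05-002: it applies generic structural bounds checks to the public .ico/.cur directory format (ICONDIR followed by ICONDIRENTRY records), the kind of pre-filter a mail gateway or download scanner could run before an image reaches a native loader. The sample files are constructed in memory; the function names (check_icon_file, build_icon) and the decision to check offset and size separately rather than as a sum are the example's own choices.

```python
"""Structural sanity checks for .ico/.cur files (added example, not vendor code).

The directory layout is the public icon/cursor format:
  ICONDIR      : WORD reserved (0), WORD type (1 = icon, 2 = cursor), WORD count
  ICONDIRENTRY : BYTE width, BYTE height, BYTE colours, BYTE reserved,
                 WORD planes (cursor: hotspot x), WORD bitcount (cursor: hotspot y),
                 DWORD bytes_in_res, DWORD image_offset
"""
import struct

ICONDIR_FMT = "<HHH"
ICONDIRENTRY_FMT = "<BBBBHHII"
ICONDIR_SIZE = struct.calcsize(ICONDIR_FMT)            # 6 bytes
ICONDIRENTRY_SIZE = struct.calcsize(ICONDIRENTRY_FMT)  # 16 bytes


def check_icon_file(data: bytes) -> list[str]:
    """Return the structural problems found; an empty list means the directory is sane."""
    problems = []
    if len(data) < ICONDIR_SIZE:
        return ["file shorter than ICONDIR header"]
    reserved, kind, count = struct.unpack_from(ICONDIR_FMT, data, 0)
    if reserved != 0:
        problems.append("ICONDIR.reserved is not zero")
    if kind not in (1, 2):
        problems.append(f"ICONDIR.type {kind} is neither icon (1) nor cursor (2)")
    if count == 0:
        problems.append("ICONDIR.count is zero")
    dir_end = ICONDIR_SIZE + count * ICONDIRENTRY_SIZE
    if dir_end > len(data):
        problems.append(f"directory claims {count} entries but file is only {len(data)} bytes")
        return problems  # entries cannot be read safely, stop here
    for i in range(count):
        off = ICONDIR_SIZE + i * ICONDIRENTRY_SIZE
        (_w, _h, _colours, ent_reserved, _planes, _bits,
         size, img_off) = struct.unpack_from(ICONDIRENTRY_FMT, data, off)
        if ent_reserved != 0:
            problems.append(f"entry {i}: reserved byte is {ent_reserved}")
        if size == 0:
            problems.append(f"entry {i}: bytes_in_res is zero")
        if img_off < dir_end:
            problems.append(f"entry {i}: image offset {img_off} points inside the directory")
        # Check the offset and the length against the file size separately.
        # A loader that computes image_offset + bytes_in_res in 32-bit
        # arithmetic can wrap to a small value, so the sum alone proves nothing.
        if img_off > len(data) or size > len(data) - img_off:
            problems.append(
                f"entry {i}: image data ({img_off}+{size}) extends past end of file ({len(data)} bytes)")
    return problems


def build_icon(bytes_in_res: int, image_offset: int, payload: bytes = bytes(40)) -> bytes:
    """Construct a one-entry .ico in memory (constructed test input, not a real sample)."""
    header = struct.pack(ICONDIR_FMT, 0, 1, 1)
    entry = struct.pack(ICONDIRENTRY_FMT, 16, 16, 0, 0, 1, 32, bytes_in_res, image_offset)
    return header + entry + payload


# Constructed samples: a well-formed 62-byte icon, one whose declared size
# exceeds the file, and one whose offset is chosen so that offset + size
# wraps to 0x10 in 32-bit arithmetic even though the offset is far past EOF.
GOOD_ICON = build_icon(40, 22)
OVERSIZED_ICON = build_icon(0xFFFFFFF0, 22)
WRAPPED_ICON = build_icon(0x20, 0xFFFFFFF0)

if __name__ == "__main__":
    for name, sample in (("good", GOOD_ICON), ("oversized", OVERSIZED_ICON), ("wrapped", WRAPPED_ICON)):
        print(name, check_icon_file(sample) or "ok")
```

The wrapped sample is the instructive one: a check written as `if offset + size > file_len` passes it, because 0xFFFFFFF0 + 0x20 wraps to 0x10 in a 32-bit integer, while comparing offset and remaining length separately (as above, and as any native implementation should) rejects it.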
Given the danger posed by Searchmeup and Tofger.AT, Panda Software advises users to take precautions and keep their antivirus software updated. Panda Software clients already have the updates available to detect and disinfect the new malicious code.
Panda Software’s clients can already access the updates for installing the new TruPrevent(TM) Technologies along with their antivirus protection, providing a preventive layer of protection against new malicious code. For users with a different antivirus program installed, Panda TruPrevent(TM) Personal is the perfect solution, as it is both compatible with and complements these products, providing a second layer of preventive protection that acts while the new virus is still being studied and the corresponding update is incorporated into traditional antivirus programs, decreasing the risk of infection. More information about TruPrevent(TM) Technologies is available at http://www.pandasoftware.com/truprevent.
Users can also scan and disinfect their computers using Panda ActiveScan, the free, online scanner available from: www.pandasoftware.com.
More information about Searchmeup and Tofger.AT is available from: http://www.pandasoftware.com/virus_info/encyclopedia/
About PandaLabs
On receiving a possibly infected file, Panda Software's technical staff gets right to work. The file is analyzed and depending on the type, the action taken may include: disassembly, macro scanning, code analysis etc. If the file does in fact contain a new virus, the disinfection and detection routines are prepared and quickly distributed to users.
For more information: http://www.pandasoftware.com/virus_info/
For more information:
Alan Wallace
[email protected]
Tel. (818) 543-6909
Original source: panda-us-virusalert-2005-03-02-Searchmeupus.doc