Parasite: ILookup

This record last updated Tue Sep 20 2005 00:34:15

PLEASE NOTE: Due to the overwhelming extent of this problem and the unbelievable volume of email we have received, we regret that we cannot respond to questions about browser parasites at this time. If you have attempted to contact us about this parasite please accept our apology for not responding. "Thank you's" are always appreciated ;-)

Description

ILookup is an IE toolbar and Browser Helper Object (BHO) stored in the System32 folder, providing a search box and link buttons. It also adds advertising links to web pages, opens pop-up ads, adds affiliate links as bookmarks to the Favorites menu, and hijacks the homepage, error page, address bar search and sidebar search settings.

Variants

ILookup exists in many versions, controlled by a tangle of interrelated companies, including IClicks Internet Inc (iclicks.net, accessprovider.com), Crazy Protocol (crazyprotocol.com), Ultra Web Host LLC (ultrawebhost.com), Actif Oiseau Alerte SA (aoasa.com), West Frontier Holdings S.A. (westfrontier.com), Protected Media (protectedmedia.com), Aztec Marketing S.A., Marche Sucre Blanc S.A., InternationalWebMarketing (intwebmarketing.com), Jones Media and Untitled Media Inc.

The backend controller software is written by Romanian company Abroad Software (abroadsoftware.com), who also operate the site used by the Abeb variant; whether they also wrote the actual DLL code is unknown. eAffiliate Inc deny being connected to I-Lookup, despite digitally signing the software and having been in the server's whois info for the Gws and Sbus variants.

The Dec and Enc variants have the same class IDs, as do the Alot and Hot variants, and the B2S and AdPop variants. The Hsrb variant has no actual toolbar component, acting only as a BHO.

Full list of known ILookup variants, with their controlling servers and the site usually initially hijacked to (which can be updated later) and an approximate release time:
Distribution

Installed by ActiveX drive-by-download in pop-up advertising. At least the Dec, Alot and Dsktrf variants have been seen to install by exploitation of Internet Explorer security holes. The AdPop variant is believed to be bundled with other software instead of using a drive-by; the Hsrb variant is installed by the Hot variant.

The Hot variant is installed by misleading ActiveX downloads triggered from DRM-protected Windows Media files issued by Protected Media (protectedmedia.com), who appear to own at least some of the ILookup companies. These files also attempt to install Pugi/iSearch, which, like the ILookup/Hot and Hsrb variants, promotes isearch.com/idownload.com.

What it does

Advertising: Yes. Periodically connects to its controlling server, which may direct it to open pop-up advertising, often porn-related. Also adds oddly-coloured advertising links to the page content.

Privacy violation: No.

Security issues: Yes. Can silently download and execute arbitrary unsigned code as directed by its controlling server, as an update mechanism, to install different versions of ILookup, and to install other parasites.
- ILookup/Waeb and Winenc have been seen to install a bundle of KeenValue/SearchUpgrader, TargetSaver/Tsa2, FavoriteMan/ATPartners, GogoTools/Launch, Hyperlinker, TVMedia/BHO and TopMoxie/RebateNation.
- ILookup/Bmeb has been seen to install Transponder/BTGrab, ISTbar/SideFind, FavoriteMan/ATPartners, TVMedia/BHO, BargainBuddy/BullsEye, nCase/sais, WindUpdates/WinComm and PowerScan.
- ILookup/Srm and Dsktrf have been seen to install Transponder/LocalNRD.
- ILookup/B2S has been seen to install Transponder/BTGrab.
- ILookup/Hot has been seen to install VistaBar, DealHelper, TVMedia/BHO, Transponder/BTGrab and TopText.

Stability problems: At least the Ineb, Drbr and Dec variants (probably others too) can cause error messages of the type 'Explorer has caused an error in ineb.dll...', when using both Internet Explorer and the Windows Explorer.
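Because ILookup registers itself as a BHO and an IE toolbar, the registered CLSIDs and the DLLs they resolve to are the quickest thing to check before removal. The script below is an added example, not part of the original record or Andrew Clover's detection script: it enumerates the BHO and Toolbar registry entries, resolves each CLSID to its InprocServer32 DLL, and flags the two indicators the page gives (the Enc-variant CLSID and the ineb.dll filename; substitute the DLL name of your variant) plus the leftover HKCU\Software\ineb key. It is read-only.

```powershell
# Added example, not from the original page. Lists IE Browser Helper Objects and
# toolbars, resolves each CLSID to its DLL, and flags the ILookup indicators the
# page names. Read-only: it changes nothing. Run from an elevated PowerShell.
$knownClsids = @('{EEF29D20-9A47-4657-ADF7-283EC2504001}')  # Enc variant (from the page)
$knownDlls   = @('ineb.dll')                                  # Ineb variant; add yours

$bhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects')
$toolbarKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar')

# Map a CLSID to its InprocServer32 DLL, checking 64-bit, 32-bit and per-user class roots.
function Resolve-ClsidDll([string]$Clsid) {
    foreach ($root in 'HKLM:\SOFTWARE\Classes\CLSID',
                      'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID',
                      'HKCU:\SOFTWARE\Classes\CLSID') {
        $key = Join-Path $root "$Clsid\InprocServer32"
        if (Test-Path $key) {
            $path = (Get-ItemProperty -Path $key).'(default)'
            if ($path) { return [Environment]::ExpandEnvironmentVariables($path) }
        }
    }
    return $null
}

$entries = @()
# BHOs are registered as one subkey per CLSID.
foreach ($k in $bhoKeys | Where-Object { Test-Path $_ }) {
    Get-ChildItem $k | ForEach-Object {
        $entries += [pscustomobject]@{ Kind = 'BHO'; Clsid = $_.PSChildName } }
}
# Toolbars are registered as one value per CLSID (the value name is the CLSID).
foreach ($k in $toolbarKeys | Where-Object { Test-Path $_ }) {
    (Get-Item $k).GetValueNames() | Where-Object { $_ -match '^\{[0-9A-Fa-f-]+\}$' } |
        ForEach-Object { $entries += [pscustomobject]@{ Kind = 'Toolbar'; Clsid = $_ } }
}

$entries | ForEach-Object {
    $dll = Resolve-ClsidDll $_.Clsid
    $flags = @()
    if ($knownClsids -contains $_.Clsid) { $flags += 'ILookup CLSID named on this page' }
    if ($dll -and ($knownDlls -contains (Split-Path $dll -Leaf))) { $flags += 'ILookup DLL name' }
    [pscustomobject]@{ Kind = $_.Kind; Clsid = $_.Clsid; Dll = $dll; Flags = ($flags -join '; ') }
} | Format-Table -AutoSize

if (Test-Path 'HKCU:\Software\ineb') { Write-Warning 'HKCU\Software\ineb exists: leftover ILookup/Ineb key' }
```

Any entry whose DLL is missing from disk, or whose CLSID or DLL name is flagged, is the object to look for in the Downloaded Program Files folder during the removal steps that follow.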
Removal

1. Open the 'Downloaded Program Files' folder in the Windows folder. Right-click the object called 'I-Lookup.com Bar' (Ineb and Abeb variants), 'GlobalWebSearch.com Bar' (Gws and Chgrgs variants), 'SearchBus.com Bar' (Sbus variant), 'GlobalToolbar.com Bar' (Drbr variant), 'Search Bar' (Bmeb and BmebS variants), '{EEF29D20-9A47-4657-ADF7-283EC2504001}' (Enc variant) or 'iiittt Class' (Dec, Srm, Sps, Hot, Gwss, DskTrf, B2S, AdPop, Siq variants). Click 'Remove'.

2. Next, open a DOS command prompt window (Start->Programs->Accessories) and enter the following commands:

   cd "%WinDir%\System"

   Replace the filename ineb.dll with the corresponding filename in the table above for the variant you have.

3. Finally use Internet Options->Programs->Reset Web Settings to get the normal search sidebar back, reset your homepage, and delete the extra bookmarks added to the Favorites menu.

4. If you like, you can also open the registry (Start->Run->regedit) and delete the key HKEY_CURRENT_USER\Software\ineb to clean up.

* Parasite information and detection script by Andrew Clover - www.doxdesk.com, used with permission.

For more information about Scumware, Spyware and Parasites, their sources and their cure, visit our About Parasites page and related Tech Links. Visit our new services portal at Allen One for a completely new parasite database format, coming November 2005!