allentech.net

Parasite: Roimoi

This record last updated Tue Sep 20 2005 00:34:15

PLEASE NOTE: Due to the overwhelming extent of this problem and the unbelievable volume of email we have received, we regret that we cannot respond to questions about browser parasites at this time. If you have attempted to contact us about this parasite please accept our apology for not responding. "Thank you's" are always appreciated ;-)

Description

Roimoi is a randomly-named adware .exe and an ActiveX downloader object, both controlled by roings.com.

Roimoi is closely related to Roings’s SearchSprint toolbar, which is often bundled with it. Other parasites Roimoi has been seen to install include Wink/EasyDates, InternetOptimizer/Active, ISTbar/XXXToolbar, DownloadPlus/PowerScan, nCase, SaveNow/Search, AutoStartup, E2Give, ShopAtHomeSelect and Webhancer.

Variants

The ActiveX downloader part exists in several versions: Roimoi/p1, Roimoi/test, Roimoi/ddm, Roimoi/jimmy, Roimoi/cont and Roimoi/limmy vary in class ID and filename used; Roimoi/v17, Roimoi/v18, Roimoi/v19, Roimoi/v20 and Roimoi/v21 differ by filename.

Also known as

DynamicDesktopMedia, after one of the front companies distributing it. Some variants are identified as Roings (by Ad-Aware and Spybot) and as Adware-Roings by McAfee anti-virus.

Distribution

ActiveX drive-by-download in sites affiliated to media-motor.com (previously ringfield.com, rfwnad.com, dynamicdesktopmedia.com). The download always describes itself misleadingly; names seen include:

crack.zip serial.zip mp3.zip
the mp3 download.zip DOWNLOADS
FILE DOWNLOADER downloads plugin search engine optimizer
download accelerator awaybox tool away message access
buddy icon maker cheat download enhanced web
free full version games Search engine tool free history killer
horoscope IE plugin profile optomizer tool
Required Plugin Direct 6.0 sweetbabes desktop performer wrestling stat tracker

‘CLICK YES TO CONTINUE’ has also been used on its own.

Many installations come from the warez sites operated by Trinsic (phroogle.com etc.), which are thought to be run by the same people as are behind Roimoi. These sites previously installed lop and Whazit, and were suspected of being behind Whazit too.

An ‘aggressive’ installer script is usually used, which repeatedly opens JavaScript errors and reloads until the download is accepted.

Also installed by SmartBot (the default-homepage-network hijacker) through exploitation of Internet Explorer security holes.

What it does

Advertising

Yes. Opens periodic untargeted pop-ups from www.popuppers.com, plus extra pop-up advertising ‘search results’ when using search engines.

Privacy violation

Yes. When search results are targeted, the search query made is sent with a trackable unique ID to the server tar.popuppers.com.

Security issues

Yes. The ActiveX downloader class can be invoked by any web page to silently download and install arbitrary unsigned code from the Roimoi controlling server. The control itself therefore remains a risk even after the adware .exe has been deleted, which is why removal must also cover the Downloaded Program Files entry.

Stability problems

None known.

Removal

Some variants may include a ‘Media Motor’ entry in the Control Panel’s Add/Remove Programs list. Using this, then deleting the Downloaded Program Files entry (see below), should remove the software. (You should also check for SearchSprint and the other adware that it might have installed.)

Manual removal

Open the registry (click ‘Start’, choose ‘Run’, enter ‘regedit’) and find the key ‘HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run’. There should be an entry inside this key with a randomly-generated nonsense name, pointing to a .exe file with a different randomly-generated nonsense name in the Windows folder. Delete this entry (the value under Run, not the Run key itself; other programs keep their start-up entries there).

Restart the computer, open the Windows folder and delete the .exe file with the name seen in the registry. You can also delete usta32.inf or usta32a.inf in this folder if you have it, to clean up, along with the registry key HKEY_LOCAL_MACHINE\Software\roimoi.

Next, open the Downloaded Program Files folder and remove the entry with the name ‘Project1.UserControl1’ (p1 variant), ‘ddm_download.ddm_control’ (test and ddm variants), ‘jimmyloader.jimmyform’ (jimmy variant), ‘jimmyload.jimmycont’ (cont variant), ‘limmyloader.limmyform’ (limmy variant) or ‘IObjSafety.DemoCtl’ (v17-v20 variants).
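The manual-removal steps above can be checked in one pass before anything is deleted. The following inspection script is an added example, not the page's own detection script and not from doxdesk: it reports Run entries whose command is a bare .exe sitting directly in the Windows folder (the pattern described above), the usta32.inf/usta32a.inf leftovers, the HKLM\Software\roimoi key, and any of the listed ActiveX ProgIDs that are still registered. It assumes a modern Windows PowerShell run as Administrator, and it only reports; the removal commands are shown in comments so that nothing is deleted without a human looking at the result first.

```powershell
# Added inspection script (not from the original page or from doxdesk).
# Assumption: Windows PowerShell 5.1 or later, run from an elevated prompt.
# Reports the Roimoi artifacts named in the Removal section; deletes nothing.

$runKey  = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$windir  = $env:windir.TrimEnd('\')
# ProgIDs of the ActiveX downloader variants listed in the Removal section
$progIds = 'Project1.UserControl1', 'ddm_download.ddm_control', 'jimmyloader.jimmyform',
           'jimmyload.jimmycont', 'limmyloader.limmyform', 'IObjSafety.DemoCtl'

# 1. Run entries whose command is an .exe directly inside the Windows folder.
#    Heuristic: legitimate software almost never starts from a bare %windir%\x.exe.
$run = Get-ItemProperty -Path $runKey
foreach ($prop in $run.PSObject.Properties) {
    if ($prop.Name -like 'PS*') { continue }            # skip provider metadata (PSPath etc.)
    $cmd = [string]$prop.Value
    # Strip surrounding quotes and any arguments to get the executable path
    $exe = if ($cmd -match '^"([^"]+)"') { $matches[1] } else { ($cmd -split ' ')[0] }
    $dir = Split-Path -Path $exe -Parent
    if ($dir -and ($dir.TrimEnd('\') -ieq $windir) -and ($exe -match '\.exe$')) {
        "SUSPECT Run entry '$($prop.Name)' -> $exe"
        # After confirming:  Remove-ItemProperty -Path $runKey -Name $prop.Name
        # then reboot and:   Remove-Item -LiteralPath $exe
    }
}

# 2. Leftover .inf files and the Roimoi registry key named on the page.
foreach ($f in 'usta32.inf', 'usta32a.inf') {
    $p = Join-Path $windir $f
    if (Test-Path -LiteralPath $p) { "FOUND $p   (Remove-Item -LiteralPath '$p')" }
}
if (Test-Path 'HKLM:\Software\roimoi') {
    "FOUND registry key HKLM\Software\roimoi   (Remove-Item -Path 'HKLM:\Software\roimoi' -Recurse)"
}

# 3. ActiveX downloader ProgIDs still registered. A registered ProgID means the
#    control is still installable/scriptable by any web page (see Security issues).
foreach ($id in $progIds) {
    $key = "Registry::HKEY_CLASSES_ROOT\$id"
    if (Test-Path -Path $key) {
        $clsid = (Get-ItemProperty -Path "$key\CLSID" -ErrorAction SilentlyContinue).'(default)'
        "FOUND ProgID $id (CLSID $clsid) - remove its entry from Downloaded Program Files"
    }
}

# 4. Raw contents of the Downloaded Program Files folder, for comparison with
#    the Explorer view the page refers to.
Get-ChildItem -LiteralPath (Join-Path $windir 'Downloaded Program Files') -ErrorAction SilentlyContinue |
    Select-Object Name, Length, LastWriteTime
```

Run it once before removal to confirm which variant is present, and again after the reboot to confirm the Run entry, the .exe, the .inf files, the roimoi key and the ProgID are all gone. Step 1 is a heuristic and will also flag any other program that happens to start from a bare executable in the Windows folder, so read the reported name and path rather than deleting blindly.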

* Parasite information and detection script by Andrew Clover - www.doxdesk.com, used with permission.

For more information about Scumware, Spyware and Parasites, their sources and their cure, visit our About Parasites page and related Tech Links.

Visit our new services portal at Allen One for a completely new parasite database format, coming November 2005!