
Parasite: StripPlayer

This record last updated Tue Sep 20 2005 00:34:15

PLEASE NOTE: Due to the overwhelming extent of this problem and the unbelievable volume of email we have received, we regret that we cannot respond to questions about browser parasites at this time. If you have attempted to contact us about this parasite please accept our apology for not responding. "Thank you's" are always appreciated ;-)

Description

A downloader for a premium-rate phone dialler providing access to the porn site strip-player.com.

Distribution

Installed by ActiveX drive-by-download on porn-related pages from strip-player.com (which might be opened by pop-up advertising).

Installation can happen totally automatically on versions of Internet Explorer older than IE6 Service Pack 1, as a security hole is exploited to add the manufacturer, ‘Electronic Group’, to the list of publishers you trust, allowing them to install any software they like.

Electronic Group are known to install at least two other types of dialler software this way, IEAccess and DialerOffline. The dialler itself may also be installed by a simpler EXE file for non-IE browsers, but this is not detected by the script at this site and does not present the same risk.

What it does

Advertising

No.

Privacy violation

No.

Security issues

Yes, critical. The ‘StripSetup’ ActiveX control can be used on any web page, by any author, to download and run any executable file. There are no security checks whatsoever.

Stability problems

None known.

Removal

Open the registry (Start->Run->regedit) and delete the following keys:

HKEY_CLASSES_ROOT\ActiveStripSetup.EGStripDownload
HKEY_CLASSES_ROOT\ActiveStripSetup.EGStripDownload.1
HKEY_CLASSES_ROOT\CLSID\{E3F7205F-2AE0-4BF0-816B-2D24A5F20EC7}
HKEY_CLASSES_ROOT\TypeLib\{357AA41A-B7A8-4632-A27D-5B980B25CF43}
HKEY_CLASSES_ROOT\Interface\{BC23F736-C5BE-47FB-B459-1757933E5DF3}

Then open the System folder (in the Windows folder, ‘System32’ under Windows XP/2000/NT, or ‘System’ under Windows Me/98/95), and delete the ActiveStripSetup.dll file.

To remove the dialler itself, delete the folder ‘C:\Program Files\strip-player’ and any links to it on the desktop and/or Start menu.

Finally, if you fell victim to the exploit used to load StripPlayer automatically, you will need to remove Electronic Group from your trusted publishers, or they will still be able to install their software in the future. Check the registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Trust Database\0 for an entry with the value ‘Electronic Group’. Delete it if it exists; if it does exist, patching/updating IE is probably a very good idea.

You can also go to HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates and delete Electronic Group’s key. It should begin ‘08F573...’.
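The removal steps above, as an added PowerShell audit script (not from the original page and not part of the doxdesk detection script): it checks a Windows host for each listed registry key, file and trusted-publisher entry and reports what is still present, deleting them only when run with -Remove. It assumes the DLL is in System32 (the XP/2000/NT location), that the HKCU: drive is available, and that the publisher certificate's subject contains 'Electronic Group'.

```powershell
# Added audit script: reports (and with -Remove, deletes) the StripPlayer
# artifacts listed on this page. Run from an elevated PowerShell prompt.
param([switch]$Remove)

$regKeys = @(
    'Registry::HKEY_CLASSES_ROOT\ActiveStripSetup.EGStripDownload',
    'Registry::HKEY_CLASSES_ROOT\ActiveStripSetup.EGStripDownload.1',
    'Registry::HKEY_CLASSES_ROOT\CLSID\{E3F7205F-2AE0-4BF0-816B-2D24A5F20EC7}',
    'Registry::HKEY_CLASSES_ROOT\TypeLib\{357AA41A-B7A8-4632-A27D-5B980B25CF43}',
    'Registry::HKEY_CLASSES_ROOT\Interface\{BC23F736-C5BE-47FB-B459-1757933E5DF3}'
)
$files = @(
    (Join-Path $env:SystemRoot 'System32\ActiveStripSetup.dll'),  # assumed NT-family location
    'C:\Program Files\strip-player'
)
$trustDb  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Trust Database\0'
$publisher = 'Electronic Group'

$found = @()
foreach ($k in $regKeys) { if (Test-Path $k) { $found += $k } }
foreach ($f in $files)   { if (Test-Path $f) { $found += $f } }

# Trust Database\0 holds one value per trusted publisher; the value data is the name.
$trustValues = @()
if (Test-Path $trustDb) {
    $trustValues = (Get-ItemProperty -Path $trustDb).PSObject.Properties |
        Where-Object { $_.Value -eq $publisher }
    foreach ($v in $trustValues) { $found += "$trustDb -> value '$($v.Name)'" }
}

# The same trust decision as seen through the certificate store (assumed subject match).
$certs = Get-ChildItem Cert:\CurrentUser\TrustedPublisher |
    Where-Object { $_.Subject -like "*$publisher*" }
foreach ($c in $certs) { $found += "Cert:\CurrentUser\TrustedPublisher\$($c.Thumbprint) ($($c.Subject))" }

if ($found.Count -eq 0) { Write-Output 'No StripPlayer artifacts found.'; return }
$found | ForEach-Object { Write-Output "FOUND: $_" }

if ($Remove) {
    foreach ($k in $regKeys) { if (Test-Path $k) { Remove-Item -Path $k -Recurse -Force } }
    foreach ($f in $files)   { if (Test-Path $f) { Remove-Item -Path $f -Recurse -Force } }
    foreach ($v in $trustValues) { Remove-ItemProperty -Path $trustDb -Name $v.Name }
    foreach ($c in $certs) { $c | Remove-Item }
    Write-Output 'Removal attempted; re-run without -Remove to confirm nothing remains.'
}
```

Run it once without -Remove to see what is present, and once more afterwards to confirm the trusted-publisher entry is gone, since that entry is what allowed the silent install in the first place.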

* Parasite information and detection script by Andrew Clover - www.doxdesk.com, used with permission.
