allentech.net


Parasite: SuperSpider

This record last updated Tue Sep 20 2005 00:34:15

PLEASE NOTE: Due to the overwhelming extent of this problem and the unbelievable volume of email we have received, we regret that we cannot respond to questions about browser parasites at this time. If you have attempted to contact us about this parasite please accept our apology for not responding. "Thank you's" are always appreciated ;-)

Description

SuperSpider is a family of browser hijacker trojans aimed at sites affiliated to super-spider.com, itself affiliated to CoolWebSearch.

SuperSpider consists of an Internet Explorer Browser Helper Object (BHO), loaded with Internet Explorer and the normal Windows explorer.exe shell, and a process (EXE) set to run at Windows startup which protects the software from removal.

Variants

SuperSpider/Pre: may include only the randomly-named BHO, no additional process. Not widely distributed; may be a prototype.

SuperSpider/Jopa: hijacks to solongas.com or 69.31.79.180. Process filename is always sysstartup.exe; the BHO (if present) is randomly-named and has a new class ID.

SuperSpider/Romahere: hijacks to super-spider.com. Process filename is matrixhere.exe; the BHO has a new class ID.

SuperSpider/Romahere2: hijacks to windowws.cc. Process and BHO filenames are now both random.

SuperSpider/Romahere3: hijacks to win-eto.com (which then redirects to another site such as kitasearch.com or t.swapx.cc). Two different processes are run at startup, both with random filenames. There is also a .tmp file held open in the Temp folder, with a six-digit random name, containing a backup copy of the software. Only installed on Windows 95/98/Me; if the installer is run on NT-based Windows versions, SuperSpider/App will be installed instead.

SuperSpider/App: hijacks to win-eto.com (which then redirects to another site such as kitasearch.com or t.swapx.cc). As well as the startup process, it registers a DLL under AppInit_DLLs, which is loaded into every Windows application, making removal trickier. Two .bak files are added to contain backup copies of the software, as well as the six-digit .tmp file in the Temp folder. Only installed on Windows NT/2000/XP/2003; if the installer is run on Win9X, SuperSpider/Romahere3 will be installed instead.

Also known as

Melkosoft Cassandra, after the company and product name given by the files. Greg-Search, after a distributing domain. DNSErrObj, after the BHO class name.

Detected by some anti-parasite tools generically as a CoolWebSearch variant. Detected by some anti-virus software generically as a trojan, for example Troj.Krepper or Troj.Small.

Distribution

Installed by a range of Internet Explorer security exploits typical of the CoolWebSearch family of parasites, served from greg-search.com, greg-tut.com and t34rulit.com, from around May 2004.

What it does

Advertising

Yes. The BHO monitors URLs for targeted sites, mostly porn-related or other junk-portals, and opens pop-ups from 66.250.130.200.

It can also open untargeted pop-ups as directed by its controlling servers t34rulit.com, cc20foreva.com and mig29here.com, as well as adding bookmarks and changing the home, search and error page hijacks and adding Hosts file hijacks.

Privacy violation

No.

Security issues

Yes. The controlling servers can also direct the software to download and execute arbitrary unsigned code. The controlling servers and thestas.com have been used to serve the downloaded software. Additionally, the software can delete registry keys and files, which seems to be used to sabotage rival parasites. The file-deletion function actually creates dummy files with the targeted filenames, leaving the filesystem rather cluttered with hidden zero-byte files.

As the software updates itself, the System32 and Temp folders will fill up with more and more backup copies of the software, including, in the App variant, a small temporary DLL whose name (due to a bug?) gains more and more copies of the file extension ‘.dll’.

One of the programs run by the downloader adds greg-search.com to Internet Explorer’s Trusted Sites zone, allowing the site to install arbitrary code. It then opens a pop-up that uses this to install ISTbar/XXXToolbar and /SideFind (which in turn installs many further parasites).

Stability problems

None known.

Removal

All variants

Open the registry (click ‘Start’, choose ‘Run’, enter ‘regedit’) and select the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. There should be an entry on the right called ‘jopa’ pointing to sysstartup.exe (Jopa variant), ‘romahere’ pointing to matrixhere.exe (Romahere variant) or ‘Control handler’ pointing to a randomly-named process (Romahere3, App variants). If so, open the Task Manager (press ctrl-alt-delete), find the process of this name in the Processes list and End it. Then delete the entry in the Run key.

Select the key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. There should be an entry on the right called ‘jopa’ pointing to sysstartup.exe (Jopa variant), ‘romahere’ pointing to matrixhere.exe (Romahere variant) or ‘romahere2’ or ‘romahere3’ pointing to a randomly-named process (Romahere2, Romahere3 variants). If so, open the Task Manager (press ctrl-alt-delete), find the process of this name in the Processes list and End it. Then delete the entry in the Run key.

Next, open the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer, and delete the entire ‘Cassandra’ subkey inside that. Then open the subkey ‘Browser Helper Objects’ and delete the subkey ‘{0388EC16-BA98-416f-9D9B-B9A031E427AF}’ (Pre variant), ‘{A9A674BF-771F-42E5-A440-D20DDA85A862}’ (Jopa variant) or ‘{467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E}’ (other variants).

App variant

Now select the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows. On the right, you should see an ‘AppInit_DLLs’ entry holding another random filename. Open the System32 folder (inside the Windows folder) and find this file, then rename it (for example, add ‘.delete’ to the end of the filename).

All variants

Restart the computer and you should be able to delete the files from the System folder. Apart from the few fixed filenames mentioned, SuperSpider normally uses random names 10-20 characters long. The easiest way to find them is to open the System folder (inside the Windows folder; called ‘System’ on Windows 95/98/Me and ‘System32’ on Windows NT/2000/XP/2003), and use the option ‘View->Arrange Icons By->Modified’ so that you can group the newest files together.

Usually the long random names are quite obvious, but if you’re unsure, right-click the suspect file and choose ‘Properties’. There should be a ‘Version’ tab, on which choosing ‘Company’ will give the name ‘Melkosoft Corporation’, for files belonging to SuperSpider.

You can also delete the six-digit .TMP files from the Temp folder to clean up (in general, it is a good idea to keep the Temp folder empty in any case). You can find the Temp folder inside ‘Local Settings’ in the folder named after your username, inside ‘Documents and Settings’, or, under Windows NT, in the Profiles folder inside Windows. The Local Settings folder is hidden, so make sure Windows is showing hidden files, from Tools->Folder Options->View->Show hidden files and folders.

For the App variant, you should also delete the AppInit_DLLs registry entry detailed above. You can also delete the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Melcosoft to clean up, and, for the Romahere2, Romahere3 and App variants the following BHO keys:

HKEY_CLASSES_ROOT\CLSID\{467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E}
HKEY_CLASSES_ROOT\TypeLib\{444A5674-FF85-45D4-9AE2-4199D8D70C85}
HKEY_CLASSES_ROOT\Interface\{0D721150-AEF3-457B-B03A-5097B623CE45}
HKEY_CLASSES_ROOT\Plugin6.DNSErrObj
HKEY_CLASSES_ROOT\Plugin6.DNSErrObj.1

Finally, open Internet Options and use the ‘Reset Web Settings’ button on the ‘Programs’ tab to remove the hijacked homepage and search settings. Go to the Security tab, select ‘Trusted Sites’ and click ‘Zones...’. If greg-search.com is listed here, remove it. (Some CoolWebSearch exploits may put other questionable domains here too; feel free to remove these too if you find them.) If you normally turn the Advanced option ‘Enable third-party browser extensions’ off, you’ll have to set it back again, as SuperSpider turns it back on so its BHO is unimpeded.
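The registry checks in the removal steps above, turned into a script that can be run over a `reg export` dump before anything is deleted. This is an added example, not part of the original page or of the doxdesk detection script; it assumes the export has been re-saved as plain text (regedit writes UTF-16) and only reads string values, and the sample export and its random filenames are constructed.

```python
# Indicators taken from the removal steps above; key paths are upper-cased for matching.
RUN_KEYS = {r"HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN",
            r"HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN"}
RUN_VALUE_NAMES = {"jopa", "romahere", "romahere2", "romahere3", "control handler"}
BHO_PREFIX = "HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\EXPLORER\\BROWSER HELPER OBJECTS\\"
BHO_CLSIDS = {"{0388EC16-BA98-416F-9D9B-B9A031E427AF}": "Pre",
              "{A9A674BF-771F-42E5-A440-D20DDA85A862}": "Jopa",
              "{467FAEB2-5F5B-4C81-BAE0-2A4752CA7F4E}": "Romahere/Romahere2/Romahere3/App"}
APPINIT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS"

def parse_reg_export(text):
    """Minimal parser for a regedit .reg export: {key: {value name: string data}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            # Only REG_SZ data ("...") matters here; .reg files write a backslash as \\.
            keys[current][name.strip('"')] = data.strip('"').replace("\\\\", "\\")
    return keys

def find_superspider(keys):
    """Return (kind, detail) pairs for each SuperSpider indicator present in the export."""
    findings = []
    for key, values in keys.items():
        k = key.upper()
        if k in RUN_KEYS:
            findings += [("run", f"{n} -> {v}") for n, v in values.items()
                         if n.lower() in RUN_VALUE_NAMES]
        elif k.startswith(BHO_PREFIX) and k.rsplit("\\", 1)[1] in BHO_CLSIDS:
            clsid = k.rsplit("\\", 1)[1]
            findings.append(("bho", f"{clsid} ({BHO_CLSIDS[clsid]} variant)"))
        elif k == APPINIT_KEY:
            # A non-empty AppInit_DLLs is only a lead: check the DLL's Version tab first.
            findings += [("appinit", v) for n, v in values.items()
                         if n.lower() == "appinit_dlls" and v]
    return findings

# Constructed sample export (the random filenames are invented) in 'reg export' layout.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Control handler"="C:\\WINDOWS\\System32\\qwrtyhgfdsazxcvb.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="plkjhgfdsaqwe.dll"
"""
```

Running `find_superspider(parse_reg_export(SAMPLE_EXPORT))` on the sample reports the ‘Control handler’ Run entry, the shared BHO class ID and the AppInit_DLLs filename, the three things the App-variant steps tell you to look for.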

* Parasite information and detection script by Andrew Clover - www.doxdesk.com, used with permission.

