LizardBar
Category: Cookie
Risk:
Low Risk
* Low-risk threats pose very little or no immediate danger to your computer or your privacy. These types of applications may profile users' online habits, but only according to the specific privacy policies stated in the application's End-User License. These threats generally sit on the borderline between a threat and a standard application with a complex license agreement that you knowingly installed.
Description: Adult content related toolbar for Internet Explorer. LizardBar is an Internet Explorer browser helper object (BHO) that attempts to advertise porn sites by inserting URLs into web forms where a homepage entry is requested, such as a guestbook or web forum. The insertion is done in such a way that the user does not realize it has happened until they see their profile with a link to a porn site that they did not put there. If you enter the URL in the web browser, the server's response will be a link to pornographic material at www.indateens.com.
Submithook uses OLE methods to control the content of the form being submitted. When a page with an HTML form is loaded, Submithook replaces the internal "onsubmit" handler with its own subroutine. When the form is submitted, the Submithook subroutine enumerates all the form fields, looking for any with the name "url", "homepage", "page", "www", ".cl1" or "site". If it finds any of these fields AND the field is left blank, it retrieves a single URL from a remote server and inserts that URL into the form field. It performs the same function if a form field with ANY name contains only the text "http://".
The remote server where the porn site URL is obtained is contacted via HTTP. The text [URL] is replaced with the URL of the form being submitted. The text [NID] is replaced with a unique GUID assigned to the infected computer at the time Submithook is installed, using the CoCreateGuid API call. When this URL is accessed, the server sends back only a single URL as output, which is then added to the form field.
To conceal the newly added text while the submission is in progress, the subroutine sets the text color in the form field to match the background color, rendering the text invisible. The added text can be seen if it is highlighted with the mouse during the submit phase. If the user hits the "back" button on the browser after the submission, the text of the added URL will be the normal color and fully visible.
Submithook is usually bundled with the trojan family known as IEFeat/WinShow. It is dropped by the file submit2.exe, which is downloaded and executed during subsequent stages of an IEFeat infection. The installer is deleted on the next system boot by a command added to the "Runonce" registry key.
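One way a page script or test harness could flag the form tampering described above, as an added example that is not part of the original entry: it compares what the user typed with what is actually submitted. The `typed` snapshot, the field object shape, the case-insensitive exact name match and the `inserted.example` URL are assumptions made for illustration.

```javascript
// Added example: defensive check, not code from the original page.
// Field names the page lists as targets when left blank.
const TARGET_NAMES = new Set(["url", "homepage", "page", "www", ".cl1", "site"]);

const isBlank = (v) => (v ?? "").trim() === "";
const norm = (c) => (c ?? "").replace(/\s+/g, "").toLowerCase();

// typed:     Map of fieldName -> value the user entered (assumed snapshot)
// submitted: [{ name, value, color?, background? }] as seen at submit time
function findInjectedFields(typed, submitted) {
  const findings = [];
  for (const f of submitted) {
    const before = typed.get(f.name) ?? "";
    const after = f.value ?? "";
    if (after === before) continue; // unchanged since the user typed it
    const reasons = [];
    // Condition 1 on the page: targeted name AND field left blank.
    if (TARGET_NAMES.has(f.name.toLowerCase()) && isBlank(before)) {
      reasons.push("blank targeted field filled at submit");
    }
    // Condition 2 on the page: a field of any name holding only "http://".
    if (before.trim() === "http://") {
      reasons.push('"http://" placeholder replaced at submit');
    }
    // Concealment described on the page: text color set to the background.
    if (f.color && norm(f.color) === norm(f.background)) {
      reasons.push("text color matches background");
    }
    if (reasons.length) findings.push({ name: f.name, value: after, reasons });
  }
  return findings;
}

// Constructed sample data (not captured traffic); URLs are placeholders.
const typed = new Map(Object.entries(
  { name: "alice", homepage: "", link: "http://", comment: "hi" }));
const submitted = [
  { name: "name", value: "alice", color: "#000", background: "#fff" },
  { name: "homepage", value: "http://inserted.example/", color: "#FFF", background: "#fff" },
  { name: "link", value: "http://inserted.example/", color: "#000", background: "#fff" },
  { name: "comment", value: "hi", color: "#000", background: "#fff" },
];
console.log(findInjectedFields(typed, submitted));
```

On the sample data this reports the `homepage` and `link` fields and leaves the two fields the user filled in untouched.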
Alias: None
Signatures: None Listed
Copyright @2006 THR Computer Solutions: LizardBar