Tech Off Thread

5 posts

IE8 picked up spyware (too quickly)

  • akopacsi

    I installed IE8 on a Windows XP SP3 computer (new and clean install, fully patched system, running Windows Defender, NOD32 antivirus and the Windows Malicious Software Removal Tool). I used it for about 2 days (with a limited account) and then I ran a SpywareDoctor* scan.

    It found a spyware called Spyware.BaiDu!
    No warez, porn, or file-sharing sites were visited and I haven't installed any toolbars or add-ons.

    Any ideas how to avoid such infections?

    It'd be interesting to see a test in which somebody visits specifically dangerous sites with IE8 and sees how much malware is picked up.
    (I won't do it for you...)

    I copy here the log file of SpywareDoctor.
    Notice that it seems that the spyware modified the registry. Again: it was used under a limited account. :-/

    (*SpywareDoctor is software included in Google Pack, a collection of essential software distributed by Google.)

    2009.03.22. 21:34:30:390
    Infection was detected on this computer
    Threat Name - Spyware.BaiDu
    Type - Registry Value
    Risk Level - Medium
    Infection - HKEY_LOCAL_MACHINE\\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{77FEF28E-EB96-44FF-B511-3185DEA48697}, BlockType

    2009.03.22. 21:34:30:390
    Infection was detected on this computer
    Threat Name - Spyware.BaiDu
    Type - Registry Value
    Risk Level - Medium
    Infection - HKEY_LOCAL_MACHINE\\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{77FEF28E-EB96-44FF-B511-3185DEA48697}, CompatibilityFlags

    2009.03.22. 21:34:30:390
    Infection was detected on this computer
    Threat Name - Spyware.BaiDu
    Type - Registry Value
    Risk Level - Medium
    Infection - HKEY_LOCAL_MACHINE\\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{77FEF28E-EB96-44FF-B511-3185DEA48697}, DllName

    2009.03.22. 21:34:30:390
    Infection was detected on this computer
    Threat Name - Spyware.BaiDu
    Type - Registry Value
    Risk Level - Medium
    Infection - HKEY_LOCAL_MACHINE\\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{77FEF28E-EB96-44FF-B511-3185DEA48697}, MasterCLSID

    2009.03.22. 21:34:30:390
    Infection was detected on this computer
    Threat Name - Spyware.BaiDu
    Type - Registry Value
    Risk Level - Medium
    Infection - HKEY_LOCAL_MACHINE\\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{77FEF28E-EB96-44FF-B511-3185DEA48697}, Version

    2009.03.22. 21:34:30:390
    Infection was detected on this computer
    Threat Name - Spyware.BaiDu
    Type - Registry Key
    Risk Level - Medium
    Infection - HKEY_LOCAL_MACHINE\\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{77FEF28E-EB96-44FF-B511-3185DEA48697}

    2009.03.22. 21:34:30:421
    Infection was detected on this computer
    Threat Name - Spyware.BaiDu
    Type - Registry Value
    Risk Level - Medium
    Infection - HKEY_LOCAL_MACHINE\\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{B580CF65-E151-49C3-B73F-70B13FCA8E86}, BlockType

    2009.03.22. 21:34:30:421
    Infection was detected on this computer
    Threat Name - Spyware.BaiDu
    Type - Registry Value
    Risk Level - Medium
    Infection - HKEY_LOCAL_MACHINE\\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{B580CF65-E151-49C3-B73F-70B13FCA8E86}, CompatibilityFlags

    2009.03.22. 21:34:30:421
    Infection was detected on this computer
    Threat Name - Spyware.BaiDu
    Type - Registry Value
    Risk Level - Medium
    Infection - HKEY_LOCAL_MACHINE\\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{B580CF65-E151-49C3-B73F-70B13FCA8E86}, DllName

    2009.03.22. 21:34:30:421
    Infection was detected on this computer
    Threat Name - Spyware.BaiDu
    Type - Registry Value
    Risk Level - Medium
    Infection - HKEY_LOCAL_MACHINE\\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{B580CF65-E151-49C3-B73F-70B13FCA8E86}, Version

    2009.03.22. 21:34:30:421
    Infection was detected on this computer
    Threat Name - Spyware.BaiDu
    Type - Registry Key
    Risk Level - Medium
    Infection - HKEY_LOCAL_MACHINE\\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{B580CF65-E151-49C3-B73F-70B13FCA8E86}

  • CannotResolveSymbol

    From the little Google searching I just did (I don't use Spyware Doctor myself), I'm inclined to think that this may be a false positive.  The program that PCTools calls Spyware.BaiDu is a BHO, and therefore should be registered in HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects, not in \Extension Compatibility\...  I think Spyware Doctor may be picking up on Internet Explorer's BHO blacklist or list of compatibility shims.

  • joechung

    Hmm, a spyware detector included in Google Pack claims that a Baidu BHO is spyware.

    Baidu is a popular search engine in China, more popular than Google China.

    There seems to be a conflict of interest here...

  • Dexter

    joechung said:

    Hmm, a spyware detector included in Google Pack claims that a Baidu BHO is spyware.

    Baidu is a popular search engine in China, more popular than Google China.

    There seems to be a conflict of interest here...

    What's even more surprising is that it appears that the said spyware detector does a blind scan ignoring the usage of registry keys. Even if that "Extension Compatibility" key is not documented it should be pretty obvious what it does. Besides, if the computer was really infected then shouldn't the dll file be somewhere around?
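    The check the two replies above describe (is a BHO with this CLSID actually registered under the Browser Helper Objects key, and is its DLL on disk, or is the hit only IE's own Extension Compatibility list?) as an added PowerShell triage script; it is not from the thread or from Spyware Doctor, and the log excerpt in $LogText is a constructed sample using the two CLSIDs from the posted scan output.

```powershell
# Added triage script (not part of the thread). Reads scanner log text, pulls every CLSID
# flagged under IE's "Extension Compatibility" key, and checks what is really registered.
# $LogText is a constructed sample built from the CLSIDs in the posted scan log.
$LogText = @'
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{77FEF28E-EB96-44FF-B511-3185DEA48697}, DllName
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{B580CF65-E151-49C3-B73F-70B13FCA8E86}
'@

# 32-bit registry view (matches the XP machine in the thread); on 64-bit Windows
# also look under the Wow6432Node equivalents of these keys.
$CompatKey = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility'
$BhoKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'

function Get-FlaggedClsids {
    param([string]$Text)
    # Only hits under Extension Compatibility are interesting here; dedupe the CLSIDs.
    $pattern = 'Extension Compatibility\\(\{[0-9A-Fa-f-]{36}\})'
    [regex]::Matches($Text, $pattern) | ForEach-Object { $_.Groups[1].Value } | Sort-Object -Unique
}

function Test-BhoTriage {
    param([string]$Clsid)
    $r = [ordered]@{ Clsid = $Clsid }
    # 1. What IE's own compatibility list records for this CLSID (informational only).
    $compat = Get-ItemProperty -Path (Join-Path $CompatKey $Clsid) -ErrorAction SilentlyContinue
    $r.InCompatList = [bool]$compat
    $r.CompatFlags  = if ($compat) { '0x{0:X}' -f $compat.CompatibilityFlags } else { $null }
    # 2. Is a BHO with this CLSID registered where IE actually loads BHOs from?
    $r.RegisteredBho = Test-Path (Join-Path $BhoKey $Clsid)
    # 3. Is there a COM server DLL behind the CLSID, and does that file exist?
    $server = Get-ItemProperty -Path "HKLM:\SOFTWARE\Classes\CLSID\$Clsid\InprocServer32" -ErrorAction SilentlyContinue
    $dll = if ($server) { [Environment]::ExpandEnvironmentVariables($server.'(default)') } else { $null }
    $r.DllPath   = $dll
    $r.DllExists = if ($dll) { Test-Path $dll } else { $false }
    $r.Verdict = if ($r.RegisteredBho -and $r.DllExists) { 'registered BHO with DLL on disk: inspect the DLL' }
                 elseif ($r.RegisteredBho) { 'BHO registered but DLL missing: stale registration' }
                 else { 'compatibility-list entry only, no BHO registered: likely false positive' }
    [pscustomobject]$r
}

Get-FlaggedClsids -Text $LogText | ForEach-Object { Test-BhoTriage -Clsid $_ } | Format-List
```

    A verdict of "compatibility-list entry only" matches the situation in this thread: the scanner matched IE's add-on compatibility metadata, not a loaded add-on.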

  • CannotResolveSymbol

    joechung said:

    Hmm, a spyware detector included in Google Pack claims that a Baidu BHO is spyware.

    Baidu is a popular search engine in China, more popular than Google China.

    There seems to be a conflict of interest here...

    Actually, McAfee detects it too...  it's classic adware, installing a useless toolbar and creating unwanted connections to other internet servers (possibly transmitting personal data to those servers).

    If you don't see the toolbar, you don't have it installed.  Chalk this one up to a poorly-programmed spyware scanner.
