Wednesday, November 16, 2005

PokaPoka.exe + Nothing = YupSearch.

Some readers may recall the article YupSearch Addendum posted in VGS's pages this past March 18th. Of course, eight months ago is ancient history on the Internet (and especially ancient in matters of adware and malware). I had since noticed, in passing, that there seemed to have been some changes in how that search engine front-page was being employed. I promised myself to set aside some time, eventually, to check out the new version, and have discovered a few items to pass along.

To recap, very briefly, a key point from the Addendum:

YupSearch... detects when "404" pages ("page not found") load up into the browser and redirects the browser to the base search engine in their place.

The original YupSearch was a redirect target only. It had no toolbar of its own.

That ended with the EliteSideBar version of the EliteBar infection (a.k.a. adw_elitebar.b). The EliteSideBar opens on the left side of the screen with numerous entries from the YupSearch front-page rather than from SearchMiracle. Or at least it does at first, for the EliteSideBar is programmed to download the full-bore Elite ToolBar after the SideBar is installed. If the download is successful, an Elite***32.exe or Kalv***32.exe file is installed, and the file InprocServer32 and the YupSearch hijack target are deleted. Thus:

EliteSideBar 08dll + InprocServer32 = the adw_elitebar.b version of YupSearch

or perhaps better put:

EliteSideBar 08dll + Nothing = YupSearch (EliteBar.b version).


EliteSideBar 08dll + elite***32.exe (or kalv***32.exe) = EliteSideBar with a YupSearch redirect

and the user (or technician) will find a HijackThis (or other) entry for the SearchMiracle front-page as hijacker target.

The EliteSideBar, however, with its EliteSideBar 08dll and InprocServer32, seems not to have been a very effective variant of EliteBar. It has been all but abandoned in favour of another trojan downloader, the name of which has since become infamous: PokaPoka**.exe. The scheme is the same:

PokaPoka + Nothing = YupSearch


PokaPoka.exe + Elite***32.exe = EliteBar with a YupSearch redirect.

Once Elite***.exe is downloaded, the YupSearch hijacker target is deleted and the SearchMiracle hijacker installed. The YupSearch front-page target now only appears, if it appears at all, on special redirects, the most common being redirects away from 404 ("page not found") pages.
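The two "equations" above can be turned into a quick triage check over a HijackThis-style log: look for the downloader and the toolbar executable in the startup (O4) entries, look for which front-page sits in the search/start page (R0/R1) entries, and see whether the two agree. The script below is an added example written for this post, not code from the original article or from any tool it mentions. The sample log lines are constructed, the hostnames are placeholders rather than the real addresses, and reading the post's "**" and "***" wildcards as "any two / any three characters" is an assumption.

```python
import re

# Constructed sample logs in HijackThis-style format. They are illustrations
# written for this example, not captured from a real machine, and the hostnames
# (yupsearch.example, searchmiracle.example) are placeholders.
SAMPLE_LOG_YUPSEARCH_STAGE = (
    "R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Page = http://yupsearch.example/\n"
    "R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.example.com/\n"
    "O4 - HKLM\\..\\Run: [PokaPoka73] C:\\WINDOWS\\PokaPoka73.exe\n"
)

SAMPLE_LOG_ELITEBAR_STAGE = (
    "R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Page = http://searchmiracle.example/\n"
    "O4 - HKLM\\..\\Run: [PokaPoka73] C:\\WINDOWS\\PokaPoka73.exe\n"
    "O4 - HKLM\\..\\Run: [EliteKrw32] C:\\WINDOWS\\EliteKrw32.exe\n"
)

# File-name patterns from the post: PokaPoka**.exe, Elite***32.exe, Kalv***32.exe.
# Assumption: each '*' stands for one arbitrary word character.
DOWNLOADER_RE = re.compile(r"\bPokaPoka\w{0,2}\.exe\b", re.IGNORECASE)
TOOLBAR_RE = re.compile(r"\b(?:Elite|Kalv)\w{3}32\.exe\b", re.IGNORECASE)
# The two front-pages named in the post, matched by name inside any URL.
FRONTPAGE_RE = re.compile(r"\b(yupsearch|searchmiracle)\b", re.IGNORECASE)


def parse_hjt(log_text):
    """Split a HijackThis-style log into (section, body) pairs, e.g. ('O4', 'HKLM\\..\\Run: ...')."""
    entries = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        section, sep, body = line.partition(" - ")
        if sep:
            entries.append((section, body))
    return entries


def classify(log_text):
    """Apply the post's two equations to a log and report which stage it matches.

    PokaPoka + Nothing            = YupSearch front-page as hijack target
    PokaPoka + Elite***32.exe     = EliteBar, SearchMiracle front-page as hijack target
    """
    downloaders, toolbars, targets = set(), set(), set()
    for section, body in parse_hjt(log_text):
        if section.startswith("O4"):            # startup entries: look for the executables
            downloaders.update(m.group(0) for m in DOWNLOADER_RE.finditer(body))
            toolbars.update(m.group(0) for m in TOOLBAR_RE.finditer(body))
        elif section.startswith("R"):           # R0/R1: start page / search page settings
            targets.update(m.group(1).lower() for m in FRONTPAGE_RE.finditer(body))

    if downloaders and not toolbars:
        stage, expected = "YupSearch", "yupsearch"
    elif downloaders and toolbars:
        stage, expected = "EliteBar", "searchmiracle"
    else:
        stage, expected = "unclassified", None

    # A mismatch (e.g. downloader only, but SearchMiracle already set as the hijack
    # target) is worth a second look: the toolbar may have come and gone, or the
    # log may be incomplete.
    consistent = expected is None or expected in targets
    return {
        "stage": stage,
        "downloaders": sorted(downloaders),
        "toolbars": sorted(toolbars),
        "front_pages": sorted(targets),
        "consistent": consistent,
    }


if __name__ == "__main__":
    for name, log in (("downloader only", SAMPLE_LOG_YUPSEARCH_STAGE),
                      ("downloader + toolbar", SAMPLE_LOG_ELITEBAR_STAGE)):
        print(name, "->", classify(log))
```

The `consistent` flag is the useful part for a technician: a log showing PokaPoka with no Elite***32.exe but a SearchMiracle hijack target does not fit either equation, and that is exactly the case where the post's description suggests the toolbar download may have been attempted and partly cleaned up.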

The reason I refer to SearchMiracle and YupSearch "front-pages" rather than "search engines" is explained in YupSearch Addendum.

