notepad.exe Virus

04-20-04
Today I was hit with a virus that replaced notepad.exe with another file and screwed up Internet Explorer's default actions. Basically, there were 3 symptoms

Hey, come on - my system is broken and none of the virus sites list this crap as a problem.

The people who do this stuff should have free lifetime accommodations provided by our federal government.



Damage to My System

The infected system is running Windows XP. notepad.exe should be 65 KB; after infection it was 20 KB. Since this exe is used by various applications, some parts of the system no longer worked. appears to be exactly the same file as the new (infected)


Spam Search Site

When I opened the virus "notepad.exe" in the real (Microsoft) notepad.exe, I found the following strings. (This data is reformatted to make it readable and some hex data is removed.) In my opinion, this indicates a positive connection between this file and the changes to Internet Explorer.

These are the special spam search links
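The two checks made by hand above (comparing the file size with what notepad.exe should be, and reading the strings embedded in the impostor) can be automated. The following Python script is an added example and is not code from the original page: it compares a suspect binary with a known-good reference copy by size and SHA-256, then lists the URLs that appear in the suspect file as printable ASCII or UTF-16 strings. The dllcache path named in the comments is an assumption about Windows File Protection on XP, not something this page states, and the sample bytes are constructed placeholders (example.invalid is not a real indicator).

```python
# Added example (not from the original page): automate the two checks the page's
# author did by hand on the fake notepad.exe - compare it with a known-good copy
# and read the URLs embedded in it. On Windows XP the Windows File Protection
# cache, %SystemRoot%\system32\dllcache\notepad.exe, is one place to get a
# reference copy (an assumption about XP, not a statement from the page).
import hashlib
import re
from pathlib import Path

MIN_LEN = 6
URL_RE = re.compile(r"(?:https?://|www\.)[A-Za-z0-9.\-_/?=&%+~#]+")


def extract_strings(data, min_len=MIN_LEN):
    """Return printable strings of at least min_len characters, in file order.
    Both plain ASCII runs and UTF-16LE runs are collected, because Windows
    binaries keep many of their strings (including URLs) in UTF-16."""
    found = []
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        found.append((m.start(), m.group().decode("ascii")))
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data):
        found.append((m.start(), m.group().decode("utf-16-le")))
    return [s for _, s in sorted(found)]


def find_urls(strings):
    """Pull URL-looking substrings out of the extracted strings."""
    return [m.group() for s in strings for m in URL_RE.finditer(s)]


def fingerprint(data):
    return {"size": len(data), "sha256": hashlib.sha256(data).hexdigest()}


def compare_to_reference(suspect, reference):
    """Compare a suspect binary with a known-good copy.

    Reports size and hash mismatches and the URLs that appear only in the
    suspect file (a genuine binary may legitimately contain a few URLs)."""
    s, r = fingerprint(suspect), fingerprint(reference)
    ref_urls = set(find_urls(extract_strings(reference)))
    new_urls = [u for u in find_urls(extract_strings(suspect)) if u not in ref_urls]
    return {
        "size_match": s["size"] == r["size"],
        "hash_match": s["sha256"] == r["sha256"],
        "suspect_size": s["size"],
        "reference_size": r["size"],
        "new_urls": new_urls,
    }


def triage_files(suspect_path, reference_path):
    """Same comparison on files, e.g. system32\\notepad.exe vs. dllcache\\notepad.exe."""
    return compare_to_reference(Path(suspect_path).read_bytes(),
                                Path(reference_path).read_bytes())


# Constructed sample data standing in for the 65 KB genuine file and the 20 KB
# impostor; example.invalid is a placeholder domain, not a real indicator.
REFERENCE_SAMPLE = b"MZ" + b"\x00" * 100 + "Notepad".encode("utf-16-le")
REFERENCE_SAMPLE += b"\x00" * (65 * 1024 - len(REFERENCE_SAMPLE))
SUSPECT_SAMPLE = (b"MZ" + b"\x00" * 100
                  + b"http://search.example.invalid/ie/?q=%s\x00" + b"\x00" * 50
                  + "www.example.invalid".encode("utf-16-le"))
SUSPECT_SAMPLE += b"\x00" * (20 * 1024 - len(SUSPECT_SAMPLE))

if __name__ == "__main__":
    import json
    print(json.dumps(compare_to_reference(SUSPECT_SAMPLE, REFERENCE_SAMPLE), indent=2))
```

Run it against real files with triage_files(r"C:\WINDOWS\system32\notepad.exe", r"C:\WINDOWS\system32\dllcache\notepad.exe"); a size or hash mismatch plus unfamiliar URLs in new_urls is the same evidence the page's author found, collected in one place.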


C:\WINDOWS\setupapi.log

Microsoft appears to keep track of certain updates in These are the relevant entries at the bottom of the file I was not able to find on my system - instead, I found the following ActiveX control.


Relevant Registry Entries

These registry keys need to be "Fixed" to get rid of this crap. The Download Accelerator is just getting an image for the search frame.

SystemSearch is used to reinfect the system when you reboot.

This registry entry needs to be fixed to display *.mht files - single file, MIME encoded web pages - they contain html and images in a single file. This is the format used to email html pages.

In Internet Explorer, to create an *.mht file, select File / Save As... and set the File Type to Web Archive, single file (*.mht).

MIME encapsulation of aggregate HTML (MHTML)


www.i--search.com Uninstall

If you go to http://www.i--search.com/, you can download search_uninstall.reg ... this is what it contains. Notice that it does not repair the mhtml problem or repair the broken notepad.exe. It leaves in data so that their site is still used. It also has the wrong data.
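The point above (a vendor "uninstall" .reg that leaves data behind and carries wrong values) and the registry steps in the Uninstall section below are both easier to check if the .reg file is reviewed before it is imported. The following Python script is an added example, not code from this page or from the site it describes: it parses the REGEDIT4 / "Windows Registry Editor Version 5.00" text format and reports what the file would do (create or delete keys, set or delete values), flagging anything it sets rather than removes and anything it writes under an autostart (Run) key. The sample .reg text, its key names and the example.invalid URL are constructed for the example.

```python
# Added example (not from the original page or from the site it describes): a
# reviewer for .reg files. Before importing something like the search_uninstall.reg
# the page discusses, list what it would actually do - which keys and values it
# deletes, and which it sets or leaves behind - so a "cleanup" that re-adds a
# search URL or an autostart entry is caught first. The sample .reg text and its
# key names are constructed for this example.
import re

KEY_RE = re.compile(r"^\[(-?)(.+)\]$")
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
AUTOSTART_MARKERS = ("\\currentversion\\run", "\\currentversion\\runonce")


def _unescape(s):
    # .reg text doubles backslashes and escapes quotes inside strings
    return s.replace("\\\\", "\\").replace('\\"', '"')


def parse_reg(text):
    """Return (action, key, value_name, value) tuples in file order.

    action is one of create_key, delete_key, set_value, delete_value.
    REG_SZ values are unescaped, REG_DWORD values become ints, anything
    else (hex(...) blobs) is kept as raw text."""
    ops = []
    current = None
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if (not line or line.startswith(";") or line == "REGEDIT4"
                or line.startswith("Windows Registry Editor")):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(2)
            ops.append(("delete_key" if m.group(1) else "create_key", current, None, None))
            continue
        # hex values are wrapped: a trailing backslash continues on the next line
        while line.endswith("\\") and i < len(lines):
            line = line[:-1] + lines[i].strip()
            i += 1
        m = VALUE_RE.match(line)
        if not m or current is None:
            continue
        name = "(Default)" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
        raw = m.group(2)
        if raw == "-":
            ops.append(("delete_value", current, name, None))
        elif len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            ops.append(("set_value", current, name, _unescape(raw[1:-1])))
        elif raw.lower().startswith("dword:"):
            ops.append(("set_value", current, name, int(raw[6:], 16)))
        else:
            ops.append(("set_value", current, name, raw))
    return ops


def audit(ops):
    """Flag what a defender wants to see in an 'uninstall' file: every value it
    sets (a cleanup should mostly delete), with autostart writes called out."""
    findings = []
    for action, key, name, value in ops:
        if action != "set_value":
            continue
        where = key + "\\" + name
        if any(mark in key.lower() for mark in AUTOSTART_MARKERS):
            findings.append("PERSISTENCE: sets autostart value %s = %r" % (where, value))
        else:
            findings.append("ADDS DATA: sets %s = %r" % (where, value))
    return findings


# Constructed sample: an "uninstall" file that deletes one key but still writes a
# search URL and an autostart entry. Key and value names under ExampleSearchBar
# and the Run entry are hypothetical.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

; constructed sample for the example above
[-HKEY_LOCAL_MACHINE\SOFTWARE\ExampleSearchBar]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Search Page"="http://search.example.invalid/"
"Start Page"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleSearch"="C:\\Temp\\example.exe"
'''

if __name__ == "__main__":
    for op in parse_reg(SAMPLE_REG):
        print(op)
    for finding in audit(parse_reg(SAMPLE_REG)):
        print(finding)
```

Feeding the downloaded search_uninstall.reg to parse_reg and audit shows in one listing which keys it really removes and which values it writes back, which is exactly the behaviour criticised above.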

This was on another system that was not infected.


Uninstall

These instructions are only a start; I don't think that they are complete.

This fixes the files

The registry is more complex - Delete this key

Modify these keys Remove the ActiveX component (I haven't tested this part yet) In theory, that should automatically remove C:\WINDOWS\Temp\g1.exe.


tracert Results

I found 2 IP addresses related to this problem - these are the important parts of their traces. You can use easywhois to determine who owns these addresses. Apparently, www.i--search.com is owned by zeropopup.com - a known spam site - registered to


Related Vandalism

zeropopup.com (209.249.147.70) is also owned by Asher Nahmias - one of the people associated with the problem reported on this page. Whatever you do, DON'T USE THIS PROGRAM. Just going to this site causes the following security warning I found this in the END-USER LICENSE AGREEMENT FOR ZeroPopUp Companion ToolBar. I think that this says it all - if you use this crap, you're screwed. And because they tell you that they're going to hijack your system, this crap does not qualify as a virus.

However, on my system, notepad.exe and mhtml were also clobbered - thus, I consider what happened to my system to be vandalism and trespass.

www.i--search.com and zeropopup.com are both registered to the same person, but I cannot prove that the virus on my machine was written by that person, only that it points to those sites.

Also, www.i--search.com (last changed 04-23-2004) and 216.240.137.40 (last changed 01-30-2004) both point to a search page. They appear to be identical except that www.i--search.com has links to jennifer@zeropopup.com and www.searchxl.com (same IP address as www.i--search.com).

BTW, zeropopup.com is not on my system, and, as far as I know, has never been on that system.


References


Notes

I am still not able to determine how this crap got on my machine - Searches (using AgentRansack) indicate that this infection came via some web page ... not via email. But the offending URL is not obvious. (This conclusion is based on date/time stamps.)

Yes, I ran a virus check - nothing was found.

Ad-aware 6.0 found nothing.

When searching Google for info on 216.240.137.40 and/or g1.exe, I found a few traces with this type of data

http://www.i--search.com/ie/ contains encrypted JavaScript.


References

On 04-20-2004, I searched Google for On 04-30-2004, I searched Google for Note: This file was posted on 4-20-2004 and first listed on Google about 4-27-2004 (pretty good).



Author: Robert Clemenzi
URL: http://mc-computing.com/Parasites/notepad_virus.html