notepad.exe Virus

04-20-04
Today I was hit with a virus that replaced notepad.exe with another file and screwed up Internet Explorer's default actions. Basically, there were 3 symptoms

Anytime Internet Explorer opens a new window, a Search panel opens pointing a spam oriented search engine - www.i--search.com
When you double click an *.txt file, notepad.exe is supposed to run - I suspected a problem when nothing happened.
I normally edit html files by viewing them in Internet Explorer, right clicking, and selecting View Source - Nothing happened.

Hey, come on - my system is broken and none of the virus sites list this crap as a problem.

The people who do this stuff should have free lifetime accommodations provided by our federal government.

Damage to My System

The infected system is running Windows XP.

New infected system files
Replaced system file
The Internet Explorer settings were changed

notepad.exe should be 65KB, after infection it was 20 kb. Since this exe is used by various applications, some parts of the system no longer worked.

C:\WINDOWS\Temp\g1.exe

appears to be exactly the same file as the new (infected)

C:\WINDOWS\system32\notepad.exe

Spam Search Site

When I opened the virus "notepad.exe" in the real (Microsoft) notepad.exe, I found the following strings. (This data is reformatted to make it readable and some hex data is removed.)

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
   "SystemSearch"="REGEDIT.EXE -s  ےےےے	   /sys.reg"

[HKEY_CLASSES_ROOT\PROTOCOLS\Handler\mhtml]
   @=" "
   "CLSID"=" " 

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer]
   "SearchURL"="http://www.i--search.com/ie/"
  
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
  "Use Search Asst"="no"
  "Use Custom Search URL"=dword:00000001
  "Default_Search_URL"="http://www.i--search.com/ie/"
  "Search Page"="http://www.i--search.com/ie/"
  "Search Bar"="http://www.i--search.com/ie/"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search]
   "SearchAssistant"="http://www.i--search.com/ie/"
   "CustomizeSearch"="about:blank"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
   "ITBarLayout"=hex:[ I deleted a bunch of codes here ]

REGEDIT.EXE   -s  OPEN    http://216.240.137.40/yess/count.php?x=X    IEXPLORE.EXE

In my opinion, this indicates a positive connection between this file and the changes to Internet Explorer.

These are the special spam search links

Pharmacy   Car Insurance   Ionamin   Online Gambling   Hair loss   Sportsbook

Insurance   Gambling   Health Insurance   Casino   Web Hosting   Mortgage Rates

Home Loans   Weight Loss   Used Cars   Stop smoking   Life Insurance   Xenical

Poker   Viagra   Domain Names   Phentermine   Weight loss pills   Meridia

Mortgage calculator

C:\WINDOWS\setupapi.log

Microsoft appears to keep track of certain updates in

C:\WINDOWS\setupapi.log

These are the relevant entries at the bottom of the file

[2004/04/19 16:13:34 2896.1]
#-198 Command line processed: "C:\Program Files\Internet Explorer\IEXPLORE.EXE" 
#-024 Copying file "c:\windows\temp\g1.exe" to "C:\WINDOWS\Downloaded Program Files\g1.exe".
#E361 An unsigned or incorrectly signed file "c:\windows\temp\g1.exe" will be installed 
        (Policy=Ignore). Error 0x800b0100: No signature was present in the subject.
[2004/04/19 16:13:46 2896.2]
#-198 Command line processed: "C:\Program Files\Internet Explorer\IEXPLORE.EXE" 
#-024 Copying file "c:\windows\temp\g1.exe" to "C:\WINDOWS\Downloaded Program Files\g1.exe".
#E361 An unsigned or incorrectly signed file "c:\windows\temp\g1.exe" will be installed 
        (Policy=Ignore). Error 0x800b0100: No signature was present in the subject.

I was not able to find

C:\WINDOWS\Downloaded Program Files\g1.exe

on my system - instead, I found the following ActiveX control.

C:\WINDOWS\Downloaded Program Files\{11111111-1111-1111-1111-111111111133}

Relevant Registry Entries

These registry keys need to be "Fixed" to get rid of this crap.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
 SystemSearch = REGEDIT.EXE -s C:/WINDOWS/sys.reg


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\
    Distribution Units\{11111111-1111-1111-1111-111111111133}\DownloadInformation
 CODEBASE=file://c:\windows\temp\g1.exe

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer
 SearchURL           = http://www.i--search.com/ie/

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
 Default_Search_URL  = http://www.i--search.com/ie/
 Search Bar          = http://www.i--search.com/ie/
 Search Page         = http://www.i--search.com/ie/
 SearchURL           = http://www.i--search.com/ie/

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search
 SearchAssistant     = http://www.i--search.com/ie/

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main
 Default_Search_URL  = http://www.i--search.com/ie/
 Search Page         = http://www.i--search.com/ie/

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search
 SearchAssistant     = http://www.i--search.com/ie/


HKEY_LOCAL_MACHINE\SOFTWARE\SpeedBit\Download Accelerator\FileList\butterfly.gif
 Item_MainURL        = http://www.i--search.com/butterfly.gif
 L_LastGoodKnownURL1 = http://www.i--search.com/butterfly.gif
 L_LocationURL1      = http://www.i--search.com/butterfly.gif
 L_ServerName1       = www.i--search.com

The Download Accelerator is just getting an image for the search frame.

SystemSearch is used to reinfect the system when you reboot.

This registry entry needs to be fixed to display *.mht files - single file, MIME encoded web pages - they contain html and images in a single file. This is the format used to email html pages.

HKEY_CLASSES_ROOT\PROTOCOLS\Handler\mhtml
 CLSID = {05300401-BCBC-11d0-85E3-00C04FD85AB4}

In Internet Explorer, to create an *.mht file, select File / Save As... and set the File Type to Web Archive, single file (*.mht).

MIME encapsulation of aggregate HTML (MHTML)

www.i--search.com Uninstall

If you go to http://www.i--search.com/, you can download search_uninstall.reg ... this is what it contains.

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SystemSearch"=""
"sp"=""
"spp"=""

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Search Page"="http://home.microsoft.com/access/allinone.asp"
"Search Bar"="http://search.msn.com/spbasic.htm"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchURL]
""="http://home.microsoft.com/access/autosearch.asp?p=%s"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
"SearchAssistant"="http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm"

"CustomizeSearch"="http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm"

[HKEY_CLASSES_ROOT\CLSID\{69550BE2-9A78-11d2-BA91-00600827878D}\Instance\InitPropertyBag]
"Url"=""

Notice that it does not repair the mhtml problem or repair the broken notepad.exe. It leaves in data so that their site is still used. It also has the wrong data.

This was on another system that was not infected.

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
 Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch

 Default_Search_URL, Search Bar, and SearchURL do not exist

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search
  This key does not exist, their "fix" does not remove it

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchURL
 has no data at all

HKEY_CLASSES_ROOT\CLSID\{69550BE2-9A78-11d2-BA91-00600827878D}\Instance\InitPropertyBag
  This key does not exist on either system ... what gives?

Uninstall

These instructions are only a start, I don't think that they are complete

This fixes the files

Delete 3 files-
- C:\WINDOWS\Temp\g1.exe
- C:\WINDOWS\sys.reg
- C:\WINDOWS\system32\notepad.exe
copy C:\WINDOWS\notepad.exe to C:\WINDOWS\system32\notepad.exe

The registry is more complex - Delete this key

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
 SystemSearch = REGEDIT.EXE -s C:/WINDOWS/sys.reg

Modify these keys

Search and replace all keys that contain www.i--search.com
I don't know what the "correct" values should be, so its up to you. Various suggestions are located elsewhere on this page - just don't leave that string in your registry. Keys with MRU (Most Recently Used) in their names do not need to be modified.
for HKEY_CLASSES_ROOT\PROTOCOLS\Handler\mhtml, change the CLSID from a blank value to {05300401-BCBC-11d0-85E3-00C04FD85AB4}

Remove the ActiveX component (I haven't tested this part yet)

In Windows Explorer (Windows Key-E), locate C:\WINDOWS\Downloaded Program Files
Right click on {11111111-1111-1111-1111-111111111133} and select Remove

In theory, that should automatically remove C:\WINDOWS\Temp\g1.exe.

tracert Results

I found 2 IP addresses related to this problem - these are the important parts of their traces.

tracert 216.240.137.40

 ......

 12    99 ms    71 ms    71 ms  anhmca1wcx2-pos9-0.wcg.net [64.200.141.61]
 13    71 ms    73 ms    71 ms  lsanca3lcx1-pos6-0.wcg.net [64.200.140.70]
 14    70 ms    70 ms    69 ms  lsanca3lce1-yipes-gige.wcg.net [64.200.239.58]
 15    73 ms    70 ms    71 ms  209.120.141.18
 16    72 ms    71 ms    71 ms  216.240.137.40

Trace complete.


tracert www.i--search.com

 ......

 15    90 ms    89 ms    92 ms  so-0-0-0.er10a.sjc2.us.above.net [64.125.30.94]

 16    90 ms    91 ms    90 ms  reserved.above.net [209.133.64.124]
 17    90 ms    90 ms    90 ms  66-154-102-52.assertivenetworks.net [66.154.102.52]
 18    89 ms   114 ms    90 ms  66.79.175.2
 19    90 ms    89 ms    91 ms  66.79.191.231

Trace complete.

You can use easywhois to determine who owns these addresses. Apparently, www.i--search.com is owned by zeropopup.com - a known spam site - registered to

ASHER NAHMIAS (webmaster@zeropopup.com)
   +972.52202736
   Fax: none
   TA-DOAR:2273
   ASHDOD, IL 77122
   IL

jethomepage is registered to
Asher Nahmias  importx@hotmail.com
   P.O.B :  2273
   Ashdod, israel 77122
   972-52-202736

Related Vandalism

zeropopup.com (209.249.147.70) is also owned by Asher Nahmias - one of the people associated with the problem reported on this page. What ever you do, DON'T USE THIS PROGRAM. Just going to this site causes the following security warning

I found this in the END-USER LICENSE AGREEMENT FOR ZeroPopUp Companion ToolBar.

Each time you run the SOFTWARE PRODUCT you agree to have your IE search page and/or HomePage set to our search engine, for the purpose of performing a web search. I think that this says it all - if you use this crap, you're screwed. And because they tell you that they're going to hijack your system, this crap does not qualify as a virus.

However, on my system, notepad.exe and mhtml were also clobbered - thus, I consider what happened to my system to be vandalism and trespass.

www.i--search.com and zeropopup.com are both registered to the same person, but I can not prove that the virus on my machine was written by that person, only that it points to those sites.

Also, www.i--search.com (last changed 04-23-2004) and 216.240.137.40 (last changed 01-30-2004) both point to a search page. They appear to be identical except that www.i--search.com has links to jennifer@zeropopup.com and www.searchxl.com (same IP address as www.i--search.com).

BTW, zeropopup.com is not on my system, and, as far as I know, has never been on that system.

References

In addition to trashing IE, ZeroPopup accesses your Address Book and sends an unsolicited message to all your contacts. Supposedly, that was actually in the license agreement. (Yikes) As of 05-18-04, it is not in the license agreement.
This McAfee page considers ZeroPopup to be a "potentially unwanted program/joke" or a "potentially dangerous program", not a virus or trojan. The "official McAfee page" calls it a trojan.

Notes

I am still not able to determine how this crap got on my machine - Searches (using AgentRansack) indicate that this infection came via some web page ... not via email. But the offending URL is not obvious. (This conclusion is based on date/time stamps.)

Yes, I ran a virus check - nothing was found.

Ad-aware 6.0 found nothing.

When searching Google for info on 216.240.137.40 and/or g1.exe, I found a few traces with this type of data

O16 - DPF: {11111111-1111-1111-1111-555300000000} - mhtml:C:\\NO_SUCH_MHT.MHT
http://216.240.137.40/g1.exe

http://www.i--search.com/ie/ contains encrypted JavaScript.

References

On 04-20-2004, I searched Google for

216.240.137.40           no hits
"216.240.137.40"         7 hits - always part of a trace, no data
www.i--search.com        no hits
c:\windows\temp\g1.exe   no hits
notepad virus            lots of hits - but most are not related to this
notepad 216.240.137.40   2 hits, but not of any value
{11111111-1111-1111-1111-111111111133}  only one match - in an example
"http://216.240.137.40/g1.exe"          5 relevant hits, but no information

On 04-30-2004, I searched Google for

216.240.137.40           no hits
"216.240.137.40"         49 hits - This page is #1
www.i--search.com        no hits
"+www.i--search.+com"    94 hits - This page is #4
c:\windows\temp\g1.exe    2 hits - This page is #1
notepad virus            lots of hits - but most are not related to this
                                This page is #2
notepad 216.240.137.40   3 hits, but not of any value, This page is #1
{11111111-1111-1111-1111-111111111133}  3 hits - one is a programming example
"http://216.240.137.40/g1.exe"          6 relevant hits, but no information

Note: This file was posted on 4-20-2004 and first listed on Google about 4-27-2004 (pretty good).

References

I can't find any useable references yet.
IE Vulnerability Flagged - this explains how MSHTML can be used to install viruses on a computer. It may be partially related to the problem because the pages I found with
also contain
jethomepage is another search engine scam/parasite associated with Asher Nahmias - one of the people associated with the Notepad virus. These are not the only two associated with him. Too bad US law can't get him in Israel. At a minimum, he should be charged with vandalism.

Author: Robert Clemenzi