
Shop At Home Select - What's Happened

by Chris Boyd, Wayne Porter

Date: October 18, 2005

Spyware Research

A recent install from a website pushing photographs of celebrities installs numerous programs onto the end-user's PC, including Shop at Home Select, Sidefind, Your Site Bar, Powerscan, Bullseye Networks and Internet Optimizer. This payload is enough on its own to cause CPU performance problems - however, there are a number of additional items which appear on the desktop some time after the initial install is complete. These additional links lead to more installs, one of which attempts to cause deliberate confusion by using a service name similar to that of a legitimate program.

The install in action

We have a film of the bundle in action - unfortunately, due to the length of time it takes to install, the video file is well over 350MB in size! From the video, we can tell you that in IE, the ActiveX installer is presented to the user upon visiting the target website (00:06), and clicking "no" (00:32) results in repeated popups asking the user to click "yes" to continue viewing the site - even though, after cancelling out, the content is perfectly viewable without installing the software. Once the user attempts to navigate to any section containing images, the ActiveX installer continues to appear on every page, and at (1:03) clicking an "image" file actually opens a prompt to install software. In this case, the .EXE is named after the celebrity. In effect, there are no images to view barring the thumbnails.

Switching to Firefox, we find at (1:46) that the familiar ysbweb tactic of checking whether the browser is IE or Firefox comes into play: instead of an ActiveX prompt, we are greeted with a "fake" yellow information bar across the top of the screen and a Java applet, which gives no indication of what lies behind it. The yellow bar attempts to install a plugin, and the applet tries to lead you back to the bundle launched from IE.

At (2:08) the desktop executable is launched. At this point, the install begins and the software downloads onto the target PC. Shop at Home Select makes an appearance at (3:15), along with numerous other programs.

After the install

Upon opening IE, you can see a few of the programs that have been installed (SideFind and Your Site Bar, branded on this occasion with MTV logos):



But after switching the machine off and restarting, it becomes clear that the install does not complete in one session. After a while, numerous icons appear on the desktop - three IE links and one MS-DOS file:



Of the three links, the "career boost" and "dream date" links use redirects to take you to pages apparently supplied by Azoogle. The third, "Casino games", brings up the following (as yet) unknown executable:



This .EXE attempts to install casino software, which prompts players to create login details (including name, address, etc.) as long as the player is legally allowed to gamble.

The final installer is the MS-DOS file misleadingly entitled "pictures". Running the .EXE does not appear to do anything - however, two lines of traffic are transmitted, apparently to ysbweb:



and a new service is added - the misleadingly titled aolserviceshosts.exe:



This is clearly intended to cause confusion with the genuine Aolservicehost.exe (note that the "s" is missing from the end of the word "host" in the genuine version). Once this was installed, CPU usage went through the roof and the system became unstable, leaving no option but to turn the machine off.
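A defender-side check for the look-alike naming described above, added here as an example and not part of the XBlock article: it flags service or process image names that are near-misses (by edit distance) of known legitimate names, as aolserviceshosts.exe is of Aolservicehost.exe. The allow-list of legitimate names and the sample service listing are constructed for illustration.

```python
# Added example (not from the XBlock article): flag service/process names that
# are near-misses of known legitimate names, as with aolserviceshosts.exe
# impersonating Aolservicehost.exe. KNOWN_GOOD and SAMPLE_SERVICES are
# constructed for illustration; a real deployment would use a vetted list.

KNOWN_GOOD = {"aolservicehost.exe", "svchost.exe", "explorer.exe", "iexplore.exe"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost))
        prev = cur
    return prev[-1]


def find_lookalikes(observed, known_good=KNOWN_GOOD, max_distance=2):
    """Return (observed_name, imitated_name, distance) for every observed name
    that is within max_distance edits of a known legitimate name but is not
    that name. Comparison is case-insensitive, as Windows file names are."""
    hits = []
    for name in observed:
        lower = name.lower()
        if lower in known_good:
            continue  # exact match to a legitimate name: nothing to flag
        best = min(known_good, key=lambda g: edit_distance(lower, g))
        d = edit_distance(lower, best)
        if d <= max_distance:
            hits.append((name, best, d))
    return hits


# Constructed sample listing of service image names, including the one seen
# in the article and one typo-squat on svchost.exe for comparison.
SAMPLE_SERVICES = [
    "svchost.exe", "Aolservicehost.exe", "aolserviceshosts.exe",
    "explorer.exe", "svch0st.exe", "notepad.exe",
]

if __name__ == "__main__":
    for name, legit, d in find_lookalikes(SAMPLE_SERVICES):
        print(f"{name} resembles {legit} (edit distance {d})")
```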

This article is copyright 2005 by XBlock.com.
It may not be reprinted or copied without the express written consent of the author.


© Copyright 2003-2011, Actiance, Inc. All rights reserved.