Windows users who haven't already done so might want to download a patch Microsoft issued in January to fix critical cursor and icon format handling flaws. PandaLabs said it has detected the first adware to target the security holes.
The Glendale, Calif.-based antivirus firm said Searchmeup uses the vulnerabilities to download itself onto computers without users' permission. Pages from which Searchmeup is downloaded also contain numerous exploits that can download other malware onto affected computers. This includes the Tofger-AT Trojan horse, which steals banking passwords; Dialer-BB; Dialer-NO; and another adware program called Adware/TopConvert.
"The appearance of Searchmeup is a sign of the continuous evolution of malware, and of adware and spyware in particular," PandaLabs director Luis Corrons said in a statement. "The first stage was that adware reached computers as a component of a freeware application, then Web pages appeared that installed adware on users' computers using ActiveX. Now they have gone a step further, as Searchmeup exploits a vulnerability that even virus creators had not used until now."
The targeted flaws
Specifically, the fix Microsoft issued in January addressed two critical flaws in how cursor, animated cursor and icon formats are handled. The first is a remote code execution vulnerability; the second a denial-of-service flaw.
Of the first issue, Microsoft said: "An attacker could try to exploit the vulnerability by constructing a malicious cursor or icon file that could potentially allow remote code execution if a user visited a malicious Web site or viewed a malicious e-mail message. An attacker who successfully exploited this vulnerability could take complete control of an affected system."
The second problem would be exploited in the same manner, but "could potentially cause the operating system to become unresponsive. The operating system would have to be restarted to restore functionality," Microsoft said.
The flaws affect Windows 98, ME, NT, 2000, XP and Server 2003.
Searchmeup's malicious methods
PandaLabs said Searchmeup is downloaded onto the computer when the user visits certain Web pages. Once entrenched in the computer, it changes the home page to that of a search engine displaying pop-ups every time it loads. Its ultimate goal is to install spyware and dialers on the machine.
The lab added that Web pages from which Searchmeup is downloaded also drop Tofger-AT onto computers. The Trojan runs every time Internet Explorer is launched. It keeps track of what the user is doing online, logging passwords entered over HTTPS connections, which are often used for sessions with online banks.
PandaLabs said that when the Trojan detects certain names in the URL, it tries to capture the user's passwords. Bank URLs it seeks out are: cajamadrid, bpinet, millenniumbcp, hsbc, barclays, lloydstsb, halifax, autorize, bankofamerica, bancodevalencia, cajamar, portal.ccm, bancaja, caixagalicia, caixapenedes, ebankinter, caixasabadell, bes, banif, millenniumbcp, totta, bancomais, montepiogeral, bpinet, patagon, lacaixa, citibank, bbvanet, banesto, e-trade and unicaja. Once it has collected this information, Tofger-AT sends it to a server.
The lab said Searchmeup can also generate an error in the "services.exe" file and then display a notice that the computer will be restarted in one minute. After the restart, the computer operates normally. On some occasions, Searchmeup can also display blue screen errors, and Tofger-AT can update itself to a new version.