Junk + Porn = Surfbar
Sep 4 2003
Several email users have found their browsers hijacked after receiving a piece of spamware that dropped hundreds of porn site shortcuts to their desktop and installed a "toolbar" pointing to dozens more. The email, though not viral, is malicious, exploiting a vulnerability in Internet Explorer that allows executable files to be downloaded as easily (and silently) as if they were a background graphic on a web page. Surfrbar a.k.a. Junkbar also changes the Internet Explorer start page to http://www.surferbar.com.
Microsoft first released a patch for the vulnerability on August 20, 2003, after being alerted to it by eEye Digital Security. Surfrbar subsequently exploited the vulnerability on September 3, 2003. Microsoft Security Bulletin MS03-032 discusses the vulnerability and provides a patch to protect against exploitation. The eEye Digital Security Advisory contains a far better description of the abilities of such an exploit.
The Surfrbar email is HTML-formatted and includes a hidden link that silently starts the exploit process. Once systems are infected with the spam Trojan, manual identification and removal of the components can be difficult. Files dropped to the system by the Surfrbar Trojan include DRG.EXE (dropped to the root of C:), WIN32.DLL and WINSRV32.EXE (both in the Program Files directory). Additionally, registry edits are made to launch the Trojan and modify settings in Internet Explorer. Antivirus vendor F-Secure provides a complete description of the technical impact of Surfrbar.
Antivirus software updated on or after September 4, 2003 should accurately detect and remove this Trojan.
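For manual identification, the file names and start page change described above can be checked against a live drive or a mounted disk image. The following is an added example, not code from the article or from any vendor; the function names are illustrative, and it assumes the files sit directly in a top-level `Program Files` folder and that the start page value has already been read from the registry by other means.

```python
import os
from urllib.parse import urlsplit

# File artifacts named in the article: file name -> folder relative to the drive root.
# Assumption: "Program Files" is the top-level folder the article refers to.
ARTIFACTS = {"DRG.EXE": "", "WIN32.DLL": "Program Files", "WINSRV32.EXE": "Program Files"}
HIJACK_HOST = "surferbar.com"  # host of the start page URL given in the article


def _find_ci(directory, name):
    """Return the on-disk path of `name` inside `directory`, ignoring case.

    Windows names are case-insensitive, but an image mounted on Linux is not.
    """
    try:
        for entry in os.listdir(directory):
            if entry.lower() == name.lower():
                return os.path.join(directory, entry)
    except OSError:
        pass  # unreadable or missing directory: nothing to report
    return None


def find_artifacts(drive_root):
    """List the article's dropped files that exist under `drive_root`."""
    hits = []
    for name, folder in ARTIFACTS.items():
        directory = _find_ci(drive_root, folder) if folder else drive_root
        path = _find_ci(directory, name) if directory else None
        if path and os.path.isfile(path):
            hits.append(path)
    return sorted(hits)


def start_page_hijacked(start_page):
    """True if an Internet Explorer start page value points at the Surfrbar site."""
    value = start_page.strip()
    if "//" not in value:
        value = "//" + value  # let urlsplit parse scheme-less values
    host = (urlsplit(value).hostname or "").lower()
    return host == HIJACK_HOST or host.endswith("." + HIJACK_HOST)


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as root:  # constructed sample tree, empty files only
        os.mkdir(os.path.join(root, "Program Files"))
        for rel in ("drg.exe", os.path.join("Program Files", "WinSrv32.exe")):
            open(os.path.join(root, rel), "w").close()
        print(find_artifacts(root))
        print(start_page_hijacked("http://www.surferbar.com"))
```

A file name match is a lead for further inspection rather than proof of infection, since the check does not examine file contents.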