The “DesktopSmiley, Not A Spyware” ToolBar

The “Not A Phishing Worm” really got me interested, as it sent special Christmas messages, so I decided to dig in a bit. As already discovered, after the user supplies his MSN credentials, his contacts get a link to the “Not A Phishing” website, which is full of tricky links leading to DesktopSmiley.com to download their toolbar, which they say is “Not Spyware”.

So we have a non-phishing worm downloading a non-spyware program; let’s see its non-evil actions :)
The first thing I did was download the installer, which asks no questions and shows no EULA. It is also digitally signed by “DoubleD Advertising Limited”. Well, that’s really funny, we have got to give them that :)

So I ran it in a VM:

That is quite original! “A non-virtualized hardware system is required”. Of course anybody technical gets how lame this lie is :)
Why would an IE toolbar “require” non-virtualized hardware, and why would it even bother to check whether it is running under a virtualized environment, unless it has some illegal actions to hide?! Refusing to run inside a VM is a standard anti-analysis trick: it keeps the interesting behaviour away from sandboxes and from researchers who, quite sensibly, only run unknown installers in a throwaway guest.

Well, I am definitely not going to execute it on my machine :)
Maybe I will test it some other day on a real machine with Restore-IT/Ghost.

In the meantime, let’s take a look at some of the things it does:
It copies several IE settings from HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ to HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ (AutoDetect and UNCAsIntranet already exist under ZoneMap and get modified instead of copied). The values written, with the normal defaults in parentheses:
ProxyBypass: 1 (default 1)
IntranetName: 1 (default 1)
MigrateProxy: 1 (default 1)
AutoDetect: 1 (default 0)
UNCAsIntranet: 1 (default 0)
ProxyEnable: 0 (default 0)

It sure looks like someone is going to assign a proxy for us :)
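As an added example (not part of the original post, and not the toolbar’s code), here is a small Python triage script that parses a `reg export` dump of the Internet Settings key and flags exactly the ZoneMap and proxy changes listed above, so the check can be repeated on another machine without clicking through regedit. The two embedded exports are constructed samples; the loopback `ProxyServer` value in the “infected” one is an assumption added to show the local-proxy check, since the post only says a proxy assignment looks likely.

```python
r"""Flag the Internet Settings / ZoneMap changes described above in a .reg export.

On a real machine:
    reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" is.reg
then:
    find_indicators(parse_reg(open("is.reg", encoding="utf-16").read()))
(reg export writes UTF-16LE with a BOM, which encoding="utf-16" handles.)
"""
import re

BASE = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
ZONEMAP = BASE + r"\ZoneMap"

# Defaults under ZoneMap as stated in the post; the toolbar flips both to 1.
ZONEMAP_DEFAULTS = {"AutoDetect": 0, "UNCAsIntranet": 0}
# Values the post saw copied from the parent key into ZoneMap.
COPIED = ("ProxyBypass", "IntranetName", "MigrateProxy", "ProxyEnable")

# Constructed post-install profile (not a real dump). The loopback ProxyServer is
# an assumption used to exercise the local-proxy check.
INFECTED_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyBypass"=dword:00000001
"IntranetName"=dword:00000001
"MigrateProxy"=dword:00000001
"ProxyEnable"=dword:00000001
"ProxyServer"="http=127.0.0.1:8080"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect"=dword:00000001
"UNCAsIntranet"=dword:00000001
"ProxyBypass"=dword:00000001
"IntranetName"=dword:00000001
"MigrateProxy"=dword:00000001
"ProxyEnable"=dword:00000000
"""

# Constructed clean profile for comparison.
CLEAN_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy"=dword:00000001
"ProxyEnable"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect"=dword:00000000
"UNCAsIntranet"=dword:00000000
"""


def parse_reg(text):
    """Parse the subset of .reg syntax that reg export emits: [key] headers,
    "name"=dword:hex and "name"="string". Returns {key: {name: value}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and line.startswith('"'):
            m = re.match(r'"([^"]+)"=(.*)', line)
            if not m:
                continue
            name, raw = m.groups()
            if raw.startswith("dword:"):
                keys[current][name] = int(raw[6:], 16)
            elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
                keys[current][name] = raw[1:-1]
    return keys


def find_indicators(keys):
    """Return human-readable findings; an empty list means nothing matched."""
    findings = []
    base = keys.get(BASE, {})
    zm = keys.get(ZONEMAP, {})
    # 1. ZoneMap values that the post saw flipped away from their defaults.
    for name, default in ZONEMAP_DEFAULTS.items():
        if zm.get(name, default) != default:
            findings.append(f"ZoneMap\\{name} = {zm[name]} (default {default})")
    # 2. Parent-key values duplicated under ZoneMap, as the post describes.
    copied = [n for n in COPIED if n in zm and n in base]
    if copied:
        findings.append("ZoneMap carries copies of parent-key values: " + ", ".join(copied))
    # 3. A proxy switched on; a loopback server is what a local intercepting proxy looks like.
    if base.get("ProxyEnable") == 1:
        server = str(base.get("ProxyServer", ""))
        where = "loopback" if re.search(r"127\.0\.0\.1|localhost", server) else "remote"
        findings.append(f"proxy enabled, {where} server: {server or '<unset>'}")
    return findings


if __name__ == "__main__":
    for label, dump in (("infected", INFECTED_REG), ("clean", CLEAN_REG)):
        print(label, find_indicators(parse_reg(dump)) or "no findings")
```

The third check is the one to watch on a real box: IE honours `ProxyEnable`/`ProxyServer` per user, so a value pointing at 127.0.0.1 means something on the machine is sitting between the browser and the network.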

The setup process command line:
“C:\Documents and Settings\Insider\Local Settings\Temporary Internet Files\{5617ECA9-488D-4BA2-8562-9710B9AB78D2}\stbup.exe” /new /src=user

The “/src=user” really sounds like there are cases in which the user did not initiate the installation :) It could be used for self-update, though.

Let’s examine some of the strings in the memory of this “DoubleD” software:
Software\SimonTatham\PuTTY\Sessions
Software\SimonTatham\PuTTY\SshHostKeys
Software\SimonTatham\PuTTY
\PUTTY.RND
Well, I don’t want to point a blaming finger, but it seems this “legitimate smiley IE toolbar” is very interested in getting access to our saved PuTTY SSH hosts… quite innocent. For reference: Sessions is where PuTTY stores saved connections (hostname, username, path to the private key file), SshHostKeys is its cache of known SSH host keys, and PUTTY.RND is its random seed file. Nothing about a smiley toolbar needs any of those.

There is a lot of weird stuff this spyware does, like starting a local proxy, which explains how they steal data from IE and makes this self-updating software a cool way to build a non-botnet botnet :)
It also implements an SSH client and almost every famous encryption algorithm (Rijndael/AES, DES, 3DES, Blowfish); it looks like it does local MITM attacks on SSH logins. One caveat: that cipher set and those registry paths are exactly what a PuTTY-derived SSH client ships with, so the strings prove an embedded SSH client, not yet what it is used for; confirming a MITM would take watching its traffic and whether it touches the cached host keys.
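For the PuTTY strings above, here is an added example (not from the post, not the toolbar’s code) of the `strings(1)`-style scan a practitioner would run over a memory dump or unpacked section to find those registry paths. It searches for each marker both as ASCII and as UTF-16LE, because Windows binaries that use the wide-character registry API keep such paths as UTF-16LE, which a plain ASCII `strings` pass misses. The blob it scans is a constructed stand-in, not the real installer.

```python
r"""strings(1)-style scan for the PuTTY registry paths listed above, in ASCII and UTF-16LE."""

# Registry paths and seed-file name quoted in the post (PuTTY's saved sessions,
# cached host keys, and random seed file).
PUTTY_MARKERS = [
    r"Software\SimonTatham\PuTTY\Sessions",
    r"Software\SimonTatham\PuTTY\SshHostKeys",
    r"Software\SimonTatham\PuTTY",
    r"\PUTTY.RND",
]


def find_markers(blob):
    r"""Return {marker: [(offset, encoding), ...]} for every marker found in blob.

    Markers are tried longest first, and a byte range already attributed to a
    longer marker is not reported again, so the bare "Software\SimonTatham\PuTTY"
    prefix only shows up when it occurs on its own.
    """
    hits = {}
    claimed = []  # (start, end) byte ranges owned by a longer match
    for marker in sorted(PUTTY_MARKERS, key=len, reverse=True):
        for enc in ("ascii", "utf-16-le"):
            needle = marker.encode(enc)
            start = 0
            while (i := blob.find(needle, start)) >= 0:
                if not any(s <= i < e for s, e in claimed):
                    hits.setdefault(marker, []).append((i, enc))
                    claimed.append((i, i + len(needle)))
                start = i + 1
    return hits


# Constructed stand-in for a dump of the installer (not the real binary): a few
# header-like bytes, one ASCII path, one wide seed-file name, one wide path.
SAMPLE_BLOB = (
    b"\x00" * 16
    + b"MZ\x90\x00" + b"\x00" * 28
    + b"Software\\SimonTatham\\PuTTY\\SshHostKeys\x00"
    + b"\xff" * 8
    + "\\PUTTY.RND".encode("utf-16-le") + b"\x00\x00"
    + b"\xcc" * 8
    + "Software\\SimonTatham\\PuTTY\\Sessions".encode("utf-16-le")
    + b"\x00" * 8
)


def scan_file(path):
    """Same scan over a real dump or unpacked section on disk."""
    with open(path, "rb") as fh:
        return find_markers(fh.read())


if __name__ == "__main__":
    for marker, where in find_markers(SAMPLE_BLOB).items():
        for offset, enc in where:
            print(f"{offset:#08x} {enc:9s} {marker}")
```

On a real sample, a hit on SshHostKeys is the more interesting one: a process that can write that key can replace a cached host key with its own, which is the precondition for the local SSH MITM the post suspects.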

So get root and smile away with it :)

  • Matt

    Nice article, I get what you’re saying, but I’m afraid I’m not sure how I can use that to remove it!? It’s taken over my Mum & Dad’s PC and I’d really like to get rid of it. Any hints?

    I’m happy reg-editing (I’ve killed other spyware that way ages ago), but I’m afraid I wouldn’t know where to start with this… if that’s even how I can fix it!

  • mawar

    DesktopSmiley is junk. It launches new browser windows with ads, even after you uninstall it. Now I’m searching for a way to clean it from my system :(

  • jimi

    It seems not many know how to get rid of this!

  • kal

    DesktopSmiley keeps on annoying me. I have tried many ways but still can’t get it away; please advise how to fix it.

  • jimi

    This is an annoying program that embeds itself in your PC even after removal in the normal way.
    I’m not a techie and have been surfing, trying to find a way to get rid of DesktopSmiley, to no avail.
    The nearest I’ve got is techs advising using anti-spyware etc., but they all overlook this program. Exterminate It finds the smiley deep in your PC, but you have to pay to delete it. Fair enough, but I’m still looking for a free removal; let me know if there’s anything out there, guys and gals.

  • jimi

    “Exterminate It” gets this worm off your PC, but you have to pay; I have not found anything that’s free as yet.
    Not much help out there on this one, except techies showing off about the details of it, and that’s not much use to the braindead like me. Good luck!

  • chris

    Try AVG Free (the Pro is about the same), but it might help. You can go to CNET download.com, search AVG and get it through there; don’t bother doing sponsor offers for the Pro version unless you really want it. Small note: AVG and Windows Live OneCare are incompatible, so it’ll cause freezing issues if you have them both.

  • http://porn-network.blogspot.com jamal

    I have such a problem too; could anyone offer any hints?

  • lin lin

    Please help.

  • yedidya

    It’s killing me; does anyone know what to do?

  • joe

    Back up your important files, format and reinstall your OS. That’s the best thing to do.

    Then never install freebie stuff you randomly find on the internet, or if you really need to, do as the guy did: use a virtual machine. Microsoft provides a free Virtual PC (the program that acts as a PC) and hard drive (operating system to be run), and it will not interfere with your real computer.

    www microsoft com /downloads/ details.aspx?FamilyId=04D26402-3199-48A3-AFA2-2DC0B40A73B6&displaylang=en

    www microsoft com /DOWNLOADS/ details.aspx?FamilyID=21eabb90-958f-4b64-b5f1-73d0a413c8ef&displaylang=en

  • joe momma

    Just disable the DoubleD Advertising Limited add-on in your IE to stop seeing the redirects to advertising. And stop downloading stupid shit.

  • David

    Where in IE would I go to eliminate DoubleD Advertising Limited???? Looked at add-ons and it is not listed. Where can I find it????

  • Tracey

    Hi all, I found a brilliant forum that suggested the following:

    1) Close browser
    2) Go to Start
    3) Control Panel
    4) Programs
    5) Most important part: uninstall DesktopSmiley, then System Search Dispatcher and Media Access Startup
    The latter two would have been downloaded automatically, and while they’re still there you keep getting redirected and all the pop-ups.

    Not a techie, but it worked for me, so I hope it works for all of you.

    Good Luck Tx

  • I go to Start, Control Panel, Install/Uninstall Programs, but I don’t see the DesktopSmiley toolbar, unless it’s hiding?

    I don’t see DesktopSmiley in the programs to uninstall.

  • devon

    Try looking for something called ‘System Search Dispatcher’; uninstall that and see if it helps.