
Empirical Study on Effectiveness of LUA/UAC

LUA UAC study


#1 jobeard

    Site Admin

  • Administrators
  • 2,009 posts

Posted 16 November 2011 - 11:49 AM

Empirical Study on Effectiveness of LUA/UAC

I've always run my system (Win/XP/Pro) day to day from a Limited User account and only move to an Admin
account to perform installs or updates. Running a scan on the system, I just discovered an infection known as
W3i.IQ5.fraud was lurking on the system.

This post reports the (1) components of this infection, but more importantly, (2) demonstrates that running from an
LUA/UAC Limited account is a very effective, pro-active means to control infections. How can I say that when
I just confessed that there was an infection? In the list of components known for this infection,
only those below marked in red were found on the system! All the real directories/files were absent :)
Those found were only registry entries and so benign that there was no exposure whatsoever.

W3i.IQ5.fraud components

autorun entries.

* Entries named "InstallIQUpdater" and pointing to `"<$PROGRAMFILES>\W3i\InstallIQUpdater\InstallIQUpdater.exe" /silent /autorun`.

Products that have a key or property named
"{8E1CB0F1-67BF-4052-AA23-FA22E94804C1}"

locate and delete these files.

* The file at "<$COMMONAPPDATA>\W3i\InstallIQUpdater\data.xml".
* The file at "<$COMMONAPPDATA>\W3i\InstallIQUpdater\iqu.ini".
* The file at "<$COMMONAPPDATA>\W3i\InstallIQUpdater\IQUMessageDlg.xsl".
* The file at "<$COMMONAPPDATA>\W3i\InstallIQUpdater\updater.log".
* The file at "<$COMMONPROGRAMS>\InstallIQ Updater\InstallIQ Updater.lnk".
* The file at "<$COMMONPROGRAMS>\InstallIQ Updater\Privacy Policy.url".
* The file at "<$COMMONPROGRAMS>\InstallIQ Updater\Terms & Conditions.url".
* The file at "<$COMMONPROGRAMS>\InstallIQ Updater\Uninstall InstallIQ Updater.lnk".
* The file at "<$DESKTOP>\Free Dolphin Screensaver.lnk".
* The file at "<$DESKTOP>\Free Whales ScreenSaver.lnk".
* The file at "<$DESKTOP>\VIRUSfighter FREE Trial.lnk".
* The file at "<$PROGRAMFILES>\Free Offers from Freeze.com\16700.url".
* The file at "<$PROGRAMFILES>\Free Offers from Freeze.com\16714.url".
* The file at "<$PROGRAMFILES>\Free Offers from Freeze.com\17418.url".
* The file at "<$PROGRAMFILES>\Free Offers from Freeze.com\control.txt".
* The file at "<$PROGRAMFILES>\Free Offers from Freeze.com\dolphinico.ico".
* The file at "<$PROGRAMFILES>\Free Offers from Freeze.com\vfpro.ico".
* The file at "<$PROGRAMFILES>\Free Offers from Freeze.com\whalesico.ico".
* The file at "<$PROGRAMFILES>\W3i\InstallIQUpdater\InstallIQUpdater.exe".
* The file at "<$PROGRAMFILES>\W3i\InstallIQUpdater\iqu.xsl".
* The file at "<$SYSDIR>\killexplorer.bat".

delete these folders.

* The directory at "<$COMMONAPPDATA>\W3i\InstallIQUpdater\import".
* The directory at "<$COMMONAPPDATA>\W3i\InstallIQUpdater".
* The directory at "<$COMMONAPPDATA>\W3i".
* The directory at "<$COMMONPROGRAMS>\InstallIQ Updater".
* The directory at "<$PROGRAMFILES>\Free Offers from Freeze.com".
* The directory at "<$PROGRAMFILES>\W3i\InstallIQUpdater".
* The directory at "<$PROGRAMFILES>\W3i".
* The directory at "<$SYSDIR>\AI_RecycleBin\{5B0F14D3-0DD1-4336-9AFA-BE4A68909E5A}".
* The directory at "<$SYSDIR>\AI_RecycleBin\{60C3E49E-B2D2-4CCD-A348-AD69E428F8AE}".
* The directory at "<$SYSDIR>\AI_RecycleBin\{9FD0752F-AB97-4FCC-8E8D-49D44887E581}".
* The directory at "<$SYSDIR>\AI_RecycleBin\{E01946F0-576E-4EA6-BBAD-4A8A89C9F7D1}".
* The directory at "<$SYSDIR>\AI_RecycleBin\{F81F186C-CCDD-470B-A445-1E660C431A57}".
* The directory at "<$SYSDIR>\AI_RecycleBin".
* The directory at "<$WINDIR>\Installer\{8E1CB0F1-67BF-4052-AA23-FA22E94804C1}".

delete these registry entries.

* Delete the registry key "1F0BC1E8FB762504AA32AF229E84401C" at "HKEY_CLASSES_ROOT\Installer\Features\".
* Delete the registry key "1F0BC1E8FB762504AA32AF229E84401C" at "HKEY_CLASSES_ROOT\Installer\Products\".
* Delete the registry key "7zipap_1320" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ESENT\Process\".
* Delete the registry key "Freeze.com" at "HKEY_LOCAL_MACHINE\SOFTWARE\".
* Delete the registry key "instacodecs_1290" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ESENT\Process\".
* Delete the registry key "W3i" at "HKEY_LOCAL_MACHINE\SOFTWARE\".

All of the directories and files were inhibited from being installed due to the NTFS permissions
which deny write to the LUA/UAC limited user, as shown by their absence.

Q.E.D.:: LUA/UAC is an effective means to protect your system.

J. O. Beard; you + tech-101.com => synergism. Secure your system now
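An added example, not part of the original post: a PowerShell check a defender can run on a workstation to (1) test whether the W3i.IQ5 components listed above are present and (2) confirm that the current account is actually denied write access to Program Files, which is the NTFS behaviour the post credits. The mapping of the list's `<$...>` placeholders to real folders is my assumption.

```powershell
# Added example (not from the original post). Mapping of the placeholder names used in
# the component list to real folders is an assumption based on their usual meaning.
$map = @{
    '<$PROGRAMFILES>'   = $env:ProgramFiles
    '<$COMMONAPPDATA>'  = [Environment]::GetFolderPath('CommonApplicationData')
    '<$COMMONPROGRAMS>' = [Environment]::GetFolderPath('CommonPrograms')
    '<$DESKTOP>'        = [Environment]::GetFolderPath('Desktop')
    '<$SYSDIR>'         = [Environment]::SystemDirectory
    '<$WINDIR>'         = $env:windir
}

# Representative subset of the file-system components from the post's list.
$paths = @(
    '<$PROGRAMFILES>\W3i\InstallIQUpdater\InstallIQUpdater.exe',
    '<$COMMONAPPDATA>\W3i\InstallIQUpdater\updater.log',
    '<$COMMONPROGRAMS>\InstallIQ Updater',
    '<$PROGRAMFILES>\Free Offers from Freeze.com',
    '<$SYSDIR>\killexplorer.bat',
    '<$WINDIR>\Installer\{8E1CB0F1-67BF-4052-AA23-FA22E94804C1}'
)
# Registry keys from the same list, addressed through the Registry:: provider.
$regKeys = @(
    'Registry::HKEY_CLASSES_ROOT\Installer\Products\1F0BC1E8FB762504AA32AF229E84401C',
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\W3i',
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Freeze.com'
)

function Expand-Placeholder([string]$p) {
    # Literal string replacement; the '<$...>' tokens are not PowerShell variables.
    foreach ($k in $map.Keys) { $p = $p.Replace($k, $map[$k]) }
    return $p
}

# 1) Artifact check: report each component as PRESENT or absent.
foreach ($p in $paths) {
    $full = Expand-Placeholder $p
    '{0,-8} {1}' -f $(if (Test-Path -LiteralPath $full) { 'PRESENT' } else { 'absent' }), $full
}
foreach ($k in $regKeys) {
    '{0,-8} {1}' -f $(if (Test-Path -LiteralPath $k) { 'PRESENT' } else { 'absent' }), $k
}

# 2) Privilege check: a limited user should be denied when creating a file under
#    Program Files; that denial is what keeps the listed binaries off the disk.
$probe = Join-Path $env:ProgramFiles ('lua-probe-{0}.tmp' -f [guid]::NewGuid())
try {
    New-Item -Path $probe -ItemType File -ErrorAction Stop | Out-Null
    Remove-Item -LiteralPath $probe -Force
    'Write to Program Files SUCCEEDED: this account is NOT running as a limited user'
} catch {
    'Write to Program Files denied ({0}): limited-user protection is in effect' -f $_.Exception.GetType().Name
}
```

Run it from the day-to-day (limited) account; a "PRESENT" line for any binary or folder, or a successful write in step 2, means the protection the post relies on is not in place.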


#2 Blind Dragon

Blind Dragon

    Site Admin

  • Administrators
  • 1,733 posts

Posted 19 November 2011 - 11:33 AM

Very nice considering they only released definitions on this adware the day you posted it.