
Empirical Study on Effectiveness of LUA/UAC
Posted

I've always run my system (Win/XP/Pro) day to day from a Limited User account and only move to an Admin
account to perform installs or updates. Running a scan on the system, I just discovered an infection known as
W3i.IQ5.fraud was lurking on the system.

This post reports the (1) components of this infection, but more importantly, (2) demonstrates that running from an
LUA/UAC Limited account is a very effective, pro-active means to control infections. How can I say that when
I just confessed that there was an infection? In the list of components known for this infection,
only those below marked in red were found on the system! All the real directories/files were absent :)
Those found were only registry entries and so benign that there was no exposure whatsoever.

W3i.IQ5.fraud components

autorun entries.

* Entries named "InstallIQUpdater" and pointing to "<$PROGRAMFILES>\W3i\InstallIQUpdater\InstallIQUpdater.exe" /silent /autorun.

Products that have a key or property named
"{8E1CB0F1-67BF-4052-AA23-FA22E94804C1}"

locate and delete these files.

* The file at "<$COMMONAPPDATA>\W3i\InstallIQUpdater\data.xml".
* The file at "<$COMMONAPPDATA>\W3i\InstallIQUpdater\iqu.ini".
* The file at "<$COMMONAPPDATA>\W3i\InstallIQUpdater\IQUMessageDlg.xsl".
* The file at "<$COMMONAPPDATA>\W3i\InstallIQUpdater\updater.log".
* The file at "<$COMMONPROGRAMS>\InstallIQ Updater\InstallIQ Updater.lnk".
* The file at "<$COMMONPROGRAMS>\InstallIQ Updater\Privacy Policy.url".
* The file at "<$COMMONPROGRAMS>\InstallIQ Updater\Terms & Conditions.url".
* The file at "<$COMMONPROGRAMS>\InstallIQ Updater\Uninstall InstallIQ Updater.lnk".
* The file at "<$DESKTOP>\Free Dolphin Screensaver.lnk".
* The file at "<$DESKTOP>\Free Whales ScreenSaver.lnk".
* The file at "<$DESKTOP>\VIRUSfighter FREE Trial.lnk".
* The file at "<$PROGRAMFILES>\Free Offers from Freeze.com\16700.url".
* The file at "<$PROGRAMFILES>\Free Offers from Freeze.com\16714.url".
* The file at "<$PROGRAMFILES>\Free Offers from Freeze.com\17418.url".
* The file at "<$PROGRAMFILES>\Free Offers from Freeze.com\control.txt".
* The file at "<$PROGRAMFILES>\Free Offers from Freeze.com\dolphinico.ico".
* The file at "<$PROGRAMFILES>\Free Offers from Freeze.com\vfpro.ico".
* The file at "<$PROGRAMFILES>\Free Offers from Freeze.com\whalesico.ico".
* The file at "<$PROGRAMFILES>\W3i\InstallIQUpdater\InstallIQUpdater.exe".
* The file at "<$PROGRAMFILES>\W3i\InstallIQUpdater\iqu.xsl".
* The file at "<$SYSDIR>\killexplorer.bat".

delete these folders.

* The directory at "<$COMMONAPPDATA>\W3i\InstallIQUpdater\import".
* The directory at "<$COMMONAPPDATA>\W3i\InstallIQUpdater".
* The directory at "<$COMMONAPPDATA>\W3i".
* The directory at "<$COMMONPROGRAMS>\InstallIQ Updater".
* The directory at "<$PROGRAMFILES>\Free Offers from Freeze.com".
* The directory at "<$PROGRAMFILES>\W3i\InstallIQUpdater".
* The directory at "<$PROGRAMFILES>\W3i".
* The directory at "<$SYSDIR>\AI_RecycleBin\{5B0F14D3-0DD1-4336-9AFA-BE4A68909E5A}".
* The directory at "<$SYSDIR>\AI_RecycleBin\{60C3E49E-B2D2-4CCD-A348-AD69E428F8AE}".
* The directory at "<$SYSDIR>\AI_RecycleBin\{9FD0752F-AB97-4FCC-8E8D-49D44887E581}".
* The directory at "<$SYSDIR>\AI_RecycleBin\{E01946F0-576E-4EA6-BBAD-4A8A89C9F7D1}".
* The directory at "<$SYSDIR>\AI_RecycleBin\{F81F186C-CCDD-470B-A445-1E660C431A57}".
* The directory at "<$SYSDIR>\AI_RecycleBin".
* The directory at "<$WINDIR>\Installer\{8E1CB0F1-67BF-4052-AA23-FA22E94804C1}".

delete these registry entries.

* Delete the registry key "1F0BC1E8FB762504AA32AF229E84401C" at "HKEY_CLASSES_ROOT\Installer\Features\".
* Delete the registry key "1F0BC1E8FB762504AA32AF229E84401C" at "HKEY_CLASSES_ROOT\Installer\Products\".
* Delete the registry key "7zipap_1320" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ESENT\Process\".
* Delete the registry key "Freeze.com" at "HKEY_LOCAL_MACHINE\SOFTWARE\".
* Delete the registry key "instacodecs_1290" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ESENT\Process\".
* Delete the registry key "W3i" at "HKEY_LOCAL_MACHINE\SOFTWARE\".

All of the directories and files were inhibited from being installed due to the NTFS permissions
which deny write to the LUA/UAC limited user, as shown by their absence.

Q.E.D.: LUA/UAC is an effective means to protect your system.

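Added example, not from the post or its author: a small Python audit that parses entries written in the removal-definition format quoted above (the `The file at "..."`, `The directory at "..."` and `Delete the registry key "..." at "..."` lines) and labels each location by whether the stock Windows ACL for that root denies a limited user write access. The placeholder roots such as <$PROGRAMFILES> come from the post; the default-permission reasons are assumptions about stock ACLs, and the sample entries are constructed.

```python
import re

# Constructed sample lines in the shape of the removal-definition entries quoted in the post.
SAMPLE_ENTRIES = [
    'The file at "<$PROGRAMFILES>\\W3i\\InstallIQUpdater\\InstallIQUpdater.exe".',
    'The file at "<$COMMONAPPDATA>\\W3i\\InstallIQUpdater\\iqu.ini".',
    'The directory at "<$SYSDIR>\\AI_RecycleBin".',
    'Delete the registry key "W3i" at "HKEY_LOCAL_MACHINE\\SOFTWARE\\".',
]

# Roots whose stock ACL gives the Users group no write access (assumption: default permissions).
ADMIN_ONLY_ROOTS = {
    "<$PROGRAMFILES>": "Program Files: Users have read/execute only",
    "<$SYSDIR>": "system32: Users have read/execute only",
    "<$WINDIR>": "Windows directory: Users have read/execute only",
    "HKEY_LOCAL_MACHINE\\SOFTWARE": "HKLM\\SOFTWARE: Users have read only",
    "HKEY_CLASSES_ROOT\\Installer": "stored under HKLM\\SOFTWARE\\Classes: read only for Users",
}
# Roots inside the user's own profile, which a limited account can always write.
USER_WRITABLE_ROOTS = {"<$DESKTOP>": "user's own desktop folder: writable"}

ENTRY_RE = re.compile(
    r'^(?:The (?P<kind>file|directory) at "(?P<path>[^"]+)"'
    r'|Delete the registry key "(?P<key>[^"]+)" at "(?P<hive>[^"]+)")\.$'
)

def parse_entry(line):
    """Turn one definition line into {'kind': ..., 'location': ...}."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised entry: {line!r}")
    if m.group("kind"):
        return {"kind": m.group("kind"), "location": m.group("path")}
    key_path = m.group("hive").rstrip("\\") + "\\" + m.group("key")
    return {"kind": "regkey", "location": key_path}

def lua_verdict(entry):
    """Return (verdict, reason): 'blocked', 'writable' or 'check-acl' for a limited user."""
    loc = entry["location"].upper()
    for root, reason in ADMIN_ONLY_ROOTS.items():
        if loc.startswith(root.upper()):
            return "blocked", reason
    for root, reason in USER_WRITABLE_ROOTS.items():
        if loc.startswith(root.upper()):
            return "writable", reason
    return "check-acl", "no stock deny for Users here; inspect the ACL before trusting absence"

def audit(lines):
    """Parse every line and pair each location with its LUA verdict."""
    return [(e["location"], *lua_verdict(e)) for e in map(parse_entry, lines)]
```

Locations reported as "check-acl" (for example anything under <$COMMONAPPDATA>) are the ones where absence alone does not prove the account was blocked, so those ACLs are worth inspecting by hand.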

Posted

Very nice considering they only released definitions on this adware the day you posted it.

