Since June 10, someone has been distributing a browser hijack that spawns an offscreen pop up window which opens a page at datanotary.com.
The hijack is accomplished by inserting JavaScript into a Cascading Style Sheet (CSS) file, then hijacking Internet Explorer's accessibility options to force it to use that style sheet. When activated, the JavaScript makes use of an obscure and proprietary Microsoft CSS extension to create the pop up window.
The pop up windows are hidden, since the JavaScript opens them at a position 5,000 pixels from the top and 5,000 pixels from the left of the screen (most monitors display only 768 pixels from top to bottom). It is unclear whether the window was intentionally placed offscreen, or if the malware author simply made a typo.
The extension is invoked, and the pop up window created, when the victim begins to type into a form on a web page. Creating the window offscreen slows the computer down quite visibly, which is in fact how the hijack was discovered: hundreds of people were posting questions on message boards around the world asking for help with a mysterious slowdown while typing.
A user at the SWI support forums noticed that his browser was set to use a custom stylesheet. After resetting that option to not use the style sheet, his slow typing problem disappeared.
Examination of the file found a JavaScript expression where CSS should have been. Converting the expression into human-readable text revealed a script that opens a hidden pop up window to datanotary.com.
Removal Instructions
Update: July 5, 2003
The persons responsible for this stylesheet hijack are also providing it to coolwwwsearch.com, coolwebsearch.com, youfindall.net, ok-search.com, and white-pages.ws.
These latest variants will drop an executable file (bootconf.exe) and create a startup entry to load it when Windows is started. This executable file and its startup entry will need to be removed.
This is how it appears in a HijackThis log:
O4 - HKLM\..\Run: [sysPnP] C:\WINDOWS\System32\bootconf.exe
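The two checks described above, as an added example that is not part of the original article: a Python scan of a user style sheet for embedded script and offscreen pop up coordinates, and of a HijackThis log for a Run entry that starts bootconf.exe. The function names, the list of script-capable CSS constructs and both sample inputs are assumptions made for illustration.

```python
import re
from urllib.parse import unquote

# IE-only CSS features that can carry script (assumed list; the article does
# not name the extension the hijack used).
SCRIPT_CSS = re.compile(r"expression\s*\(|behaviou?r\s*:|javascript\s*:", re.I)
COORD = re.compile(r"\b(left|top)\s*=\s*(\d+)", re.I)
OFFSCREEN_MIN = 5000          # pixel offset reported in the article
O4_LINE = re.compile(r"^O4 - \S+: \[([^\]]*)\] (.+)$")
DROPPED = re.compile(r'(^|[\\/])bootconf\.exe(\s|"|$)', re.I)  # name from the article

# Constructed samples, not the real hijack files.
SAMPLE_CSS = ('input { width: expression(eval(unescape("window.open%28%27about'
              '%3Ablank%27%2C%27%27%2C%27left%3D5000%2Ctop%3D5000%27%29"))) }')
SAMPLE_LOG = r"""O4 - HKLM\..\Run: [ctfmon] C:\WINDOWS\System32\ctfmon.exe
O4 - HKLM\..\Run: [sysPnP] C:\WINDOWS\System32\bootconf.exe"""


def scan_stylesheet(css_text):
    """Return findings for script hidden in a user style sheet."""
    decoded = unquote(css_text)      # undo %xx escaping before matching
    findings = [("script-in-css", m.group(0)) for m in SCRIPT_CSS.finditer(decoded)]
    if "window.open" in decoded:
        for m in COORD.finditer(decoded):
            if int(m.group(2)) >= OFFSCREEN_MIN:
                findings.append(("offscreen-popup", m.group(1).lower()))
    return findings


def scan_hijackthis(log_text):
    """Return (value name, command) for O4 entries that start the dropped file."""
    hits = []
    for line in log_text.splitlines():
        m = O4_LINE.match(line.strip())
        if m and DROPPED.search(m.group(2)):
            hits.append((m.group(1), m.group(2)))
    return hits


if __name__ == "__main__":
    print(scan_stylesheet(SAMPLE_CSS))
    print(scan_hijackthis(SAMPLE_LOG))
```

A legitimate accessibility style sheet contains only declarations, so any "script-in-css" finding in a file Internet Explorer has been told to use is worth a manual look.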
This article is located at http://www.spywareinfo.com/articles/datanotary/
Credits:
http://www.doxdesk.com/ Doxdesk
http://www.spywareinfo.com/forums/ Mosaic1, SWI forums expert member
All materials on this web site are copyrighted © 2001 - 2008 by Mike Healan or their respective owners.