ide21201.vxd

I ran an adware/spyware check with Spybot of a Windows XP Professional system on September 4, 2005 where the user had been getting daily warnings from Symantec that it was quarantining a Dynamic Link Library (DLL) file associated with Downloader.Trojan, which is a generic classification Symantec uses for a lot of different types of malware.

Spybot identified two adware/spyware infections on the system. One of those was AdTools. It reported ide21201.vxd as being associated with this adware/spyware in c:\windows\system32. It did not find any other files nor any registry entries associated with this adware/spyware. I believe Symantec's warnings were due to other adware/spyware on the system, i.e. ShopAtHome adware/spyware, rather than being caused by the presence of ide21201.vxd.

C:\WINDOWS\SYSTEM32\ide21201.vxd

I checked the file with Symantec Corporate Edition 8.0 (version 8.1.0.825 with virus definitions dated 8/31/2005), but it did not report the file was associated with any virus or other malware, but its Spyware.Relevancy webpage states that the file ide21201.vxd may be part of the Spyware.Relevancy BHO. However, that webpage indicates that Spyware.Relevancy creates the following files:

%ProgramFiles%\SearchRelevancy\SearchRelevancy.dll
%ProgramFiles%\SearchRelevancy\SearchRelevancy.xml
%ProgramFiles%\SearchRelevancy\uninstall.exe
%System%\ide21201.vxd

I did not see any SearchRelevancy folder beneath c:\program files. Symantec's webpage also states that the following registry keys are created by Search.Relevancy:

HKEY_CLASSES_ROOT\SearchRelevancy
HKEY_CLASSES_ROOT\CLSID\{1D7E3B41-23CE-469B-BE1B-A64B877923E1}
HKEY_LOCAL_MACHINE\SOFTWARE\SearchRelevancy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SearchRelevancy

But, when I queried the registry using reg, I didn't see the listed registry keys.

C:\Documents and Settings\Administrator>reg query HKEY_CLASSES_ROOT\SearchRelevancy

Error: The system was unable to find the specified registry key or value

C:\Documents and Settings\Administrator>reg query HKEY_CLASSES_ROOT\CLSID\{1D7E3B41-23CE-469B-BE1B-A64B877923E1}

Error: The system was unable to find the specified registry key or value

C:\WINDOWS>reg query hklm\software\searchrelevancy

Error: The system was unable to find the specified registry key or value

C:\Documents and Settings\Administrator>reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SearchRelevancy

Error: The system was unable to find the specified registry key or value

Another antivirus vendor, Trend Micro states on a page with information on TROJ_AGENT.BF that the file may be associated with that Trojan.

The information Trend Micro provides on this Trojan is as follows:

Upon execution, this Trojan drops the file IDE21201.VXD in the Windows system folder. The dropped file is a non-malicious device driver used on Windows 95, Windows 98, and Windows ME, which is used to communicate directly with the hard disk. This Trojan uses the device driver to gain information about the user's hard disk.

It monitors the browsing habits of the user and occasionally opens popup Web browser windows that display online ads based on the gathered data. It is also capable of downloading updated versions of itself.

It creates the following registry entry to ensure its automatic execution whenever Windows starts up:

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion>Run
WindUpdates = "<malware_path_and_filename>"

This Trojan also adds an uninstall information in the registry so that an an entry is added in the Control Panel’s Add/Remove Programs application. TROJ_AGENT.BF may be uninstalled using the Add/Remove Programs option in the Control Panel.

However, since this Trojan opens Web browser windows that display online ads, it is possible that some components may not be completely removed depending on the uninstall options that the user selects.

This Trojan adds the uninstall information into the following registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\
Uninstall\Wind Updates

Other Details

This Trojan is compressed using UPX.

I submitted the file to Jotti's Online Malware Scan for analysis. The results of its scan of the file using 14 different antivirus programs was that two of the fourteen programs reported the file as malware while the other twelve reported "nothing found" for the file. Fortinet reported the file as W32/MITGLIEDR.B-tr while UNA reported it as Adware.WindUpdates.

I had Spybt remove this adware/spyware from the system, P, on September 4, 2005. I had previously removed this adware/spyware from this system on August 18, 2005.

File:ide21201.vxd
Size: 4.60 KB (4,720 bytes)
Timestamp: Wednesday, August 17, 2005, 1:02:55 PM
CRC-32:F799D2E4
MD5:EEBCE32039CDD922F541F346B9018ED6

References:

  1. Spyware.Relevancy
  2. TROJ_AGENT.BF