Evil Google Ads
Robert sent us some nice analysis earlier today about some hostile ads he discovered at Google. As best we can tell they are gone now, but here are his findings.
Searching for some free templates at Google may bring you nasty things you won't want:
http://www.google.com/search?hl=en&q=kostenlose+vorlagen&btnG=Google+Search
Have a look at the first advertising link "Kostenlos-Vorlagen.info"
All files there (all the same) are detected as:

AntiVir 7.4.0.39 07.07.2007 TR/Spy.BZub.JD.1
F-Secure 6.70.13260.0 07.07.2007 W32/Malware
Ikarus T3.1.1.8 07.07.2007 Trojan-Spy.Win32.Goldun.lw
Kaspersky 4.0.2.24 07.07.2007 Trojan-Spy.Win32.BZub.jd
Microsoft 1.2704 07.07.2007 TrojanDropper:Win32/Small.OT
Norman 5.80.02 07.06.2007 W32/Malware
Sophos 4.19.0 07.06.2007 Mal/Binder-C
Webwasher-Gateway 6.0.1 07.07.2007 Trojan.Spy.BZub.JD.1

After executing, the malware drops a file named:
C:\WINDOWS\System32\ipv6monl.dll

It hooks as a BHO under CLSID:
HKEY_CLASSES_ROOT\CLSID\{36DBC179-A19F-48F2-B16A-6A3E19B42A87}\InprocServer32

To do so it looks for activated browser extensions:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
"Enable Browser Extensions" = yes

It also ensures that IE can bypass the Windows Firewall:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" = C:\Program Files\Internet Explorer\IEXPLORE.EXE:*:Enabled:Internet Explorer

The keylogger function checks for banking logins and, if recognized, logs this information and sends it to a server.
Thanks, Robert! Great job of analysis.
Marcus H. Sachs
Director, SANS Internet Storm Center
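The persistence and firewall changes Robert lists can be checked on a Windows host with the following PowerShell script, added here as an example; it is not part of his analysis or the diary. The CLSID, dropped DLL path and firewall list value are taken from the findings above; the Browser Helper Objects key under HKLM is the standard IE BHO registration path and it is an assumption that this sample also registers there.

```powershell
# Added example (not from the diary): looks for the artifacts described
# in Robert's analysis. Values below come from the diary except the BHO
# list key, which is the standard IE location and an assumption here.

$clsid   = '{36DBC179-A19F-48F2-B16A-6A3E19B42A87}'
$dllPath = 'C:\WINDOWS\System32\ipv6monl.dll'
$iePath  = 'C:\Program Files\Internet Explorer\IEXPLORE.EXE'
$fwList  = 'HKLM:\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
$bhoList = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'

$findings = @()

# 1. Dropped DLL present on disk?
if (Test-Path -LiteralPath $dllPath) {
    $findings += "Dropped file present: $dllPath"
}

# 2. COM server registered under the CLSID, and which DLL it points to
$inproc = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
if (Test-Path -LiteralPath $inproc) {
    $server = (Get-ItemProperty -LiteralPath $inproc).'(default)'
    $findings += "CLSID $clsid registered, InprocServer32 = $server"
}

# 3. Same CLSID listed as a BHO (assumed location; loads into every IE process)
if (Test-Path -LiteralPath (Join-Path $bhoList $clsid)) {
    $findings += "CLSID $clsid is registered as a Browser Helper Object"
}

# 4. IE added to the XP firewall's authorized application list with Enabled
if (Test-Path -LiteralPath $fwList) {
    $props = Get-ItemProperty -LiteralPath $fwList
    $entry = $props.PSObject.Properties | Where-Object { $_.Name -eq $iePath }
    if ($entry -and $entry.Value -like '*:Enabled:*') {
        $findings += "Firewall exception for IE enabled: $($entry.Value)"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No artifacts from the diary found on this host.'
} else {
    $findings | ForEach-Object { Write-Output "[!] $_" }
}
```

Run it from an elevated prompt so the HKLM keys are readable; an IE firewall exception on its own is not proof of infection, but combined with the CLSID or DLL it warrants pulling the host for analysis.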