
“Yahoo Counter Starts”

12/24/08 | by Bob | Categories: Security

A current sysaudio.sys infection is being delivered via JavaScript injected into legitimate web sites. The injected script targets vulnerabilities in Microsoft Data Access Components (MDAC), Adobe PDF Reader, Flash and possibly others, including Firefox.

There is a fairly new security threat, seen during November and December 2008, that everyone who uses, views or HOSTS any HTML pages, or PHP-based forums, blogs, chat rooms, forms etc., needs to be aware of. In one coder's words, “It is the most complex virus and code I have ever seen.”

A couple of important things to be aware of:
If you are a web site operator and you use anything PHP- or CMS-based, somehow your web site (PHP or CMS pages and MySQL database) is either:
getting infected by a back-end virus on your host's systems that injects JavaScript code into your pages, into your MySQL database tables, or both,


OR

it might be getting in by taking advantage of improper file/folder permissions through FTP to inject the JavaScript code into your pages, or, the least likely possibility in my opinion, your FTP passwords have been compromised.

A few direct words from me, Bob, about my personal experience with this:

As a web site operator who uses phpBB3, X7 Chat and other PHP-based submission forms, this code was injected into all of my PHP-based pages. I discovered this after a friend called me and told me that he suspected he had a virus. After troubleshooting and finding a solution for his virus, I started investigating how he got the virus in the first place. What I found out was a shock.

Many, and I say MANY, site operators who had this code injected into their web sites were with IX Webhosting, as I was. But it got worse. After finding that the code had been injected into all of my PHP-based pages, I tried to restore them from backup, just to find out that the code was injected yet again. I also had a forum that I was getting ready to install in a directory which no one knew about, and which had no links to it, which also had the code injected into it before it was attached to any database! Here is something else I discovered:

After restoring from backups didn't work, I tried a fresh install of phpBB3 using a temporary database prefix. After the install was complete, there was NO malicious JavaScript found anywhere in my forum code. But AFTER I edited config.php to point back to the original prefix (phpbb_), the code was back in ALL of my forum pages. This indicated that, before or after my site had this code injected into its code, the MySQL database was also infected somehow. So even if you did start out with clean code, as soon as you plugged back into the old prefix, you were infected again. I suppose if you knew a lot about MySQL prefixes, you might be able to go through each one of the hundreds or thousands and find out where the malicious code is; however, as one site operator said in a forum post:


“I've replaced my phpbb2 files from backup, no help.

I've exported my phpMyAdmin structure and data, the entire SQL, then used vlm to "find" "yahoo" and no hits.

I don't know what to do to fix this...”

I've also read some talk of this modifying or adding .htaccess files which redirect your site visitors to another website that, if they're dumb enough, will download a virus called Anti-Virus 2009; however, I have not seen this on any of my web sites.

So, what I've done as of last night is delete every file in my phpBB3 directory, delete the entire MySQL database, and start over with everything fresh. So far, right now, all my pages are still clean. I'll be watching very closely.
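The following is an added example, not code from the original post or from phpBB, of the kind of check the clean-up above calls for. It looks through a site's PHP/HTML/JS files and a mysqldump for script tags that pull from hosts other than the site's own (raw-IP sources, such as the 78.157.142.58 host named in this post, are flagged separately), reports .htaccess redirects that leave the site, and notes files left at mode 444, the permission change reported in the update at the end of this post. The allow-list, the sample page, the sample dump row and the sample .htaccess are all constructed for the demo, not captured from a real infection.

```python
"""Scan a site's files and a mysqldump for injected <script src=...> tags.

Added example; not code from the original post or from phpBB. It assumes the
injected payload is a <script> tag whose src points at a host that is not one
of the site's own (the post names 78.157.142.58 as the host the payload comes
from). ALLOWED_HOSTS and every sample below are constructed for the demo.
"""
import os
import re
import shutil
import stat
import tempfile
from urllib.parse import urlsplit

# Hosts this site may legitimately load script from (assumption: edit per site).
ALLOWED_HOSTS = {"www.example.com", "example.com"}

# Matches src=//host, src="http://host" and the backslash-escaped form
# src=\"http://host\" that appears inside string literals in a mysqldump.
_SRC_RE = re.compile(
    r"<script\b[^>]*?\bsrc\s*=\s*\\?[\"']?\s*(?:https?:)?//([^/\"'\\\s>]+)",
    re.IGNORECASE,
)
_IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?$")
# Redirect/RewriteRule lines in .htaccess whose target is an absolute URL.
_HTACCESS_RE = re.compile(
    r"^\s*(?:Redirect(?:Match|Permanent|Temp)?|RewriteRule)\b.*?(https?://\S+)",
    re.IGNORECASE | re.MULTILINE,
)


def find_injected_scripts(text, allowed_hosts=ALLOWED_HOSTS):
    """Return [(host, reason)] for each <script src> not on the allow-list."""
    hits = []
    for m in _SRC_RE.finditer(text):
        host = m.group(1).lower()
        if host in allowed_hosts:
            continue
        reason = "raw IP address" if _IPV4_RE.match(host) else "host not on allow-list"
        hits.append((host, reason))
    return hits


def find_htaccess_redirects(text, allowed_hosts=ALLOWED_HOSTS):
    """Return target URLs of Redirect/RewriteRule lines that leave the site."""
    return [
        url for url in _HTACCESS_RE.findall(text)
        if (urlsplit(url).hostname or "").lower() not in allowed_hosts
    ]


SCAN_SUFFIXES = (".php", ".html", ".htm", ".js", ".sql")


def scan_tree(root, allowed_hosts=ALLOWED_HOSTS):
    """Walk root and return [(path, finding)] for script injections, .htaccess
    redirects and files left mode 0444 (the post's update reports permissions
    changed from 775 to 444 so the files cannot be overwritten in place)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not (name.endswith(SCAN_SUFFIXES) or name == ".htaccess"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                text = fh.read().decode("utf-8", "replace")
            for host, reason in find_injected_scripts(text, allowed_hosts):
                findings.append((path, f"script from {host} ({reason})"))
            if name == ".htaccess":
                for url in find_htaccess_redirects(text, allowed_hosts):
                    findings.append((path, f"redirect to {url}"))
            if stat.S_IMODE(os.stat(path).st_mode) == 0o444:
                findings.append((path, "mode 0444: owner cannot overwrite in place"))
    return findings


# Constructed sample inputs (not captured from a real infection).
SAMPLE_PHP = (
    '<?php echo "hello"; ?>\n'
    '<script type="text/javascript" src="http://www.example.com/site.js"></script>\n'
    '<script src=//78.157.142.58/></script>\n'
)
SAMPLE_SQL_DUMP = (
    "INSERT INTO `phpbb_config` (`config_name`, `config_value`) VALUES "
    "('site_desc','<script src=\\\"http://78.157.142.58/\\\"></script>');\n"
)
SAMPLE_HTACCESS = (
    "RewriteEngine On\n"
    "RewriteRule ^(.*)$ http://attacker.invalid/in.php [R,L]\n"
)


def demo():
    """Write the samples into a temp dir, scan it, and return sorted findings."""
    root = tempfile.mkdtemp(prefix="siteaudit-")
    try:
        for name, body in {"index.php": SAMPLE_PHP, "dump.sql": SAMPLE_SQL_DUMP,
                           ".htaccess": SAMPLE_HTACCESS}.items():
            with open(os.path.join(root, name), "w") as fh:
                fh.write(body)
        os.chmod(os.path.join(root, "index.php"), 0o444)  # mimic the 775 -> 444 change
        return sorted(finding for _path, finding in scan_tree(root))
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Run it against a mysqldump as well as the web root: the experience described above was that a clean phpBB3 reinstall came back infected as soon as it was pointed at the old tables, so the dump is where the second copy of the payload is likely to be. A scan that finds nothing only proves the pattern it looks for is absent; an unexpected host anywhere in the output is the thing to chase.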

Anyway, once this JavaScript code is injected into your pages, your visitors have a file installed on their computer (coming from 78.157.142.58). After it is in place, search engine results are loaded within a script. For example, when you search for something in Google or another search engine, you get this when you view the source:

script src=//78.157.142.58/ and then the search engine results.
or
script src=//209.85.171.9/ and then the search engine results.
(more may be present as well)

So, whenever a popular search engine is being used, a script is loaded to insert its results. For example, a search for “How to remove rootkits with IceSword” returns irrelevant results. (A screenshot was attached to the original post.)

sysaudio.sys causes Search engine Hijack

If your computer is infected with this:
The file responsible for the search engine hijack is sysaudio.sys (which is actually a DLL), dropped in the %sysdir% folder (the system32 folder).
Note: do NOT confuse this one with the legitimate sysaudio.sys file, which is present in the %sysdir%\drivers folder! So don't delete the legitimate %sysdir%\drivers\sysaudio.sys file!

The loading point for the fake sysaudio.sys is under the

HKLM\software\microsoft\windows nt\currentversion\drivers32 key

with value name and value data:

"aux"="sysaudio.sys" or

"aux2"="sysaudio.sys"

Legitimate value data for "aux" should be wdmaud.drv, mmdrv.dll or ctwdm32.dll (those are the most common legitimate ones I've seen so far; there could be more).

Other files the fake sysaudio.sys may use are divx.nls or ntnet.drv, which are also present in the %sysdir% folder.

(There could already be more in newer variants.)

Anyway, this is another method being used to "hide" its presence, because it causes confusion with legitimate files/keys. So be cautious if you think you're dealing with this one, and do not delete the legitimate sysaudio.sys file present in the system32\drivers folder or the "aux" value in the registry. Ask for help if you're not sure.
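The following is an added example, not from the original post or from miekiemoes' write-up: a small triage script that reads a `reg export` of the Drivers32 key and flags the value/data pairs described above. It assumes the key was exported on the suspect machine and copied off for inspection; the sample export is constructed, not a real capture. It reports and does not delete, so the caveat about the legitimate %sysdir%\drivers\sysaudio.sys still applies to whatever you do next.

```python
"""Triage a 'reg export' of the Drivers32 key for the fake sysaudio.sys loader.

Added example; not code from the original post or from miekiemoes' write-up.
It assumes the key was exported on the suspect machine with
  reg export "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Drivers32" drivers32.reg
and copied off. SAMPLE_REG below is constructed, not captured from an
infected host. This is a triage aid: it flags values, it deletes nothing.
"""
import re

# Value data the post lists as legitimate for "aux" (there may be others).
LEGIT_AUX = {"wdmaud.drv", "mmdrv.dll", "ctwdm32.dll"}
# File names the post ties to the fake driver, all dropped in %sysdir% itself.
SUSPECT_FILES = {"sysaudio.sys", "divx.nls", "ntnet.drv"}

# One REG_SZ line of a .reg export: "name"="data"
_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>[^"]*)"\s*$', re.MULTILINE)


def load_reg_export(path):
    """Read a .reg file; reg.exe writes UTF-16 with a BOM, older tools ANSI."""
    with open(path, "rb") as fh:
        raw = fh.read()
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        return raw.decode("utf-16")
    return raw.decode("cp1252", "replace")


def parse_reg_values(reg_text):
    """Return {value name: data} for the REG_SZ values in an export."""
    return {m.group("name"): m.group("data") for m in _VALUE_RE.finditer(reg_text)}


def audit_drivers32(values):
    """Return [(value name, data, verdict)] for Drivers32 values worth a look.

    A bare file name in Drivers32 is resolved from %sysdir%, which is exactly
    where the fake sysaudio.sys is dropped; the real sysaudio.sys is a kernel
    driver in %sysdir%\\drivers and is not loaded through this key.
    """
    findings = []
    for name, data in values.items():
        # .reg exports double every backslash inside string data.
        base = data.replace("\\\\", "\\").rsplit("\\", 1)[-1].lower()
        if base in SUSPECT_FILES:
            findings.append((name, data, "suspect: loader for the fake sysaudio.sys"))
        elif name.lower().startswith("aux") and base not in LEGIT_AUX:
            findings.append((name, data, "unknown aux driver: verify by hand"))
    return findings


# Constructed sample export of an infected-looking key (not a real capture).
SAMPLE_REG = (
    "Windows Registry Editor Version 5.00\r\n\r\n"
    "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Drivers32]\r\n"
    '"midimapper"="midimap.dll"\r\n'
    '"wavemapper"="msacm32.drv"\r\n'
    '"aux"="wdmaud.drv"\r\n'
    '"aux2"="sysaudio.sys"\r\n'
)


if __name__ == "__main__":
    import sys
    text = load_reg_export(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_REG
    for name, data, verdict in audit_drivers32(parse_reg_values(text)):
        print(f'"{name}"="{data}"  <- {verdict}')
```

An "unknown aux driver" verdict is not a detection; it only means the data is not one of the three names the post lists, so check the file on disk before touching the value.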

How to get rid of it from your computer:

One way I've removed it successfully is by using Malwarebytes' Anti-Malware.
One way to prevent it is by installing a Firefox add-on called NoScript.
As of right now, there is a very long list of anti-virus software that does NOT recognize this as harmful to your system.
More links to forum and blog postings from site operators who are fighting this right now:
Sunday, December 21, 2008

-Bob

http://www.phpbb.com/community/viewtopic.php?f=46&t=1322765&p=7916135&hilit=yahoo+counter#wrap

http://forum.cmsmadesimple.org/index.php?topic=27818.msg138409

http://www.linkedin.com/answers/technology/web-development/TCH_WDD/363337-34607963?BrowseCategory=

http://miekiemoes.blogspot.com/2008/10/fake-sysaudiosys-causes-searchengine.html

Thanks to miekiemoes' blog for much of this information.
Thanks also to "the ringleader" for some added info.
If you need to contact me with questions or have more to add to this, please leave a comment.

**UPDATE**

I've received an email from “the ringleader”, who added that he has also seen this infect HTML files in addition to PHP and CMS. He also said that his account through IX re-infected itself after he cleaned things up. He went on to talk about how his file permissions changed:

“Mine went from 775 down to 444 so you cannot overwrite them; you have to delete them first, then FTP the repaired file. Either that or have IX change ownership and permissions for you.”

Thank you very much for that info!
