IEMonit is a search result hijacker implemented as an Internet
Explorer Browser Helper Object (BHO). It checks queries submitted
to search engines for sex-related keywords. (Google, Yahoo,
Lycos, AltaVista, Infospace and a variety of Polish search
engines are targeted.)
Distribution
It is currently unknown where IEMonit comes from.
What it does
Advertising
Yes. May open advertisements when targeted keywords are entered.
Privacy violation
No.
Security issues
Yes. Includes an updater process which is believed to be
able to download and execute arbitrary code from its controlling
server. I currently have not obtained a copy of this to test,
however.
Stability problems
No.
Removal
Open a DOS command prompt window (from Start->Programs->Accessories),
and enter the following commands:
    cd "%WinDir%\System"
    regsvr32 /u iemonit.dll
Next, open the Registry Editor (click 'Start', choose 'Run', enter
'regedit') and find the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run.
Delete the entry 'Internet Explorer Library' in the right-hand pane,
which points to 'ieupdates.exe', 'updaterie01.exe' or 'fixieupdate.exe'.
Restart the computer and you should be able to delete 'iemonit.dll'
and 'ieupdates.exe'/'updaterie01.exe'/'fixieupdate.exe' from
the System folder, which is inside the Windows folder (and
is called 'System32' on Windows NT/2000/XP).
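
A read-only check for the artifacts named in the removal steps above, added here as an example and not part of the original write-up. It assumes Windows PowerShell 3.0 or later; the Browser Helper Objects registry path is the standard Internet Explorer BHO location and is not given on the page.

```powershell
# Added example: reports IEMonit leftovers, changes nothing on the system.
$runKey   = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$runName  = 'Internet Explorer Library'
$updaters = 'ieupdates.exe', 'updaterie01.exe', 'fixieupdate.exe'
$files    = @('iemonit.dll') + $updaters
# Assumption: standard BHO registration key (not stated on the page)
$bhoKey   = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
$findings = @()

# 1. Run value that starts the updater at boot
$run = Get-ItemProperty -Path $runKey -Name $runName -ErrorAction SilentlyContinue
if ($run) {
    $target = [string]$run.$runName
    $known  = $updaters | Where-Object { $target -like "*$_*" }
    $note   = $(if ($known) { 'targets a listed updater' } else { 'same value name, other target: review' })
    $findings += [pscustomobject]@{ Kind = 'Run value'; Item = $target; Note = $note }
}

# 2. BHO still registered, i.e. 'regsvr32 /u iemonit.dll' not run or failed
foreach ($key in @(Get-ChildItem -Path $bhoKey -ErrorAction SilentlyContinue)) {
    $clsid  = $key.PSChildName
    $inproc = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
    $server = (Get-ItemProperty -LiteralPath $inproc -ErrorAction SilentlyContinue).'(default)'
    if ($server -like '*iemonit.dll*') {
        $findings += [pscustomobject]@{ Kind = 'BHO'; Item = $clsid; Note = "loads $server" }
    }
}

# 3. Files in the System folder ('System32' on Windows NT/2000/XP)
foreach ($dir in 'System', 'System32') {
    foreach ($name in $files) {
        $path = Join-Path (Join-Path $env:WinDir $dir) $name
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            $findings += [pscustomobject]@{ Kind = 'File'; Item = $path; Note = 'delete after restart' }
        }
    }
}

if ($findings.Count -eq 0) {
    'No IEMonit artifacts found.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

Running it again after the restart and file deletion confirms that all three kinds of artifact are gone.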