Revisiting the mystery user agent string IEMB3

Originally mentioned here, we have been unable to identify what is generating the UAS "IEMB3".  If anybody knows, can you please reply to this entry?

To repeat the original question:

A User Agent String (UAS) is made up of various segments that reveal various bits of information about your Web browser, operating system and a few other bits and pieces.  A typical UAS may be:

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)

In the above example:

"Mozilla" equates to an "application name"
"4.0" equates to "application version"
"compatible" is a "compatibility flag"
"MSIE 7.0" is a "version token"
"Windows NT 6.0" is the "platform token"

To complicate things, there are many Windows components that can add tokens to the UAS, such as:

".NET CLR" which indicates the presence of the .NET Framework common language runtime
"Tablet PC" which indicates that Tablet services are installed
"Win64; IA64" which indicates the system has an Intel x64 processor
"Win64; x64" which indicates the system has an AMD x64 processor
"WOW64" which indicates a 32-bit version of Internet Explorer is running on a 64-bit processor

Programs can also add tokens on their own behalf, for example:

"InfoPath"
"Media Center PC"
"FunWebProducts"    {{{BOOOO!!!! says Sandi}}}
"ZangoToolbar"         {{{BOOOO!!!! says Sandi}}}


Ok, so, bearing in mind all of the above, we can identify pretty much everything in the following User Agent String except, in this case, the token on the end, "IEMB3":

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; IEMB3

Published Friday, September 07, 2007 9:23 AM by sandi
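
The breakdown described in this post, as an added example (not code from the original post): it splits a UAS into the segments named above and reports tokens the listed rules do not explain, repeated tokens, and a missing closing parenthesis. The names `analyze_ua`, `KNOWN` and `SAMPLES` are assumptions of this example; the sample strings are the ones quoted on this page.

```python
import re
from collections import Counter

# Token patterns taken from the post's own breakdown, plus SV1, which the
# post's sample string contains and treats as identified.
KNOWN = [re.compile(p, re.I) for p in (
    r"compatible", r"MSIE \d+(\.\d+)*", r"Windows NT \d+\.\d+", r"SV1",
    r"\.NET CLR [\d.]+", r"Tablet PC( [\d.]+)?", r"Win64", r"IA64", r"x64",
    r"WOW64", r"InfoPath(\.\d+)?", r"Media Cent(er|re) PC( [\d.]+)?",
    r"FunWebProducts", r"ZangoToolbar",
)]

# application name "/" application version "(" token; token; ... [")"]
UA_RE = re.compile(r"^(?P<app>[^/\s]+)/(?P<ver>\S+)\s*\((?P<body>[^)]*)(?P<close>\)?)")

# Sample strings copied from this page (the post and its comments).
SAMPLES = [
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; IEMB3",
    "Mozilla/4.0 (383; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; IEMB3)",
    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; IEMB3; IEMB3)",
]

def analyze_ua(ua):
    """Split a UAS into segments and report what the known-token list cannot explain."""
    m = UA_RE.match(ua.strip())
    if not m:
        return None  # not in the "name/version (tokens)" shape at all
    tokens = [t.strip() for t in m.group("body").split(";") if t.strip()]
    counts = Counter(tokens)  # keeps first-seen order
    return {
        "app": m.group("app"),
        "version": m.group("ver"),
        "tokens": tokens,
        "unknown": [t for t in counts if not any(k.fullmatch(t) for k in KNOWN)],
        "duplicates": [t for t, n in counts.items() if n > 1],
        "unterminated": m.group("close") == "",
    }

if __name__ == "__main__":
    for ua in SAMPLES:
        r = analyze_ua(ua)
        print(r["unknown"], r["duplicates"], "unterminated" if r["unterminated"] else "")
```
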

Comments

# re: Revisiting the mystery user agent string IEMB3

I found this item:

msdn2.microsoft.com/.../ms537503.aspx

javascript:alert(navigator.userAgent)

If you can convince a large number of people to enter the above line in the address field of IE, perhaps you can identify a common element.

Saturday, September 08, 2007 11:24 PM by Just Bob

# re: Revisiting the mystery user agent string IEMB3

I am puzzling over the meaning of IEMB3 myself since I found this user agent in my server logs just a few minutes ago:

Mozilla/4.0 (383; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; IEMB3)

Originating from 212.98.150.6 at 2007-11-08 14:41:25 GMT.

As 383; precedes MSIE 7.0 I suspect this is some kind of spider/crawler masquerading as a browser, or a custom-made automated process operating within a browser.

I've seen similar behaviour from Opera and Gecko based browsers (like the Nokia N95 default browser) and from Firefox extensions/plugins.

Thursday, November 08, 2007 9:06 AM by Leyton Jay

# re: Revisiting the mystery user agent string IEMB3

I've checked my Apache logs and here is what I've learned.

1) IEMB3 is not something like an auto spider, since the timings and patterns/referrers/queries are too natural for a robot.

2) As far as I can go back, the first IEMB3 logs were recorded in Dec 2006, so this is not quite new behavior.

3) I can see a duplicated IEMB3 token.

Here's the variety of agent names:

www.takui.net/.../ua-list.txt

I guess some security program or IE plugin adds the IEMB3 token once it's installed.

Two cents.

Tuesday, November 20, 2007 12:17 AM by sparky

# re: Revisiting the mystery user agent string IEMB3

Anyone think this might be related to the trojan Gorhax?  I've read that it sometimes installs an executable called MB3[1].exe:

spywarefiles.prevx.com/spywarefiles.asp

Any thoughts?

Friday, November 30, 2007 8:38 AM by Forrest

# re: Revisiting the mystery user agent string IEMB3

IEMB3 appears to be some form of email harvester.  An IP with this agent was engaged in this activity and the IP was automatically blocked after accessing our pages more than 20 times in 30 seconds.

Good bots have much less activity.

Friday, May 09, 2008 4:38 PM by Chris

# re: Revisiting the mystery user agent string IEMB3

Date : May 29/2008

IP = XXX.XXX.XXX.XXX (User)

Agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; IEMB3; IEMB3)

Language = en-us

Referer = <null>

21:46:00 ::: [80] ... <page access>

21:46:37 ::: [80] ... <file uploaded>

Client Details ...

OS: WinXP

Browser: IE7

Cookies: Supported

VB Script: Supported

JavaScript: Supported

ActiveX: Supported

This is the first time I have seen it and am looking for answers also. The above is a listing of a page hit right out of my personal logs. Note that appearance and behavior are not bot-like at all ... I agree that it does seem to be like some sort of plugin. However, the question remains ... "What is it?"

Thursday, May 29, 2008 10:48 PM by Anonymous

# re: Revisiting the mystery user agent string IEMB3

This UA was used by a customer giving intelligent feedback through a form.

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; IEMB3; IEMB3)

Tuesday, August 19, 2008 3:13 PM by Phatfingers