Updated: February 13, 2007 11:34:58 AM
Type: Spyware
Publisher: www.dotcomtoolbar.com
Risk Impact: High
File Names:
Redirect2.exe
Redirect7.exe
Redirect9a.exe
toolbar_nieuw14.dll
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
When Spyware.Dotcomtoolbar runs, it does the following:
- Adds the value:
"redirect" = "[path to adware file]"
on the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- Opens a browser window displaying the Web page www.dotcomtoolbar.com/install.asp
- Adds some of the following registry subkeys:
HKEY_CLASSES_ROOT\CLSID\{29DD1EA6-1FDA-44A4-B083-C9900547BC48}
HKEY_CLASSES_ROOT\CLSID\{5F1ABCDB-A875-46c1-8345-B72A4567E486}
HKEY_CLASSES_ROOT\CLSID\{FC2493D6-A673-49FE-A2EE-EFE03E95C27C}
HKEY_CLASSES_ROOT\Interface\{7B9A715E-9D87-4C21-BF9E-F914F2FA953F}
HKEY_CLASSES_ROOT\Interface\{7C479D09-1280-41D2-945F-2377736B8CF7}
HKEY_CLASSES_ROOT\Interface\{EAF2CCEE-21A1-4203-9F36-4929FD104D43}
HKEY_CLASSES_ROOT\TypeLib\{6D3F5DE4-E980-4407-A10F-9AC771ABAAE6}
HKEY_CLASSES_ROOT\GoRSDN.ContextItem
HKEY_CLASSES_ROOT\GoRSDN.ContextItem.1
HKEY_CLASSES_ROOT\Pugi.PugiObj
HKEY_CLASSES_ROOT\Pugi.PugiObj.1
HKEY_CLASSES_ROOT\ToolBand.hits
HKEY_CLASSES_ROOT\ToolBand.hits.1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{5F1ABCDB-A875-46C1-8345-B72A4567E483}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DotComToolbar
HKEY_ALL_USERS\Software\DotComToolbar
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/toolbar_nieuw14.dll
HKEY_ALL_USERS\Software\Microsoft\Internet Explorer\MenuExt\&RSDN Search
- Adds the value:
"SearchAssistant" = "Explorer"
to the registry subkey:
HKEY_ALL_USERS\Software\Microsoft\Internet Explorer\Search
- Adds the values:
"Search Bar" = "[Web site on the searchbar.findthewebsiteyouneed.com domain]"
"Default_Search_URL" = "[Web site on the searchbar.findthewebsiteyouneed.com domain]"
to the registry subkey:
HKEY_ALL_USERS\Software\Microsoft\Internet Explorer\Main
- Adds the values:
"Start Page" = "[Web site on the findthewebsiteyouneed.com domain]"
"Search Page" = "[Web site on the searchbar.findthewebsiteyouneed.com domain]"
to the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main
- Adds the value:
"SearchAssistant" = "[Web site on the searchbar.findthewebsiteyouneed.com domain]"
to the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search
- Creates the following registry subkeys:
HKEY_ALL_USERS\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{5F1ABCDB-A875-46C1-8345-B72A4567E486}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{5F1ABCDB-A875-46C1-8345-B72A4567E486}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DownloadManager
- Adds the value:
"SharedDlls" = "C:\WINDOWS\Downloaded Program Files\toolbar_nieuw14.dll"
to the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
- Logs the IP address and URLs visited on the compromised computer.
It does this by hooking any URL visited and changing it to the following:
www.dotcomtoolbar.com/redirect/url.asp?url=[URL the user would like to visit]
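The registry changes listed above can be checked offline against a registry export. The following is an added example (not part of this writeup) that parses a .reg export and flags the Run value, the toolbar CLSID and the Internet Explorer search/start-page values described here; the sample export and the path it shows for the Run value are constructed.

```python
"""Scan a Windows registry export (.reg text) for the Spyware.Dotcomtoolbar
indicators listed in the writeup. Added example; the sample input is constructed."""

# Indicators taken from the writeup: the toolbar CLSID, the Run value name,
# and the domain the Internet Explorer search/start-page values are pointed at.
TOOLBAR_CLSID = "{5F1ABCDB-A875-46C1-8345-B72A4567E486}"
RUN_VALUE_NAME = "redirect"
SEARCH_DOMAIN = "findthewebsiteyouneed.com"
IE_VALUE_NAMES = {"Search Bar", "Default_Search_URL", "Start Page",
                  "Search Page", "SearchAssistant"}

def parse_reg_export(text):
    """Return {key_path: {value_name: data}} from a REGEDIT-style export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            keys[current][name.strip('"')] = data.strip().strip('"')
    return keys

def find_dotcomtoolbar_indicators(reg_text):
    """Return a list of human-readable findings; empty means no indicator matched."""
    hits = []
    for key, values in parse_reg_export(reg_text).items():
        upper = key.upper()  # CLSIDs appear in mixed case in the writeup
        if TOOLBAR_CLSID in upper:
            hits.append(f"toolbar CLSID present: {key}")
        if upper.endswith(r"\CURRENTVERSION\RUN") and RUN_VALUE_NAME in values:
            hits.append(f"Run value '{RUN_VALUE_NAME}' -> {values[RUN_VALUE_NAME]}")
        for name, data in values.items():
            if name in IE_VALUE_NAMES and SEARCH_DOMAIN in data.lower():
                hits.append(f"IE setting '{name}' points to {data} ({key})")
    return hits

# Constructed sample export; the Redirect7.exe path is an assumption, not from the writeup.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"redirect"="C:\\WINDOWS\\Redirect7.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.findthewebsiteyouneed.com/"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{5F1ABCDB-A875-46C1-8345-B72A4567E486}]
@=""
"""

if __name__ == "__main__":
    for hit in find_dotcomtoolbar_indicators(SAMPLE_EXPORT):
        print(hit)
```

A clean export produces an empty list; a match on any single indicator is worth following up with the full key list above, since the writeup says only some of the subkeys are added on a given system.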