Updated: February 13, 2007 11:35:50 AM
Type: Adware
Version: 2003, 4, 29, 1
Publisher: N/A
Risk Impact: High
File Names:
QaBar.dll
QcBar.dll
SetupAdultLinks.exe
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
When the self-extracting .zip file for Adware.AdultLinks is executed, it will perform the following actions:
- Copies QaBar.dll to %windir%\system32\
Note: %Windir% is a variable. The adware locates the Windows installation folder (by default, this is C:\Windows or C:\Winnt) and copies itself to that location.
- Adds the value
"ForceShow" = "rundll32.exe <path to file>,ForceShowBar"
or
"ForceShow" = "res://<path to file>/ForceShow.HTML"
to the registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
Note: This registry key will be removed once the computer has been rebooted.
- Adds the value
"SearchAssistant" = "dev.ntcor.com/search.html"
to the registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search
which changes the default search page in Internet Explorer.
- Adds the value
"{965e6b07-6832-4738-bdbe-25f226ba2ab0}" = "Adult Links"
or
"{765E6B09-6832-4738-BDBE-25F226BA2AB0} " = "Adult Links"
to the registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar
which adds a toolbar called AdultLinks to Internet Explorer.
- Adds the following keys (some keys may be added by specific versions of AdultLinks only):
HKEY_CLASSES_ROOT\CLSID\{965e6b07-6832-4738-bdbe-25f226ba2ab0}
HKEY_CLASSES_ROOT\CLSID\{dd1bca06-f674-424d-a08e-42da97c4d5dd}
HKEY_CLASSES_ROOT\CLSID\{D6FC35D1-04AB-4D40-94CF-2E5AE4D0F8D2}
HKEY_CLASSES_ROOT\CLSID\{5C015AA7-3392-4044-90CC-8E95019CFFF1}
HKEY_CLASSES_ROOT\CLSID\{765E6B09-6832-4738-BDBE-25F226BA2AB0}
HKEY_CLASSES_ROOT\Interface\{6D7D135E-F7C2-4A27-A87C-C0DFEB3A628F}
HKEY_CLASSES_ROOT\Interface\{D1320CBB-403D-483D-AE9A-688960A96977}
HKEY_CLASSES_ROOT\Interface\{ED7D1356-F7C2-4A27-A87C-C0DFEB3A628F}
HKEY_CLASSES_ROOT\Interface\{242CA913-1637-4F74-9729-EA349AF3ECAC}
HKEY_CLASSES_ROOT\Interface\{3FAA7D43-6889-4108-BD33-D66242C45BE0}
HKEY_CLASSES_ROOT\TypeLib\{D02EE3A0-1881-419F-A5EF-737223463292}
HKEY_CLASSES_ROOT\TypeLib\{C02EE3A0-1881-419F-A5ED-737223463292}
HKEY_CLASSES_ROOT\TypeLib\{60381D4B-8129-449A-A5F2-5417AD0571CC}
HKEY_CLASSES_ROOT\TypeLib\{0b1673d7-c165-4d41-bf65-1932324de17f}
HKEY_CLASSES_ROOT\QcBar\
HKEY_CLASSES_ROOT\QcBar.1\
HKEY_CLASSES_ROOT\QABar
HKEY_CLASSES_ROOT\QaBar.1\
HKEY_CLASSES_ROOT\QABar.AdultSearch
HKEY_CLASSES_ROOT\QABar.AdultSearch.1
HKEY_CLASSES_ROOT\Allch.IEObj\
HKEY_CLASSES_ROOT\Allch.IEObj.1\
HKEY_CURRENT_USER\Software\QcBar\
HKEY_CLASSES_ROOT\QaBar.AdultSearch.1\
HKEY_CLASSES_ROOT\AdultBar.AdultBar
HKEY_CLASSES_ROOT\AdultBar.AdultBar.1
HKEY_CLASSES_ROOT\AdultSearch.AdultSearch
HKEY_CLASSES_ROOT\AdultSearch.AdultSearch.1
HKEY_CLASSES_ROOT\LinkZZ2.NullCtrl
HKEY_CLASSES_ROOT\LinkZZ2.NullCtrl.1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{765E6B09-6832-4738-BDBE-25F226BA2AB0}
HKEY_LOCAL_MACHINE\Software\QcBar\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D6FC35D1-04AB-4D40-94CF-2E5AE4D0F8D2}
which allow the adware to monitor Internet Explorer activities.
- Attempts to download a Web page from www.mainentrypoint.com containing a list of links. The adware will add these links to the Favorites menu in Internet Explorer.
Note: Security Response has observed 47 links in the list at the time of this writing.
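The registry changes described above can be checked offline against the text of a `reg export` file. The following Python is an added example, not part of the original write-up or of any vendor tool; the function names and the sample export are constructed for illustration, and only the keys, value names and data come from the list above.

```python
import re

# Indicators from the write-up: (key, value name, substring required in the data or None).
IE = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer"
INDICATORS = [
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce", "ForceShow", None),
    (IE + r"\Search", "SearchAssistant", "dev.ntcor.com"),
    (IE + r"\Toolbar", "{965e6b07-6832-4738-bdbe-25f226ba2ab0}", None),
    (IE + r"\Toolbar", "{765E6B09-6832-4738-BDBE-25F226BA2AB0}", None),
]
BHO_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer"
           r"\Browser Helper Objects\{D6FC35D1-04AB-4D40-94CF-2E5AE4D0F8D2}")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
ESCAPE_RE = re.compile(r"\\(.)")  # .reg strings escape \ and " with a backslash

# Constructed sample export for illustration (not taken from a real host).
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
"SearchAssistant"="dev.ntcor.com/search.html"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{765E6B09-6832-4738-BDBE-25F226BA2AB0}"="Adult Links"
'''

def parse_reg(text):
    """Parse `reg export` text into {lowercased key: {lowercased value name: data}}."""
    keys, current = {}, None
    # Normalise line endings, then join hex data continued with a trailing backslash.
    text = text.replace("\r\n", "\n").replace("\\\n", "")
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and (m := VALUE_RE.match(line)):
            name, data = m.groups()
            if data.startswith('"') and data.endswith('"'):
                data = ESCAPE_RE.sub(r"\1", data[1:-1])
            current[ESCAPE_RE.sub(r"\1", name).lower()] = data
    return keys

def find_adultlinks(text):
    """Return the indicators from the write-up that are present in the export."""
    keys, hits = parse_reg(text), []
    for key, name, needle in INDICATORS:
        data = keys.get(key.lower(), {}).get(name.lower())
        if data is not None and (needle is None or needle in data.lower()):
            hits.append(f"{key}\\{name} = {data}")
    if BHO_KEY.lower() in keys:
        hits.append(BHO_KEY)
    return hits

if __name__ == "__main__":
    print("\n".join(find_adultlinks(SAMPLE)))
```

Registry exports are normally UTF-16 encoded, so decode the file with `encoding="utf-16"` before passing its text to `find_adultlinks`. Key and value names are compared case-insensitively, as the registry does.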