Adware.SearchBarCash


Updated: February 13, 2007 11:42:14 AM
Type: Adware
Risk Impact: High
File Names: seqsb.dll, msqsb.dll
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP


When Adware.SearchBarCash is executed, it performs the following actions:

  1. Creates the following files and folders:

    • %Windir%\system32\msqsb.dll
    • %Windir%\system32\seqsb.dll
    • %Windir%\Temp\SearchBar\BarData1
    • %Windir%\Temp\SearchBar\BarData2
    • %Windir%\Temp\SearchBar\BarData3
    • %Windir%\Temp\SearchBar\BarData4
    • %Windir%\Temp\SearchBar\BarData5
    • %Windir%\Temp\SearchBar\BarsCount.txt
    • %Windir%\Temp\SearchBar\DefUrl.txt
    • %Windir%\Temp\SearchBar\Path.txt
    • %Windir%\Temp\SearchBar\PICTURES\hottoolbar.bmp
    • %Windir%\Temp\SearchBar\PICTURES\pictures_adult-comics.bmp
    • %Windir%\Temp\SearchBar\PICTURES\pictures_amateur.bmp
    • %Windir%\Temp\SearchBar\Run.exe
    • %SystemDrive%\inst_debug.log

    Note:

    • %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
    • %SystemDrive% is a variable that refers to the drive on which Windows is installed. By default, this is drive C.

  2. Creates the registry subkey:

    HKEY_CLASSES_ROOT\CLSID\[RANDOMLY CREATED CLSID]

  3. Adds the value:

    "[RANDOMLY CREATED CLSID]" = "DDE Control Module"

    to the registry subkey:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

  4. Adds the value:

    "[RANDOMLY CREATED CLSID]" = "seqsb"

    to the registry subkey:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks

    so that the adware is added to the approved Microsoft Explorer shell extensions.

  5. Creates the following registry subkeys:

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{722E8B26-1C44-460F-88BB-50C82B20E30E}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{2A81F6DE-0D0B-46FD-94EC-D50EDD38B641}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{579B1D89-134B-4616-AC6F-A47CE3438800}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SearchBar.SearchBand
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SearchBar.SearchBand.1
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{722E8B26-1C44-460F-88BB-50C82B20E30E}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MMQsb
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MsQsb

  6. Adds the following value:

    "{722E8B26-1C44-460F-88BB-50C82B20E30E}" = "Ïîèñêîâèê"

    to the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar
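
A read-only check for the artifacts listed in steps 1 to 6, as an added PowerShell example that is not part of the original write-up. The function name Find-SearchBarCashArtifact and the output fields are assumptions; because steps 3 and 4 use a randomly created CLSID as the value name, those two checks match on the value data instead.

```powershell
# Added example, not vendor code. Function name and output fields are assumptions.
function Find-SearchBarCashArtifact {
    $hits  = @()
    $clsid = '{722E8B26-1C44-460F-88BB-50C82B20E30E}'

    # Step 1 files and folders, then the fixed registry subkeys from step 5
    $paths = @(
        "$env:windir\system32\msqsb.dll",
        "$env:windir\system32\seqsb.dll",
        "$env:windir\Temp\SearchBar",
        "$env:SystemDrive\inst_debug.log",
        "HKLM:\SOFTWARE\Classes\CLSID\$clsid",
        'HKLM:\SOFTWARE\Classes\Interface\{2A81F6DE-0D0B-46FD-94EC-D50EDD38B641}',
        'HKLM:\SOFTWARE\Classes\TypeLib\{579B1D89-134B-4616-AC6F-A47CE3438800}',
        'HKLM:\SOFTWARE\Classes\SearchBar.SearchBand',
        'HKLM:\SOFTWARE\Classes\SearchBar.SearchBand.1',
        "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$clsid",
        'HKLM:\SOFTWARE\Microsoft\MMQsb',
        'HKLM:\SOFTWARE\Microsoft\MsQsb'
    )
    foreach ($p in $paths) {
        if (Test-Path -LiteralPath $p) {
            $hits += [pscustomobject]@{ Kind = 'Path'; Location = $p; Detail = 'exists' }
        }
    }

    # Steps 3 and 4: random CLSID as value name, so match on the data.
    # Step 6: fixed value name under the Internet Explorer Toolbar key.
    $cv = 'HKLM:\Software\Microsoft\Windows\CurrentVersion'
    $valueChecks = @(
        @{ Key = "$cv\Shell Extensions\Approved";  Data = 'DDE Control Module' },
        @{ Key = "$cv\Explorer\ShellExecuteHooks"; Data = 'seqsb' },
        @{ Key = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar'; Name = $clsid }
    )
    foreach ($c in $valueChecks) {
        $k = Get-Item -LiteralPath $c['Key'] -ErrorAction SilentlyContinue
        if (-not $k) { continue }
        foreach ($n in $k.GetValueNames()) {
            $d = [string]$k.GetValue($n)
            if (($c['Name'] -and $n -eq $c['Name']) -or ($c['Data'] -and $d -eq $c['Data'])) {
                $hits += [pscustomobject]@{ Kind = 'Value'; Location = $c['Key']; Detail = "$n = $d" }
            }
        }
    }
    $hits
}

Find-SearchBarCashArtifact | Format-List
```

On 64-bit Windows, registrations made by 32-bit code can also appear under the corresponding WOW6432Node subkeys, which this example does not enumerate.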

