Adware.AdBars

Updated: February 13, 2007 11:42:57 AM
Type: Adware
Publisher: Ruboskizo.com
Risk Impact: Medium
File Names: AdBar.dll DownloadHtml.dll
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP


When Adware.AdBars is installed, the following actions are performed:

  1. Creates the following files:

    • %System%\AdBar.dll
    • %Windir%\Downloaded Program Files\DownloadHtml.dll


    Notes:
    • %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
    • %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

  2. Creates the following registry keys:

    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{51641EF3-8A7A-4D84-8659-B0911E947CC8}
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C4CA6559-2CF1-48B6-96B2-8340A06FD129}
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{EC4ACEBD-8918-4924-869E-FC3C060D2EE9}
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F12DFA04-77C4-47E8-B101-6A2B1E631410}
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{BDEAA8B4-BE40-4B94-B989-065AFCF8A06F}
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AdBar.AlisysRubBandTest
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DownloadHtml.SetupHtml
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DownloadHtml.SetupHtml.1
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{51641EF3-8A7A-4D84-8659-B0911E947CC8}
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C4CA6559-2CF1-48B6-96B2-8340A06FD129}
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{51641EF3-8A7A-4D84-8659-B0911E947CC8}
    • HKEY_CURRENT_USER\Software\Ruboskizo

  3. Modifies the value:

    "{C4CA6559-2CF1-48B6-96B2-8340A06FD129}" = "Toolbar Ruboskizo"

    in the registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar

  4. Modifies the value:

    "goicfboogidikkejccmclpieicihhlpo ijbaca" = "Ruboskizo S.L."

    in the registry key:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Trust Database\0

  5. Modifies the value:

    "7DFDF6841B48C0155A0217E4A9FBFFA653671031" = <encoded value>

    in the registry key:

    HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates

  6. Changes Internet Explorer homepage to "http:// www.turbonXX.com"

  7. Displays advertisements in Internet Explorer.
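
A triage check for the registry changes listed above, run against the text of a `reg export` dump from a suspect host. This is an added example, not part of the original write-up: the function names and the sample export are constructed, and the dump is assumed to be already decoded to text (regedit writes UTF-16).

```python
import re
# Indicators from the write-up above as (parent key, name, label). A hit is a
# value called `name` under the parent, or a subkey called `name`.
INDICATORS = [
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects",
     "{51641EF3-8A7A-4D84-8659-B0911E947CC8}", "Browser Helper Object"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar",
     "{C4CA6559-2CF1-48B6-96B2-8340A06FD129}", "IE toolbar"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates",
     "7DFDF6841B48C0155A0217E4A9FBFFA653671031", "trusted publisher certificate"),
    (r"HKEY_CURRENT_USER\Software", "Ruboskizo", "publisher settings key"),
]
SECTION = re.compile(r"^\[(-?)(.+)\]$")
VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"=')

def parse_reg(text):
    """Return (keys, (key, value name) pairs) from .reg export text, lower-cased."""
    keys, values, current = set(), set(), None
    for line in map(str.strip, text.splitlines()):
        if m := SECTION.match(line):
            # "[-KEY]" is a deletion directive, not a key that exists.
            current = None if m.group(1) else m.group(2).lower()
            if current:
                keys.add(current)
        elif current and (m := VALUE.match(line)):
            # Undo .reg escaping (\\ and \") in the value name before comparing.
            values.add((current, re.sub(r"\\(.)", r"\1", m.group(1)).lower()))
    return keys, values

def find_adbars(text):
    """Return labels of the indicators present in the export, in list order."""
    keys, values = parse_reg(text)
    hits = []
    for parent, name, label in INDICATORS:
        full = (parent + "\\" + name).lower()
        in_keys = any(k == full or k.startswith(full + "\\") for k in keys)
        if in_keys or (parent.lower(), name.lower()) in values:
            hits.append(label)
    return hits

# Constructed sample export, not captured from a real host.
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{51641ef3-8a7a-4d84-8659-b0911e947cc8}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{C4CA6559-2CF1-48B6-96B2-8340A06FD129}"="Toolbar Ruboskizo"
[HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates\7DFDF6841B48C0155A0217E4A9FBFFA653671031]
"Blob"=hex:00
[-HKEY_CURRENT_USER\Software\Ruboskizo]
'''
```

The certificate indicator is matched both as a value name, as the write-up lists it, and as a subkey named after the thumbprint, since the certificate store keeps each entry in its own subkey.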

