
Adware.CramToolbar

Updated: February 13, 2007 11:46:37 AM
Type: Adware
Version: 1.0
Publisher: www.cracks.am
Risk Impact: Medium
File Names: untitled.dll
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

When Adware.CramToolbar is executed, it performs the following actions:
  1. Creates the following files:

    • %ProgramFiles%\Cram Toolbar\basis.xml
    • %ProgramFiles%\Cram Toolbar\icons.bmp
    • %ProgramFiles%\Cram Toolbar\untitled.crc
    • %ProgramFiles%\Cram Toolbar\untitled.dll
    • %ProgramFiles%\Cram Toolbar\version.txt

      Note: %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.

  2. Creates the folder %ProgramFiles%\Cram Toolbar\Cache.

  3. Creates the following registry entries:

    HKEY_CLASSES_ROOT\CLSID\{01E69986-A054-4C52-ABE8-EF63DF1C5211}
    HKEY_CLASSES_ROOT\CLSID\{1395A06F-EEA0-4445-BA0C-E8B56B48E244}
    HKEY_CLASSES_ROOT\Interface\{9D5C62AE-57B0-43C3-BAE4-BA7908DF4386}
    HKEY_CLASSES_ROOT\Interface\{F5BB1D9A-DA7B-4C5B-8272-1554B814E97F}
    HKEY_CLASSES_ROOT\ToolBand.XBTB00429
    HKEY_CLASSES_ROOT\ToolBand.XBTB00429.1
    HKEY_CLASSES_ROOT\TypeLib\{256CE99C-D5E1-4ACC-A538-2ED1E2710FAE}
    HKEY_CLASSES_ROOT\XBTB00429.IEToolbar
    HKEY_CLASSES_ROOT\XBTB00429.IEToolbar.1
    HKEY_CLASSES_ROOT\XBTB00429.XBTB00429
    HKEY_CLASSES_ROOT\XBTB00429.XBTB00429.1
    HKEY_CURRENT_USER\Software\Maxthon
    HKEY_CURRENT_USER\software\XBTB00429
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks\{01E69986-A054-4C52-ABE8-EF63DF1C5211}
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{0E5CBF21-D15F-11D0-8301-00AA005B4383}
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{01E69986-A054-4C52-ABE8-EF63DF1C5211}
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{01E04581-4EEE-11D0-BFE9-00AA005B4383}
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ITBarLayout
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1395A06F-EEA0-4445-BA0C-E8B56B48E244}
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\{01E69986-A054-4C52-ABE8-EF63DF1C5211}
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\XBTB00429.XBTB00429Toolbar


  4. Adds the following value:

    "iexplore" = 0

    to the registry subkey:

    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN

  5. Modifies the value:

    "Start Page" = "[http://]www.fuck-portal.com/[REMOVED]"

    in the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main

    to reset the search page in Internet Explorer.

  6. Launches Internet Explorer and opens the following URL:

    [http://]www.cracks.am/[REMOVED]

  7. Displays a toolbar when Internet Explorer is launched.
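
As an added example (not Symantec's code), the following read-only PowerShell script checks a machine for the files and registry entries listed in steps 1 to 4. It assumes that some listed entries may be values rather than keys, and it leaves out entries that do not name XBTB00429 or one of the two CLSIDs registered under HKEY_CLASSES_ROOT\CLSID (for example HKEY_CURRENT_USER\Software\Maxthon and ITBarLayout), since those can exist without this adware.

```powershell
# Added example: read-only check for the Adware.CramToolbar artifacts listed above.
# Run it in the affected user's session so HKEY_CURRENT_USER is that user's hive.
# Assumption: on 64-bit Windows also check ${env:ProgramFiles(x86)} and Wow6432Node.

function Test-RegistryEntry {
    param([string]$Path)
    # The write-up does not say whether an entry is a key or a value, so try
    # the full path as a key, then its last element as a value of the parent key.
    if (Test-Path -LiteralPath "Registry::$Path") { return $true }
    $cut = $Path.LastIndexOf('\')
    $key = Get-Item -LiteralPath ("Registry::" + $Path.Substring(0, $cut)) -ErrorAction SilentlyContinue
    return ($null -ne $key) -and ($key.GetValueNames() -contains $Path.Substring($cut + 1))
}

$ie = 'Software\Microsoft\Internet Explorer'
$entries = @(
    'HKEY_CLASSES_ROOT\CLSID\{01E69986-A054-4C52-ABE8-EF63DF1C5211}'
    'HKEY_CLASSES_ROOT\CLSID\{1395A06F-EEA0-4445-BA0C-E8B56B48E244}'
    'HKEY_CLASSES_ROOT\ToolBand.XBTB00429'
    'HKEY_CLASSES_ROOT\XBTB00429.IEToolbar'
    'HKEY_CLASSES_ROOT\XBTB00429.XBTB00429'
    'HKEY_CURRENT_USER\Software\XBTB00429'
    "HKEY_CURRENT_USER\$ie\URLSearchHooks\{01E69986-A054-4C52-ABE8-EF63DF1C5211}"
    "HKEY_CURRENT_USER\$ie\Toolbar\WebBrowser\{01E69986-A054-4C52-ABE8-EF63DF1C5211}"
    "HKEY_LOCAL_MACHINE\$ie\Toolbar\{01E69986-A054-4C52-ABE8-EF63DF1C5211}"
    'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1395A06F-EEA0-4445-BA0C-E8B56B48E244}'
    'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\XBTB00429.XBTB00429Toolbar'
)

# Files and the Cache folder from steps 1 and 2.
$dir   = Join-Path $env:ProgramFiles 'Cram Toolbar'
$files = 'basis.xml', 'icons.bmp', 'untitled.crc', 'untitled.dll', 'version.txt', 'Cache' |
    ForEach-Object { Join-Path $dir $_ }

$found = @($files | Where-Object { Test-Path -LiteralPath $_ }) +
         @($entries | Where-Object { Test-RegistryEntry $_ })

# Step 4: "iexplore" = 0 under FEATURE_LOCALMACHINE_LOCKDOWN.
$lock = Get-Item -LiteralPath "Registry::HKEY_CURRENT_USER\$ie\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN" -ErrorAction SilentlyContinue
if ($lock -and $lock.GetValue('iexplore') -eq 0) {
    $found += 'FEATURE_LOCALMACHINE_LOCKDOWN: "iexplore" = 0'
}

if ($found) { $found | ForEach-Object { "FOUND  $_" } }
else        { 'None of the checked Adware.CramToolbar artifacts are present.' }
```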


