Adware.AlibabaTB


Updated: February 13, 2007 11:46:47 AM
Type: Adware
Publisher: china.alibaba.com
Risk Impact: Low
File Names: bar.dll
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP


When Adware.AlibabaTB is installed, it performs the following actions:
  1. Creates the following registry entries (each key path is wrapped across several lines and ends with its "value" = "data" pair):

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\
    {09F59435-7814-48ED-A73A-96FF861A91EB}\VersionIndependentProgID\
    "Default" = "AlibabaIEToolBar.AlibabaSearchBar"
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\
    {09F59435-7814-48ED-A73A-96FF861A91EB}\TypeLib\
    "Default" = "{448F1BD5-C41A-4551-83CF-8CD2309ABC66}"
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\
    {09F59435-7814-48ED-A73A-96FF861A91EB}\ProgID\
    "Default" = "AlibabaIEToolBar.AlibabaSearchBar.1"
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\
    {09F59435-7814-48ED-A73A-96FF861A91EB}\
    InprocServer32\"Default" = "[ADWARE PATH]"
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\
    {09F59435-7814-48ED-A73A-96FF861A91EB}\InprocServer32\
    "ThreadingModel" = "Apartment"
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\
    {09F59435-7814-48ED-A73A-96FF861A91EB}\"Default" = "[RANDOM CHARACTERS]"
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\
    {0C588F7D-A2B3-4001-B59B-D856C1BF3AD7}\VersionIndependentProgID\
    "Default" = "AlibabaIEToolBar.AlibabaButton"
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\
    {0C588F7D-A2B3-4001-B59B-D856C1BF3AD7}\TypeLib\
    "Default" = "{448F1BD5-C41A-4551-83CF-8CD2309ABC66}"
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\
    {0C588F7D-A2B3-4001-B59B-D856C1BF3AD7}\ProgID\
    "Default" = "AlibabaIEToolBar.AlibabaButton.1"
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\
    {0C588F7D-A2B3-4001-B59B-D856C1BF3AD7}\InprocServer32\"Default" = "[ADWARE PATH]"
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\
    {0C588F7D-A2B3-4001-B59B-D856C1BF3AD7}\InprocServer32\"ThreadingModel" = "Apartment"
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\
    {0C588F7D-A2B3-4001-B59B-D856C1BF3AD7}\"Default" = "AlibabaButton Class"
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\
    {850B69E4-90DB-4F45-8621-891BF35A5B53}\VersionIndependentProgID\
    "Default" = "AlibabaIEToolBar.ShowBarObject"
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\
    {850B69E4-90DB-4F45-8621-891BF35A5B53}\TypeLib\
    "Default" = "{448F1BD5-C41A-4551-83CF-8CD2309ABC66}"
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\
    {850B69E4-90DB-4F45-8621-891BF35A5B53}\ProgID\
    "Default" = "AlibabaIEToolBar.ShowBarObject.1"
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\
    {850B69E4-90DB-4F45-8621-891BF35A5B53}\InprocServer32\"Default" = "[ADWARE PATH]"
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\
    {850B69E4-90DB-4F45-8621-891BF35A5B53}\InprocServer32\"ThreadingModel" = "Apartment"
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\
    {850B69E4-90DB-4F45-8621-891BF35A5B53}\"Default" = "ShowBarObject Class"
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\
    {42CB709C-A1D6-4C3A-9F9C-B077FF86A760}\TypeLib\
    "Default" = "{448F1BD5-C41A-4551-83CF-8CD2309ABC66}"
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\
    {42CB709C-A1D6-4C3A-9F9C-B077FF86A760}\TypeLib\"Version" = "1.0"
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\
    {42CB709C-A1D6-4C3A-9F9C-B077FF86A760}\ProxyStubClsid32\
    "Default" = "{00020424-0000-0000-C000-000000000046}"
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\
    {42CB709C-A1D6-4C3A-9F9C-B077FF86A760}\ProxyStubClsid\
    "Default" = "{00020424-0000-0000-C000-000000000046}"
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\
    {42CB709C-A1D6-4C3A-9F9C-B077FF86A760}\"Default" = "IAlibabaButton"
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\
    {63C8AF31-AD6E-417C-BF8B-48B96E95DC25}\TypeLib\
    "Default" = "{448F1BD5-C41A-4551-83CF-8CD2309ABC66}"
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\
    {63C8AF31-AD6E-417C-BF8B-48B96E95DC25}\TypeLib\"Version" = "1.0"
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\
    {63C8AF31-AD6E-417C-BF8B-48B96E95DC25}\ProxyStubClsid32\
    "Default" = "{00020424-0000-0000-C000-000000000046}"
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\
    {63C8AF31-AD6E-417C-BF8B-48B96E95DC25}\ProxyStubClsid\
    "Default" = "{00020424-0000-0000-C000-000000000046}"
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\
    {63C8AF31-AD6E-417C-BF8B-48B96E95DC25}\"Default" = "IShowBarObject"
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\
    {AB44756F-FCE0-454D-AF29-930B89BB44D2}\TypeLib\
    "Default" = "{448F1BD5-C41A-4551-83CF-8CD2309ABC66}"
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\
    {AB44756F-FCE0-454D-AF29-930B89BB44D2}\TypeLib\"Version" = "1.0"
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\
    {AB44756F-FCE0-454D-AF29-930B89BB44D2}\ProxyStubClsid32\
    "Default" = "{00020424-0000-0000-C000-000000000046}"
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\
    {AB44756F-FCE0-454D-AF29-930B89BB44D2}\ProxyStubClsid\
    "Default" = "{00020424-0000-0000-C000-000000000046}"
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\
    {AB44756F-FCE0-454D-AF29-930B89BB44D2}\"Default" = "IAlibabaSearchBar"
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\
    {448F1BD5-C41A-4551-83CF-8CD2309ABC66}\1.0\0\win32\"Default" = "[ADWARE PATH]"
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\
    {448F1BD5-C41A-4551-83CF-8CD2309ABC66}\1.0\HELPDIR\
    "Default" = "[PATH TO ADWARE]\"Default"
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\
    {448F1BD5-C41A-4551-83CF-8CD2309ABC66}\1.0\FLAGS\"Default" = "0"
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\
    {448F1BD5-C41A-4551-83CF-8CD2309ABC66}\1.0\
    "Default" = "AlibabaIEToolBar 1.0 Type Library"
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AlibabaIEToolBar.AlibabaButton\CurVer\
    "Default" = "AlibabaIEToolBar.AlibabaButton.1"
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AlibabaIEToolBar.AlibabaButton\CLSID\
    "Default" = "{0C588F7D-A2B3-4001-B59B-D856C1BF3AD7}"
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AlibabaIEToolBar.AlibabaButton\
    "Default" = "AlibabaButton Class"
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AlibabaIEToolBar.AlibabaButton.1\CLSID\
    "Default" = "{0C588F7D-A2B3-4001-B59B-D856C1BF3AD7}"
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AlibabaIEToolBar.AlibabaButton.1\
    "Default" = "AlibabaButton Class"
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AlibabaIEToolBar.AlibabaSearchBar\CurVer\
    "Default" = "AlibabaIEToolBar.AlibabaSearchBar.1"
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AlibabaIEToolBar.AlibabaSearchBar\CLSID\
    "Default" = "{09F59435-7814-48ED-A73A-96FF861A91EB}"
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AlibabaIEToolBar.AlibabaSearchBar\
    "Default" = "AlibabaSearchBar Class"
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AlibabaIEToolBar.AlibabaSearchBar.1\CLSID\
    "Default" = "{09F59435-7814-48ED-A73A-96FF861A91EB}"
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AlibabaIEToolBar.AlibabaSearchBar.1\
    "Default" = "AlibabaSearchBar Class"
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AlibabaIEToolBar.ShowBarObject\CurVer\
    "Default" = "AlibabaIEToolBar.ShowBarObject.1"
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AlibabaIEToolBar.ShowBarObject\CLSID\
    "Default" = "{850B69E4-90DB-4F45-8621-891BF35A5B53}"
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AlibabaIEToolBar.ShowBarObject\
    "Default" = "ShowBarObject Class"
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AlibabaIEToolBar.ShowBarObject.1\CLSID\
    "Default" = "{850B69E4-90DB-4F45-8621-891BF35A5B53}"
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AlibabaIEToolBar.ShowBarObject.1\
    "Default" = "ShowBarObject Class"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\
    {09F59435-7814-48ED-A73A-96FF861A91EB}\"ComponentID" = "alibabatoolbar"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\
    {09F59435-7814-48ED-A73A-96FF861A91EB}\"IsInstalled" = "1"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\
    {09F59435-7814-48ED-A73A-96FF861A91EB}\"Version" = "1"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
    {09F59435-7814-48ED-A73A-96FF861A91EB}\"BarSize" = "1"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\
    {13b0c05c-ef05-4bf6-b0ea-f6111af25544}\
    "CLSID" = "{1FBA04EE-3024-11d2-8F1F-0000F87ABD16}"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\
    {13b0c05c-ef05-4bf6-b0ea-f6111af25544}\
    "ClsidExtension" = "{0C588F7D-A2B3-4001-B59B-D856C1BF3AD7}"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\
    {13b0c05c-ef05-4bf6-b0ea-f6111af25544}\"Default Visible" = "Yes"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\
    {13b0c05c-ef05-4bf6-b0ea-f6111af25544}\"ButtonText" = "[RANDOM CHARACTERS]"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\
    {13b0c05c-ef05-4bf6-b0ea-f6111af25544}\"Icon" = "[PATH TO ADWARE]\default0.ico"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\
    {13b0c05c-ef05-4bf6-b0ea-f6111af25544}\
    "HotIcon" = "[PATH TO ADWARE]\default0.ico"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
    Uninstall\Alibaba Toolbar\"DisplayName" = "[RANDOM CHARACTERS]"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
    Uninstall\Alibaba Toolbar\"HelpLink" = "[http://]china.alibaba.com/[REMOVED]"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
    Uninstall\Alibaba Toolbar\"Publisher" = "[RANDOM CHARACTERS]"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
    Uninstall\Alibaba Toolbar\"DisplayVersion" = "1.1"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
    Uninstall\Alibaba Toolbar\"UninstallString" = "regsvr32 /u /s "[ADWARE PATH]""
    HKEY_LOCAL_MACHINE\SOFTWARE\Ablibaba\Toolbar\"downloadtime" = "0"
    HKEY_LOCAL_MACHINE\SOFTWARE\Ablibaba\Toolbar\"history" = ""
    HKEY_LOCAL_MACHINE\SOFTWARE\Ablibaba\Toolbar\"path" = "[PATH TO ADWARE]\"Default""
    HKEY_LOCAL_MACHINE\SOFTWARE\Ablibaba\Toolbar\"toolbarini" = "toolbar0.ini"
    HKEY_LOCAL_MACHINE\SOFTWARE\Ablibaba\Toolbar\
    "cabURL" = "[http://]download.china.alibaba.com/[REMOVED]/search/alibaba/2/bar.cab"
    HKEY_LOCAL_MACHINE\SOFTWARE\Ablibaba\Toolbar\
    "md5URL" = "[http://]download.china.alibaba.com/[REMOVED]/search/alibaba/2/_md5"
    HKEY_LOCAL_MACHINE\SOFTWARE\Ablibaba\Toolbar\
    "cabarc" = "[http://]download.china.alibaba.com/[REMOVED]/search/alibaba/cabarc.exe"
    HKEY_LOCAL_MACHINE\SOFTWARE\Ablibaba\Toolbar\"updateSchedule" = "0x433D6DA6"
    HKEY_LOCAL_MACHINE\SOFTWARE\Ablibaba\Toolbar\"version" = "1"
    HKEY_LOCAL_MACHINE\SOFTWARE\Ablibaba\Toolbar\"onlinereg" = "0"


    Note: The values shown as [RANDOM CHARACTERS] contain Chinese text. On non-Chinese language operating systems, they appear as a garbled string of seemingly random characters. On Chinese language operating systems, the Chinese characters are displayed.

  2. Downloads the following files when Internet Explorer is opened (the same URLs stored in the "cabURL", "md5URL", and "cabarc" registry values listed above):

    • [http://]download.china.alibaba.com/[REMOVED]/search/alibaba/2/bar.cab
    • [http://]download.china.alibaba.com/[REMOVED]/search/alibaba/2/_md5
    • [http://]download.china.alibaba.com/[REMOVED]/search/alibaba/cabarc.exe

  3. Monitors keyword searches on various Web sites, and sends the keywords to the china.alibaba.com domain.

