Adware.TrustInBar

Updated: April 28, 2006 2:24:08 PM
Type: Adware
Risk Impact: High
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP
Adware.TrustInBar is an Internet Explorer toolbar, installed together with several browser helper objects (BHOs), that displays pop-up ads and changes the browser's home page.

Once executed, the security risk creates the following files:
%ProgramFiles%\TrustIn Bar\bar.xml
%ProgramFiles%\TrustIn Bar\trust.bmp
%ProgramFiles%\TrustIn Bar\trustin.dll
%ProgramFiles%\TrustIn Contextual\uninstall.exe
%ProgramFiles%\TrustIn Popups\popups.exe
%ProgramFiles%\TrustIn Popups\uninstall.exe
%ProgramFiles%\TrustIn Search\uninstall.exe
%System%\lcch.dat
%System%\lut.dat
%System%\tconini.dat
%System%\ticads.exe
%System%\ticont.dll
%System%\tipp.dat
%System%\tippcls.dat
%System%\tips.exe
%System%\tisa.cnf
%System%\tisa.dll
%windir%\local.html
%windir%\onlineshopping.ico
%windir%\removeadware.ico
%windir%\sexpersonals.ico
%windir%\videoslots.ico
%UserProfile%\Desktop\Online Shopping.url
%UserProfile%\Desktop\Remove Adware.url
%UserProfile%\Desktop\Sex Personals.url
%UserProfile%\Desktop\Video Slots.url

The risk then creates and populates the following registry subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2520BA45-3D97-4864-82FF-F47F951727BA}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9B053E00-78D3-47AE-B763-60FF36FF2886}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{a19ef336-01d4-48e6-926a-fe7e1c747aed}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{da7ff3f8-08be-4cac-bc00-94d91c6ae7f4}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{3F38FF1D-E8D7-41F5-8EFC-E20D38526CD5}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{636FF82A-830A-42EA-938B-6DC78B2AC30C}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{76EB2786-FBC3-45BA-8F5E-5DBB822D499A}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{A55C3BA7-DB1E-4652-867E-055CEAFE8018}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{03959D01-B260-4552-9C05-1C0072E0DD3E}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{42FC3840-020C-4E93-A34C-4DF1A6330FBB}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{999887F8-C452-41E5-ACA1-A2ACD64C5EFE}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ticont.MyBHO
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\tisa.MyBHO
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TrustIn.activator
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TrustIn.activator.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TrustIn.StockBar
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TrustIn.StockBar.1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2520BA45-3D97-4864-82FF-F47F951727BA}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9B053E00-78D3-47AE-B763-60FF36FF2886}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{da7ff3f8-08be-4cac-bc00-94d91c6ae7f4}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TICONT
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TIPU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TISA
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TrustIn Bar
HKEY_LOCAL_MACHINE\SOFTWARE\TrustIn Bar

It may also create the following registry subkeys:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2520BA45-3D97-4864-82FF-F47F951727BA}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9B053E00-78D3-47AE-B763-60FF36FF2886}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A19EF336-01D4-48E6-926A-FE7E1C747AED}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DA7FF3F8-08BE-4CAC-BC00-94D91C6AE7F4}

The risk also creates the following registry entries. The Post Platform value appends the token "TISA" to Internet Explorer's User-Agent string, so infected browsers can be identified in web server and proxy logs:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\"{a19ef336-01d4-48e6-926a-fe7e1c747aed}" = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform\"TISA"

The risk then changes the Internet Explorer home page to point to the dropped file:
%windir%\local.html

The risk displays pop-up ads.
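The file, registry, toolbar and User-Agent artifacts listed above can be checked offline against a registry export and a file listing taken from a suspect machine. The script below is an added example, not part of this writeup or of any Symantec tool. It assumes a `reg export` text file already decoded to a string, a list of file paths from a triage image, and a caller-supplied mapping for the %ProgramFiles%, %System% and %windir% placeholders; the sample registry text and file list at the bottom are constructed for illustration. The home-page check uses the standard "Start Page" value under HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main, which the writeup does not name.

```python
# Added example (not from the original writeup): match a .reg text export and a
# file listing from a triage image against the TrustInBar indicators above.
from __future__ import annotations
import re

# Indicators transcribed from the writeup. GUIDs are compared case-insensitively:
# the page itself lists the same CLSID in both upper and lower case.
BHO_CLSIDS = {"{2520BA45-3D97-4864-82FF-F47F951727BA}", "{9B053E00-78D3-47AE-B763-60FF36FF2886}",
              "{DA7FF3F8-08BE-4CAC-BC00-94D91C6AE7F4}"}
TOOLBAR_CLSID = "{A19EF336-01D4-48E6-926A-FE7E1C747AED}"
UNINSTALL_NAMES = {"TICONT", "TIPU", "TISA", "TRUSTIN BAR"}
FILE_IOCS = [  # subset of the dropped files, placeholders as written on the page
    r"%ProgramFiles%\TrustIn Bar\trustin.dll", r"%ProgramFiles%\TrustIn Popups\popups.exe",
    r"%System%\ticads.exe", r"%System%\ticont.dll", r"%System%\tips.exe", r"%System%\tisa.dll",
    r"%windir%\local.html"]
HKLM_CV = r"HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION"
BHO_KEY = HKLM_CV + r"\EXPLORER\BROWSER HELPER OBJECTS"
UNINSTALL_KEY = HKLM_CV + r"\UNINSTALL"
POST_PLATFORM_KEY = HKLM_CV + r"\INTERNET SETTINGS\USER AGENT\POST PLATFORM"
TOOLBAR_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\INTERNET EXPLORER\TOOLBAR"
# The writeup does not name the home-page value; IE keeps it in "Start Page" here.
START_PAGE_KEY = r"HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN"

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def _unescape(s: str) -> str:
    return re.sub(r"\\(.)", r"\1", s)  # undo .reg escaping of \ and "


def parse_reg_export(text: str) -> dict[str, dict[str, object]]:
    """Map upper-cased key path -> {value name: data}. Strings and dwords are decoded;
    hex: and multi-line binary continuations stay as raw text. The file header,
    blank lines and ';' comments match neither pattern and are ignored."""
    keys: dict[str, dict[str, object]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := _KEY_RE.match(line):
            current = m.group(1).upper()
            keys.setdefault(current, {})
        elif current is not None and (m := _VALUE_RE.match(line)):
            name = _unescape(m.group(1)) if m.group(1) is not None else ""  # "" is (Default)
            data = m.group(2)
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                keys[current][name] = _unescape(data[1:-1])
            elif data.lower().startswith("dword:"):
                keys[current][name] = int(data[6:], 16)
            else:
                keys[current][name] = data
    return keys


def find_registry_iocs(keys: dict[str, dict[str, object]]) -> list[tuple[str, str]]:
    """Return (indicator type, detail) for each TrustInBar registry artifact present."""
    hits: list[tuple[str, str]] = []
    for key in keys:
        if key.startswith(BHO_KEY + "\\") and key[len(BHO_KEY) + 1:] in BHO_CLSIDS:
            hits.append(("bho", key))
        elif key.startswith(UNINSTALL_KEY + "\\") and key[len(UNINSTALL_KEY) + 1:] in UNINSTALL_NAMES:
            hits.append(("uninstall_entry", key))
    hits += [("ie_toolbar", n) for n in keys.get(TOOLBAR_KEY, {}) if n.upper() == TOOLBAR_CLSID]
    hits += [("user_agent_token", n) for n in keys.get(POST_PLATFORM_KEY, {}) if n.upper() == "TISA"]
    for name, data in keys.get(START_PAGE_KEY, {}).items():
        if name.upper() == "START PAGE" and isinstance(data, str) and data.upper().endswith("\\LOCAL.HTML"):
            hits.append(("start_page", data))
    return hits


def find_file_iocs(listing: list[str], env: dict[str, str]) -> list[str]:
    """Expand the page's %...% placeholders to the image's real paths and return
    every listed path that matches a dropped-file indicator (case-insensitive)."""
    env_upper = {k.upper(): v for k, v in env.items()}
    pat = re.compile("|".join(re.escape(k) for k in env_upper), re.IGNORECASE)
    expected = {pat.sub(lambda m: env_upper[m.group(0).upper()], ioc).upper() for ioc in FILE_IOCS}
    return [p for p in listing if p.upper() in expected]


# Constructed sample input, not real triage data: a few keys as `reg export`
# writes them (note the lower-case CLSID), plus a short directory listing.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{da7ff3f8-08be-4cac-bc00-94d91c6ae7f4}]
@=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{a19ef336-01d4-48e6-926a-fe7e1c747aed}"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"TISA"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TrustIn Bar]
"DisplayName"="TrustIn Bar"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="C:\\WINDOWS\\local.html"
"""
SAMPLE_FILES = [r"C:\WINDOWS\system32\ticont.dll", r"C:\WINDOWS\system32\TISA.DLL", r"C:\WINDOWS\system32\kernel32.dll",
                r"C:\Program Files\TrustIn Bar\trustin.dll", r"C:\WINDOWS\local.html"]
SAMPLE_ENV = {"%ProgramFiles%": r"C:\Program Files", "%System%": r"C:\WINDOWS\system32", "%windir%": r"C:\WINDOWS"}

if __name__ == "__main__":
    for kind, detail in find_registry_iocs(parse_reg_export(SAMPLE_REG)):
        print(f"[registry] {kind}: {detail}")
    for path in find_file_iocs(SAMPLE_FILES, SAMPLE_ENV):
        print(f"[file] {path}")
```

The parser is deliberately minimal: every indicator on this page is a key name, a value name or a string value, so decoding string and dword data is enough and binary values can stay raw. Note that `reg export` writes UTF-16 files; decode with that encoding before passing the text in. Matching is case-insensitive throughout because NTFS paths and registry names are, and because the writeup itself lists the same CLSIDs in mixed case.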
Writeup By: Rodney Andres