
Adware.BarACE

Updated: February 17, 2007 2:45:03 PM
Also Known As: Adware.ACEbar [Symantec]
Type: Adware
Infection Length: 488,912 bytes
Risk Impact: Low
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP

Adware.BarACE is a toolbar that sends the keywords a user enters to a third-party URL. The address toolbar reportedly provides URL translation, but keywords entered into it are not translated; instead, the search is redirected to [http://]search.startn.net.

When the program is executed, it creates the following files:
  • %ProgramFiles%\acetoolbar\acebar.dll
  • %ProgramFiles%\acetoolbar\acebarext.dll
  • %ProgramFiles%\acetoolbar\acebarupdate.exe
  • %ProgramFiles%\acetoolbar\uninstall.exe
  • %ProgramFiles%\acetoolbar\License.txt
  • %ProgramFiles%\Internet Explorer\atlapp.sys
  • %UserProfile%\Administrator\Start Menu\Programs\Windows ACE ToolBar\Uninstall.lnk
  • %UserProfile%\Administrator\Start Menu\Programs\Windows ACE ToolBar\[KOREAN CHARACTERS].lnk
Next, the program creates the following registry subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DownloadManager
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Acebarext.AceSearch
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Acebarext.AceSearch.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ACEToolBar.ACEToolBarObj
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ACEToolBar.ACEToolBarObj.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A83C19E3-55A4-4a75-AC5B-5BA0CE86CDB2}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E0AACEAB-625A-4DDE-865F-16763445E314}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{476EDC78-540F-42F0-B6BC-D3CA1BAE169D}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{CF93DF46-0AF7-4E54-A199-6401CD7E9C21}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{F39E0BA6-5B04-4F44-9973-16F15EA1A7DD}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{F4CE3077-EFDD-4985-AAB8-3CF1A032440E}
HKEY_LOCAL_MACHINE\SOFTWARE\intmedia\toolbar
HKEY_LOCAL_MACHINE\SOFTWARE\Windows ACEbar
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E0AACEAB-625A-4DDE-865F-16763445E314}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\acetoolbar
HKEY_LOCAL_MACHINE\SOFTWARE\Windows ACEbar\KEY
HKEY_LOCAL_MACHINE\SOFTWARE\Windows ACEbar\MSG

The program also creates the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\acetoolbar\"DisplayName" = "Windows ACE ToolBar"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\acetoolbar\"UninstallString" = "%ProgramFiles\acetoolbar\uninstall.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Windows ACEbar\"acebarver" = "20061113"
HKEY_LOCAL_MACHINE\SOFTWARE\Windows ACEbar\"address" = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Windows ACEbar\"setupdata" = ""
HKEY_USERS\[USER NUMBER]\Software\Microsoft\Windows\CurrentVersion\Run\"WindowsACEbar" = "%ProgramFiles%\acetoolbar\acebarupdate.exe"
HKEY_LOCAL_MACHINE\Software\intmedia\toolbar\"installfile" = "%ProgramFiles%\acetoolbar\uninstall.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\"{A83C19E3-55A4-4a75-AC5B-5BA0CE86CDB2}" = "00"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\System Setting\"ImagePath" = "\??\%ProgramFiles%\Internet Explorer\atlapp.sys"
HKEY_LOCAL_MACHINE\SOFTWARE\Windows ACEbar\"today" = "[CURRENT DATE]"

It then modifies the following registry entries:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\System Setting\Enum\"0" = "Root\LEGACY_SYSTEM_SETTING\0000"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\System Setting\Enum\"Count" = "1"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\System Setting\Enum\"NextInstance" = "1"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\System Setting\"ErrorControl" = "1"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\System Setting\Security\"Security" = "01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 00 00 18 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\System Setting\"Start" = "3"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\System Setting\"Type" = "1"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\System Setting\"DisplayName" = "System Setting"

The program automatically updates itself by contacting the following URLs:
  • [http://]log.onmuz.com
  • [http://]app.wipia.com
  • [http://]updatechk.voneclick.com
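As an added example that is not part of the Symantec writeup, the following PowerShell script audits a host for the files, registry keys, Internet Explorer toolbar and BHO registrations, per-user Run entry and "System Setting" driver service listed above, and reports what it finds. It assumes an elevated session on a Windows host and that %ProgramFiles% resolves through $env:ProgramFiles; it reads only and removes nothing.

```powershell
# Added example (not from the Symantec writeup): read-only audit for the
# Adware.BarACE artefacts listed above. Assumes an elevated session on Windows.
$findings = New-Object 'System.Collections.Generic.List[string]'

# File artefacts. atlapp.sys is the image loaded by the "System Setting" driver service.
$files = @(
    "$env:ProgramFiles\acetoolbar\acebar.dll",
    "$env:ProgramFiles\acetoolbar\acebarext.dll",
    "$env:ProgramFiles\acetoolbar\acebarupdate.exe",
    "$env:ProgramFiles\acetoolbar\uninstall.exe",
    "$env:ProgramFiles\Internet Explorer\atlapp.sys",
    "$env:USERPROFILE\Start Menu\Programs\Windows ACE ToolBar"   # assumed XP-era Start Menu layout
)
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) { $findings.Add("Present: $f") }
}

# Registry keys: COM registrations, the BHO hook into Internet Explorer,
# uninstall entry, configuration keys, and the kernel driver service.
$keys = @(
    'HKLM:\SOFTWARE\Classes\CLSID\{A83C19E3-55A4-4a75-AC5B-5BA0CE86CDB2}',
    'HKLM:\SOFTWARE\Classes\CLSID\{E0AACEAB-625A-4DDE-865F-16763445E314}',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E0AACEAB-625A-4DDE-865F-16763445E314}',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\acetoolbar',
    'HKLM:\SOFTWARE\Windows ACEbar',
    'HKLM:\SOFTWARE\intmedia\toolbar',
    'HKLM:\SYSTEM\CurrentControlSet\Services\System Setting'
)
foreach ($k in $keys) {
    if (Test-Path -LiteralPath $k) { $findings.Add("Present: $k") }
}
# The IE toolbar registration is a value named after the toolbar CLSID, not a subkey.
$tb = Get-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar' `
        -Name '{A83C19E3-55A4-4a75-AC5B-5BA0CE86CDB2}' -ErrorAction SilentlyContinue
if ($tb) { $findings.Add('IE toolbar registered for CLSID {A83C19E3-55A4-4a75-AC5B-5BA0CE86CDB2}') }
# The Run entry is per user, so walk every loaded hive under HKEY_USERS.
Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue | ForEach-Object {
    $run = Get-ItemProperty -LiteralPath "Registry::$($_.Name)\Software\Microsoft\Windows\CurrentVersion\Run" `
             -Name 'WindowsACEbar' -ErrorAction SilentlyContinue
    if ($run) { $findings.Add("Run entry in $($_.PSChildName): $($run.WindowsACEbar)") }
}

# Type 1 / Start 3 is a demand-start kernel driver; flag it when it points at atlapp.sys.
$svc = Get-ItemProperty -LiteralPath 'HKLM:\SYSTEM\CurrentControlSet\Services\System Setting' -ErrorAction SilentlyContinue
if ($svc -and $svc.ImagePath -match 'atlapp\.sys$') {
    $findings.Add("Driver service 'System Setting' (Type=$($svc.Type), Start=$($svc.Start)) loads $($svc.ImagePath)")
}
if ($findings.Count -eq 0) { 'No Adware.BarACE artefacts found.' } else { $findings }
```

Outbound requests to the three update hosts above are the network-side counterpart of these host checks and can be watched for at the proxy or DNS layer.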
Writeup By: Jeong Mun