HTTP CramToolbar Activity

Severity: Medium

This attack could pose a moderate security threat. It does not require immediate action.

Description

This signature detects Adware.CramToolbar communicating with, and requesting information from, its controlling server.

Additional Information

When Adware.CramToolbar is executed, it performs the following actions:

1. Creates the following files:

* %ProgramFiles%\Cram Toolbar\basis.xml
* %ProgramFiles%\Cram Toolbar\icons.bmp
* %ProgramFiles%\Cram Toolbar\untitled.crc
* %ProgramFiles%\Cram Toolbar\untitled.dll
* %ProgramFiles%\Cram Toolbar\version.txt

Note: %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.

2. Creates the folder %ProgramFiles%\Cram Toolbar\Cache.

3. Creates the following registry entries:

* HKEY_CLASSES_ROOT\CLSID\{01E69986-A054-4C52-ABE8-EF63DF1C5211}
* HKEY_CLASSES_ROOT\CLSID\{1395A06F-EEA0-4445-BA0C-E8B56B48E244}
* HKEY_CLASSES_ROOT\Interface\{9D5C62AE-57B0-43C3-BAE4-BA7908DF4386}
* HKEY_CLASSES_ROOT\Interface\{F5BB1D9A-DA7B-4C5B-8272-1554B814E97F}
* HKEY_CLASSES_ROOT\ToolBand.XBTB00429
* HKEY_CLASSES_ROOT\ToolBand.XBTB00429.1
* HKEY_CLASSES_ROOT\TypeLib\{256CE99C-D5E1-4ACC-A538-2ED1E2710FAE}
* HKEY_CLASSES_ROOT\XBTB00429.IEToolbar
* HKEY_CLASSES_ROOT\XBTB00429.IEToolbar.1
* HKEY_CLASSES_ROOT\XBTB00429.XBTB00429
* HKEY_CLASSES_ROOT\XBTB00429.XBTB00429.1
* HKEY_CURRENT_USER\Software\Maxthon
* HKEY_CURRENT_USER\software\XBTB00429
* HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks\{01E69986-A054-4C52-ABE8-EF63DF1C5211}
* HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{0E5CBF21-D15F-11D0-8301-00AA005B4383}
* HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{01E69986-A054-4C52-ABE8-EF63DF1C5211}
* HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{01E04581-4EEE-11D0-BFE9-00AA005B4383}
* HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ITBarLayout
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1395A06F-EEA0-4445-BA0C-E8B56B48E244}
* HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\{01E69986-A054-4C52-ABE8-EF63DF1C5211}
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\XBTB00429.XBTB00429Toolbar

4. Adds the following value:

"iexplore" = 0

to the registry subkey:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN

5. Modifies the value:

"Start Page" = "[http://]www.fuck-portal.com/[REMOVED]"

in the registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main

to reset the search page in Internet Explorer.

6. Launches Internet Explorer and opens the following URL:

[http://]www.cracks.am/[REMOVED]

Affected

  • Windows 2000
  • Windows 95
  • Windows 98
  • Windows Me
  • Windows NT
  • Windows Server 2003
  • Windows XP

Response

The following instructions pertain to all Symantec antivirus products that support security risk detection.

1. Update the definitions.
2. Uninstall the security risk.
3. Run a full system scan.
4. Delete any values added to the registry.
5. Restore the default settings in Internet Explorer.
6. Reset the Internet Explorer home page.
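As an added example, not part of the Symantec signature, the following read-only PowerShell audit checks a host for the files and registry entries listed under Additional Information and for the two values set in steps 4 and 5, which helps scope Response steps 4 and 5. The GUIDs and names are taken from the signature above; the variable names are the script's own, and the standard Internet Explorer entries from the list (the Toolbar\WebBrowser band GUIDs, ITBarLayout, and HKCU\Software\Maxthon) are left out because they also exist on clean systems.

```powershell
# Added audit script, not from the Symantec signature: reports which of the
# Adware.CramToolbar files and registry entries listed above are present.
# Read-only; removal follows the Response steps. Run in an elevated PowerShell.
$toolbarDir = Join-Path ([Environment]::GetFolderPath('ProgramFiles')) 'Cram Toolbar'
$fileNames  = 'basis.xml', 'icons.bmp', 'untitled.crc', 'untitled.dll', 'version.txt', 'Cache'
$toolbarClsid = '{01E69986-A054-4C52-ABE8-EF63DF1C5211}'
$bhoClsid     = '{1395A06F-EEA0-4445-BA0C-E8B56B48E244}'
# The generic IE band GUIDs and ITBarLayout under Toolbar\WebBrowser, and
# HKCU\Software\Maxthon, also exist on clean systems and are left out.
$entries = @(
    "HKEY_CLASSES_ROOT\CLSID\$toolbarClsid", "HKEY_CLASSES_ROOT\CLSID\$bhoClsid",
    'HKEY_CLASSES_ROOT\Interface\{9D5C62AE-57B0-43C3-BAE4-BA7908DF4386}',
    'HKEY_CLASSES_ROOT\Interface\{F5BB1D9A-DA7B-4C5B-8272-1554B814E97F}',
    'HKEY_CLASSES_ROOT\TypeLib\{256CE99C-D5E1-4ACC-A538-2ED1E2710FAE}',
    'HKEY_CURRENT_USER\Software\XBTB00429',
    "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks\$toolbarClsid",
    "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\$toolbarClsid",
    "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$bhoClsid",
    "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\$toolbarClsid",
    'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\XBTB00429.XBTB00429Toolbar'
)
foreach ($progId in 'ToolBand.XBTB00429', 'XBTB00429.IEToolbar', 'XBTB00429.XBTB00429') {
    $entries += "HKEY_CLASSES_ROOT\$progId", "HKEY_CLASSES_ROOT\$progId.1"
}
function Test-RegistryEntry([string]$Path) {
    # URLSearchHooks and Toolbar\WebBrowser entries are values under a parent key,
    # not subkeys, so an entry counts if it exists as a key OR as a named value.
    if (Test-Path -LiteralPath "Registry::$Path") { return $true }
    $i = $Path.LastIndexOf('\')
    $parent = "Registry::" + $Path.Substring(0, $i)
    $leaf   = $Path.Substring($i + 1)
    if (-not (Test-Path -LiteralPath $parent)) { return $false }
    return $null -ne (Get-ItemProperty -LiteralPath $parent -Name $leaf -ErrorAction SilentlyContinue)
}
$findings = @()
foreach ($f in $fileNames) {
    $p = Join-Path $toolbarDir $f
    if (Test-Path -LiteralPath $p) { $findings += "file: $p" }
}
foreach ($e in $entries) { if (Test-RegistryEntry $e) { $findings += "reg:  $e" } }
# The two values the adware sets in steps 4 and 5 above.
$lockdownKey = 'Registry::HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN'
$lock = Get-ItemProperty -LiteralPath $lockdownKey -Name iexplore -ErrorAction SilentlyContinue
if ($lock -and $lock.iexplore -eq 0) { $findings += "reg:  $lockdownKey\iexplore = 0" }
$main = Get-ItemProperty -LiteralPath 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main' -Name 'Start Page' -ErrorAction SilentlyContinue
if ($main -and $main.'Start Page' -like '*fuck-portal.com*') { $findings += "reg:  HKLM Start Page = $($main.'Start Page')" }
if ($findings) { 'Adware.CramToolbar indicators present:'; $findings } else { 'No Adware.CramToolbar indicators found.' }
```

Each hit is printed as a `file:` or `reg:` line so the output can be pasted into a ticket before the Symantec removal steps are run.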
