1. Symantec/
  2. Security Response/
  3. Adware.Istbar

Adware.Istbar

Updated:
February 13, 2007 11:34:02 AM
Type:
Adware
Publisher:
Integrated Search Technologies
Risk Impact:
Medium
File Names:
IstBar_DH.dll istbar.dll istbarcm.dll istdownload.exe cmctl.dll istbarcm.dll ysbactivex.dll
Systems Affected:
Windows

Note: Detections dated March 3rd, 2005 or earlier may detect this adware as Adware.Istbar!Dl.

When Adware.Istbar is installed, it does the following:
  1. May create some of the following folders and files :

    • %ProgramFiles%\ISTbar\cmctl.dll
    • %ProgramFiles%\ISTbar\istbarcm.dll
    • %ProgramFiles%\ISTbar\imagemap_normal.bmp
    • %ProgramFiles%\ISTbar\imagemap_over.bmp
    • %ProgramFiles%\ISTbar\version.txt
    • %ProgramFiles%\ISTbar\xml_istbar.xml
    • %ProgramFiles%\IstSvc\istsvc.exe
    • %Windir%\[RANDOM FILE NAME].exe
    • %Windir%\Downloaded Program Files\ysbactivex.dll
    • %Windir%\Downloaded Program Files\istactivex.dll
    • %UserProfile%\Favorites\Fun & Games, drops numerous link files in this folder
    • %UserProfile%\Favorites\Going Places, drops numerous link files in this folder
    • %UserProfile%\Favorites\Living, drops numerous link files in this folder
    • %UserProfile%\Favorites\Shop, drops numerous link files in this folder
    • %UserProfile%\Favorites\Technology, drops numerous link files in this folder

      Notes:
    • %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.
    • %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows (Windows 95/98/Me/XP)or C:\Winnt (Windows NT/2000).
    • %UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\[Current User] (Windows NT/2000/XP).

  2. Adds the values:

    "IST Service" = "%ProgramFiles%\IstSvc\istsvc.exe"
    "[RANDOM NAME]" = "%Windir%\[RANDOM FILE NAME].exe"

    to the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    so that the risk runs when Windows starts.

  3. Creates some of the following registry keys:

    HKEY_LOCAL_MACHINE\SOFTWARE\ISTbar
    HKEY_CURRENT_USER\Software\ISTbar
    HKEY_CURRENT_USER\Software\IST
    HKEY_LOCAL_MACHINE\SOFTWARE\ISTsvc
    HKEY_CLASSES_ROOT\ISTbar.BarObj
    HKEY_CLASSES_ROOT\Pugi.PugiObj.1
    HKEY_CLASSES_ROOT\Pugi.PugiObj
    HKEY_CLASSES_ROOT\TestContentMatchControl1.ContentMatchTag
    HKEY_CLASSES_ROOT\TestContentMatchControl1.ContentMatchTag.1
    HKEY_CLASSES_ROOT\CLSID\{018B7EC3-EECA-11D3-8E71-0000E82C6C0D}
    HKEY_CLASSES_ROOT\CLSID\{386A771C-E96A-421f-8BA7-32F1B706892F}
    HKEY_CLASSES_ROOT\CLSID\{42F2C9BA-614F-47c0-B3E3-ECFD34EED658}
    HKEY_CLASSES_ROOT\CLSID\{5F1ABCDB-A875-46c1-8345-B72A4567E486}
    HKEY_CLASSES_ROOT\CLSID\{771A1334-6B08-4a6b-AEDC-CF994BA2CEBE}
    HKEY_CLASSES_ROOT\CLSID\{7C559105-9ECF-42b8-B3F7-832E75EDD959}
    HKEY_CLASSES_ROOT\CLSID\{DC341F1B-EC77-47BE-8F58-96E83861CC5A}
    HKEY_CLASSES_ROOT\CLSID\{FAA356E4-D317-42A6-AB41-A3021C6E7D52}
    HKEY_CLASSES_ROOT\Interface\{0985C112-2562-46F2-8DA6-92648BA4630F}
    HKEY_CLASSES_ROOT\Interface\{0E704BA4-C517-4BE7-A1CD-C3FFDA1E1FFE}
    HKEY_CLASSES_ROOT\Interface\{7B178417-3CDA-444F-94FF-312C0A3A78A8}
    HKEY_CLASSES_ROOT\Interface\{7B9A715E-9D87-4C21-BF9E-F914F2FA953F}
    HKEY_CLASSES_ROOT\Interface\{90CE74CC-788A-4A00-B38D-CBCA08CC9E8F}
    HKEY_CLASSES_ROOT\Interface\{9388907F-82F5-434D-A941-BB802C6DD7C1}
    HKEY_CLASSES_ROOT\Interface\{A36A5936-CFD9-4B41-86BD-319A1931887F}
    HKEY_CLASSES_ROOT\Interface\{BF06DA8E-2BEB-4816-9BBD-F7625246E245}
    HKEY_CLASSES_ROOT\Interface\{DC065FA6-08F9-4C50-99DC-275D16CFC5BD}
    HKEY_CLASSES_ROOT\Interface\{EAF2CCEE-21A1-4203-9F36-4929FD104D43}
    HKEY_CLASSES_ROOT\TypeLib\{67907B3C-A6EF-4A01-99AD-3FCD5F526429}
    HKEY_CLASSES_ROOT\Typelib\{68BF4626-D66B-4383-A6AF-62E57E9B6CD4}
    HKEY_CLASSES_ROOT\Typelib\{6D3F5DE4-E980-4407-A10F-9AC771ABAAE6}
    HKEY_CLASSES_ROOT\TypeLib\{89A10D64-83BF-41A4-86A3-7AAF1F8F3D1B}
    HKEY_CLASSES_ROOT\TypeLib\{8C752C5E-3C10-4076-AF0A-FFC69FA20D1B}
    HKEY_CLASSES_ROOT\TypeLib\{CC257918-F435-4A33-8231-2B8195990CCA}
    HKEY_CLASSES_ROOT\TypeLib\{DB447818-96B4-40DF-8A55-720DA496F514}
    HKEY_CLASSES_ROOT\TypeLib\{E9A5B71C-093B-4F34-AF07-34FCA89BA0DF}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database
    \Distribution Units\{42F2C9BA-614F-47C0-B3E3-ECFD34EED658}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database
    \Distribution Units\{7C559105-9ECF-42B8-B3F7-832E75EDD959}
    HKEY_CLASSES_ROOT\Component Categories
    \{00021494-0000-0000-C000-000000000046}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
    \Uninstall\ISTbar
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
    \Uninstall\ISTbarISTbar
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
    \Uninstall\ISTsvc
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CurrentVersion\Explorer
    \Browser Helper Objects\{A3FDD654-A057-4971-9844-4ED8E67DBBB8}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
    \Internet Settings\ZoneMap\Domains\contentmatch.net
    HKEY_CLASSES_ROOT\ISTx.Installer
    HKEY_CLASSES_ROOT\ISTx.Installer.2
    HKEY_CLASSES_ROOT\ISTactivex.Installer
    HKEY_CLASSES_ROOT\ISTactivex.Installer.1
    HKEY_CLASSES_ROOT\ISTactivex.Installer.2
    HKEY_CLASSES_ROOT\YSBactivex.Installer.1
    HKEY_CLASSES_ROOT\YSBactivex.Installer

  4. Adds the values:

    "Bandrest" = "Never"
    "Search Bar" = "[WEB SITE ON THE COULDNOTFIND.COM DOMAIN]"
    "Search Page" = [WEB SITE ON THE COULDNOTFIND.COM DOMAIN]"
    "Search Page_bak" = [WEB SITE ON THE COULDNOTFIND.COM DOMAIN]"
    "Start Page" = [WEB SITE ON THE COULDNOTFIND.COM DOMAIN]"
    "Start Page_bak" = "file:/ //C:/WINNT/Web/Start.htm"
    "Use Search Assistant" = "no"

    to the registry subkey:

    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main

    to redirect the start page and search pages.

  5. Adds the value:

    "Bandrest" = "Never"

    to the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main


  6. The file %Windir%\[RANDOM FILE NAME].exe, opens itself for shared access in such a way that it prevents other programs from accessing the file.

  7. Adds the values:

    "{FAA356E4-D317-42A6-AB41-A3021C6E7D52}" = ""
    "{5F1ABCDB-A875-46C1-8345-B72A4567E486}" = ""


    to the registry subkeys:

    HKEY_LOCAL_MACHINE%\SOFTWARE\Microsoft\Internet Explorer\Toolbar
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser

  8. Adds the following toolbar to all Internet Explorer windows:




  9. Displays links in the toolbar area relating to words typed anywhere in an Internet Explorer window.


Summary| Technical Details| Removal

Search Threats

Search by name
Example: W32.Beagle.AG@mm
STAR Antimalware Protection Technologies
2016 Internet Security Threat Report, Volume 21
  • Twitter
  • Facebook
  • LinkedIn
  • Google+
  • YouTube