
Adware.AdultLinks

Updated: February 13, 2007 11:35:50 AM
Type: Adware
Version: 2003, 4, 29, 1
Publisher: N/A
Risk Impact: High
File Names: QaBar.dll QcBar.dll SetupAdultLinks.exe
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

When the self-extracting .zip file for Adware.AdultLinks is executed, it performs the following actions:
  1. Copies QaBar.dll to %windir%\system32\


    Note: %Windir% is a variable. The adware locates the Windows installation folder (by default, this is C:\Windows or C:\Winnt) and copies itself to that location.

  2. Adds the value

    "ForceShow" = "rundll32.exe <path to file>,ForceShowBar"

    or

    "ForceShow" = "res://<path to file>/ForceShow.HTML"

    to the registry key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce


    Note: This registry key will be removed once the computer has been rebooted.

  3. Adds the value

    "SearchAssistant" = "dev.ntcor.com/search.html"

    to the registry key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search

    which changes the default search page in Internet Explorer.

  4. Adds the value

    "{965e6b07-6832-4738-bdbe-25f226ba2ab0}" = "Adult Links"

    or

    "{765E6B09-6832-4738-BDBE-25F226BA2AB0} " = "Adult Links"

    to the registry key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar

    which adds a toolbar called AdultLinks to Internet Explorer.

  5. Adds the following keys (some keys may be added only by specific versions of AdultLinks):


    HKEY_CLASSES_ROOT\CLSID\{965e6b07-6832-4738-bdbe-25f226ba2ab0}
    HKEY_CLASSES_ROOT\CLSID\{dd1bca06-f674-424d-a08e-42da97c4d5dd}
    HKEY_CLASSES_ROOT\CLSID\{D6FC35D1-04AB-4D40-94CF-2E5AE4D0F8D2}
    HKEY_CLASSES_ROOT\CLSID\{5C015AA7-3392-4044-90CC-8E95019CFFF1}
    HKEY_CLASSES_ROOT\CLSID\{765E6B09-6832-4738-BDBE-25F226BA2AB0}
    HKEY_CLASSES_ROOT\Interface\{6D7D135E-F7C2-4A27-A87C-C0DFEB3A628F}
    HKEY_CLASSES_ROOT\Interface\{D1320CBB-403D-483D-AE9A-688960A96977}
    HKEY_CLASSES_ROOT\Interface\{ED7D1356-F7C2-4A27-A87C-C0DFEB3A628F}
    HKEY_CLASSES_ROOT\Interface\{242CA913-1637-4F74-9729-EA349AF3ECAC}
    HKEY_CLASSES_ROOT\Interface\{3FAA7D43-6889-4108-BD33-D66242C45BE0}
    HKEY_CLASSES_ROOT\TypeLib\{D02EE3A0-1881-419F-A5EF-737223463292}
    HKEY_CLASSES_ROOT\TypeLib\{C02EE3A0-1881-419F-A5ED-737223463292}
    HKEY_CLASSES_ROOT\TypeLib\{60381D4B-8129-449A-A5F2-5417AD0571CC}
    HKEY_CLASSES_ROOT\TypeLib\{0b1673d7-c165-4d41-bf65-1932324de17f}
    HKEY_CLASSES_ROOT\QcBar\
    HKEY_CLASSES_ROOT\QcBar.1\
    HKEY_CLASSES_ROOT\QABar
    HKEY_CLASSES_ROOT\QaBar.1\
    HKEY_CLASSES_ROOT\QABar.AdultSearch
    HKEY_CLASSES_ROOT\QABar.AdultSearch.1
    HKEY_CLASSES_ROOT\Allch.IEObj\
    HKEY_CLASSES_ROOT\Allch.IEObj.1\
    HKEY_CURRENT_USER\Software\QcBar\

    HKEY_CLASSES_ROOT\QaBar.AdultSearch.1\
    HKEY_CLASSES_ROOT\AdultBar.AdultBar
    HKEY_CLASSES_ROOT\AdultBar.AdultBar.1
    HKEY_CLASSES_ROOT\AdultSearch.AdultSearch
    HKEY_CLASSES_ROOT\AdultSearch.AdultSearch.1
    HKEY_CLASSES_ROOT\LinkZZ2.NullCtrl
    HKEY_CLASSES_ROOT\LinkZZ2.NullCtrl.1
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{765E6B09-6832-4738-BDBE-25F226BA2AB0}
    HKEY_LOCAL_MACHINE\Software\QcBar\
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D6FC35D1-04AB-4D40-94CF-2E5AE4D0F8D2}

    which allow the adware to monitor Internet Explorer activities.

  6. Attempts to download a Web page from www.mainentrypoint.com containing a list of links. The adware will add these links to the Favorites menu in Internet Explorer.


    Note: Security Response has observed 47 links in the list at the time of this writing.
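
The registry changes in steps 2 to 5 can be checked offline against a registry export. The following is an added example, not Security Response code: it assumes the export has already been decoded to text in regedit version 5 format, the function names and the sample export (including the QaBar.dll path and the placeholder toolbar GUID) are constructed for illustration, and only the values and keys named in steps 2 to 4 plus the Browser Helper Object key are checked. Because the RunOnce value is removed after a reboot, its absence does not rule out an installation.

```python
import re

HKLM = "hkey_local_machine\\"
# Indicators from steps 2-5 above: (key under HKLM, value name or None, data regex or None)
INDICATORS = [
    (r"software\microsoft\windows\currentversion\runonce", "forceshow",
     r"forceshowbar|forceshow\.html"),
    (r"software\microsoft\internet explorer\search", "searchassistant",
     r"dev\.ntcor\.com/search\.html"),
    (r"software\microsoft\internet explorer\toolbar",
     "{965e6b07-6832-4738-bdbe-25f226ba2ab0}", None),
    (r"software\microsoft\internet explorer\toolbar",
     "{765e6b09-6832-4738-bdbe-25f226ba2ab0}", None),
    (r"software\microsoft\windows\currentversion\explorer\browser helper objects"
     r"\{d6fc35d1-04ab-4d40-94cf-2e5ae4d0f8d2}", None, None),
]

def parse_reg_export(text):
    """Parse decoded regedit v5 export text into {key_lower: {value_name_lower: raw_data}}."""
    hive, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := re.fullmatch(r"\[(.+)\]", line):
            current = hive.setdefault(m.group(1).rstrip("\\").lower(), {})
        elif (m := re.fullmatch(r'"((?:[^"\\]|\\.)*)"=(.*)', line)) and current is not None:
            # Registry names are case-insensitive; strip padding such as a trailing space.
            current[m.group(1).strip().lower()] = m.group(2)
    return hive

def scan(text):
    """Return (key, value_name) for each indicator found; value_name is None for key-only hits."""
    hive, hits = parse_reg_export(text), []
    for key, name, data_re in INDICATORS:
        values = hive.get(HKLM + key)
        if values is not None and (name is None or (name in values and (
                data_re is None or re.search(data_re, values[name], re.I)))):
            hits.append((key, name))
    return hits

# Constructed sample export for illustration (not captured from a real system).
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search]
"SearchAssistant"="dev.ntcor.com/search.html"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar]
"{765E6B09-6832-4738-BDBE-25F226BA2AB0} "="Adult Links"
"{00000000-0000-0000-0000-000000000001}"="Benign toolbar (constructed)"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"ForceShow"="rundll32.exe C:\\Windows\\system32\\QaBar.dll,ForceShowBar"
'''
```

Calling `scan(SAMPLE)` reports the RunOnce, Search and Toolbar entries and ignores the placeholder toolbar value.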

