
Adware.SearchNugget

Updated:
February 13, 2007 11:44:30 AM
Type:
Adware
Publisher:
Acez Software
Risk Impact:
Medium
File Names:
%Windir%\Downloaded Program Files\sbar.dll (This file is invisible in Windows Explorer.) %Progra
Systems Affected:
Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

When Adware.SearchNugget is executed, it performs the following actions:
  1. Modifies the value:

    "Start Page" = "[http://]www.searchnugget[REMOVED].com/"

    in the registry subkeys:

    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
    HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main

    so that the start page of Internet Explorer is changed to a Web site on the searchnugget.com domain.

  2. Adds the following registry entries:

    HKEY_CLASSES_ROOT\CLSID\{4E7BD74F-2B80-469E-C0FF-FD7FF4D5FA7F}\"(Default)" = "SBARMenu Button"
    HKEY_CLASSES_ROOT\CLSID\{4E7BD74F-2B80-469E-C0FF-FD7FF4D5FA7F}\InProcServer32\"(Default)" = "%Windir%\DOWNLO~1\sbar.dll"
    HKEY_CLASSES_ROOT\CLSID\{4E7BD74F-2B80-469E-C0FF-FD7FF4D5FA7F}\InProcServer32\"ThreadingModel" = "Apartment"
    HKEY_CLASSES_ROOT\sbar.SBARMenu Button\"(Default)" = "SBARMenu Button"
    HKEY_CLASSES_ROOT\sbar.SBARMenu Button\Clsid\"(Default)" = "{4E7BD74F-2B8D-469E-C0FF-FD7FF4D5FA7F}"
    HKEY_CLASSES_ROOT\CLSID\{4E7BD74F-2B8D-469E-C0FF-FD7FF4D5FA7F}\ProgID\"(Default)" = "sbar.SBARMenu Button"
    HKEY_CLASSES_ROOT\CLSID\{4E7BD74F-2B8D-469E-C0FF-FD7FF4D5FA7E}\"(Default)" = "SBARToggle Button"
    HKEY_CLASSES_ROOT\CLSID\{4E7BD74F-2B8D-469E-C0FF-FD7FF4D5FA7E}\InprocServer32\"(Default)" = "C:\WINDOWS\DOWNLO~1\sbar.dll"
    HKEY_CLASSES_ROOT\CLSID\{4E7BD74F-2B8D-469E-C0FF-FD7FF4D5FA7E}\InprocServer32\"ThreadingModel" = "Apartment"
    HKEY_CLASSES_ROOT\sbar.SBARToggle Button\"(Default)" = "SBARToggle Button"
    HKEY_CLASSES_ROOT\sbar.SBARToggle Button\Clsid\"(Default)" = "{4E7BD74F-2B8D-469E-C0FF-FD7FF4D5FA7E}"
    HKEY_CLASSES_ROOT\CLSID\{4E7BD74F-2B8D-469E-C0FF-FD7FF4D5FA7E}\ProgID\"(Default)" = "sbar.SBARToggle Button"
    HKEY_CLASSES_ROOT\CLSID\{4E7BD74F-2B8D-469E-C0FF-FD7FF4D5FA7D}\"(Default)" = "SearchNugget Toolbar"
    HKEY_CLASSES_ROOT\CLSID\{4E7BD74F-2B8D-469E-C0FF-FD7FF4D5FA7D}\InprocServer32\"(Default)" = "C:\WINDOWS\DOWNLO~1\sbar.dll"
    HKEY_CLASSES_ROOT\CLSID\{4E7BD74F-2B8D-469E-C0FF-FD7FF4D5FA7D}\InprocServer32\"ThreadingModel" = "Apartment"
    HKEY_CLASSES_ROOT\sbar.SBAR\"(Default)" = "SBAR"
    HKEY_CLASSES_ROOT\sbar.SBAR\Clsid\"(Default)" = "{4E7BD74F-2B8D-469E-C0FF-FD7FF4D5FA7D}"
    HKEY_CLASSES_ROOT\CLSID\{4E7BD74F-2B8D-469E-C0FF-FD7FF4D5FA7D}\ProgID\"(Default)" = "sbar.SBAR"

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\"{4E7BD74F-2B8D-469E-C0FF-FD7FF4D5FA7D}" = "02"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4E7BD74F-2B8D-469E-C0FF-FD7FF4D5FA7D}

    so that the toolbar is installed in Internet Explorer.

  3. Adds the values:

    "CfgID" = "0"
    "clientID" = "main"

    to the registry subkey:

    HKEY_CURRENT_USER\Software\Sbar Toolbar

    for its internal use.

  4. Adds the values:

    "DisplayName" = "SearchNugget Toolbar"
    "UninstallString" = "%Program Files%\Sbar Toolbar\Uninstall.exe"


    to the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SBAR

    so that SearchNugget Toolbar appears in the Add or Remove Programs window.

  5. Creates the following files:

    • %Windir%\sbar.dll
    • %ProgramFiles%\Sbar Toolbar\Uninstall.exe

      Note:
    • %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
    • %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.

  6. Creates files in the %Program Files%\Sbar Toolbar\Cache folder.

  7. Displays a search toolbar in the Internet Explorer window.
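
The registry changes listed above can be checked offline against a `.reg` export taken from a suspect machine. The following is an added example, not part of the original write-up or of any Symantec tool: the function names, the sample export and its placeholder start-page host are constructed, and the start page is matched on the substring "searchnugget" because the full URL is redacted above.

```python
import re

# Indicators copied from the write-up above; registry paths are case-insensitive.
TOOLBAR_CLSID = "{4E7BD74F-2B8D-469E-C0FF-FD7FF4D5FA7D}"
KEY_SUFFIXES = {  # key-path suffix -> finding label
    r"\Browser Helper Objects" + "\\" + TOOLBAR_CLSID: "BHO registration",
    r"\CurrentVersion\Uninstall\SBAR": "uninstall entry",
    r"\Software\Sbar Toolbar": "toolbar settings key",
}

def parse_reg(text):
    """Parse .reg export text into {key_path: {lowercased_value_name: data}}."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        m = re.match(r'(@|"(?:[^"\\]|\\.)*")=(.*)', line)
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})  # keys with no values still count
        elif m and current is not None:
            name = "(default)" if m.group(1) == "@" else m.group(1)[1:-1].lower()
            current[name] = m.group(2).strip('"')
    return keys

def find_indicators(keys):
    """Return (label, key_path) pairs for each artifact listed in the write-up."""
    findings = []
    for path, values in keys.items():
        low = path.lower()
        for suffix, label in KEY_SUFFIXES.items():
            if low.endswith(suffix.lower()):
                findings.append((label, path))
        if low.endswith(r"\internet explorer\main") and "searchnugget" in values.get("start page", "").lower():
            findings.append(("start page hijack", path))
        if low.endswith(r"\internet explorer\toolbar") and TOOLBAR_CLSID.lower() in values:
            findings.append(("IE toolbar value", path))
    return findings

# Constructed sample export; the start-page host and the hex data are placeholders.
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.searchnugget.example/"
[HKEY_CURRENT_USER\Software\Sbar Toolbar]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{4E7BD74F-2B8D-469E-C0FF-FD7FF4D5FA7D}"=hex:02
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4E7BD74F-2B8D-469E-C0FF-FD7FF4D5FA7D}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SBAR]
"DisplayName"="SearchNugget Toolbar"
'''
for label, path in find_indicators(parse_reg(SAMPLE)):
    print(f"{label}: {path}")
```

Real exports are usually UTF-16 encoded, so decode the file before passing its text to `parse_reg`.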

