
Adware.Kidda

Updated: February 13, 2007 11:47:43 AM
Type: Adware
Risk Impact: Low
File Names: kidda.dll
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

When Adware.Kidda is installed, it performs the following actions:
  1. Creates the following files:

    • %ProgramFiles%\Kidda Toolbar\basis.xml
    • %ProgramFiles%\Kidda Toolbar\kidda.dll
    • %ProgramFiles%\Kidda Toolbar\nav.bmp
    • %ProgramFiles%\Kidda Toolbar\kidda.inf
    • %ProgramFiles%\Kidda Toolbar\version.txt
    • %ProgramFiles%\Kidda Toolbar\favicon.ico
    • %ProgramFiles%\Kidda Toolbar\Cache\*.xml

      Note: %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.

  2. Creates the following registry subkeys:

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5124376D-C964-4817-B40E-CBD36195116E}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BBBE1C1A-89F7-4AF6-ABD1-F8FBCFA47408}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{0D5CC8AE-0BB0-49C3-BA33-BA4508EA43CC}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{EABBB49A-4D7B-415B-8250-15C3B854E9FF}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{0D42A57A-EC98-45DE-B0C7-E36976360377}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ToolBand.XBTB06353
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ToolBand.XBTB06353.1
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\XBTB06353.IEToolbar
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\XBTB06353.IEToolbar.1
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\XBTB06353.XBTB06353
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\XBTB06353.XBTB06353.1
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{5124376D-C964-4817-B40E-CBD36195116E}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BBBE1C1A-89F7-4AF6-ABD1-F8FBCFA47408}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\XBTB06353.XBTB06353Toolbar
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5124376D-C964-4817-B40E-CBD36195116E}
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{BBBE1C1A-89F7-4AF6-ABD1-F8FBCFA47408}
    HKEY_CURRENT_USER\Software\XBTB06353


    Note: The CLSID {BBBE1C1A-89F7-4AF6-ABD1-F8FBCFA47408} may be used by legitimate toolbars created with the Internet Explorer toolbar package.

  3. Modifies the value:

    "iexplore.exe" = "0"

    in the registry subkey:

    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN

    so that elements such as ActiveX controls and JavaScript can run locally on the compromised computer.

  4. Adds the value:

    {5124376D-C964-4817-B40E-CBD36195116E}

    to the following registry subkeys:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser

  5. Modifies the value:

    "Start Page" = "[http://]kidda.de[REMOVED]"

    in the registry subkey:

    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main

    in order to change the Internet Explorer start page.

  6. Displays a toolbar in the Internet Explorer window.
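
The following Python example is added here and is not part of the original write-up or any vendor tool. It triages a decoded regedit text export against the indicators listed above, treating the shared CLSID and the lockdown value as weak signals that need corroboration. The function names, the strong/weak split, and the sample export are assumptions made for illustration.

```python
import re

# Indicators taken from the write-up above.
TOOLBAR_CLSID = "{5124376D-C964-4817-B40E-CBD36195116E}"
SHARED_CLSID = "{BBBE1C1A-89F7-4AF6-ABD1-F8FBCFA47408}"  # also used by legitimate toolbars
PROGID = "XBTB06353"
IE_MAIN = r"hkey_current_user\software\microsoft\internet explorer\main"
LOCKDOWN = IE_MAIN + r"\featurecontrol\feature_localmachine_lockdown"

def parse_reg(text):
    """Parse decoded regedit export text into {key path: {lowercased value name: raw data}}."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None:
            m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
            if m:
                current[m.group(1).lower()] = m.group(2)
    return keys

def find_kidda(keys):
    """Return (strong, weak) lists of (reason, key path); weak hits need corroboration."""
    strong, weak = [], []
    for path, values in keys.items():
        if TOOLBAR_CLSID in path.upper() or PROGID in path.upper():
            strong.append(("adware key", path))
        elif SHARED_CLSID in path.upper():
            weak.append(("shared CLSID key", path))
        if TOOLBAR_CLSID.lower() in values:
            strong.append(("toolbar value", path))
        if path.lower() == IE_MAIN and "kidda.de" in values.get("start page", "").lower():
            strong.append(("start page", path))
        # Assumption: the "0" may be exported as a string or as a DWORD.
        if path.lower() == LOCKDOWN and values.get("iexplore.exe", "").strip('"').lower() in ("0", "dword:00000000"):
            weak.append(("local machine lockdown off", path))
    return strong, weak

# Constructed sample export (not captured from a real host).
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{5124376D-C964-4817-B40E-CBD36195116E}"=hex:00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BBBE1C1A-89F7-4AF6-ABD1-F8FBCFA47408}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN]
"iexplore.exe"=dword:00000000
'''

if __name__ == "__main__":
    print(find_kidda(parse_reg(SAMPLE)))
```

A host showing only weak hits may simply have another toolbar built with the same Internet Explorer toolbar package, so confirm against the file and ProgID indicators before acting.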

