SEO Toolbar

November 4, 2006 on 10:09 am | In Malware analysis | No Comments

originally posted Jan 8 2005, 08:18 PM

Found in a HijackThis log posted on GeeksToGo:

O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-85AC-FD60BB9AAE32} - C:\WINDOWS\DOWNLO~1\seotoolbar.dll

O3 - Toolbar: SEO TOOLBAR - {4E7BD74F-2B8D-469E-85AC-FD60BB9AAE32} - C:\WINDOWS\DOWNLO~1\seotoolbar.dll

O16 - DPF: {4E7BD74F-2B8D-469E-85AC-FD60BB9AAE32} (SEO TOOLBAR) - http://www.onseo.com/toolbar/seotoolbar.cab
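
The three entries above all carry the same CLSID: O16 (Downloaded Program Files) records the ActiveX package the DLL was installed from, and O2 (BHO) and O3 (IE toolbar) show that the same DLL is now loaded into Internet Explorer. The small parser below, an added example that is not part of the original post, reads HijackThis O2/O3/O16 lines and groups them by CLSID so that a download-plus-load chain like this one stands out at a glance. The sample log is constructed from the three lines quoted above, written with the plain " - " separators HijackThis emits.

```python
import re
from collections import defaultdict

# Constructed sample: the three HijackThis entries quoted in the post.
SAMPLE_LOG = """\
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-85AC-FD60BB9AAE32} - C:\\WINDOWS\\DOWNLO~1\\seotoolbar.dll
O3 - Toolbar: SEO TOOLBAR - {4E7BD74F-2B8D-469E-85AC-FD60BB9AAE32} - C:\\WINDOWS\\DOWNLO~1\\seotoolbar.dll
O16 - DPF: {4E7BD74F-2B8D-469E-85AC-FD60BB9AAE32} (SEO TOOLBAR) - http://www.onseo.com/toolbar/seotoolbar.cab
"""

GUID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"

# O2 (BHO) and O3 (IE toolbar) share one layout:
#   "<section> - <kind>: <name> - {CLSID} - <dll path>"
O2_O3_RE = re.compile(r"^(O[23]) - (\w+): (.*?) - (" + GUID + r") - (.+)$")
# O16 (Downloaded Program Files, i.e. ActiveX installs) differs:
#   "O16 - DPF: {CLSID} (<name>) - <download url>"
O16_RE = re.compile(r"^(O16) - DPF: (" + GUID + r") \((.*?)\) - (\S+)$")


def parse_hjt_line(line):
    """Return a dict for a supported entry, or None for lines not modelled here."""
    m = O2_O3_RE.match(line)
    if m:
        section, kind, name, clsid, target = m.groups()
        return {"section": section, "kind": kind, "name": name,
                "clsid": clsid.upper(), "target": target}
    m = O16_RE.match(line)
    if m:
        section, clsid, name, url = m.groups()
        return {"section": section, "kind": "DPF", "name": name,
                "clsid": clsid.upper(), "target": url}
    return None


def parse_hjt_log(text):
    """Parse every recognised line of a HijackThis log, skipping the rest."""
    parsed = (parse_hjt_line(line.strip()) for line in text.splitlines())
    return [entry for entry in parsed if entry]


def group_by_clsid(entries):
    groups = defaultdict(list)
    for entry in entries:
        groups[entry["clsid"]].append(entry)
    return dict(groups)


def linked_installs(entries):
    """CLSIDs that appear both as a downloaded ActiveX package (O16) and as a
    loaded BHO or toolbar (O2/O3): the O16 line tells you where the DLL came
    from, the O2/O3 lines tell you it is now running inside IE."""
    linked = {}
    for clsid, group in group_by_clsid(entries).items():
        sections = {e["section"] for e in group}
        if "O16" in sections and sections & {"O2", "O3"}:
            linked[clsid] = {
                "sections": sorted(sections),
                "files": sorted({e["target"] for e in group if e["section"] != "O16"}),
                "sources": sorted({e["target"] for e in group if e["section"] == "O16"}),
            }
    return linked


if __name__ == "__main__":
    for clsid, info in linked_installs(parse_hjt_log(SAMPLE_LOG)).items():
        print(clsid)
        print("  loaded from :", ", ".join(info["files"]))
        print("  installed by:", ", ".join(info["sources"]))
```

Run against a full log, the output lists only CLSIDs whose DLL both arrived through a DPF install and is currently hooked into the browser, which is exactly the pattern worth a second look in a log that may contain dozens of legitimate O2/O3 lines.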

I downloaded the cab file and scanned it with Kaspersky’s online scanner.
These were the results:
Scanned file: seotoolbar.cab
seotoolbar.cab – archived by CAB
seotoolbar.cab/seotoolbar.dll – infected by Trojan-Clicker.Win32.Delf.bc

Registering the dll made the following changes:

Files:

C:\Program Files\SEOTOOLBAR Toolbar
(+)C:\Program Files\SEOTOOLBAR Toolbar\Cache
(+)seotoolbartb0300.cfg = 19:42 08-01-05 19244 bytes
(+)C:\Program Files\SEOTOOLBAR Toolbar\Cache\NewCfg

Registry:

(+)(KEY) HKEY_CLASSES_ROOT\seotoolbar.SEOTOOLBAR
(+)(VALUE) (Default) = ‘SEOTOOLBAR’
(+)(KEY) HKEY_CLASSES_ROOT\seotoolbar.SEOTOOLBAR\Clsid
(+)(VALUE) (Default) = ‘{4E7BD74F-2B8D-469E-85AC-FD60BB9AAE32}’
(+)(KEY) HKEY_CLASSES_ROOT\seotoolbar.SEOTOOLBARMenu Button
(+)(VALUE) (Default) = ‘SEOTOOLBARMenu Button’
(+)(KEY) HKEY_CLASSES_ROOT\seotoolbar.SEOTOOLBARMenu Button\Clsid
(+)(VALUE) (Default) = ‘{4E7BD74F-2B8D-469E-85AC-FD60BB9AAE34}’
(+)(KEY) HKEY_CLASSES_ROOT\seotoolbar.SEOTOOLBARToggle Button
(+)(VALUE) (Default) = ‘SEOTOOLBARToggle Button’
(+)(KEY) HKEY_CLASSES_ROOT\seotoolbar.SEOTOOLBARToggle Button\Clsid
(+)(VALUE) (Default) = ‘{4E7BD74F-2B8D-469E-85AC-FD60BB9AAE33}’
(+)(KEY) HKEY_CLASSES_ROOT\vtsd3
(+)(VALUE) vtsd3 = “-.C…@
(+)(KEY) HKEY_CLASSES_ROOT\CLSID\{4E7BD74F-2B8D-469E-85AC-FD60BB9AAE32}
(+)(VALUE) (Default) = ‘SEOTOOLBAR’
(+)(KEY) HKEY_CLASSES_ROOT\CLSID\{4E7BD74F-2B8D-469E-85AC-FD60BB9AAE32}\InprocServer32
(+)(VALUE) (Default) = ‘C:\WINDOWS\DOWNLO~1\seotoolbar.dll’
(+)(VALUE) ThreadingModel = ‘Apartment’
(+)(KEY) HKEY_CLASSES_ROOT\CLSID\{4E7BD74F-2B8D-469E-85AC-FD60BB9AAE32}\ProgID
(+)(VALUE) (Default) = ‘seotoolbar.SEOTOOLBAR’
(+)(KEY) HKEY_CLASSES_ROOT\CLSID\{4E7BD74F-2B8D-469E-85AC-FD60BB9AAE33}
(+)(VALUE) (Default) = ‘SEOTOOLBARToggle Button’
(+)(KEY) HKEY_CLASSES_ROOT\CLSID\{4E7BD74F-2B8D-469E-85AC-FD60BB9AAE33}\InprocServer32
(+)(VALUE) (Default) = ‘C:\WINDOWS\DOWNLO~1\seotoolbar.dll’
(+)(VALUE) ThreadingModel = ‘Apartment’
(+)(KEY) HKEY_CLASSES_ROOT\CLSID\{4E7BD74F-2B8D-469E-85AC-FD60BB9AAE33}\ProgID
(+)(VALUE) (Default) = ‘seotoolbar.SEOTOOLBARToggle Button’
(+)(KEY) HKEY_CLASSES_ROOT\CLSID\{4E7BD74F-2B8D-469E-85AC-FD60BB9AAE34}
(+)(VALUE) (Default) = ‘SEOTOOLBARMenu Button’
(+)(KEY) HKEY_CLASSES_ROOT\CLSID\{4E7BD74F-2B8D-469E-85AC-FD60BB9AAE34}\InprocServer32
(+)(VALUE) (Default) = ‘C:\WINDOWS\DOWNLO~1\seotoolbar.dll’
(+)(VALUE) ThreadingModel = ‘Apartment’
(+)(KEY) HKEY_CLASSES_ROOT\CLSID\{4E7BD74F-2B8D-469E-85AC-FD60BB9AAE34}\ProgID
(+)(VALUE) (Default) = ‘seotoolbar.SEOTOOLBARMenu Button’
(+)(KEY) HKEY_USERS\S-1-5-21-1947229034-1613120521-1437238077-1008\Software\SEOTOOLBAR TOOLBAR
(+)(VALUE) BarID = ‘200501081941581000151’
(+)(VALUE) BitmapVersion = 0
(+)(VALUE) LastLeft = 2
(+)(VALUE) SetupInit = 1
(+)(KEY) HKEY_USERS\S-1-5-21-1947229034-1613120521-1437238077-1008\Software\SEOTOOLBAR TOOLBAR\Config
(+)(KEY) HKEY_USERS\S-1-5-21-1947229034-1613120521-1437238077-1008\Software\SEOTOOLBAR TOOLBAR\Config\seotoolbartb0300
(+)(VALUE) LastDown = .^.D…@
(+)(VALUE) MaxAge = 0
(+)(KEY) HKEY_USERS\S-1-5-21-1947229034-1613120521-1437238077-1008\Software\SEOTOOLBAR TOOLBAR\Options
(+)(VALUE) PopupBlockerEnabled = 0
(KEY) HKEY_USERS\S-1-5-21-1947229034-1613120521-1437238077-1008\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
(+)(VALUE) {4E7BD74F-2B8D-469E-85AC-FD60BB9AAE32} = O.{N.+.F…`…2
(+)(KEY) HKEY_CURRENT_USER\Software\SEOTOOLBAR TOOLBAR
(+)(VALUE) BarID = ‘200501081941581000151’
(+)(VALUE) BitmapVersion = 0
(+)(VALUE) LastLeft = 2
(+)(VALUE) SetupInit = 1
(+)(KEY) HKEY_CURRENT_USER\Software\SEOTOOLBAR TOOLBAR\Config
(+)(KEY) HKEY_CURRENT_USER\Software\SEOTOOLBAR TOOLBAR\Config\seotoolbartb0300
(+)(VALUE) LastDown = .^.D…@
(+)(VALUE) MaxAge = 0
(+)(KEY) HKEY_CURRENT_USER\Software\SEOTOOLBAR TOOLBAR\Options
(+)(VALUE) PopupBlockerEnabled = 0
(KEY) HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
(+)(VALUE) {4E7BD74F-2B8D-469E-85AC-FD60BB9AAE32} = O.{N.+.F…`…2
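
The registry diff above is the COM registration of one DLL under three CLSIDs (the toolbar itself, a toggle button and a menu button, each with its own InprocServer32 and ProgID), plus the per-user keys that make IE load the toolbar. Reading that by eye across sixty lines is error-prone, so the following added example (not part of the original post) parses the (+)(KEY)/(+)(VALUE) listing format into a key tree and summarises every registered COM class, then answers the two questions a responder usually has: which CLSIDs are served by this DLL, and which of them IE has been told to show as a toolbar. The sample diff is a constructed subset of the lines above with straight quotes; the binary blob the tool printed for the WebBrowser value is replaced by the placeholder text `<binary>`.

```python
import re

# Constructed sample: a subset of the registry diff shown in the post.
SAMPLE_DIFF = """\
(+)(KEY) HKEY_CLASSES_ROOT\\CLSID\\{4E7BD74F-2B8D-469E-85AC-FD60BB9AAE32}
(+)(VALUE) (Default) = 'SEOTOOLBAR'
(+)(KEY) HKEY_CLASSES_ROOT\\CLSID\\{4E7BD74F-2B8D-469E-85AC-FD60BB9AAE32}\\InprocServer32
(+)(VALUE) (Default) = 'C:\\WINDOWS\\DOWNLO~1\\seotoolbar.dll'
(+)(VALUE) ThreadingModel = 'Apartment'
(+)(KEY) HKEY_CLASSES_ROOT\\CLSID\\{4E7BD74F-2B8D-469E-85AC-FD60BB9AAE32}\\ProgID
(+)(VALUE) (Default) = 'seotoolbar.SEOTOOLBAR'
(+)(KEY) HKEY_CLASSES_ROOT\\CLSID\\{4E7BD74F-2B8D-469E-85AC-FD60BB9AAE33}
(+)(VALUE) (Default) = 'SEOTOOLBARToggle Button'
(+)(KEY) HKEY_CLASSES_ROOT\\CLSID\\{4E7BD74F-2B8D-469E-85AC-FD60BB9AAE33}\\InprocServer32
(+)(VALUE) (Default) = 'C:\\WINDOWS\\DOWNLO~1\\seotoolbar.dll'
(+)(VALUE) ThreadingModel = 'Apartment'
(+)(KEY) HKEY_CLASSES_ROOT\\CLSID\\{4E7BD74F-2B8D-469E-85AC-FD60BB9AAE33}\\ProgID
(+)(VALUE) (Default) = 'seotoolbar.SEOTOOLBARToggle Button'
(+)(KEY) HKEY_CLASSES_ROOT\\CLSID\\{4E7BD74F-2B8D-469E-85AC-FD60BB9AAE34}
(+)(VALUE) (Default) = 'SEOTOOLBARMenu Button'
(+)(KEY) HKEY_CLASSES_ROOT\\CLSID\\{4E7BD74F-2B8D-469E-85AC-FD60BB9AAE34}\\InprocServer32
(+)(VALUE) (Default) = 'C:\\WINDOWS\\DOWNLO~1\\seotoolbar.dll'
(+)(VALUE) ThreadingModel = 'Apartment'
(+)(KEY) HKEY_CLASSES_ROOT\\CLSID\\{4E7BD74F-2B8D-469E-85AC-FD60BB9AAE34}\\ProgID
(+)(VALUE) (Default) = 'seotoolbar.SEOTOOLBARMenu Button'
(+)(KEY) HKEY_CURRENT_USER\\Software\\SEOTOOLBAR TOOLBAR
(+)(VALUE) SetupInit = 1
(KEY) HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Toolbar\\WebBrowser
(+)(VALUE) {4E7BD74F-2B8D-469E-85AC-FD60BB9AAE32} = <binary>
"""

# "(+)(KEY) path" is a newly created key; a bare "(KEY) path" is an existing
# key that only received new values.  "(+)(VALUE) name = value" belongs to
# the most recent key line.
KEY_RE = re.compile(r"^(\(\+\))?\(KEY\) (.+)$")
VALUE_RE = re.compile(r"^(\(\+\))?\(VALUE\) (.+?) = (.*)$")
CLSID_KEY_RE = re.compile(r"^HKEY_CLASSES_ROOT\\CLSID\\(\{[0-9A-F-]{36}\})$", re.I)


def parse_reg_diff(text):
    """Return {key_path: {value_name: value}} for every key in the listing."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(2)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, value = m.group(2), m.group(3).strip()
            if len(value) >= 2 and value[0] == value[-1] == "'":
                value = value[1:-1]          # drop the tool's quoting of strings
            keys[current][name] = value
    return keys


def com_classes(keys):
    """Summarise each HKCR\\CLSID\\{...} key: friendly name, in-process server
    DLL, threading model and ProgID, read from the standard subkeys."""
    classes = {}
    for path, values in keys.items():
        m = CLSID_KEY_RE.match(path)
        if not m:
            continue
        inproc = keys.get(path + "\\InprocServer32", {})
        classes[m.group(1).upper()] = {
            "name": values.get("(Default)"),
            "dll": inproc.get("(Default)"),
            "threading": inproc.get("ThreadingModel"),
            "progid": keys.get(path + "\\ProgID", {}).get("(Default)"),
        }
    return classes


def classes_served_by(classes, dll):
    """All CLSIDs whose InprocServer32 points at the given DLL (case-insensitive)."""
    return sorted(c for c, info in classes.items()
                  if info["dll"] and info["dll"].lower() == dll.lower())


def ie_toolbar_clsids(keys):
    """CLSIDs listed under IE's per-user Toolbar\\WebBrowser key, i.e. the
    toolbars IE will try to display."""
    found = []
    for path, values in keys.items():
        if path.lower().endswith("\\internet explorer\\toolbar\\webbrowser"):
            found.extend(name.upper() for name in values if name.startswith("{"))
    return sorted(found)


if __name__ == "__main__":
    keys = parse_reg_diff(SAMPLE_DIFF)
    classes = com_classes(keys)
    for clsid in classes_served_by(classes, "C:\\WINDOWS\\DOWNLO~1\\seotoolbar.dll"):
        print(clsid, classes[clsid])
    print("IE toolbars:", ie_toolbar_clsids(keys))
```

The value of the tree representation is that removal can be checked the same way it was found: after cleaning, rerun the diff tool and confirm that `classes_served_by` returns nothing for the DLL path and that `ie_toolbar_clsids` no longer lists the toolbar's CLSID.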

It starts … again

November 3, 2006 on 2:30 pm | In General | 2 Comments

This blog was started at GeeksToGo
to share my research into newly found malware.
I will start transferring my posts from there later on,
because the blog module at GeeksToGo will be discontinued.
Hoping you will still come and read,
Pieter Arntz aka Metallica
