EliteSideBar installer

November 11, 2006 on 3:45 pm | In Malware analysis | No Comments

Originally posted Feb 28 2005, 01:53 PM

Found by OrphanAnnie

Version 8 of this one: http://securityresponse.symantec.com/avcenter/venc/data/adware.elitebar.b.html

Below I list the significant changes the installer (filename sb.exe) makes to the filesystem and registry.

Filesystem
===============
 (+)(FOLDER) C:\WINDOWS\EliteSideBar
      (+)(FILE) EliteSideBar 08.dll = 22:03 27-02-05 46592 bytes
    (FOLDER) C:\WINDOWS\Prefetch
      (+)(FILE) SB.EXE-01BF0FF5.pf = 22:03 27-02-05 15048 bytes

Registry
===============
    (+)(REGISTRY KEY) HKEY_CLASSES_ROOT\CLSID\{0A1D22C3-37BE-470C-9C29-E3074EE0574B}
    (+)(REGISTRY KEY) HKEY_CLASSES_ROOT\CLSID\{0A1D22C3-37BE-470C-9C29-E3074EE0574B}\InprocServer32
      (+)((REGISTRY VALUE)) (Standaard) = ‘C:\WINDOWS\EliteSideBar\EliteSideBar 08.dll’
    (+)(REGISTRY KEY) HKEY_CLASSES_ROOT\CLSID\{BE8D0059-D24D-4919-B76F-99F4A2203647}
      (+)((REGISTRY VALUE)) (Standaard) = ‘Elite SideBar’
    (+)(REGISTRY KEY) HKEY_CLASSES_ROOT\CLSID\{BE8D0059-D24D-4919-B76F-99F4A2203647}\Control
    (+)(REGISTRY KEY) HKEY_CLASSES_ROOT\CLSID\{BE8D0059-D24D-4919-B76F-99F4A2203647}\Implemented Categories
    (+)(REGISTRY KEY) HKEY_CLASSES_ROOT\CLSID\{BE8D0059-D24D-4919-B76F-99F4A2203647}\Implemented Categories\{00021493-0000-0000-C000-000000000046}
    (+)(REGISTRY KEY) HKEY_CLASSES_ROOT\CLSID\{BE8D0059-D24D-4919-B76F-99F4A2203647}\InprocServer32
      (+)((REGISTRY VALUE)) (Standaard) = ‘C:\WINDOWS\EliteSideBar\EliteSideBar 08.dll’
      (+)((REGISTRY VALUE)) ThreadingModel = ‘Apartment’
    (+)(REGISTRY KEY) HKEY_CLASSES_ROOT\CLSID\{BE8D0059-D24D-4919-B76F-99F4A2203647}\Insertable
    (+)(REGISTRY KEY) HKEY_CLASSES_ROOT\CLSID\{BE8D0059-D24D-4919-B76F-99F4A2203647}\MiscStatus
      (+)((REGISTRY VALUE)) (Standaard) = ‘0’
    (+)(REGISTRY KEY) HKEY_CLASSES_ROOT\CLSID\{BE8D0059-D24D-4919-B76F-99F4A2203647}\MiscStatus\1
      (+)((REGISTRY VALUE)) (Standaard) = ‘131473’
    (+)(REGISTRY KEY) HKEY_CLASSES_ROOT\CLSID\{BE8D0059-D24D-4919-B76F-99F4A2203647}\ProgID
      (+)((REGISTRY VALUE)) (Standaard) = ‘CGBand.CGBandObj.1’
    (+)(REGISTRY KEY) HKEY_CLASSES_ROOT\CLSID\{BE8D0059-D24D-4919-B76F-99F4A2203647}\Programmable
    (+)(REGISTRY KEY) HKEY_CLASSES_ROOT\CLSID\{BE8D0059-D24D-4919-B76F-99F4A2203647}\TypeLib
      (+)((REGISTRY VALUE)) (Standaard) = ‘{8AA59E15-6E81-415C-B299-1ADFB50C8E1A}’
    (+)(REGISTRY KEY) HKEY_CLASSES_ROOT\CLSID\{BE8D0059-D24D-4919-B76F-99F4A2203647}\Version
      (+)((REGISTRY VALUE)) (Standaard) = ‘1.0’
    (+)(REGISTRY KEY) HKEY_CLASSES_ROOT\CLSID\{BE8D0059-D24D-4919-B76F-99F4A2203647}\VersionIndependentProgID
      (+)((REGISTRY VALUE)) (Standaard) = ‘CGBand.CGBandObj’
    (+)(REGISTRY KEY) HKEY_CLASSES_ROOT\CLSID\{ED103D9F-3070-4580-AB1E-E5C179C1AE41}
      (+)((REGISTRY VALUE)) (Standaard) = ‘&EliteSideBar’
    (+)(REGISTRY KEY) HKEY_CLASSES_ROOT\CLSID\{ED103D9F-3070-4580-AB1E-E5C179C1AE41}\InprocServer32
      (+)((REGISTRY VALUE)) (Standaard) = ‘C:\WINDOWS\EliteSideBar\EliteSideBar 08.dll’
      (+)((REGISTRY VALUE)) ThreadingModel = ‘Apartment’
    (+)(REGISTRY KEY) HKEY_CLASSES_ROOT\CLSID\{ED103D9F-3070-4580-AB1E-E5C179C1AE41}\Insertable
    (+)(REGISTRY KEY) HKEY_CLASSES_ROOT\CLSID\{ED103D9F-3070-4580-AB1E-E5C179C1AE41}\Instance
    (+)(REGISTRY KEY) HKEY_CLASSES_ROOT\CLSID\{ED103D9F-3070-4580-AB1E-E5C179C1AE41}\Instance\InitPropertyBag
      (+)((REGISTRY VALUE)) (Standaard) = ‘0’
    (+)(REGISTRY KEY) HKEY_CLASSES_ROOT\CLSID\{ED103D9F-3070-4580-AB1E-E5C179C1AE41}\MiscStatus
      (+)((REGISTRY VALUE)) (Standaard) = ‘0’
    (+)(REGISTRY KEY) HKEY_CLASSES_ROOT\CLSID\{ED103D9F-3070-4580-AB1E-E5C179C1AE41}\MiscStatus\1
      (+)((REGISTRY VALUE)) (Standaard) = ‘131473’
    (+)(REGISTRY KEY) HKEY_CLASSES_ROOT\CLSID\{ED103D9F-3070-4580-AB1E-E5C179C1AE41}\Programmable
    (+)(REGISTRY KEY) HKEY_LOCAL_MACHINE\SOFTWARE\Elitum
    (+)(REGISTRY KEY) HKEY_LOCAL_MACHINE\SOFTWARE\Elitum\EliteSideBar
      (+)((REGISTRY VALUE)) excluded = ‘google.com,yahoo.com,searchmiracle.com’
      (+)((REGISTRY VALUE)) FirstTimeStarted = 1
      (+)((REGISTRY VALUE)) maxshow = ‘6’
      (+)((REGISTRY VALUE)) path = ‘C:\WINDOWS\EliteSideBar\’
      (+)((REGISTRY VALUE)) UpdateAttempt = ‘27020522’
      (+)((REGISTRY VALUE)) UpdateDate = ‘27020501’
      (+)((REGISTRY VALUE)) url = ‘http://yupsearch.com/sb.php?qq=’
      (+)((REGISTRY VALUE)) version = ’08’
    (+)(REGISTRY KEY) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ED103D9F-3070-4580-AB1E-E5C179C1AE41}
    (+)(REGISTRY KEY) HKEY_USERS\S-1-5-21-1947229034-1613120521-1437238077-1008\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{ED103D9F-3070-4580-AB1E-E5C179C1AE41}
    (+)(REGISTRY KEY) HKEY_USERS\S-1-5-21-1947229034-1613120521-1437238077-1008\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{ED103D9F-3070-4580-AB1E-E5C179C1AE41}\iexplore
      (+)((REGISTRY VALUE)) Count = 3
      (+)((REGISTRY VALUE)) Time = …………,…
      (+)((REGISTRY VALUE)) Type = 3
    (+)(REGISTRY KEY) HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{ED103D9F-3070-4580-AB1E-E5C179C1AE41}
    (+)(REGISTRY KEY) HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{ED103D9F-3070-4580-AB1E-E5C179C1AE41}\iexplore
      (+)((REGISTRY VALUE)) Count = 3
      (+)((REGISTRY VALUE)) Time = …………,…
      (+)((REGISTRY VALUE)) Type = 3
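
The listing above shows the persistence mechanism: the DLL is registered as a COM server under three CLSIDs, one of them (ED103D9F-...) is then listed under Explorer\Browser Helper Objects so Internet Explorer loads it at start-up, and the Ext\Stats entries under the user hive show IE has already loaded it. The script below is an added example, not part of the original post; it enumerates every registered BHO, resolves each CLSID to its InprocServer32 DLL, and flags the CLSIDs, DLL name, config key and folder from this listing. It is read-only. The Wow6432Node path and the Get-ItemPropertyValue cmdlet are assumptions (64-bit Windows and PowerShell 5 or later); the 2005 sample was observed on 32-bit Windows XP, where only the first BHO root exists.

```powershell
# Added example (not from the original post): audit Browser Helper Objects and
# flag the EliteSideBar indicators listed above. Reports only, removes nothing.
# Run from an elevated PowerShell prompt on the host under investigation.

# Indicators taken from the listing above
$KnownBadClsids = @(
    '{ED103D9F-3070-4580-AB1E-E5C179C1AE41}',  # the BHO itself ("&EliteSideBar")
    '{BE8D0059-D24D-4919-B76F-99F4A2203647}',  # CGBand.CGBandObj band object
    '{0A1D22C3-37BE-470C-9C29-E3074EE0574B}'   # third CLSID served by the same DLL
)
$KnownBadDll = 'EliteSideBar 08.dll'
$ConfigKey   = 'HKLM:\SOFTWARE\Elitum\EliteSideBar'
$Folder      = Join-Path $env:SystemRoot 'EliteSideBar'

# IE loads one BHO per subkey under these roots. The Wow6432Node root is an
# assumption for 64-bit hosts; it does not exist on the 32-bit XP the sample ran on.
$BhoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

function Get-BhoInventory {
    foreach ($root in $BhoRoots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($key in Get-ChildItem $root) {
            $clsid = $key.PSChildName
            # The BHO key only names the CLSID; the DLL comes from
            # HKCR\CLSID\<clsid>\InprocServer32 (default value), as in the listing.
            $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
            $dll = $null
            if (Test-Path $server) {
                $dll = (Get-ItemProperty -Path $server).'(default)'
            }
            $dllExists = $false
            if ($dll) { $dllExists = Test-Path -LiteralPath ($dll.Trim('"')) }
            $matches = ($KnownBadClsids -contains $clsid) -or
                       ($dll -and ($dll -like "*$KnownBadDll"))
            [PSCustomObject]@{
                Clsid      = $clsid
                Dll        = $dll
                DllExists  = $dllExists   # a BHO whose DLL is gone is a leftover, not a live load
                MatchesIoc = $matches
            }
        }
    }
}

# 1. Every BHO on the host, with the ones matching this listing flagged
Get-BhoInventory | Sort-Object MatchesIoc -Descending | Format-Table -AutoSize

# 2. The adware's own configuration (search redirect URL, excluded domains, version)
if (Test-Path $ConfigKey) {
    Write-Output "Config key present: $ConfigKey"
    Get-ItemProperty -Path $ConfigKey | Select-Object url, excluded, path, version
}

# 3. The dropped folder and DLL
if (Test-Path $Folder) {
    Write-Output "Folder present: $Folder"
    Get-ChildItem -Path $Folder | Select-Object Name, Length, LastWriteTime
}

# 4. Ext\Stats under the current user records that IE actually loaded the extension
foreach ($clsid in $KnownBadClsids) {
    $stats = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\$clsid\iexplore"
    if (Test-Path $stats) {
        $count = Get-ItemPropertyValue -Path $stats -Name Count
        Write-Output "IE has loaded $clsid in this profile (Count = $count)"
    }
}
```

Step 1 is the part worth keeping beyond this sample: any BHO whose InprocServer32 DLL sits outside Program Files or System32, or whose DLL no longer exists on disk, deserves a look regardless of its CLSID. Step 4 only covers the profile the script runs under; the listing shows the same Ext\Stats key under HKEY_USERS\<SID>, so other profiles need their hives checked separately.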
