Saturday, February 25, 2012

Adware:Win32/Hotbar


Encyclopedia entry
Updated: Jul 28, 2011  |  Published: Jun 21, 2006

Aliases
Not available

Alert Level
Moderate

Antimalware protection details
Microsoft recommends that you download the latest definitions to get protected.
Detection last updated:
Definition: 1.121.359.0
Released: Feb 24, 2012
Detection initially created:
Definition: 1.45.287.0
Released: Oct 07, 2008


 

Summary

Adware:Win32/Hotbar displays a dynamic toolbar and targeted pop-up ads based on its monitoring of web-browsing activity. Adware:Win32/Hotbar installs a browser toolbar that works in Internet Explorer 6, 7, 8 and Firefox 3.6 and 4.0. The tool is a multi-component adware program designed to monitor a user's online browsing behavior to deliver targeted advertising. It also installs other adware components related to Win32/ClickPotato and Win32/ShopperReports. Hotbar also installs graphical skins for Internet Explorer, Outlook, and Outlook Express. It may collect user-related information and may silently download and run updates or other code from its servers.


 

Symptoms

System Changes
The following system changes may indicate the presence of Adware:Win32/Hotbar:
  • The presence of the following files:

    HBLiteSA.exe
    HBLiteSAAX.dll
    HBLiteSAHook.dll
    HBLiteUninstaller.exe
    npclntax_HBLiteSA.dll
  • The presence of the following registry subkeys:

    HKCU\Software\HbTools
    HKLM\SOFTWARE\HbTools


 

Technical Information (Analysis)

Adware:Win32/Hotbar drops numerous files during an installation, and may install itself to paths that include the following:
  • C:\Documents and Settings\<user name>\Application Data\hbtools
  • C:\Documents and Settings\<user name>\Application Data\hotbar
  • C:\Program Files\hbtools
  • C:\Program Files\hotbar
Adware:Win32/Hotbar may be present as the following:
  • HBLiteSA.exe
  • HBLiteSAAX.dll
  • HBLiteSAHook.dll
  • HBLiteUninstaller.exe
  • npclntax_HBLiteSA.dll
Adware:Win32/Hotbar installation adds numerous keys to the registry, including the following:
  • HKCU\Software\HbTools
  • HKLM\SOFTWARE\HbTools
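The file names, install directories and HbTools registry keys this entry lists can be checked on a host with a read-only script. The PowerShell below is an added example, not part of the original entry; the `AppData\Roaming` location, the `Program Files (x86)` root and the `WOW6432Node` registry view are assumptions that extend the XP-era locations the entry gives to later Windows versions.

```powershell
# Added example (not from the original entry): read-only indicator check.
$fileNames = 'HBLiteSA.exe', 'HBLiteSAAX.dll', 'HBLiteSAHook.dll',
             'HBLiteUninstaller.exe', 'npclntax_HBLiteSA.dll'
$dirNames  = 'hbtools', 'hotbar'

# Machine-wide roots. The (x86) root is an assumption for 64-bit Windows;
# the entry itself lists only C:\Program Files.
$roots = @(@($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ })

# Per-user roots: read every profile path from the registry instead of
# assuming the "C:\Documents and Settings\<user name>" layout.
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
$sids = @()
foreach ($key in Get-ChildItem $profileList) {
    $path = (Get-ItemProperty -Path $key.PSPath).ProfileImagePath
    if (-not $path -or -not (Test-Path -LiteralPath $path)) { continue }
    $sids  += $key.PSChildName
    $roots += Join-Path $path 'Application Data'   # Windows XP
    $roots += Join-Path $path 'AppData\Roaming'    # Vista and later (assumption)
}

$hits = @()
foreach ($root in $roots) {
    foreach ($dir in $dirNames) {
        $installDir = Join-Path $root $dir
        if (-not (Test-Path -LiteralPath $installDir)) { continue }
        $hits += "Directory: $installDir"
        Get-ChildItem -LiteralPath $installDir -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { $fileNames -contains $_.Name } |
            ForEach-Object { $hits += "File: $($_.FullName)" }
    }
}

# Registry: the HKLM key, its 32-bit view (assumption), and the HKCU key of
# every user whose hive is currently loaded under HKEY_USERS. Hives of users
# who are not logged on are not loaded and are therefore not covered here.
$regKeys = @('HKLM:\SOFTWARE\HbTools', 'HKLM:\SOFTWARE\WOW6432Node\HbTools')
foreach ($sid in $sids) { $regKeys += "Registry::HKEY_USERS\$sid\Software\HbTools" }
foreach ($key in $regKeys) {
    if (Test-Path -LiteralPath $key) { $hits += "Registry key: $key" }
}

if ($hits) { $hits | Sort-Object -Unique } else { 'No indicators from this entry were found.' }
```

A directory hit on a name as generic as `hotbar` is a lead to investigate, not a verdict; a match on one of the listed file names or an HbTools key is the stronger signal.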
Adware:Win32/Hotbar may attempt to connect to any of the following affiliate websites:
Users may be lured to a cybersquatting website, such as those seen below, where software bundled with Adware:Win32/Hotbar may be available for download:
[Screenshots: PinBall Audacity website and legitimate Audacity website; PinBall ARES website and legitimate ARES website]
We have observed Adware:Win32/Hotbar being bundled with the following software:
  • Audacity
  • 7zip
  • Frets on Fire
  • ARES 2010 Version
  • OpenOffice
  • eMule
  • Easy Video
  • Lime Wire
For each website that a user visits, Hotbar may collect information such as originating and current URLs (web-usage paths), user-entered search terms and demographic data, Hotbar button clicks, link clicks, client-computer IP address, and Hotbar cookie ID. Hotbar may also collect personally identifiable information, such as data obtained during user registration processes at third-party websites.
Analysis by Methusela Cebrian Ferrer & Durga Kumar
