Symantec Adware.Istbar/Trojan.ISTsvc Removal Tool 1.1.0
Publisher's Description
Removes toolbar and hijacks from Adware.SideFind and Trojan.ISTsvc.
Behavior
Adware.Istbar is an adware component, which does one or more of the following:
* Installs an Internet Explorer toolbar
* Acts as a Home page and search hijacker
This risk is often distributed with Adware.SideFind and Trojan.ISTsvc.
Symptoms
Your Symantec program detects Adware.Istbar.
Transmission
This security risk can be downloaded from a Web page using an ActiveX installer.
Technical details
File names:
IstBar_DH.dll
istbar.dll
istbarcm.dll
istdownload.exe
cmctl.dll
ysbactivex.dll
Note: Detections dated March 3rd, 2005 or earlier may detect this adware as Adware.Istbar!Dl.
When Adware.Istbar is installed, it does the following:
1. May create some of the following folders and files:
* %ProgramFiles%\ISTbar\cmctl.dll
* %ProgramFiles%\ISTbar\istbarcm.dll
* %ProgramFiles%\ISTbar\imagemap_normal.bmp
* %ProgramFiles%\ISTbar\imagemap_over.bmp
* %ProgramFiles%\ISTbar\version.txt
* %ProgramFiles%\ISTbar\xml_istbar.xml
* %UserProfile%\Favorites\Fun & Games, drops numerous link files in this folder
* %UserProfile%\Favorites\Going Places, drops numerous link files in this folder
* %UserProfile%\Favorites\Living, drops numerous link files in this folder
* %UserProfile%\Favorites\Shop, drops numerous link files in this folder
* %UserProfile%\Favorites\Technology, drops numerous link files in this folder
Notes:
* %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.
* %UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\[Current User] (Windows NT/2000/XP).
2. Creates some of the following registry keys:
3. Adds the values:
"Bandrest" = "Never"
"Search Bar" = "[WEB SITE ON THE COULDNOTFIND.COM DOMAIN]"
"Search Page" = "[WEB SITE ON THE COULDNOTFIND.COM DOMAIN]"
"Search Page_bak" = "[WEB SITE ON THE COULDNOTFIND.COM DOMAIN]"
"Start Page" = "[WEB SITE ON THE COULDNOTFIND.COM DOMAIN]"
"Start Page_bak" = "file:///C:/WINNT/Web/Start.htm"
"Use Search Assistant" = "no"
to the registry subkey:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
to redirect the start page and search pages.
4. Adds the value:
"Bandrest" = "Never"
to the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main
5. Adds the values:
"{FAA356E4-D317-42A6-AB41-A3021C6E7D52}" = ""
"{5F1ABCDB-A875-46C1-8345-B72A4567E486}" = ""
to the registry subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
6. Adds the following toolbar to all Internet Explorer windows:
7. Displays links in the toolbar area relating to words typed anywhere in an Internet Explorer window.
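The Internet Explorer values from steps 3 to 5 can be checked offline against a registry export. The following is an added example, not part of Symantec's tool or the original page; it assumes the export has already been decoded to text, and the sample export, its URL path and the all-zero CLSID are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Indicators from steps 3-5 of the write-up (hive name stripped, lower-cased).
IE_MAIN = r"software\microsoft\internet explorer\main"
TOOLBAR_KEYS = {r"software\microsoft\internet explorer\toolbar",
                r"software\microsoft\internet explorer\toolbar\webbrowser"}
TOOLBAR_CLSIDS = {"{FAA356E4-D317-42A6-AB41-A3021C6E7D52}",
                  "{5F1ABCDB-A875-46C1-8345-B72A4567E486}"}
HIJACK_DOMAIN = "couldnotfind.com"

def parse_reg(text):
    """Parse decoded .reg export text into {key_path: {value_name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None:
            m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
            if m:
                current[m.group(1)] = m.group(2).strip('"')
    return keys

def on_domain(url, domain):
    """True only for the domain itself or a subdomain, not a lookalike suffix."""
    host = (urlparse(url).hostname or "").lower()
    return host == domain or host.endswith("." + domain)

def find_istbar_traces(keys):
    """Return (value_name, reason) pairs for values matching steps 3-5."""
    findings = []
    for path, values in keys.items():
        sub = path.split("\\", 1)[-1].lower()  # drop the hive name
        for name, data in values.items():
            if sub == IE_MAIN and on_domain(data, HIJACK_DOMAIN):
                findings.append((name, "URL on the hijack domain"))
            elif sub == IE_MAIN and name == "Bandrest" and data == "Never":
                findings.append((name, "value listed in steps 3 and 4"))
            elif sub in TOOLBAR_KEYS and name.upper() in TOOLBAR_CLSIDS:
                findings.append((name, "toolbar CLSID listed in step 5"))
    return findings

# Constructed sample export; the URL path and the all-zero CLSID are made up.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://search.couldnotfind.com/"
"Start Page_bak"="file:///C:/WINNT/Web/Start.htm"
"Bandrest"="Never"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{FAA356E4-D317-42A6-AB41-A3021C6E7D52}"=""
"{00000000-0000-0000-0000-000000000001}"=""
'''

if __name__ == "__main__":
    for name, reason in find_istbar_traces(parse_reg(SAMPLE)):
        print(f"{name}: {reason}")
```

The saved "Start Page_bak" value is not flagged because it holds the original local start page rather than a URL on the hijack domain.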




