F-Secure
Tools
Adware:W32/SecToolBar
Summary
This program delivers advertising content to the user. It is usually annoying but harmless, unless it is combined with spyware or trackware.
Details
Network Connections
Attempts to connect to:
• retssam.com
Additional Details
Adware:W32/SecToolBar is an adware program that is installed as Browser Helper Object (BHO) on the Microsoft Internet Explorer (IE) web browser.
Installation
Upon execution, SecToolBar drops a malicious DLL component in:
Which will then copy itself to:
It may also create an encrypted data file used by the following DLL component:
After %windir%\system32\[random name].dll is loaded successfully, the SecToolBar is installed in the browser:
Activity
SecToolbar is able to track the user's web activities, such as their browsing preferences. The adware is also able to monitor the browser's cookies.
The adware may also perform the following actions when executed:
Registry
During installation, the program creates the following registry keys:
Installation
Upon execution, SecToolBar drops a malicious DLL component in:
- C:\Program Files\Hammer.dll
Which will then copy itself to:
- %windir%\system32\[Random name].dll
It may also create an encrypted data file used by the following DLL component:
- %windir%\system32\[Random name].dllbox
After %windir%\system32\[random name].dll is loaded successfully, the SecToolBar is installed in the browser:
Activity
SecToolbar is able to track the user's web activities, such as their browsing preferences. The adware is also able to monitor the browser's cookies.
The adware may also perform the following actions when executed:
- Display abusive third-party advertisement materials
- Give misleading or false warnings
Registry
During installation, the program creates the following registry keys:
- [HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]
- [HKEY_CLASSES_ROOT\CLSID\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
- [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
- [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\{11A69AE4-FBED-4832-A2BF-45AF82825583}]
- [HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
- [HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]
- [HKEY_LOCAL_MACHINE\Sotfware\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= - [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\[random DLL name]]
"Dllname"=[random DLL name]
"Shutdown"="NotifyShutdown"
"Startup"="NotifyStartup"
"Logon"="NotifyLogon"
"Asynchronous"=dword:00000001
"Impersonate"=dword:0000001