EliteBar is an intrusive adware that uses rootkit techniques. So
far we have found no websites that drop it to users' computers,
but we got several reports that EliteBar appeared on computers
without users' consent.
The sample we got is named POKAPOKA63.EXE (interesting that
'poka' means 'bye' in Russian). It came together with the ETB.INI
file that contains configuration settings and a few other XML and
image files. When run, the main executable file extracts 2 DLLs
to the same folder and activates them. These DLLs make Windows
hide EliteBar's files and installation directory (in our case
C:\WINDOWS\ETB). After EliteBar gets installed to a system there
appears a new toolbar in Internet Explorer:
The toolbar provides customized search services through the
pre-defined search engine. In the sample that we got the search
engine was configured to access 'www.easysearch4you.com' website.
The 'pokapoka63.exe' file injects the 'nt_hide63.dll' into other
processes unless their module name starts with any of the
following strings 'protector', 'system', 'msnmgr', 'mdm',
'lsass', 'spoolsv', 'iexplore', 'idle', 'csrss', 'smss',
'svchost', 'pokapoka', 'temp', 'test' or 'vmware'.
This fact allows the user to see all hidden objects by simply
renaming his/her chosen tool into any of the above and then
executing it. For example, if cmd.exe is renamed into test.exe
and executed, it will see the hidden installation directory.
The 'nt_hide63.dll' installs IAT (Import Address Table) hooks and
maintains the launch point of the 'pokapoka63.exe'. The launch
point resides in the [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
key with value name 'System service63'. IAT hooks for the
following DLLs are installed if they exist in the process:
These hooks are commonly used for hiding processes, directories and
files, registry keys and values, and installing hooks into new modules.
F-Secure Anti-Virus detects this intrusive adware with the
Writeup and Technical Details:
Alexey Podrezov and Kimmo Kasslin, September 6th, 2005;
Alexey Podrezov, September 7th, 2005;