Threat Description

EliteBar.A

Details

Aliases:EliteBar.A, EliteBar.A, Trojan.Win32.EliteBar.A, AdClicker-BA trojan, Trojan.Elitebar, TROJ_ADCLICK.AE, Elitebar
Category: Malware
Type:
Platform: W32

Summary



EliteBar is an intrusive adware that utilizes rootkit features to hide its presence on an affected computer. Originally it was detected only with adware databases, but we decided to move its detection into anti-virus databases because of its intrusive rootkit-like behaviour.



Removal


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More

You may wish to refer to the Support Community for further assistance. You also may also refer to General Removal Instructions for a general guide on alternative disinfection actions.



Technical Details



EliteBar is an intrusive adware that uses rootkit techniques. So far we have found no websites that drop it to users' computers, but we got several reports that EliteBar appeared on computers without users' consent.

The sample we got is named POKAPOKA63.EXE (interesting that 'poka' means 'bye' in Russian). It came together with the ETB.INI file that contains configuration settings and a few other XML and image files. When run, the main executable file extracts 2 DLLs to the same folder and activates them. These DLLs make Windows hide EliteBar's files and installation directory (in our case C:\WINDOWS\ETB). After EliteBar gets installed to a system there appears a new toolbar in Internet Explorer:

The toolbar provides customized search services through the pre-defined search engine. In the sample that we got the search engine was configured to access 'www.easysearch4you.com' website.

Rootkit Functionality

The 'pokapoka63.exe' file injects the 'nt_hide63.dll' into other processes unless their module name starts with any of the following strings 'protector', 'system', 'msnmgr', 'mdm', 'lsass', 'spoolsv', 'iexplore', 'idle', 'csrss', 'smss', 'svchost', 'pokapoka', 'temp', 'test' or 'vmware'.

This fact allows the user to see all hidden objects by simply renaming his/her chosen tool into any of the above and then executing it. For example, if cmd.exe is renamed into test.exe and executed, it will see the hidden installation directory.

The 'nt_hide63.dll' installs IAT (Import Address Table) hooks and maintains the launch point of the 'pokapoka63.exe'. The launch point resides in the [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] key with value name 'System service63'. IAT hooks for the following DLLs are installed if they exist in the process:

kernel32.dll:
	LoadLibraryExA
	LoadLibraryExW
	LoadLibraryW
	GetProcAddress

 ntdll.dll:
	NtQuerySystemInformation
	NtEnumerateValueKey
	NtQueryKey
	NtEnumerateKey
	NtQueryDirectoryFile
	NtResumeThread
	NtVdmControl
	

These hooks are commonly used for hiding processes, directories and files, registry keys and values, and installing hooks into new modules.



Detection


F-Secure Anti-Virus detects this intrusive adware with the following updates:
Detection Type: PC
Database: 2005-09-05_02



Technical Details: Alexey Podrezov and Kimmo Kasslin, September 6th, 2005
Description Last Modified: Alexey Podrezov, September 7th, 2005


SUBMIT A SAMPLE

Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Disinfect your PC

F-Secure Anti-Virus will disinfect your PC and remove all harmful files

Learn More