Threat Descriptions

Adware:W32/SecToolBar

Classification

Category :

Spyware

Type :

Adware

Platform :

W32

Aliases :

-

Summary

This program delivers advertising content to the user. It is usually annoying but harmless, unless it is combined with spyware or trackware.

Removal

Based on the settings of your F-Secure security product, it may block the file from running, move it to the quarantine where it cannot spread or cause harm, or ask you to select an action.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

Adware:W32/SecToolBar is an adware program that is installed as Browser Helper Object (BHO) on the Microsoft Internet Explorer (IE) web browser.

Installation

Upon execution, SecToolBar drops a malicious DLL component in:

  • C:\Program Files\Hammer.dll

Which will then copy itself to:

  • %windir%\system32\[Random name].dll

It may also create an encrypted data file used by the following DLL component:

  • %windir%\system32\[Random name].dllbox

After %windir%\system32\[random name].dllis loaded successfully, the SecToolBar is installed in the browser:

Activity

SecToolbar is able to track the user's web activities, such as their browsing preferences. The adware is also able to monitor the browser's cookies.

The adware may also perform the following actions when executed:

  • Display abusive third-party advertisement materials
  • Give misleading or false warnings

Registry

During installation, the program creates the following registry keys:

  • [HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]
  • [HKEY_CLASSES_ROOT\CLSID\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\{11A69AE4-FBED-4832-A2BF-45AF82825583}]
  • [HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
  • [HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]
  • [HKEY_LOCAL_MACHINE\Sotfware\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar] "{11A69AE4-FBED-4832-A2BF-45AF82825583}"=
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\[random DLL name]] "Dllname"=[random DLL name] "Shutdown"="NotifyShutdown" "Startup"="NotifyStartup" "Logon"="NotifyLogon" "Asynchronous"=dword:00000001 "Impersonate"=dword:0000001

Network Connections

Attempts to connect to:

  • retssam.com