EliteBar.A

Classification

Category: Malware

Type: -

Aliases: EliteBar.A, Trojan.Win32.EliteBar.A, AdClicker-BA trojan, Trojan.Elitebar, TROJ_ADCLICK.AE, Elitebar

Summary

EliteBar is intrusive adware that uses rootkit features to hide its presence on an affected computer. Originally it was detected only with the adware databases, but we decided to move its detection into the anti-virus databases because of its intrusive, rootkit-like behaviour.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

EliteBar is intrusive adware that uses rootkit techniques. So far we have found no websites that drop it onto users' computers, but we have received several reports that EliteBar appeared on computers without the users' consent.

The sample we got is named POKAPOKA63.EXE (interestingly, 'poka' means 'bye' in Russian). It came together with the ETB.INI file, which contains configuration settings, and a few other XML and image files. When run, the main executable file extracts 2 DLLs to the same folder and activates them. These DLLs make Windows hide EliteBar's files and installation directory (in our case C:\WINDOWS\ETB). After EliteBar is installed on a system, a new toolbar appears in Internet Explorer.

The toolbar provides customized search services through a pre-defined search engine. In the sample that we got, the search engine was configured to access the 'www.easysearch4you.com' website.

Rootkit Functionality

The 'pokapoka63.exe' file injects 'nt_hide63.dll' into other processes unless their module name starts with any of the following strings: 'protector', 'system', 'msnmgr', 'mdm', 'lsass', 'spoolsv', 'iexplore', 'idle', 'csrss', 'smss', 'svchost', 'pokapoka', 'temp', 'test' or 'vmware'.

This allows the user to see all hidden objects simply by renaming a chosen tool so that its name starts with any of the above strings and then executing it. For example, if cmd.exe is renamed to test.exe and executed, it will see the hidden installation directory.

'nt_hide63.dll' installs IAT (Import Address Table) hooks and maintains the launch point of 'pokapoka63.exe'. The launch point resides in the [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] key with the value name 'System service63'. IAT hooks are installed for the following functions, if the DLL that exports them exists in the process:

  • kernel32.dll: LoadLibraryExA, LoadLibraryExW, LoadLibraryW, GetProcAddress

  • ntdll.dll: NtQuerySystemInformation, NtEnumerateValueKey, NtQueryKey, NtEnumerateKey, NtQueryDirectoryFile, NtResumeThread, NtVdmControl

These hooks are commonly used for hiding processes, directories and files, registry keys and values, and installing hooks into new modules.
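
The injection exemption described above lends itself to a cross-view check: capture the same listing once with a normally named tool and once with a copy whose name starts with an exempt prefix, then diff the two. The following is an added example, not F-Secure code. The function names and sample listings are constructed, and the case-insensitive prefix match is an assumption.

```python
# Added example: offline cross-view diff of listings captured on one host.
# Only the prefix list comes from the page; all other names are hypothetical.
EXEMPT_PREFIXES = (
    "protector", "system", "msnmgr", "mdm", "lsass", "spoolsv", "iexplore",
    "idle", "csrss", "smss", "svchost", "pokapoka", "temp", "test", "vmware",
)


def is_exempt(module_name):
    """True if a process with this module name is skipped by the injector.

    Assumption: the prefix comparison ignores case (the page does not say).
    """
    base = module_name.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return base.startswith(EXEMPT_PREFIXES)


def cross_view(captures):
    """Return entries that only exempt (unhooked) tools could see.

    captures: list of (tool_module_name, [entry, ...]) pairs for the same
    object, e.g. one directory or the value names of one registry key.
    """
    clean = [e for tool, entries in captures if is_exempt(tool) for e in entries]
    hooked = {e.lower() for tool, entries in captures
              if not is_exempt(tool) for e in entries}
    if not clean or not hooked:
        # Without both views there is nothing to compare against.
        raise ValueError("need captures from an exempt and a non-exempt tool")
    return sorted({e for e in clean if e.lower() not in hooked})


# Constructed sample: C:\WINDOWS as listed by cmd.exe and by a copy named test.exe.
DIR_CAPTURES = [
    ("cmd.exe", ["explorer.exe", "system32", "Temp"]),
    ("test.exe", ["explorer.exe", "system32", "Temp", "ETB"]),
]
# Constructed sample: value names under the Run key from two registry tools.
RUN_CAPTURES = [
    ("reg.exe", ["ctfmon.exe"]),
    ("test_reg.exe", ["ctfmon.exe", "System service63"]),
]

if __name__ == "__main__":
    print("hidden in directory:", cross_view(DIR_CAPTURES))
    print("hidden in Run key:", cross_view(RUN_CAPTURES))
```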