Tuesday, July 19, 2011

Trojan-Downloader.ISTbar

VirusHunter warns computer users about the discovery on the Internet of a large number of malicious programs that are modifications of the Trojan-Downloader family Trojan-Downloader.ISTbar. This family is characterised by the fact that, having installed itself in the system under the guise of various software, it tries, secretly from the user, to download from various sites and install on the infected machine other malware, its own plug-ins (additional functions), and updated versions of its own program files...

Preliminary information.

The Trojan family received the name "ISTbar" from the software name specified in the digital signatures of its component files. The first versions of the Trojan appeared somewhere in the middle of 2003, after which their number began to grow rapidly, and it now (officially) stands at about 150 (!) representatives (my collection of malware has slightly more than 20 representatives of the family).
All members of the "ISTbar" family are either Windows applications (PE EXE programs, if the file has the extension "EXE") or modular components of Windows programs (PE DLL libraries, if the file has the extension "DLL"). All versions of the Trojan are written in the high-level language Microsoft Visual C. The PE files are compressed with the "UPX" packer, version 1.24. Some versions of the Trojan contain part of their code in encrypted form.
The ways the Trojans get onto a user's computer can differ. The main sources are Internet resources of a pornographic and crack-software nature, where the probability of catching a "venereal disease" for your computer, under the guise of a useful program or through vulnerabilities in the web browser's script protection (see the description of the Trojan-Downloader.Dyfuca family), is much higher than on any official resource. Also, many versions of the Trojan may be installed in the system by other malicious programs that got onto the computer of a careless user some time ago. This description so far contains more or less detailed information on the 16 most common modifications of the Trojan Trojan-Downloader.ISTbar. I hasten to say that the description of each modification is made on the basis of the code I studied; in my opinion there is no need to conduct additional experiments on a test machine. The following things are "by default" in the text of the description:
- the name of the system directory is WINDOWS;
- "software" means software (programs);
- the term "web browser" refers to Internet Explorer; if any version of the Trojan works with other web browsers, those are specified in the description of that "ISTbar" modification;
- most modifications of the Trojan work under various versions of Windows, including Windows 2K/2K Server/XP; if a modification works only under certain versions of Windows, those are also listed in the description of that "ISTbar" modification;
- the symbol "%" in the text marks fragments that do not have a constant value, i.e. variables that depend on some conditions; in the Internet links from which the Trojan family downloads other malware I also replace parts of the addresses with this symbol, for the safe presentation of information on the actions of "ISTbar";
- data on the detection of the "ISTbar" family is given as of the date of the last modification made to the text of the description.

1. Trojan-Downloader.ISTbar.plugin_v1.0.0.2

Distributed under the name ISTactivex.dll and has a size of 15,872 bytes (uncompressed: 57,344 bytes).
When activated (initially it can only be run by other malware) it registers itself as a web browser add-on, for which it creates a new class in the "HKCR" registry hive: {EF86873F-04C2-4a95-A373-5703C08EFC7B}. When the machine connects to the Internet the Trojan downloads to it the infected file http://install.xxxtoolbar.com/%/%/addins/istdownload.exe, which it then saves as WINDOWS\ist_install.exe and executes. This file is the Trojan Trojan-Downloader.ISTbar.MegaLoader (see description below). This version of the Trojan file (ISTactivex.dll) is detected by anti-virus software as: Kaspersky Anti-Virus Professional: Trojan.Downloader.IstBar.AG

2. Trojan-Downloader.ISTbar.SexyLoader

Distributed under the name sexy_download.exe and has a size of 16,896 bytes (uncompressed: 45,056 bytes). Partially encrypted. Installed on the computer by one of the Trojans described below. When the machine connects to the Internet the Trojan downloads to it the infected file http://www.slotch.com/%/%/addins/sexyscreen.exe, which it then saves as WINDOWS\sexyscreen.exe and executes. While downloading this file the Trojan requests instructions from the server http://www.slotch.com/%/%/ist_debug?step= and also reports its status there in the form of the following messages:
Download timed out, this is Likely due to a Connection problem
Error while downloading program
Unknown
% KB/s
% completed
%:%:%
Failed to recieve Entire file!
Error downloading program
Error During a Download
Error while attempting to Download program, Further details:
Error Opening local file
Error writing to local file %, Please ensure the file is Not Being Used by Another program
Error Unable to Retrieve Download size
Error while querying Remote Server
The Trojan's procedures for registering itself in the system are in the encrypted part of its code, but in the list of installed software it can be seen under the name "Sexy Video ScreenSaver FREE". This version of the Trojan file (sexy_download.exe) is detected by anti-virus software as: Kaspersky Anti-Virus Professional: Trojan.Downloader.Istbar.AH

3. Trojan-Downloader.ISTbar.istsvcupdater

Distributed under the name istsvc_updater.exe and has a size of 8,704 bytes (uncompressed: 40,960 bytes). Installed on the computer by one of the Trojans described below, in a specially created subdirectory, as Program Files\ISTsvc\istsvc_updater.exe. This version of the Trojan is theoretically operational only under the following versions of Windows: Windows 95, Windows 98 (98 SE), Windows ME, Windows NT, Windows NT Server, Windows NT Workstation. When checking system compatibility it also checks whether the system is Windows version 3.1 (it is unclear why, since that version of Windows is 16-bit and the Trojan is not operational under it at all). To register itself in the system the Trojan creates a key in the registry section [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ProductOptions]. In the system folder "Favorites" the Trojan creates a shortcut; clicking on it calls the link http://www.slotch.com/%/%/ist_shortcuts_jump.php. If the user opens this link while on the Internet there is a potential risk of infecting the machine with other Trojans. While the machine is on the Internet the Trojan secretly loads the page http://install.xxxtoolbar.com/%/%/ist_shortcuts_list.php, from which it retrieves the file "shortcuts.txt" with a list of sites from which the Trojan will download other malicious programs. The Trojan also searches for and downloads additional plug-ins (configuration files and modular components) and newer versions of its program by accessing the page http://www.slotch.com/%/%/istsvc_ads_data.php; the Trojan re-accesses this page at a set interval. The Trojan also downloads and executes a file from the page http://install.xxxtoolbar.com/%/%/addins/istsvc.exe. This file is the program Trojan-Downloader.ISTbar.istsvc or Trojan-Downloader.ISTbar.istsvc-II (see descriptions below).
The Trojan registers its file istsvc_updater.exe in the system (in the list of installed programs) as "software" named "Bargains" or "ISTbar". To do so, it creates a corresponding entry in the registry key [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion] and copies the file into one of the following subdirectories created by it: Program Files\Bargains\istsvc_updater.exe or Program Files\ISTbar\ISTbar\istsvc_updater.exe. In the same subdirectory the Trojan also places the plug-in files it downloads. To determine its presence in the system, the Trojan creates a special "tag" identifier (a mutex) in the machine's memory. This version of the Trojan file (istsvc_updater.exe) is detected by anti-virus software as: Kaspersky Anti-Virus Professional: Trojan.Downloader.IstBar.BO

4. Trojan-Downloader.ISTbar.istsvc

Distributed under the name istsvc.exe and has a size of 8,704 bytes (uncompressed: 24,576 bytes). Installed by the Trojans Trojan-Downloader.ISTbar.istsvcupdater (see above), Trojan-Downloader.ISTbar.MegaLoader or Trojan-Downloader.ISTbar.MegaLoader-II (see descriptions below), which create the subdirectory for it: Program Files\ISTsvc\istsvc.exe. The Trojan istsvc.exe is operational on machines with the following web browsers installed: Internet Explorer, Netscape, Mozilla, Opera. This version of the Trojan only searches for and downloads to the affected computer, via the Internet, updated versions of itself, and also keeps site-visit statistics, for which it retains some technical data. In its work, in addition to standard Windows calls, the Trojan also uses some functions of the DOS system shell COMMAND.COM. To run at every system startup the Trojan creates an entry in the registry key [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]. To run as a service it also creates an entry in the registry key [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]. The Trojan registers its file istsvc.exe in the system (in the list of installed programs) as "software" named "ISTsvc". To do this it writes the corresponding entries in the registry key [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion]. To determine its presence in the system, the Trojan creates a special "tag" identifier (a mutex) in the machine's memory. At regular intervals the Trojan checks the page http://www.xxxtoolbar.com/%/%/istsvc_config.php for updated configuration files (files containing updated settings) and newer versions of its program. This version of the Trojan can potentially be uninstalled from the system by the user, since the Trojan creates the corresponding registry key as well as a batch script istsvc_del.bat containing its uninstall (?) procedure.
As the location for its main file istsvc.exe, as well as for other components, the Trojan uses a subdirectory it creates named Program Files\ISTbar\ISTbar\. If the user starts the uninstall procedure, a window appears with the following query:
Are you sure you Want to Remove ISTsvc? Some free software require ISTsvc to be installed to continue to work. If you proceed with Uninstallation, Some Software May Stop working. PROCEED WITH unInstall? YES | NO
If the user chooses "YES" to delete the Trojan from the system, it loads the page http://www.slotch.com/%/%/log_uninstalls.php, which keeps a count of machines affected by the Trojan; on accessing it from a machine with an active copy, the Trojan increments this counter by 1. This version of the Trojan file (istsvc.exe) is detected by anti-virus software as: Kaspersky Anti-Virus Professional: Trojan.Downloader.IstBar.CE

5. Trojan-Downloader.ISTbar.MegaLoader

Distributed under the name ist_install.exe and has a size of 12,800 bytes (uncompressed: 61,440 bytes). Installed on the computer by the Trojan Trojan-Downloader.ISTbar.plugin_v1.0.0.2 (see above) in the Windows system folder: WINDOWS\ist_install.exe. This version of the Trojan (ist_install.exe) is theoretically operational only under the following versions of Windows: Windows 95, Windows 98 (98 SE), Windows ME, Windows NT, Windows NT Server, Windows NT Workstation. When checking system compatibility it also checks whether the system is Windows version 3.1 (it is unclear why, since that version of Windows is 16-bit and the Trojan is not operational under it at all). To register itself in the system the Trojan creates a key in the registry section [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ProductOptions]. To run at every system startup it creates several entries in different keys of the system registry. In the system folder "Favorites" the Trojan creates a shortcut; clicking on it calls the link http://www.slotch.com/%/%/ist_shortcuts_jump.php. If the user opens this link while on the Internet, there is a potential risk of infecting the machine with other Trojans. While the machine is on the Internet the Trojan secretly loads the page http://install.xxxtoolbar.com/%/%/ist_shortcuts_list.php, from which it retrieves the file "shortcuts.txt" with a list of sites from which the Trojan will download other malware.
As the start page the Trojan sets http://www.slotch.com/, changing the corresponding value in the registry key [HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]. In addition, while the user is on the Internet, the Trojan performs hidden searches through the above site by modifying the value of the registry key [HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search]. The Trojan embeds an additional search bar (SearchBar) in the web browser which, when clicked, loads the page http://www.couldnotfind.com/search_page.html. Each time the machine connects to the Internet the Trojan secretly contacts the page http://install.xxxtoolbar.com/%/%/ist_show.php, from which it reads some data. Then, in addition to the links read from the file "shortcuts.txt", the Trojan searches for, downloads to the infected machine and executes the following files, which are other Trojans. These "Trojan brothers" are installed under the names given in the links (the Trojan renames some of them before installing) posing as service processes, Internet search engines, system optimisers and so on. To run at startup, both simple keys and whole classes of registry entries are written for them. The above Trojan installs the files in subdirectories it creates (changing the names of some files) and then runs them:
Program Files\ISTsvc\istsvc.exe
Program Files\ISTsvc\istsvc_updater.exe
Program Files\Bargains\bb.exe
Program Files\Browser Helper Objects\igetnet.exe
Program Files\Avenue Media\Internet Optimizer\euniverse.exe
Program Files\Lycos\SideSearch\lycos_ss.exe
Program Files\StatBlaster\sbinstall.exe
Program Files\180Solutions\msbb.exe
Program Files\WhenUSave\whenu.exe
Program Files\KeywordsInc\keywordsinc.exe
Program Files\ISTbar\ISTbar\istbar.dll
Program Files\PowerScan\powerscan.exe
Program Files\IST\powerscan.exe
These files are the following Trojans:
- istsvc.exe - the Trojan Trojan-Downloader.ISTbar.istsvc or Trojan-Downloader.ISTbar.istsvc-II, described in this article;
- istsvc_updater.exe - the Trojan Trojan-Downloader.ISTbar.istsvcupdater, described in this article, or another variant of the ISTbar family whose compressed size is 9,728 bytes and decompressed size 45,056 bytes (a description of this modification is absent for the moment);
- bb.exe - one of many variants of an installer program (its size may vary from 200 to 300 KB depending on its contents) that installs other malicious programs on the computer, among which there may be spyware;
- igetnet.exe - either one of the many variants of the Trojan-Downloader.Dyfuca family, or a Trojan program (compressed with "UPX" version 1.24, 93,184 bytes; 138,240 bytes decompressed) that places various files of undetermined content on the machine; not studied in detail;
- euniverse.exe - one of 2 Trojans, of 184,534 and 140,015 bytes respectively (not studied in detail), both of which change the settings of Internet Explorer and also secretly download other malware from the Internet;
- lycos_ss.exe - the Trojan program Trojan-Downloader.ISTbar.SideFind, described in this article, or the Trojan "SideSearch" of 140,645 bytes (not studied in detail), which redirects the web browser to some sites of unknown content, from which other malware can be downloaded;
- sbinstall.exe - not detected;
- msbb.exe - not detected;
- whenu.exe - a program of 65,608 bytes (not studied in detail) which offers (?) to download some software from the Internet;
- keywordsinc.exe - a Trojan of 140,148 bytes (not studied in detail) which registers in the system as a GUI component (under the guise of a module of the system application "Explorer") and then secretly downloads other malware to the affected computer;
- cnbabeie.exe - not detected;
- optimize.exe - one of the numerous modifications of the Trojan-Downloader.Dyfuca family;
- dating.exe - not detected;
- sexy_download.exe - the Trojan Trojan-Downloader.ISTbar.SexyLoader, described in this article;
- bridge.exe - the Trojan Trojan-Downloader.LittleTroy.16384-A;
- istbar.dll - the Trojan program Trojan-Downloader.ISTbar.plugin_v1.1.0.1 or Trojan-Downloader.ISTbar.plugin-II_v1.1.0.2, described in this article;
- powerscan.exe - the Trojan Trojan-Downloader.PowerScan.11.
Anti-virus detection names for all of these Trojan files for which there are no descriptions on the site www.daxa.com.ua/virushunter are given at the end of this article. In the list of installed programs new objects appear with the corresponding "software" names, as well as some others. As the time and date of certain files the Trojan sets the real values of the corresponding parameters divided by 5 and rounded to an integer (for the "year" parameter only the last 2 digits are processed), which makes these new files harder to find. This version of the Trojan file (ist_install.exe) is detected by anti-virus software as: Kaspersky Anti-Virus Professional: Trojan.Downloader.IstBar.CY

6. Trojan-Downloader.ISTbar.plugin_v1.1.0.1

Distributed under the name istbar.dll and has a size of 68,608 bytes (uncompressed: 176,128 bytes). Installed by the Trojans Trojan-Downloader.ISTbar.MegaLoader (see above) and Trojan-Downloader.ISTbar.MegaLoader-II (see description below).
On its first start it registers itself as a web browser add-on, for which it creates a new class in the "HKCR" registry hive: {5F1ABCDB-A875-46c1-8345-B72A4567E486}. It is installed in the subdirectory Program Files\ISTbar\istbar.dll (or copies itself there, if it was written to disk in some other folder), where it also writes some of its files: Program Files\ISTbar\xml_istbar.php and Program Files\ISTbar\xml_adultbar.php. The file istbar.dll is an additional toolbar embedded in the Internet Explorer interface. When the user uses this toolbar, one of the following pages is called:
http://www.xxxtoolbar.com/%/removed.html (if the user selects the toolbar option "Uninstall", i.e. removing the toolbar)
http://www.slotch.com (when selecting the toolbar option "Search")
http://istbar.xxxtoolbar.com/%/%/istbar/ (when choosing the toolbar update option)
If the Trojan cannot contact the above site, it displays the following message: Alert Can not Retrieve infomation from [link which was called]. Depending on the option selected in the toolbar, the Trojan displays one of the following dialogues:
Please Connect the Internet and restart your browser.
This Will Remove from your Computer! Are you sure?
If you Want to Stop the Toolbar displayaing adult related Links, Click OK. You can switch back to the adult toolbar at anytime by clicking the same button you just clicked.
The Trojan also attempts to download from the Internet the Trojan file istbar_update.exe.
If Windows 2K/2K Server/XP is installed on the infected machine, the Trojan saves to disk a picture file used when displaying the toolbar in Internet Explorer: C:\Documents and Settings\123\Application Data\Hotbar\IESkins\083001edenC-2.bmp. In addition, if the machine has a logical drive named G:, the Trojan also stores a file on it: G:\My Documents\Projects\ISTbar\XmlParser.cpp. This version of the Trojan file (istbar.dll) is detected by anti-virus software as: Kaspersky Anti-Virus Professional: Trojan.Downloader.IstBar.CJ

7. Trojan-Downloader.ISTbar.plugin-II_v1.0.0.2

Distributed under the name ISTactivex.dll and has a size of 17,408 bytes (uncompressed: 57,344 bytes).
When activated (initially it can only be run by other malware) it registers itself as a web browser add-on, for which it creates a new class in the "HKCR" registry hive: {12398DD6-40AA-4c40-A4EC-A42CFC0DE797}. When the machine connects to the Internet the Trojan downloads to it the infected file http://install.xxxtoolbar.com/%/%/v4.0/istdownload.exe, which it then saves as WINDOWS\iinstall.exe and executes. This version of the Trojan file (ISTactivex.dll) is detected by anti-virus software as: Kaspersky Anti-Virus Professional: Trojan.Downloader.Istbar.EN

8. Trojan-Downloader.ISTbar.SideFind

Distributed under the name lycos_ss.exe and has a size of 5,632 bytes (uncompressed: 16,384 bytes). Installed by the Trojans Trojan-Downloader.ISTbar.MegaLoader (see above) and Trojan-Downloader.ISTbar.MegaLoader-II (see description below), which create the subdirectory for it: Program Files\Lycos\SideSearch\lycos_ss.exe. On its first run it copies itself into a created subdirectory as Program Files\SideFind\sidefind.exe and from then on runs from there. As the time and date of this file the Trojan sets the real values of the corresponding parameters divided by 5 and rounded to the nearest integer (for the "year" parameter only the last 2 digits are processed), which hampers detection of the file. To register itself under the guise of service software it creates its own entry in the registry key [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion]. When the machine connects to the Internet the Trojan receives control and downloads to the infected machine the following files, which are plug-ins (component files) of the Trojan; it stores them on disk as Program Files\SideFind\update\sidefind.dll and Program Files\SideFind\update\sfbho.dll. In addition, the Trojan secretly loads the page http://www.sidefind.com/%/%/sidefind/sfexd002.php, on which it looks for an updated version of itself. If a newer version is found, the Trojan downloads it into a specially created subdirectory named Program Files\SideFind\update\sfexd001, then renames the file to sidefind.exe and overwrites the old file of the same name with it. Because the Trojan is listed among the installed software in the system as "SideFind", the user can try to uninstall it. When the uninstall procedure is started, the Trojan opens in the web browser the page http://www.slotch.com/%/%/log_uninstalls.php, and then displays the following prompts:
You must close all Internet Explorer instance of all SideFind to Remove Files Properly. PROCEED WITH unInstall?
Are you sure you Want to Remove SideFind? PROCEED WITH unInstall? Are you sure?
Whether the Trojan is actually uninstalled is hard to say, because that page keeps count statistics of the number of machines infected with the Trojan: on accessing this page the Trojan increments the counter by 1. This version of the Trojan file (lycos_ss.exe) is detected by anti-virus software as: Kaspersky Anti-Virus Professional: Trojan.Downloader.Istbar.EO

9. Trojan-Downloader.ISTbar.crack

Distributed under the name crack.exe and has a size of 4,608 bytes (uncompressed: 16,384 bytes). Partially encrypted.
When run, it installs itself in the system directory under the name WINDOWS\fen0eGA.exe. To register itself under the guise of service software it creates its own entry in the registry key [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion]. When the machine connects to the Internet the Trojan receives control and downloads to the infected machine the file http://www.slotch.com/%/%/v4.0/istdownload.exe. This file is the malicious program Trojan-Downloader.ISTbar.MegaLoader-II (see description below), which the Trojan saves in a created subdirectory as Program Files\IST\istdownload.exe and then runs. The other procedures are contained in the Trojan's code in encrypted form. This version of the Trojan file (crack.exe) is detected by anti-virus software as: Kaspersky Anti-Virus Professional: Trojan.Downloader.IstBar.ER

10. Trojan-Downloader.ISTbar.plugin-III_v1.0.0.2

Distributed under the name ISTactivex.dll and has a size of 16,896 bytes (uncompressed: 57,344 bytes).
All other procedures are identical to those of the version described above, Trojan-Downloader.ISTbar.plugin-II_v1.0.0.2. This version of the Trojan file (ISTactivex.dll) is detected by anti-virus software as: Kaspersky Anti-Virus Professional: Trojan.Downloader.IstBar.FA

11. Trojan-Downloader.ISTbar.plugin-IV_v1.0.0.2

Distributed under the name ISTactivex.dll and has a size of 17,408 bytes (uncompressed: 57,344 bytes).
When activated (initially it can only be run by other malware) it registers itself as a web browser add-on, for which it creates a new class in the "HKCR" registry hive: {386A771C-E96A-421f-8BA7-32F1B706892F}. All other procedures are completely identical to those of the versions described above. This version of the Trojan file (ISTactivex.dll) is detected by anti-virus software as: Kaspersky Anti-Virus Professional: Trojan.Downloader.Istbar.W

12. Trojan-Downloader.ISTbar.MegaLoader-II

Distributed under the name istdownload.exe and has a size of 16,384 bytes (uncompressed: 53,248 bytes). Partially encrypted.
This version of the Trojan is theoretically operational only under the following versions of Windows: Windows 95, Windows 98 (98 SE), Windows ME, Windows NT, Windows NT Server, Windows NT Workstation. When checking system compatibility it also checks whether the system is Windows version 3.1 (it is unclear why, since that version of Windows is 16-bit and the Trojan is not operational under it at all). To register itself the Trojan creates a key in the registry section [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ProductOptions]. To run at every system startup it creates several entries in different keys of the system registry. In the system folder "Favorites" the Trojan creates a shortcut; clicking on it calls the link http://www.slotch.com/. While the machine is on the Internet the Trojan secretly loads the page http://www.ysbweb.com/%/%/ist_shortcuts_jump.php, from which it retrieves the file "shortcuts.txt" with a list of sites from which the Trojan will download other malicious programs. The Trojan also secretly loads another page, http://www.ysbweb.com/%/%/istdownload_config.php, on which it searches for and downloads its plug-in files. As the start page the Trojan sets http://www.couldnotfind.com/search_page.html, changing the corresponding value in the registry key [HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main] and adding to it an additional value named "BandRest". In addition to the links read from the file "shortcuts.txt", the Trojan searches for, downloads to the victim machine and executes the following files, which are other Trojans. These "Trojan brothers" are installed under the names given in the links (the Trojan renames some of them before installing) posing as service processes, Internet search engines, system optimisers and so on. To run at startup, both simple keys and whole classes of registry entries are written for them.
The above Trojan installs the files in subdirectories it creates (changing the names of some files) and then runs them:
Program Files\IST\%.exe
Program Files\ISTsvc\istsvc.exe
Program Files\ISTsvc\istsvc_updater.exe
Program Files\Bargains\bb.exe
Program Files\Browser Helper Objects\igetnet.exe
Program Files\IncrediFind\euniverse.exe
Program Files\Lycos\SideSearch\sidefind.exe
Program Files\VGroup\SAHAgent\sahagent.exe
Program Files\Lycos\SideSearch\lycos_ss.exe
Program Files\Browser Helper Objects\sr.exe
Program Files\StatBlaster\sbinstall.exe
Program Files\180Solutions\Msbb\sais.exe
Program Files\WhenUSave\whenu.exe
Program Files\Twaintec\emusic.exe
Program Files\dbi\bdl14173.exe
Program Files\TSA\targetsaver.exe
Program Files\Browser Helper Objects\%%Bi.exe
Program Files\Avenue Media\Internet Optimizer\optimize.exe
WINDOWS\optimize.exe
WINDOWS\sexy_download.exe
Program Files\CasProg\bridge.exe
Program Files\ISTbar\ISTbar\istbar.dll
Program Files\YourSiteBar\ysb.dll
Program Files\YourSiteBar\welcome.html
Program Files\PowerScan\powerscan.exe
Program Files\Voiceglo\glophone.exe
WINDOWS\WebRebates0.exe
WINDOWS\Web_Rebates.dll
Program Files\IST\config.dll
WINDOWS\istbar_x.dll
WINDOWS\istbar_m.dll
WINDOWS\istbar_s.dll
Program Files\VGroup\SAHAgent\ist_install.php
Many of these files are the same Trojans that are downloaded by the Trojan-Downloader.ISTbar.MegaLoader version (see the description of that Trojan and the list of downloaded files given above). In addition, the following files are downloaded:
- sidefind.exe - the Trojan program Trojan-Downloader.ISTbar.SideFind or Trojan-Downloader.ISTbar.SideFind-II, described in this article;
- sahagent.exe - not detected;
- sr.exe - a program of 201,883 bytes (not studied in detail) of undetermined purpose, which changes some parameters of Internet Explorer;
- sais.exe - not detected;
- emusic.exe - a harmless program of 203,731 bytes (not studied in detail) for connecting to some web resources;
- bdl14173.exe - not detected;
- targetsaver.exe - a Trojan of 147,033 bytes (not studied in detail) that secretly downloads other malware to the affected computer from its own FTP and search-engine websites;
- ysb.dll - a harmless program of 94,208 bytes (compressed with "UPX" version 1.24; 311,296 bytes uncompressed; not studied in detail) that builds its own toolbar (search bar) into Internet Explorer and performs searches on some Internet resources;
- welcome.html - undetected component of the program ysb.dll;
- glophone.exe - not detected;
- WebRebates0.exe - a harmless program of 98,304 bytes (not studied in detail) that studies (?) the information requested by the user on the Internet;
- Web_Rebates.dll - undetected component of the program WebRebates0.exe;
- config.dll - most likely an undetected plug-in of one of the Trojans of the "ISTbar" family;
- istbar_x.dll, istbar_m.dll, istbar_s.dll - undetected plug-ins of some Trojans of the "ISTbar" family;
- ist_install.php - not detected.
Anti-virus detection names for all of these Trojan files for which descriptions are available on the site www.daxa.com.ua/virushunter are given at the end of this article. In the list of installed programs new objects appear with the corresponding "software" names, as well as some others. As the time and date of the installed files the Trojan sets the real values of the corresponding parameters divided by 5 and rounded to the nearest whole number (for the "year" parameter only the last 2 digits are processed), which makes these new files harder to find.
For some of the downloaded programs the Trojan creates special "tag" identifiers (mutexes) in system memory in order to determine their presence on the infected system and not download the corresponding file again. This version of the Trojan file (istdownload.exe) is detected by anti-virus software as: Kaspersky Anti-Virus Professional: Trojan.Downloader.IstBar.GP
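The HKCR class ids, drop paths, Internet Explorer setting changes and server-side scripts quoted across the modifications above can be turned into an offline triage check that runs over an exported inventory and a proxy log. The following Python is an added example written for this page, not code from VirusHunter or from the original description; the registry classes, paths, domains and script names are taken from the text, while the sample inventory, Internet Explorer values and log lines are constructed, and the value names "Start Page" and "SearchAssistant" are assumed.

```python
import re
from urllib.parse import urlsplit

# Browser add-on class ids that the ISTactivex.dll / istbar.dll variants register under HKCR
# (all four are quoted in the description above).
ISTBAR_CLSIDS = {
    "{EF86873F-04C2-4a95-A373-5703C08EFC7B}": "plugin_v1.0.0.2 (ISTactivex.dll)",
    "{5F1ABCDB-A875-46c1-8345-B72A4567E486}": "plugin_v1.1.0.1 / plugin_v1.1.0.2 (istbar.dll, istbar_silent.dll)",
    "{12398DD6-40AA-4c40-A4EC-A42CFC0DE797}": "plugin-II_v1.0.0.2 (ISTactivex.dll)",
    "{386A771C-E96A-421f-8BA7-32F1B706892F}": "plugin-IV_v1.0.0.2 (ISTactivex.dll)",
}
# Drop locations named in the description, lower-cased and without the drive letter.
ISTBAR_PATHS = {
    r"windows\ist_install.exe", r"windows\iinstall.exe", r"windows\sexyscreen.exe",
    r"windows\fen0ega.exe", r"program files\ist\istdownload.exe",
    r"program files\istsvc\istsvc.exe", r"program files\istsvc\istsvc_updater.exe",
    r"program files\istbar\istbar.dll", r"program files\istbar\istbar_update.exe",
    r"program files\sidefind\sidefind.exe", r"program files\lycos\sidesearch\lycos_ss.exe",
}
# Domains the variants contact for payloads, configuration and uninstall statistics.
ISTBAR_DOMAINS = {"slotch.com", "xxxtoolbar.com", "ysbweb.com", "sidefind.com", "couldnotfind.com"}
# Server-side scripts from the description, grouped by what the Trojan uses them for.
# Checked in order; the first group with a matching fragment wins.
PATH_CATEGORIES = (
    ("uninstall statistics", ("log_uninstalls.php",)),
    ("config/update check", ("istsvc_config.php", "istdownload_config.php",
                             "istsvc_ads_data.php", "sfexd002.php", "ist_show.php")),
    ("shortcuts list", ("ist_shortcuts_list.php", "ist_shortcuts_jump.php")),
    ("payload download", ("/addins/", "istdownload.exe")),
)

def _norm_path(path):
    """Lower-case, drop the drive letter and remove stray spaces around backslashes."""
    path = re.sub(r"\s*\\\s*", "\\\\", path.strip().lower())
    return re.sub(r"^[a-z]:\\", "", path)

def match_clsids(registered):
    """Return (clsid, variant) pairs for every HKCR class id that belongs to the family."""
    lookup = {k.lower(): (k, v) for k, v in ISTBAR_CLSIDS.items()}
    return [lookup[c.strip().lower()] for c in registered if c.strip().lower() in lookup]

def match_paths(files):
    """Return the normalised file paths that coincide with the family's drop locations."""
    return sorted(p for p in map(_norm_path, files) if p in ISTBAR_PATHS)

def _family_host(url):
    host = (urlsplit(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in ISTBAR_DOMAINS)

def check_ie_settings(main_values, search_values):
    """Flag Internet Explorer Main/Search values that point at the family's domains,
    plus the extra 'BandRest' value that MegaLoader-II adds under the Main key."""
    findings = []
    for key, values in (("Main", main_values), ("Search", search_values)):
        for name, value in values.items():
            if isinstance(value, str) and value.lower().startswith("http") and _family_host(value):
                findings.append((key, name, value))
    if "BandRest" in main_values:
        findings.append(("Main", "BandRest", main_values["BandRest"]))
    return findings

# Constructed proxy log format: "<timestamp> <client> <url>"
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<url>\S+)$")

def scan_proxy_log(lines):
    """Return (client, host, category) for each log line whose host is a family domain."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or not _family_host(m["url"]):
            continue
        parts = urlsplit(m["url"])
        path = parts.path.lower()
        category = next((cat for cat, needles in PATH_CATEGORIES
                         if any(n in path for n in needles)), "other")
        hits.append((m["client"], parts.hostname, category))
    return hits

# --- constructed sample data (not taken from a real machine) ---
SAMPLE_CLSIDS = ["{00000000-0000-0000-0000-000000000000}",   # placeholder, benign
                 "{5f1abcdb-a875-46c1-8345-b72a4567e486}"]   # istbar.dll class, lower-cased
SAMPLE_FILES = [r"C:\Program Files \ ISTsvc \ istsvc.exe",   # spaces as pasted from the post
                r"C:\WINDOWS\notepad.exe",
                r"c:\program files\sidefind\sidefind.exe"]
# "Start Page" and "SearchAssistant" are assumed value names under the IE Main/Search keys.
SAMPLE_IE_MAIN = {"Start Page": "http://www.slotch.com/", "BandRest": ""}
SAMPLE_IE_SEARCH = {"SearchAssistant": "http://www.couldnotfind.com/search_page.html"}
SAMPLE_LOG = [   # the post redacts the middle path segments as %/%; "x/y" stands in here
    "2004-03-01T10:00:01 10.0.0.5 http://install.xxxtoolbar.com/x/y/addins/istdownload.exe",
    "2004-03-01T10:00:09 10.0.0.5 http://www.slotch.com/x/y/log_uninstalls.php",
    "2004-03-01T10:01:00 10.0.0.7 http://www.xxxtoolbar.com/x/y/istsvc_config.php",
    "2004-03-01T10:01:30 10.0.0.7 http://example.com/index.html",
]

if __name__ == "__main__":
    print(match_clsids(SAMPLE_CLSIDS))
    print(match_paths(SAMPLE_FILES))
    print(check_ie_settings(SAMPLE_IE_MAIN, SAMPLE_IE_SEARCH))
    print(scan_proxy_log(SAMPLE_LOG))
```

The path normaliser deliberately tolerates the "Program Files \ ISTsvc \ istsvc.exe" spacing in which these indicators circulate, so a list copied straight from a write-up matches an inventory exported from a machine.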
13. Trojan-Downloader.ISTbar.SideFind-II

Distributed under the name sidefind.exe; size 5632 bytes (16384 bytes uncompressed). Partially encrypted. Installed in the system by the Trojan Trojan-Downloader.ISTbar.MegaLoader-II (see above), which creates it in the subdirectory Program Files\Lycos\SideSearch\sidefind.exe. This version is a modified build of Trojan-Downloader.ISTbar.SideFind and is almost completely identical to it. The only difference is the link from which it downloads its Trojan; everything else (installation procedure, file names, installation directories, and so on) matches that version. This version of the Trojan file (sidefind.exe) is detected by antivirus software as: Kaspersky Professional: Trojan.Downloader.IstBar.DA

14. Trojan-Downloader.ISTbar.plugin_v1.1.0.2

Distributed under the name istbar_silent.dll; size 82,944 bytes (274 432 bytes uncompressed). Partially encrypted. Installed in the system by the Trojan Trojan-Downloader.ISTbar.MegaLoader-II (see above).
On its first start istbar_silent.dll uninstalls its own previous version. To do this it:
- tries to contact some servers over the Internet, requesting files from which the Trojan reads data related to updating its software;
- checks for the existence of the registry class {5F1ABCDB-A875-46c1-8345-B72A4567E486}. If this class is found, the Trojan looks for it under the key [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5F1ABCDB-A875-46c1-8345-B72A4567E486}] and removes the value with the data "" = "rundll32.exe Advpack.dll,DelNodeRunDLL32 ...". In addition it overwrites values in the registry key [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]. These entries belong to the "software" (the earlier version of the Trojan) registered in the system.
The Trojan embeds a toolbar (ToolBar - an additional panel with options) into the Internet Explorer web browser. To attach it to the browser's toolbar menu the Trojan creates a new value in the registry key: [HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar] "{5F1ABCDB-A875-46c1-8345-B72A4567E486}"=...
While the Internet connection is up the Trojan constantly looks for newer versions of itself and also downloads from some servers an EXE file that it installs in the system under the guise of "software" named "SlotchBar", placing it on disk as Program Files\ISTbar\istbar_update.exe and executing it.
If for whatever reason the Trojan cannot connect to its servers, it may display a window with the following message (quoted as it appears, typos included):
Alert
Can not Retrieve infomation from [the link that could not be fetched]
Please connect the internet and restart your browser.
Under certain other conditions the Trojan can also display these messages:
This Will Remove from your Computer! Are you sure?
If you want the toolbar to stop displayaing adult related links, click OK. You can switch back to the adult toolbar at anytime by clicking the same button you just clicked.
If the infected machine runs Windows 2K/2K Server/XP, the Trojan saves on drive C: an image file used when drawing the toolbar in the Internet Explorer web browser: C:\Documents and Settings\123\Application Data\Hotbar\IESkins\083001edenC-2.bmp
In addition the Trojan stores one more file on disk: C:\Documents and Settings\Karl\My Documents\projects\ISTbar\XmlParser.cpp
Both paths are quoted exactly as found, with the fixed profile names "123" and "Karl". This version of the Trojan file (istbar_silent.dll) is detected by antivirus software as: Kaspersky Professional: Trojan.Downloader.IstBar.GF
15. Trojan-Downloader.ISTbar.plugin-II_v1.1.0.2

Distributed under the name istbar.dll; size 82,432 bytes (274 432 bytes uncompressed). Partially encrypted. Installed in the system by the Trojan described above. In its functionality it is almost identical to the version Trojan-Downloader.ISTbar.plugin_v1.1.0.2 described above. On its first start it uninstalls its own previous version. To do this it:
- tries to contact some servers over the Internet, requesting files from which the Trojan reads data related to updating its software;
- checks for the existence of the registry class {5F1ABCDB-A875-46c1-8345-B72A4567E486}. If this class is found, the Trojan looks for it under the key [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5F1ABCDB-A875-46c1-8345-B72A4567E486}] and removes the value with the data "" = "rundll32.exe Advpack.dll,DelNodeRunDLL32 ...". In addition it overwrites values in the registry key [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]. These entries belong to the "software" (the earlier version of the Trojan) registered in the system.
The Trojan embeds a toolbar (ToolBar - an additional panel with options) into the Internet Explorer web browser. To attach it to the browser's toolbar menu the Trojan creates a new value in the registry key: [HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar] "{5F1ABCDB-A875-46c1-8345-B72A4567E486}"=...
While the Internet connection is up the Trojan constantly looks for newer versions of itself and also downloads from some server the file f7FGFSx.exe, which it installs in the system under the guise of "software" named "ISTbar" and/or "XXXToolBar", placing it on disk as Program Files\ISTbar\istbar_update.exe and/or Program Files\XXXToolBar\istbar_update.exe and executing it.
To determine whether an up-to-date version of the Trojan is already active, it creates in system memory a uniquely named identifier (a mutex) called rgjhj66asfffgghggghhj.
If for whatever reason the Trojan cannot connect to its servers, it may display a window with the following message (quoted as it appears, typos included):
Alert
CAN 't infomation Retrieve from [the link that could not be fetched]
Please Connect the Internet and restart your browser.
Under certain other conditions the Trojan can also display these messages:
This Will Remove from your Computer! Are you sure?
If you want the toolbar to stop displayaing adult related links, click OK. You can switch back to the adult toolbar at anytime by clicking the same button you just clicked.
If the infected machine runs Windows 2K/2K Server/XP, the Trojan saves on drive C: an image file used when drawing the toolbar in the Internet Explorer web browser: C:\Documents and Settings\123\Application Data\Hotbar\IESkins\083001edenC-2.bmp
In addition the Trojan stores one more file on disk: C:\Documents and Settings\Karl\My Documents\projects\ISTbar\XmlParser.cpp
Both paths are quoted exactly as found, with the fixed profile names "123" and "Karl". This version of the Trojan file (istbar.dll) is detected by antivirus software as: Kaspersky Professional: Trojan.Downloader.IstBar.GJ
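Sections 14 and 15 both leave the same registry footprint: the class {5F1ABCDB-A875-46c1-8345-B72A4567E486} under Active Setup\Installed Components and Internet Explorer\Toolbar, a RunOnce entry, and references to Program Files\ISTbar, XXXToolBar or istbar_update.exe. The following is an added example, not code from the article or from the sample: a minimal parser for `reg export` output plus a triage pass that flags those artifacts in a dump taken from an infected machine. The .reg text is constructed for the example (it models the earlier version's registration before the new plugin deletes it); the placeholder CLSID {00000000-0000-0000-0000-000000000000} and the ctfmon.exe Run entry stand in for benign neighbours, and the indicator list is my selection from the names the article quotes.

```python
"""Added example (not from the original article): triage a `reg export` dump
for the ISTbar registry artifacts described in sections 14 and 15.

The parser is deliberately small (REG_SZ lines of the form "name"="data" and
@="data"); other value types are kept as raw text. The sample dump is
constructed for the example.
"""

# CLSID quoted in the article. The sample writes it with mixed case, so all
# comparisons below are case-insensitive.
ISTBAR_CLSID = "{5F1ABCDB-A875-46C1-8345-B72A4567E486}"

# File and product names the article associates with these versions
# (my selection from the text; lower-case, matched as substrings).
NAME_INDICATORS = ("istbar_update.exe", "\\istbar", "xxxtoolbar", "slotchbar")


def parse_reg(text: str) -> dict:
    """Parse `reg export` output into {key path: {value name: data}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line and line[0] in '"@':
            name, _, data = line.partition("=")
            keys[current][name.strip('"')] = data.strip('"')
    return keys


def find_istbar(keys: dict) -> list:
    """Return (key, value name or None, reason) for every indicator hit."""
    clsid = ISTBAR_CLSID.lower()
    findings = []
    for key, values in keys.items():
        if clsid in key.lower():
            findings.append((key, None, "ISTbar CLSID in key path"))
        for name, data in values.items():
            blob = (name + " " + data).lower()
            if clsid in blob:
                findings.append((key, name, "ISTbar CLSID in value"))
            elif any(marker in blob for marker in NAME_INDICATORS):
                findings.append((key, name, "ISTbar file or product name in value"))
    return findings


def triage(reg_text: str) -> list:
    """Convenience wrapper: parse a dump and return its findings."""
    return find_istbar(parse_reg(reg_text))


# Constructed dump. Backslashes are doubled exactly as reg.exe writes them.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5F1ABCDB-A875-46c1-8345-B72A4567E486}]
@="rundll32.exe Advpack.dll,DelNodeRunDLL32 C:\\Program Files\\ISTbar"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{5F1ABCDB-A875-46c1-8345-B72A4567E486}"="ISTbar"
"{00000000-0000-0000-0000-000000000000}"="benign toolbar (placeholder CLSID)"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"istbar"="C:\\Program Files\\ISTbar\\istbar_update.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''

if __name__ == "__main__":
    for key, name, reason in triage(SAMPLE_REG):
        print(f"{reason}: [{key}] {name if name is not None else ''}")
```

On a live Windows 2000/XP machine the input comes from `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce runonce.reg` and the same for the Active Setup and Toolbar keys (or the whole SOFTWARE hive). Two caveats a responder should keep in mind: the new plugin deletes the earlier version's Active Setup value, so the class key may be present but empty, and the mutex rgjhj66asfffgghggghhj that section 15 describes never appears in the registry; that one can only be checked on the running system by opening the named mutex.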
16. Trojan-Downloader.ISTbar.istsvc-II

Distributed under the name istsvc.exe; size 12800 bytes (36 864 bytes uncompressed). In its functionality it is identical to the modification Trojan-Downloader.ISTbar.istsvc described above; it is installed in the system by the same Trojans as that version and differs from it only in minor technical details.
This version of the Trojan file (istsvc.exe) is detected by antivirus software as: Kaspersky Professional: Trojan.Downloader.IstBar.GM
Detection of the downloaded Trojan files
for which no description is available on our site.

Kaspersky AntiVirus:
istsvc_updater.exe (no description) - detection name not preserved in the source (set of antivirus databases)
igetnet.exe - Not-a-virus:AdWare.Win32.IGetNet (extended set of antivirus databases)
euniverse.exe (size 184 534 bytes) - Trojan.Win32.Keenval.a
euniverse.exe (size 140 015 bytes) - Trojan-Downloader.Win32.Keenval
lycos_ss.exe (Trojan "SideSearch") - Not-a-virus:AdWare.Win32.Sidesearch.b (extended set of antivirus databases)
whenu.exe - Not-a-virus:AdWare.Win32.SaveNow.ay (extended set of antivirus databases)
emusic.exe - Not-a-virus:AdWare.Win32.Emusic.a (extended set of antivirus databases)
WebRebates0.exe - Not-a-virus:AdWare.Win32.WebRebates.d (extended set of antivirus databases)

DrWeb:
istsvc_updater.exe (no description) - Trojan.Isbar.122
euniverse.exe (size 184 534 bytes) - Trojan.KeenValAd
euniverse.exe (size 140 015 bytes) - Trojan.KeenValAd and Trojan.Downloader.774
lycos_ss.exe (Trojan "SideSearch") - detection name not preserved in the source

Professional (vendor name not preserved in the source):
istsvc_updater.exe (no description) - Trojan.Downloader.IstBar.GN
bb.exe - Trojan.Clicker.Vb.EX (detected only with certain scan settings)
igetnet.exe - Application.Adware.Abetterintrnt.Dr
euniverse.exe (size 184 534 bytes) - Trojan.Keenval.A
euniverse.exe (size 140 015 bytes) - Trojan.Downloader.Keenval.A
lycos_ss.exe (Trojan "SideSearch") - detected (name not preserved in the source)
emusic.exe - not detected
targetsaver.exe - Trojan.Downloader.TSUpdate.F
ysb.dll - not detected
WebRebates0.exe - not detected
Malicious code analysis and description: Broido Herman (aka VirusHunter)
Date created: 21.06.2005
Date of last change: 24.01.2007
Author of the description: Broido Herman (aka VirusHunter)
