Generic Toolbar.b

Type: Program
SubType: Adware
Discovery Date: 03/21/2005
Length:
Minimum DAT: 4420 (01/19/2005)
Updated DAT: 5311 (06/05/2008)
Minimum Engine: 5.1.00
Description Added: 01/19/2005
Description Modified: 11/07/2005 10:30 AM (PT)
Risk Assessment
  Corporate User: N/A
  Home User: N/A

Characteristics

McAfee(R) AVERT recognizes that this program may have legitimate uses in contexts where an authorized administrator has knowingly installed this application. If you agreed to a license agreement for this, or another bundled application, you may have legal obligations with regard to removing this software, or using the host application without this software. Please contact the software vendor for further information.

See http://vil.nai.com/vil/DATReadme.asp for a list of Program detections added to the DATs.

See http://vil.nai.com/vil/pups/configuration.htm for information about how to enable, disable, and exclude detection of legitimately installed programs.

Distribution

This is not a virus or a trojan. It is detected as a "potentially unwanted program." It is a toolbar which installs in Internet Explorer. The homepage is also set to www.anquiro.com. A unique identifier is generated and sent to a remote server. During analysis, the controlling server no longer appeared to host the content or applications required to respond. All requests from the toolbar resulted in "not found" 404 errors. No meaningful responses from the server were observed.

This application does not display a license agreement when installed. No link to any EULA or agreement could be found on the anquiro.com website.

Multiple versions of this software appear to exist. See Generic Toolbar.b.dll for information on another variant.

Privacy

A privacy policy is not displayed during installation. There is a policy posted on the author's website, http://www.anquiro.com/privacypolicy.htm, but no indication is given at the time of installation that the user should go there to view it.

The software may transmit browsing data to 3rd party servers during browsing. A unique identifier is created. During investigation it was found that the toolbar made multiple attempts to contact the controlling server, but the server consistently responded with 404 errors. It is not known what the full behavior would be if the server were correctly responding.

System Changes

General defaults for typical path variables (although they may be different, they usually are not):
%WinDir% = \WINDOWS (Windows 9x/ME/XP), \WINNT (Windows NT/2000)
%SystemDir% = \WINDOWS\SYSTEM32 (Windows 9x/ME/XP), \WINNT\SYSTEM32 (Windows NT/2000)
%ProgramFiles% = \Program Files

Files Added

  • Installer: a0140560.exe (217 KB)
    MD5: 81A5C04423A4C81C5BF54657059FBA6F
  • c:\program files\aniquro\anquiro.dll (416 KB)
    MD5: C1BF0371FB36F4399317163FAF0CD230
  • c:\program files\aniquro\anquiro.inf (1 KB)
  • c:\program files\aniquro\version.txt (1 KB)
  • c:\program files\aniquro\toolbar.crc (1 KB)
  • c:\program files\aniquro\newversion.txt (1 KB)
  • c:\program files\aniquro\nav.bmp (13 KB)
  • c:\program files\aniquro\favicon.ico (1 KB)
  • c:\program files\aniquro\cache\522ea8a804a3e7e4b93df15a1539fc53.xml (name and size may vary)
  • c:\program files\aniquro\basis.xml (16 KB)

Registry

The following registry keys are created:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\XBTB00000.XBTB00000IEToolbar
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{A4F64D63-3576-4754-8DD5-4D0A49345FD5}
  • HKEY_CURRENT_USER\Software\XBTB00000
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
    "{A4F64D63-3576-4754-8DD5-4D0A49345FD5}"="(hex data)"
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping
    "{A4F64D63-3576-4754-8DD5-4D0A49345FD5}"="8194"
  • HKEY_CLASSES_ROOT\XBTB00000.XBTB00000.1
  • HKEY_CLASSES_ROOT\XBTB00000.XBTB00000
  • HKEY_CLASSES_ROOT\XBTB00000.IEToolbar.1
  • HKEY_CLASSES_ROOT\XBTB00000.IEToolbar
  • HKEY_CLASSES_ROOT\TypeLib\{5680210F-3D26-449E-9EF5-D03E34C894D9}
  • HKEY_CLASSES_ROOT\Interface\{FABBB49A-4D7B-415B-8250-15C3B854E9FF}
  • HKEY_CLASSES_ROOT\CLSID\{A4F64D63-3576-4754-8DD5-4D0A49345FD5}

The following registry keys are modified:

  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
    "Start Page"="http://www.anquiro.com/"
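
The registry changes listed above can be checked offline against a `reg export` dump. The following Python code is an added example, not part of the original description; it covers a subset of the listed keys (the generic ...\Internet Explorer\Toolbar key is shared with other toolbars and is skipped), and the function names and the sample export are constructed for illustration.

```python
import re

# Indicators copied from this page's registry lists (subset).
CLSID = "{A4F64D63-3576-4754-8DD5-4D0A49345FD5}"
CREATED_KEYS = [
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\XBTB00000.XBTB00000IEToolbar",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions" + "\\" + CLSID,
    r"HKEY_CURRENT_USER\Software\XBTB00000",
    r"HKEY_CLASSES_ROOT\XBTB00000.IEToolbar",
    r"HKEY_CLASSES_ROOT\CLSID" + "\\" + CLSID,
]
START_PAGE = (r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main", "start page", "http://www.anquiro.com/")

def parse_reg(text):
    """Parse decoded `reg export` text into {key_lower: {value_name_lower: data}}."""
    hive, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        key = re.fullmatch(r"\[(.+)\]", line)
        value = re.fullmatch(r'"((?:[^"\\]|\\.)*)"=(.*)', line)
        if key:
            current = hive.setdefault(key.group(1).lower(), {})
        elif value and current is not None:
            data = value.group(2)
            if len(data) >= 2 and data[0] == data[-1] == '"':  # REG_SZ: unquote, unescape
                data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            current[value.group(1).lower()] = data  # hex:/dword: data kept as raw text
    return hive

def triage(hive):
    """Return (kind, detail) findings: listed keys, the CLSID used as a value
    name (Toolbar\\WebBrowser, CmdMapping), and the modified Start Page."""
    findings = [("key", k) for k in CREATED_KEYS if k.lower() in hive]
    findings += [("clsid_value", k) for k, vals in hive.items() if CLSID.lower() in vals]
    key, name, url = START_PAGE
    if hive.get(key.lower(), {}).get(name, "").lower() == url:
        findings.append(("start_page", url))
    return findings

# Constructed sample export (not captured from a real host; hex data is filler).
SAMPLE = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.anquiro.com/"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{A4F64D63-3576-4754-8DD5-4D0A49345FD5}"=hex:00,00,00,00
[HKEY_CLASSES_ROOT\CLSID\{A4F64D63-3576-4754-8DD5-4D0A49345FD5}]
"""

if __name__ == "__main__":
    print(triage(parse_reg(SAMPLE)))
```

Files written by `reg export` are UTF-16LE, so decode them before passing the text to `parse_reg`.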

Network Impact

Additional bandwidth overhead due to communications with 3rd party servers. Possible additional transmissions during browsing.

Variants

    N/A

Removal

Instructions on Enabling/Disabling Detection and Removal of Potentially Unwanted Programs
