EffectiveBar
- Type: Program
- SubType: -
- Discovery Date: 08/29/2007
- Minimum DAT: 5108 (08/29/2007)
- Updated DAT: 5108 (08/29/2007)
- Minimum Engine: 5.1.00
- Description Added: 08/29/2007
- Description Modified: 08/29/2007 9:26 AM (PT)
Characteristics
McAfee(R) AVERT recognizes that this program may have legitimate uses in contexts where an authorized administrator has knowingly installed this application. If you agreed to a license agreement for this, or another bundled application, you may have legal obligations with regard to removing this software, or using the host application without this software. Please contact the software vendor for further information.
See http://vil.nai.com/vil/DATReadme.asp for a list of Program detections added to the DATs.
See http://vil.nai.com/vil/pups/configuration.htm for information about how to enable, disable, and exclude detection of legitimately installed programs.
Distribution
This is not a virus or a trojan. It is detected as a "potentially unwanted program." It is a browser add-on for Internet Explorer. It intercepts search terms, transmits them to a remote server, and displays context-based links in a partitioned area on the left side of the browser window. It may also display separate popups (this is mentioned in the EULA), though this was not observed during testing. A Browser Helper Object is installed in Internet Explorer to accomplish this. Though the sample encountered was externally branded as "Ditto Sidebar", the underlying BHO appears to be the "EffectiveBar" or "EngageSidebar" from EngageMarketing, which may have been created with the intent to be brandable by affiliates.
A license agreement is shown during installation. However, the license agreement does not appear to match the software actually installed: it cites the "DittoSidebar game software" when no game appears to be included. The agreement mentions the display of sponsored content, but doesn't clearly indicate how the search terms will be culled during normal browsing. The website referenced in the EULA, dittosidebar.com, no longer appears to be functioning. According to WHOIS, the domain is unregistered at the time of this writing.
Privacy
A privacy policy section is displayed during installation as part of the EULA. It specifies that the software will not collect personally identifiable information.
The software transmits search keyword data to third-party servers during browsing.
System Changes
Typical defaults for the path variables used below (they can differ, but usually do not):
%WinDir% = \WINDOWS (Windows 9x/ME/XP), \WINNT (Windows NT/2000)
%ProgramFiles% = \Program Files
Files Added
- Installer: searchmadesafe.exe (105 KB)
- %WinDir%\esbagent.jpg (6 KB)
- %WinDir%\esblogo.jpg (25 KB)
- %ProgramFiles%\dittosidebar\uninstall.exe (32 KB)
- %ProgramFiles%\dittosidebar\style.css (5 KB)
- %ProgramFiles%\dittosidebar\magn.bmp (4 KB)
- %ProgramFiles%\dittosidebar\effbar.dll (144 KB)
- c:\documents and settings\(user name)\start menu\programs\dittosidebar\uninstall.lnk (1 KB)
Registry
The following registry keys/values are created:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EngageSidebar
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Engage SideBar
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs
    "C:\Program Files\DittoSidebar\EffBar.dll"="1"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{15E38167-B065-4BB5-B987-9F04B1E85AEA}
    "default"="EffBarBHO"
- HKEY_LOCAL_MACHINE\SOFTWARE\EngageSidebar\AdSettings
    "RequestTail"=""
    "Request"="(hex data)"
    "StyleFile"="C:\Program Files\DittoSidebar/style.css"
    "SearchImage"="C:\Program Files\DittoSidebar/magn.bmp"
    "DescLength"="90"
    "BarPlace"="0"
    "PageSize"="6"
- HKEY_LOCAL_MACHINE\SOFTWARE\EngageSidebar
    "AppDir"="C:\Program Files\DittoSidebar"
    "RegRequest"=""
- HKEY_CLASSES_ROOT\TypeLib\{E3C9BD06-00F5-47B0-ADAC-9437C0B26270}
    "default"="EffectiveBar 1.0 Type Library"
- HKEY_CLASSES_ROOT\Interface\{01DD536E-814C-4990-8E65-EA039FDADD9F}
    "default"="IEffBarBHO"
- HKEY_CLASSES_ROOT\EffectiveBar.EffBarBHO
- HKEY_CLASSES_ROOT\EffectiveBar.EffBarBHO.1
- HKEY_CLASSES_ROOT\CLSID\{15E38167-B065-4BB5-B987-9F04B1E85AEA}
    "(default)"="CEffBarBHO Object"
- HKEY_CLASSES_ROOT\AppID\{E3C9BD06-00F5-47B0-ADAC-9437C0B26270}
    "default"="EffectiveBar"
- HKEY_CLASSES_ROOT\AppID\EffectiveBar.DLL
Network Impact
Additional overhead in bandwidth due to download of advertising content and transmission of browsing data to remote servers.
Removal
All Users:
Use current engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).
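The keys listed in the Registry section can also be checked offline. The following script is an added example, not McAfee's code or part of the original description: it scans the text of a regedit export for four of those keys and lists every registered Browser Helper Object, so the match rests on the BHO's CLSID and the EngageSidebar key rather than on the "Ditto Sidebar" branding. The sample export, the function names and the second CLSID are constructed for illustration, and the input is assumed to be already decoded to text.

```python
# Indicators copied from the Registry section of this page.
BHO_ROOT = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
            r"\Explorer\Browser Helper Objects")
EFFBAR_CLSID = "{15E38167-B065-4BB5-B987-9F04B1E85AEA}"
ENGAGE_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\EngageSidebar"
EFFBAR_KEYS = [
    BHO_ROOT + "\\" + EFFBAR_CLSID,
    "HKEY_CLASSES_ROOT\\CLSID\\" + EFFBAR_CLSID,
    r"HKEY_CLASSES_ROOT\EffectiveBar.EffBarBHO",
    ENGAGE_KEY,
]

# Constructed sample of a decoded regedit export (not taken from a real host).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{15E38167-B065-4BB5-B987-9F04B1E85AEA}]
@="EffBarBHO"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-0000-0000-0000-000000000001}]
@="ExampleOtherBHO"

[HKEY_LOCAL_MACHINE\SOFTWARE\EngageSidebar]
"AppDir"="C:\\Program Files\\DittoSidebar"
"RegRequest"=""
'''

def parse_reg_export(text):
    """Return {lowercased key path: {value name: data}} from .reg export text."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[-"):            # key-deletion directive, not a key
            current = None
        elif line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and "=" in line:
            # Simplification: assumes value names contain no '=' character.
            name, _, data = line.partition("=")
            current[name.strip('"')] = data.strip('"').replace("\\\\", "\\")
    return keys

def scan(text):
    """Report which EffectiveBar keys exist, its AppDir, and all registered BHOs."""
    keys = parse_reg_export(text)            # registry paths are case-insensitive
    hits = [k for k in EFFBAR_KEYS if k.lower() in keys]
    app_dir = keys.get(ENGAGE_KEY.lower(), {}).get("AppDir")
    prefix = BHO_ROOT.lower() + "\\"
    bhos = {k[len(prefix):].upper(): v.get("@", "")
            for k, v in keys.items() if k.startswith(prefix)}
    return {"hits": hits, "app_dir": app_dir, "bhos": bhos}
```

Calling `scan(SAMPLE_EXPORT)` returns the matched keys, the install directory recorded in `AppDir`, and a CLSID-to-name map of all BHOs found in the export.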
Aliases
N/A