Description
An Internet Explorer toolbar. TinyBar installs no actual
software, but adds registry entries that use the Windows system
file shdocvw.dll to display a web page as a toolbar. This
page may be stored locally or fetched from the internet every
time an IE window is opened; it generally contains a search
feature and/or link buttons, pointed at a generic portal such
as:
- tinybar.com
- allcybersearch.com
- gocybersearch.com
- clickyestoenter.net
- topsearcher.com
- jethomepage.com
- jetseeker.com
- znext.com
- traffic4sure.com
- errorpage404.com
- searchaccurate.com
- ourlinklist.com
- topclicks.net
- iseekresults.com
- wowsearch.com
- ysearchus.com
Address bar search settings are also hijacked to point to
the same domain.
Variants
TinyBar/A is the original variant, hijacking to
tinybar.com.
TinyBar/B is most widespread, having been used by
many of the above domains.
TinyBar/C is a new variant that also hijacks to
tinybar.com.
TinyBar/D is another new variant including a floating
search box in the corner of the screen.
TinyBar/sp is a simple homepage/search-hijacker
aimed at one of the above sites. It does not feature the toolbar
component and is not detected by the script at this site.
(See Hijacker removal.)
TinyBar/atk is a VBScript denial of service attack
against DOXdesk (the site hosting this information page), installed with
TinyBar/B around 6th November 2002.
(See DoS attack removal).
Also known as
Some variants of TinyBar/B are detected as JS_TRAFFICHBAR.A
by Trend Micro, or Trojan.WinREG.STW by Kaspersky
anti-virus. Many AV tools also recognise the Java/ActiveX
exploit often used to load TinyBar as JS.Exception, HTML.VmExploit,
Exploit.Applet.ActiveXComponent or Trojan.AppActXComp.
Distribution
Installed by exploitation of a security hole in the Microsoft
Java Virtual Machine through Internet Explorer, when visiting
one of the named sites or pop-up advertisements routed to
them through various ad networks.
A TinyBar/B variant which gets its toolbar page from public.searchbarcash.com
is also installed by the ISTBar/AUpdate parasite.
What it does
Advertising
Yes, depending on what's in the HTML file used as the toolbar
interface. TinyBar/C and many B variants include a script
that triggers pop-up ads whilst the toolbar is visible.
Privacy violation
No.
Security issues
No, though if it has managed to install by exploitation of
the security hole you need to download some patches to stop
it happening again.
Stability problems
Variants that fetch the toolbar page from the Internet will
cause IE startup to be slow. The installation exploit itself
may also cause IE to crash in some versions.
TinyBar/atk also eats a large amount of bandwidth, which
may make modem connections so slow as to be unusable.
Manual removal
Open the registry (click 'Start', choose 'Run' and enter
'regedit'). For TinyBar/A, delete these keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Explorer Bars\{69555BE2-9A78-11D2-BA91-00600827878D}
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\{69555BE2-9A78-11D2-BA91-00600827878D}
HKEY_CLASSES_ROOT\CLSID\{69555BE2-9A78-11D2-BA91-00600827878D}
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\>>> Search The Web <<<
For TinyBar/B, delete:
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Explorer Bars\{69550BE2-9A78-11D2-BA91-00600827878D}
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\{69550BE2-9A78-11D2-BA91-00600827878D}
HKEY_CLASSES_ROOT\CLSID\{69550BE2-9A78-11D2-BA91-00600827878D}
For TinyBar/C:
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Explorer Bars\{8FB0F3E2-5193-11D7-9F88-0050FC5441CB}
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\{8FB0F3E2-5193-11D7-9F88-0050FC5441CB}
HKEY_CLASSES_ROOT\CLSID\{8FB0F3E2-5193-11D7-9F88-0050FC5441CB}
For TinyBar/D:
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Explorer Bars\{82599E0A-8C81-11D7-9F97-0050FC5441CB}
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\{82599E0A-8C81-11D7-9F97-0050FC5441CB}
HKEY_CLASSES_ROOT\CLSID\{82599E0A-8C81-11D7-9F97-0050FC5441CB}
For the TinyBar/D variant, also go to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run,
and delete entries pointing to '.hta' files. You may see a
'system' entry pointing to systemsearch.hta and/or a name
made of random characters pointing to a '.hta' file in the
System folder with a random-character filename.
Restart IE and the toolbar should be gone. On variants that
store the toolbar page locally, you may find this under the
name 'tinybar.html' or 'hb.html' inside the System folder
(which is inside the Windows folder, called 'System32' in
Windows NT, 2000 and XP, or just 'System' under Windows 95,
98 and Me). This file can be deleted, along with 'hb.reg',
'br.reg' or 'br.dll'.
Finally use Internet Options->Programs->Reset Web Settings
to restore the normal search page.
Hijacker removal
Before the settings can be restored you must remove the hijacker
that is run on every restart. In the registry (Start->Run->regedit),
find the key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
and remove any entries of the form 'regedit /s C:\Windows\System\sp.dll'.
Then delete sp.dll (or sp.reg) in the System folder. Then
use Reset Web Settings to get the normal search page back.
DoS attack removal
Open the Windows folder and check the 'System' (on Windows
95/98/Me) or 'System32' (on Windows NT/2K/XP) folder for a
file called 'atk.vbs'. If you have it, open the registry (Start->Run->regedit)
and find the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run.
There should be a value here, possibly called 'Messanger',
pointing at the atk.vbs file. Remove it and restart the machine;
you should then be able to delete the atk.vbs file.
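The registry checks from the three removal sections above can be run in one pass over a regedit export. The script below is an added example, not part of the original page or a DOXdesk tool; it assumes the export has already been decoded to text, and the function name, rule table and sample export are constructed for illustration. Treat a '.hta' hit in the Run key as a candidate to inspect by hand.

```python
import re

# CLSIDs listed on this page, mapped to the variant they identify.
CLSIDS = {
    "{69555BE2-9A78-11D2-BA91-00600827878D}": "TinyBar/A",
    "{69550BE2-9A78-11D2-BA91-00600827878D}": "TinyBar/B",
    "{8FB0F3E2-5193-11D7-9F88-0050FC5441CB}": "TinyBar/C",
    "{82599E0A-8C81-11D7-9F97-0050FC5441CB}": "TinyBar/D",
}
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
# Run-value data patterns described in the removal sections.
RUN_RULES = [
    (re.compile(r"\.hta\b", re.I), "TinyBar/D"),
    (re.compile(r"regedit\s+/s\s+.*\bsp\.(dll|reg)\b", re.I), "TinyBar/sp"),
    (re.compile(r"\batk\.vbs\b", re.I), "TinyBar/atk"),
]

def scan_reg_export(text):
    """Return sorted (variant, key, detail) tuples; a CLSID is matched
    whether it appears as a subkey or as a value name."""
    findings, key = set(), ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        for clsid, variant in CLSIDS.items():
            if clsid.lower() in line.lower():
                findings.add((variant, key, clsid))
        if key.lower() == RUN_KEY and line.startswith('"'):
            m = re.match(r'"(.*?)"="(.*)"$', line)
            if m:
                data = m.group(2).replace("\\\\", "\\")  # undo .reg escaping
                for pattern, variant in RUN_RULES:
                    if pattern.search(data):
                        findings.add((variant, key, f"{m.group(1)} -> {data}"))
    return sorted(findings)

# Constructed sample export (not taken from a real machine).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Explorer Bars\{69550BE2-9A78-11D2-BA91-00600827878D}]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Messanger"="C:\\WINDOWS\\System32\\atk.vbs"
"system"="C:\\WINDOWS\\System32\\systemsearch.hta"
"SoundMan"="SOUNDMAN.EXE"
'''

if __name__ == "__main__":
    print(*scan_reg_export(SAMPLE), sep="\n")
```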