TinyBar
- By W3 Privacy
- Published 05/8/2007
- Parasites
Description
An Internet Explorer toolbar. TinyBar installs no actual software, but adds registry entries that use the Windows system file shdocvw.dll to display a web page as a toolbar. This page may be stored locally or fetched from the internet every time an IE window is opened; it generally contains a search feature and/or link buttons, pointed at a generic portal such as:
- tinybar.com
- allcybersearch.com
- gocybersearch.com
- clickyestoenter.net
- topsearcher.com
- jethomepage.com
- jetseeker.com
- znext.com
- traffic4sure.com
- errorpage404.com
- searchaccurate.com
- ourlinklist.com
- topclicks.net
- iseekresults.com
- wowsearch.com
- ysearchus.com
Address bar search settings are also hijacked to point to the same domain.
Variants
TinyBar/A is the original variant, hijacking to tinybar.com.
TinyBar/B is most widespread, having been used by many of the above domains.
TinyBar/C is a new variant that also hijacks to tinybar.com.
TinyBar/D is another new variant including a floating search box in the corner of the screen.
TinyBar/sp is a simple homepage/search-hijacker aimed at one of the above sites. It does not feature the toolbar component and is not detected by the script at this site. (See Hijacker removal.)
TinyBar/atk is a VBScript denial of service attack against DOXdesk (the site hosting this information page), installed with TinyBar/B around 6th November 2002. (See DoS attack removal).
Also known as
Some variants of TinyBar/B are detected as JS_TRAFFICHBAR.A by Trend Micro, or Trojan.WinREG.STW by Kaspersky anti-virus. Many AV tools also recognise the Java/ActiveX exploit often used to load TinyBar as JS.Exception, HTML.VmExploit, Exploit.Applet.ActiveXComponent or Trojan.AppActXComp.
Distribution
Installed by exploitation of a security hole in the Microsoft Java Virtual Machine through Internet Explorer, when visiting one of the named sites or pop-up advertisements routed to them through various ad networks.
A TinyBar/B variant which gets its toolbar page from public.searchbarcash.com is also installed by the ISTBar/AUpdate parasite.
What it does
Advertising
Yes, depending on what's in the HTML file used as the toolbar interface. TinyBar/C and many B variants include a script that triggers pop-up ads whilst the toolbar is visible.
Privacy violation
No.
Security issues
No, though if it has managed to install by exploitation of the security hole you need to download some patches to stop it happening again.
Stability problems
Variants that fetch the toolbar page from the Internet will cause IE startup to be slow. The installation exploit itself may also cause IE to crash in some versions.
TinyBar/atk also eats a large amount of bandwidth, which may make modem connections so slow as to be unusable.
Removal
Spybot S&D can remove A and B variants.
Manual removal
Open the registry (click 'Start', choose 'Run' and enter 'regedit'). For TinyBar/A, delete these keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Explorer Bars\{69555BE2-9A78-11D2-BA91-00600827878D}
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\{69555BE2-9A78-11D2-BA91-00600827878D}
HKEY_CLASSES_ROOT\CLSID\{69555BE2-9A78-11D2-BA91-00600827878D}
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\>>> Search The Web <<<
For TinyBar/B, delete:
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Explorer Bars\{69550BE2-9A78-11D2-BA91-00600827878D}
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\{69550BE2-9A78-11D2-BA91-00600827878D}
HKEY_CLASSES_ROOT\CLSID\{69550BE2-9A78-11D2-BA91-00600827878D}
For TinyBar/C:
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Explorer Bars\{8FB0F3E2-5193-11D7-9F88-0050FC5441CB}
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\{8FB0F3E2-5193-11D7-9F88-0050FC5441CB}
HKEY_CLASSES_ROOT\CLSID\{8FB0F3E2-5193-11D7-9F88-0050FC5441CB}
For TinyBar/D:
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Explorer Bars\{82599E0A-8C81-11D7-9F97-0050FC5441CB}
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\{82599E0A-8C81-11D7-9F97-0050FC5441CB}
HKEY_CLASSES_ROOT\CLSID\{82599E0A-8C81-11D7-9F97-0050FC5441CB}
For the TinyBar/D variant, also go to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run, and delete entries pointing to '.hta' files. You may see a 'system' entry pointing to systemsearch.hta and/or a name made of random characters pointing to a '.hta' file in the System folder with a random-character filename.
Restart IE and the toolbar should be gone. On variants that store the toolbar page locally, you may find this under the name 'tinybar.htm' or 'hb.htm' inside the System folder (which is inside the Windows folder, called 'System32' in Windows NT, 2000 and XP, or just 'System' under Windows 95, 98 and Me). This file can be deleted, along with 'hb.reg', 'br.reg' or 'br.dll'.
Finally use Internet Options->Programs->Reset Web Settings to restore the normal search page.
Hijacker removal
Before the settings can be restored you must remove the hijacker that is run on every restart. In the registry (Start->Run->regedit), find the key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
and remove any entries of the form 'regedit /s C:\Windows\System\sp.dll'. Then delete sp.dll (or sp.reg) in the System folder. Then use Reset Web Settings to get the normal search page back.
DoS attack removal
Open the Windows folder and check the 'System' (on Windows 95/98/Me) or 'System32' (on Windows NT/2K/XP) folder for a file called 'atk.vbs'. If you have it, open the registry (Start->Run->regedit) and find the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. There should be a value here, possibly called 'Messanger', pointing at the atk.vbs file. Remove it and restart the machine; you should then be able to delete the atk.vbs file.
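The checks from the three removal sections above can be run read-only against a text export of the registry (regedit's File->Export) before anything is deleted. This is an added example, not part of the original page: the function name triage, the constructed sample export, and the assumption that the Toolbar entry may appear as a value name rather than a subkey are illustrative.

```python
import re
# CLSIDs from the manual-removal section, keyed by variant.
CLSIDS = {
    "{69555BE2-9A78-11D2-BA91-00600827878D}": "TinyBar/A",
    "{69550BE2-9A78-11D2-BA91-00600827878D}": "TinyBar/B",
    "{8FB0F3E2-5193-11D7-9F88-0050FC5441CB}": "TinyBar/C",
    "{82599E0A-8C81-11D7-9F97-0050FC5441CB}": "TinyBar/D",
}
# Autostart command patterns described in the three removal sections.
RUN_PATTERNS = [
    (re.compile(r"\.hta\b", re.I), "TinyBar/D"),
    (re.compile(r"regedit\s+/s\s+\S*\\sp\.(dll|reg)\b", re.I), "TinyBar/sp"),
    (re.compile(r"\\atk\.vbs\b", re.I), "TinyBar/atk"),
]
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
STRING_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="(.*)"$')

def triage(reg_text):
    """Return sorted (variant, evidence) pairs found in a .reg export."""
    findings, key = set(), ""
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        # A CLSID may show up as a subkey name or as a value name (assumed for Toolbar).
        for clsid, variant in CLSIDS.items():
            if clsid in line.upper():
                findings.add((variant, key))
        m = STRING_VALUE.match(line)
        if m and key.lower() == RUN_KEY:
            # .reg exports double the backslashes inside string data.
            name, data = m.group(1), m.group(2).replace("\\\\", "\\")
            for pattern, variant in RUN_PATTERNS:
                if pattern.search(data):
                    findings.add((variant, f"Run value {name!r}: {data}"))
    return sorted(findings)

# Constructed sample export (not taken from a real machine).
SAMPLE = r'''REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Explorer Bars\{69550BE2-9A78-11D2-BA91-00600827878D}]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar]
"{69550BE2-9A78-11D2-BA91-00600827878D}"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messanger"="C:\\WINDOWS\\System\\atk.vbs"
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
'''

if __name__ == "__main__":
    for variant, evidence in triage(SAMPLE):
        print(variant, "|", evidence)
```

A '.hta' hit under Run is only a candidate for TinyBar/D; confirm the file path against the description above before deleting the entry.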

