
BrowserModifier:Win32/Neobar


First posted on 06 August 2016.
Source: Microsoft

Aliases :

There are no other names known for BrowserModifier:Win32/Neobar.

Explanation :

Installation
We have seen this threat being distributed by various software bundlers that we detect as
SoftwareBundler:Win32/InstallMonster,
SoftwareBundler:Win32/ICLoader, and SoftwareBundler:Win32/Dlboost.

This threat also uses different application names. We have seen it use the following:

  • advPlugin
  • Best YouTube Downloader
  • Best Youtube Saver
  • BonusBerry
  • Currency Converter
  • Goodshop app
  • I Like It Extension
  • Media Saver
  • OdPodarki
  • Torrent Search
  • Video Saver
  • Video Saver 2
  • VK Downloader
  • VK OK AdBlock
  • VPN TOOLBAR
  • WebBars
  • Youtube AdBlock


When this browser modifier is installed on your PC, it adds a toolbar to your browser and can also change your default search provider.

It adds a toolbar to the following browsers:
  • Google Chrome
  • Internet Explorer
  • Mozilla Firefox


Payload

Adds a toolbar to your browser

This threat adds a toolbar to the user's browser and automatically enables it, which prevents the browser from displaying the consent dialog that lets the user choose whether to enable it.



Figure 1: Manage Add-on page shows the toolbar that BrowserModifier:Win32/Neobar added in Internet Explorer





Figure 2: Extensions page shows what BrowserModifier:Win32/Neobar added in Chrome





Figure 3: Extensions page shows what BrowserModifier:Win32/Neobar added in Firefox

Changes your default search provider

We have seen this threat change the user's default search provider.



Figure 4: A sample setting change in Chrome

After this threat has set the default search provider, it prevents the user from changing it.



Figure 5: A Neobar-infected machine prompts users with a message indicating that they cannot change the search provider setting that the threat configured to be the default.



Adds scheduled tasks

This threat adds scheduled tasks to automatically execute itself, and to check and download updates.



Figure 6: Sample scheduler entry in a Neobar-infected machine



Adds an uninstallation option

This threat adds an uninstallation option in the Programs and Features
section. Users can use this option to remove this software from the system.



Figure 7: Users can use the uninstallation option to remove this software from the system.
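
A triage check built from the behaviours above, added here as an example and not part of Microsoft's write-up: it looks in the registry keys behind Programs and Features for the application names listed on this page, then lists scheduled tasks that run from a matching entry's install folder. It assumes the uninstall entry's DisplayName is one of those names and that the task runs a binary under InstallLocation; the function names are hypothetical, and Get-ScheduledTask needs Windows 8 or later.

```powershell
# Added triage example, not from the original write-up.
# Application names copied from the list on this page.
$NeobarNames = @(
    'advPlugin', 'Best YouTube Downloader', 'Best Youtube Saver', 'BonusBerry',
    'Currency Converter', 'Goodshop app', 'I Like It Extension', 'Media Saver',
    'OdPodarki', 'Torrent Search', 'Video Saver', 'Video Saver 2', 'VK Downloader',
    'VK OK AdBlock', 'VPN TOOLBAR', 'WebBars', 'Youtube AdBlock'
)

# Standard Windows locations that back the Programs and Features list.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-NeobarCandidate {
    # Assumption: the uninstall entry's DisplayName is one of the listed names.
    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -and ($NeobarNames -contains $_.DisplayName.Trim()) } |
        Select-Object DisplayName, Publisher, InstallDate, InstallLocation,
                      UninstallString, PSPath
}

function Get-RelatedTask {
    param([Parameter(Mandatory)] [string] $InstallLocation)
    # Assumption: the scheduled task launches a binary under the install folder.
    $root = $InstallLocation.Trim('"').TrimEnd('\') + '\'
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {   # COM-handler actions have no Execute
            $exe = [Environment]::ExpandEnvironmentVariables("$($action.Execute)").Trim('"')
            if ($exe.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) {
                [pscustomobject]@{ TaskName = $task.TaskName; TaskPath = $task.TaskPath
                                   State = $task.State; Execute = $exe
                                   Arguments = $action.Arguments }
            }
        }
    }
}

foreach ($entry in Get-NeobarCandidate) {
    $entry | Format-List | Out-Host
    if ($entry.InstallLocation) {
        Get-RelatedTask -InstallLocation $entry.InstallLocation | Format-Table -AutoSize | Out-Host
    } else {
        Write-Warning "No InstallLocation for '$($entry.DisplayName)'; review scheduled tasks manually."
    }
}
```

A match is a lead to review, not a verdict: names such as Currency Converter or Torrent Search are generic enough to belong to unrelated software, so check the publisher and install path before removing anything.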





Analysis by James Patrick Dee

Last update 06 August 2016

 
