Home / malware BrowserModifier:Win32/Tango
First posted on 06 July 2010.
Source: SecurityHomeAliases :
BrowserModifier:Win32/Tango is also known as Trojan.Win32.Pasta.lmp (Kaspersky), TR/Pasta.liy (Avira), Trojan.Win32.Pasta (Ikarus), Trojan horse Generic18.RGV (AVG), Malware.MUTL (Norman).
Explanation :
BrowserModifier:Win32/Tango is a web browser toolbar that may be installed without adequate user consent. It changes the browser's search provider and also monitors visited websites to display related keywords in the toolbar.
Top
BrowserModifier:Win32/Tango is a web browser toolbar that may be installed without adequate user consent. It changes the browser's search provider and also monitors visited websites to display related keywords in the toolbar. Installation Win32/Tango creates the following file: <system folder>\<4 characters>.dll where the first two characters are random and the last two are related to the toolbar's version number. For example, a user with toolbar version 0.0.7.8 may have a file named 9f78.DLL, 0e78.DLL, 5578.DLL or so on, in the system folder. BrowserModifier:Win32/Tango creates the following registry entries: HKLM\CLASSES\CLSID\<clsid> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\<clsid> HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\<clsid> HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\EXT\Stats\<clsid> HKCU\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\<clsid> where <clsid> is a randomly generated CLSID. BrowserModifier:Win32/Tango also adds the following uninstaller information to the registry: Adds value: "DisplayName" With data: "Tango" Adds value: "UninstallString" With data: "mshta.exe http://remove.gettango.com/" To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\<clsid> where <clsid> is the same randomly generated CLSID. Note: If the user attempts using this uninstaller entry for Win32/Tango, they are redirected to a website which indicates there is no relation between the site and the toolbar. There is no known operational uninstaller for this toolbar. Additional information Modifies Internet Explorer The Tango Toolbar displayed in Internet Explorer, such as seen in the following graphic: When the web browser's search box is used to search the Internet, the user is directed to a website that indicates there is no relation between the site and the toolbar. Displays a confirmation window When installed, BrowserModifier:Win32/Tango displays a confirmation window, as seen in the image below:
Analysis by Aaron HulettLast update 06 July 2010
