Home / malwarePDF  

BrowserModifier:Win32/Tango


First posted on 06 July 2010.
Source: SecurityHome

Aliases :

BrowserModifier:Win32/Tango is also known as Trojan.Win32.Pasta.lmp (Kaspersky), TR/Pasta.liy (Avira), Trojan.Win32.Pasta (Ikarus), Trojan horse Generic18.RGV (AVG), Malware.MUTL (Norman).

Explanation :

BrowserModifier:Win32/Tango is a web browser toolbar that may be installed without adequate user consent. It changes the browser's search provider and also monitors visited websites to display related keywords in the toolbar.
Top

BrowserModifier:Win32/Tango is a web browser toolbar that may be installed without adequate user consent. It changes the browser's search provider and also monitors visited websites to display related keywords in the toolbar. Installation Win32/Tango creates the following file: <system folder>\<4 characters>.dll where the first two characters are random and the last two are related to the toolbar's version number. For example, a user with toolbar version 0.0.7.8 may have a file named 9f78.DLL, 0e78.DLL, 5578.DLL or so on, in the system folder. BrowserModifier:Win32/Tango creates the following registry entries: HKLM\CLASSES\CLSID\<clsid> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\<clsid> HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\<clsid> HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\EXT\Stats\<clsid> HKCU\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\<clsid> where <clsid> is a randomly generated CLSID. BrowserModifier:Win32/Tango also adds the following uninstaller information to the registry: Adds value: "DisplayName" With data: "Tango" Adds value: "UninstallString" With data: "mshta.exe http://remove.gettango.com/" To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\<clsid> where <clsid> is the same randomly generated CLSID. Note: If the user attempts using this uninstaller entry for Win32/Tango, they are redirected to a website which indicates there is no relation between the site and the toolbar. There is no known operational uninstaller for this toolbar. Additional information Modifies Internet Explorer The Tango Toolbar displayed in Internet Explorer, such as seen in the following graphic: When the web browser's search box is used to search the Internet, the user is directed to a website that indicates there is no relation between the site and the toolbar. Displays a confirmation window When installed, BrowserModifier:Win32/Tango displays a confirmation window, as seen in the image below:

Analysis by Aaron Hulett

Last update 06 July 2010

 

TOP

Malware :