Sunday, May 22, 2005

Diabolical New EliteBar Variant Strikes the Web!!!!

Giancarlo Calo, of SimplyTech.it, freeware Baron of the Internet by virtue of his EliteBar Removal Tool, reports that a new malware variant has appeared on the net that Trend Micro has designated ADW_ELITEBAR.D. The first contacts with the new variant are described in an April 1 through May 19, 2005, thread at Simply Tech's EliteBar forum. In the words of Calo, in the original April 1, 2005, forum posting:



Well, as far as we are working on this pest we can say that it is NOT an EliteToolbar malware! It is acting in a half-way as a virus and half-way as a malware/spyware. It is using some new typologies of attack we have never watched before...

We don't know if it's a new product of the same guys who released the EliteToolbar malware, but we can say it is not an EliteToolbar malware and we are not yet able to do an automatic remover for it.

According to Calo, Trend Micro seems to have felt, at one point, that its commercial software could remove the infection but Simply Tech still found the malware intact after Trend Micro's process. The Trend Micro ADW_ELITEBAR.D information page presently lists only manual removal instructions.

This is not the only item that is unclear. Trend Micro describes one toolbar on the ADW_ELITEBAR.D page, while Calo provides a photo of an infection that leaves two toolbars, one at the top and one at the bottom. Just how these inconsistencies will be resolved remains to be seen.

All of that aside, Calo describes a truly diabolical new approach to malware:


It doesn't install any dll and changes the name of its executable on a random basis using real words taken from documents of the user. It also traces and logs the activity of the user and writes a log file with the attributes used for the system files. It works in low-level with the system and it is impossible to dump it from the system memory because it fools you, directing your attention to a process that is not the real responsible of the infestation.

This would appear to mean that the main executable randomly changes its name while the infection is present, so that it is all but impossible to target and delete it. The naming process ("...using real words [taken from] documents [in the user's computer]") makes it difficult to tell legitimate files from infected ones, or to locate the infected file through file-name searches.
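The defender's answer to a file that keeps renaming itself is to stop relying on the name at all. The following is an added example, not code from this post or from SimplyTech: it fingerprints executables by SHA-256 and compares two snapshots, so a file that has changed name but not content is still matched, and it separately flags files that carry the hidden-plus-system attribute combination the quote mentions while sitting under a user profile. The file records, paths, attribute fields and the payload bytes are all constructed for the example.

```python
"""Identify an executable by content and attributes, not by name.

Added example (not from the page or from SimplyTech). The file records
below are constructed in memory so the script runs offline; the
`hidden`/`system` fields are this example's own convention for the two
Windows file attributes named in the forum quote.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class FileRecord:
    path: str
    content: bytes
    hidden: bool = False
    system: bool = False


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def snapshot(records):
    """Map content hash -> set of paths holding that exact content."""
    index = {}
    for r in records:
        index.setdefault(sha256_hex(r.content), set()).add(r.path)
    return index


def renamed_copies(before, after):
    """Content present in both snapshots but under different paths.

    A self-renaming executable shows up here: same hash, new name.
    Returns a list of (hash, old_paths, new_paths).
    """
    found = []
    for h, old_paths in before.items():
        new_paths = after.get(h)
        if new_paths is not None and new_paths != old_paths:
            found.append((h, frozenset(old_paths), frozenset(new_paths)))
    return found


def new_content(before, after):
    """Hashes that appear only in the later snapshot (genuinely new files)."""
    return {h: after[h] for h in after if h not in before}


def suspicious_attributes(records, user_prefixes=("C:\\Documents and Settings\\",)):
    """Hidden+System on a file under a user profile is unusual for user data."""
    return [r.path for r in records
            if r.hidden and r.system and r.path.startswith(user_prefixes)]


# Constructed sample: a harmless byte string standing in for the pest's
# executable; it is renamed between the two snapshots but its bytes do not change.
PAYLOAD = b"MZ\x90\x00 constructed sample, not a real program"
BEFORE = [
    FileRecord("C:\\WINDOWS\\system32\\notepad.exe", b"MZ constructed notepad"),
    FileRecord("C:\\Documents and Settings\\user\\meeting.exe", PAYLOAD, True, True),
]
AFTER = [
    FileRecord("C:\\WINDOWS\\system32\\notepad.exe", b"MZ constructed notepad"),
    FileRecord("C:\\Documents and Settings\\user\\invoice.exe", PAYLOAD, True, True),
]


def report(before=BEFORE, after=AFTER):
    """Run all three checks over the two snapshots and return the findings."""
    b, a = snapshot(before), snapshot(after)
    return {
        "renamed": renamed_copies(b, a),
        "new": new_content(b, a),
        "hidden_system_in_profile": suspicious_attributes(after),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(key, value)
```

Run on real data, the two snapshots would come from walking the disk at two points in time; the point is that the renamed file is matched by hash even though "meeting.exe" and "invoice.exe" share nothing in their names.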

An excellent picture of the double toolbar arrangement is located at the forum posting. Giancarlo Calo, and Simply Tech, offer what little help they can for the time being:


At the moment the only way we can help you remove this infestation is by acting on your pc via a Remote Administration program. If you need our help, write us a mail (simplytech@simplytech.it) about it and feel free to ask for details and times of intervention.

In at least some instances, the help provided will give SimplyTech much-needed data in return. It is sure to help the effort to head off this variant before it ends up on all of our computers.

Also see:

[re: SearchMiracle.EliteBar Search Miracle Elite Bar EliteToolBar Elite Toolbar Elite Tool Bar Elitum ETBrun YupSearch Yup Search.]
