Well, as far as we are working on this pest, we can say that it is NOT an EliteToolbar malware! It is acting halfway as a virus and halfway as a malware/spyware. It is using some new typologies of attack we have never watched before...
We don't know if it's a new product of the same guys who released the EliteToolbar malware, but we can say it is not an EliteToolbar malware and we are not yet able to make an automatic remover for it.
According to Calo, Trend Micro seems to have felt, at one point, that its commercial software could remove the infection, but Simply Tech still found the malware intact after Trend Micro's process had run. The Trend Micro ADW_ELITEBAR.D information page presently lists only manual removal instructions.
This is not the only item that is unclear. Trend Micro describes one toolbar on the ADW_ELITEBAR.D page, while Calo provides a photo of an infection that leaves two toolbars, one at the top and one at the bottom. Just how these inconsistencies will be resolved remains to be seen.
All of that aside, Calo describes a truly diabolical new approach to malware:
It doesn't install any DLL and changes the name of its executable on a random basis using real words taken from documents of the user. It also traces and logs the activity of the user and writes a log file with the attributes used for the system files. It works at low level with the system and it is impossible to dump it from the system memory because it fools you by directing your attention to a process that is not the real one responsible for the infestation.
This would appear to mean that the main executable randomly changes its name while the infection is on the computer, so that it is all but impossible to target and delete it by name. The naming process ("...using real words [taken from] documents [on the user's computer]") makes it difficult to tell legitimate files from infected ones, or to locate the infected file through file searches: a file called something like "invoice.exe" looks as plausible as anything else in a user's folders. The practical consequence is that any hunt for this variant has to key on something other than the file name, such as where the file sits and which attributes it carries, rather than on a fixed name the way the EliteBar removal tools do for older variants.
An excellent picture of the double toolbar arrangement is located at the forum posting. Giancarlo Calo, and Simply Tech, offer what little help they can for the time being:
At the moment the only way we can help you remove this infestation is by acting on your PC via a Remote Administration program. If you need our help, write us a mail (firstname.lastname@example.org) about it and feel free to ask for details and times of intervention.
In at least some instances, the help Simply Tech provides will yield much-needed data in return. It is sure to aid the effort to head off this variant before it ends up on all of our computers.
- Is Wikipedia Handing Out Your Browsing Information to Thousands? Who needs malware when there's Wikipedia? (VGS alert)
- PokaPoka.exe + Nothing = YupSearch (October 19, 2005). What do people mean when they say they have "YupSearch" instead of "EliteBar"?
- Elite Toolbar Remover Information Page (October 17, 2005).
- LQfix Information Page (October 15, 2005) There's a new tool in town!
- How to Remove PokaPoka. (October 12, 2005) Does your EliteBar variant include PokaPoka.exe?
- EliteBar Removal Tool Updates to 2.0.1. (September 21, 2005) The EliteBar Removal Tool now comes in two flavors and two generations!
- SearchMiracle.EliteBar Then and Now (September 21, 2005). Hijacks, heroes, updates and links.
- EliteBar Removal Tool Updates to 2.0.0!!!!! (September 15, 2005). Includes expanded list of infections removed by the removal tool.
- More on Variant ADW_ELITEBAR.D. (May 27, 2005). "It is a standard XP with two top-end commercial anti-virus programs. Moreover, one of the anti-virus programs -- Trend Micro's PC-Cillin -- we already know..."
- EliteBar Removal Tool Updates to 1.3.0!!!!! (May 20, 2005). Includes expanded list of infections removed by the removal tool.
- Key File Index (May 18, 2005).
- Adware & Malware Identifier Index (May 9, 2005). "The following is an in-progress index of some of the more common malware toolbars/browser helper objects at large on the Internet."
- HijackThis vs. the Elitebar Removal Tool (April 23, 2005). "While this approach may provide some limited, and temporary, relief, SearchMiracle will soon be back in full force."
- EliteBar Removal Tool Alert: Update V.1.2.2.!!! (April 18, 2005). "The new variants of the malware also completely conceal the presence of the EliteToolbarRemoverV10.exe, so that if you are opening the archive you can only see the readme.doc file that is attached to that and you cannot see the *.exe even if though it is really there!"
- HijackThis vs. SearchMiracle/EliteBar (April 11, 2005).
- How to Remove SearchMiracle/ EliteBar (February 27, 2005).
[re: SearchMiracle.EliteBar Search Miracle Elite Bar EliteToolBar Elite Toolbar Elite Tool Bar Elitum ETBrun YupSearch Yup Search.]