ADW_CONDUBAR
Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)
Threat Type: Adware
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This adware arrives as a component bundled with malware/grayware packages. It may be manually installed by a user.
TECHNICAL DETAILS
Arrival Details
This adware arrives as a component bundled with malware/grayware packages.
It may be manually installed by a user.
Autostart Technique
This adware adds the following registry entries to enable its automatic execution at every system startup:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
BackgroundContainerV2 = ""%System%\Rundll32.exe" "{grayware path}\{grayware name}",DllRun"
Other System Modifications
This adware adds the following registry keys:
HKEY_CURRENT_USER\Software\BackgroundContainerV2
HKEY_CURRENT_USER\Software\BackgroundContainerV2\LogicFileManager
It adds the following registry entries:
HKEY_CURRENT_USER\Software\BackgroundContainerV2
LastAutoUpdateTime = {value}
HKEY_CURRENT_USER\Software\BackgroundContainerV2\LogicFileManager
LogicFileVersion = "1.0.0.1"
HKEY_CURRENT_USER\Software\BackgroundContainerV2\LogicFileManager
LogicFilePath = "{grayware path}\TBUpdaterLogic_1.0.0.1.dll"
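The registry artifacts listed above can be checked with a read-only PowerShell query. This is an added example, not part of the original entry; the key and value names come from the entry, and the function name Get-CondubarArtifact is hypothetical.

```powershell
# Added example: read-only check of the current user's hive for the registry
# artifacts listed in this entry. Get-CondubarArtifact is a hypothetical name.
function Get-CondubarArtifact {
    $findings = @()

    # Autostart entry: Run value named BackgroundContainerV2
    $runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -Name 'BackgroundContainerV2' -ErrorAction SilentlyContinue
    if ($run) {
        $findings += [pscustomobject]@{
            Key   = $runKey
            Name  = 'BackgroundContainerV2'
            Value = $run.BackgroundContainerV2
        }
    }

    # Keys and values created under HKCU\Software\BackgroundContainerV2
    $checks = @(
        @{ Key = 'HKCU:\Software\BackgroundContainerV2'; Names = @('LastAutoUpdateTime') },
        @{ Key = 'HKCU:\Software\BackgroundContainerV2\LogicFileManager'; Names = @('LogicFileVersion', 'LogicFilePath') }
    )
    foreach ($check in $checks) {
        if (-not (Test-Path -Path $check.Key)) { continue }
        $findings += [pscustomobject]@{ Key = $check.Key; Name = '(key exists)'; Value = $null }

        # Get-ItemProperty returns nothing for a key that has no values
        $props = Get-ItemProperty -Path $check.Key -ErrorAction SilentlyContinue
        foreach ($name in $check.Names) {
            if ($props -and ($props.PSObject.Properties.Name -contains $name)) {
                $findings += [pscustomobject]@{ Key = $check.Key; Name = $name; Value = $props.$name }
            }
        }
    }
    return $findings
}

$result = Get-CondubarArtifact
if ($result) { $result | Format-List } else { 'No ADW_CONDUBAR registry artifacts found for this user.' }
```

The check covers only the hive of the user running it; other profiles on the same machine have their own hives under HKEY_USERS. If LogicFilePath is present, its value gives the {grayware path} where the downloaded DLL was saved.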
Download Routine
This adware connects to the following URL(s) to download its component file(s):
- http://storage.{BLOCKED}int.com/IEBackgroundContainer/TBUpdaterLogic/1.0.0.1/TBUpdaterLogic.dll
It saves the files it downloads using the following names:
- {grayware path}\TBUpdaterLogic_1.0.0.1.dll
Other Details
This adware connects to the following possibly malicious URLs:
- http://{BLOCKED}r-ie-updater.{BLOCKED}t.com/update/?productId=TBUpdaterLogic&ver={value}&itemId={value}
- http://usage.toolbar.{BLOCKED}t.com/ToolbarUsage.ashx
- http://usage.toolbar.{BLOCKED}t-services.com/ToolbarUsage.ashx