Adware:Win32/Hotbar displays a dynamic toolbar and pop-up ads based on its monitoring of your web-browsing activity.
The program installs a browser toolbar that works in Internet Explorer 6 and above, and Firefox 3.6 and above.
The tool is a multi-component adware program designed to monitor your online browsing behavior to deliver targeted ads. It also installs other components related to Win32/ClickPotato and Win32/ShopperReports.
Hotbar also installs graphical skins for Internet Explorer, Outlook, and Outlook Express. It might collect information and silently download and run updates or other code from its servers.
The program is delivered by Pinball Publisher Network to web publishers on a commission basis, based on the number of installs, a model also referred to as pay-per-install.
Adware:Win32/Hotbar creates numerous files during an installation, and may install itself to paths that include the following:
- In %LOCALAPPDATA%:
  - AppKikxSA
  - BlueTurtleGamesSA
  - BrightBreezeSA
  - CheeryChickenSA
  - ClickPotatoLiteSA
  - FREEzeFlipSA
  - GigglingGamesSA
  - hbtools
  - HippoGeekSA
  - hotbar
  - KangoBoxSA
  - LhootSA
  - MossySkySA
  - PopcornTVShowsSA
  - RavenBleuSA
  - SeekmoSA
  - SeeqDoSA
  - ShamrockSpringSA
  - SnappyDeeSA
  - VooMuuSA
  - zManateeSA
- In %ProgramFiles%:
  - BrightBreeze
  - ClickPotatoLite
  - FREEzeFlip
  - FREEzeFrog
  - HBLite
  - Hotbar
  - MossySky
  - Seekmo
  - VooMuu
  - Zango
  - HbTools
It may use one of the following file names:
- HBLiteSA.exe
- HBLiteSAAX.dll
- HBLiteSAHook.dll
- HBLiteUninstaller.exe
- npclntax_HBLiteSA.dll
Adware:Win32/Hotbar adds numerous keys to the registry, including the following:
- HKCU\Software\HbTools
- HKLM\SOFTWARE\HbTools
- HKCU\Software\AppKikxSA
- HKCU\Software\BlueTurtleGamesSA
- HKCU\Software\BrightBreezeSA
- HKCU\Software\CheeryChickenSA
- HKCU\Software\GigglingGamesSA
- HKCU\Software\HippoGeekSA
- HKCU\Software\KangoBoxSA
- HKCU\Software\LhootSA
- HKCU\Software\LukyLuSA
- HKCU\Software\MossySkySA
- HKCU\Software\RavenBleuSA
- HKCU\Software\SeeqDoSA
- HKCU\Software\ShamrockSpringSA
- HKCU\Software\VooMuuSA
- HKCU\Software\zManateeSA
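A sweep for the footprint listed above (install folders, file names and registry keys), as an added example that is not part of the original write-up. The function name Find-HotbarFootprint and the WOW6432Node key are assumptions introduced here, and the sweep covers only the profile and registry hive of the user who runs it.

```powershell
# Added example. Folder, file and key names come from the lists on this page.
$perUserNames = 'AppKikxSA','BlueTurtleGamesSA','BrightBreezeSA','CheeryChickenSA',
    'ClickPotatoLiteSA','FREEzeFlipSA','GigglingGamesSA','hbtools','HippoGeekSA',
    'hotbar','KangoBoxSA','LhootSA','MossySkySA','PopcornTVShowsSA','RavenBleuSA',
    'SeekmoSA','SeeqDoSA','ShamrockSpringSA','SnappyDeeSA','VooMuuSA','zManateeSA'
$programFilesNames = 'BrightBreeze','ClickPotatoLite','FREEzeFlip','FREEzeFrog',
    'HBLite','Hotbar','MossySky','Seekmo','VooMuu','Zango','HbTools'
$fileNames = 'HBLiteSA.exe','HBLiteSAAX.dll','HBLiteSAHook.dll',
    'HBLiteUninstaller.exe','npclntax_HBLiteSA.dll'
$hkcuKeyNames = 'HbTools','AppKikxSA','BlueTurtleGamesSA','BrightBreezeSA',
    'CheeryChickenSA','GigglingGamesSA','HippoGeekSA','KangoBoxSA','LhootSA',
    'LukyLuSA','MossySkySA','RavenBleuSA','SeeqDoSA','ShamrockSpringSA',
    'VooMuuSA','zManateeSA'

function Find-HotbarFootprint {
    $hits = @()
    # ProgramFiles(x86) is undefined on 32-bit Windows, so empty roots are dropped.
    $roots = @(
        @{ Root = $env:LOCALAPPDATA;        Names = $perUserNames },
        @{ Root = $env:ProgramFiles;        Names = $programFilesNames },
        @{ Root = ${env:ProgramFiles(x86)}; Names = $programFilesNames }
    ) | Where-Object { $_.Root }
    foreach ($r in $roots) {
        foreach ($name in $r.Names) {
            $dir = Join-Path $r.Root $name
            if (-not (Test-Path -LiteralPath $dir -PathType Container)) { continue }
            # Record which of the listed file names are present under the folder.
            $found = Get-ChildItem -LiteralPath $dir -Recurse -File -ErrorAction SilentlyContinue |
                Where-Object { $fileNames -contains $_.Name }
            $hits += [pscustomobject]@{
                Type = 'Folder'; Path = $dir; KnownFiles = ($found.Name -join ', ')
            }
        }
    }
    # HKCU covers only the user running the sweep. The WOW6432Node path is an
    # assumption added here for 32-bit registry redirection on 64-bit Windows.
    $keys = @($hkcuKeyNames | ForEach-Object { "HKCU:\Software\$_" }) +
        'HKLM:\SOFTWARE\HbTools', 'HKLM:\SOFTWARE\WOW6432Node\HbTools'
    foreach ($key in $keys) {
        if (Test-Path -LiteralPath $key) {
            $hits += [pscustomobject]@{ Type = 'RegistryKey'; Path = $key; KnownFiles = '' }
        }
    }
    $hits
}

Find-HotbarFootprint | Format-Table -AutoSize
```

A folder hit with an empty KnownFiles column is weaker evidence than one that also contains a listed file name.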
It may attempt to connect to any of the following affiliate websites:
It may attempt to connect and install applications (bundled software) via any of the following affiliate websites:
The adware affiliates may offer Hotbar as a way to access premium content. Bundled software may also include BrowserModifier:Win32/Zwangi and Adware:Win32/ZangoSearchAssistant.
You may be lured to a cybersquatting website, such as those seen below, where software bundled with Adware:Win32/Hotbar may be available for download:
[Screenshots: PinBall Audacity website beside the legitimate Audacity website]
[Screenshots: PinBall ARES website beside the legitimate ARES website]
We have observed Adware:Win32/Hotbar being bundled with the following software:
- 7zip
- Ares
- Audacity
- AVM Converter
- eMule
- Farm Frenzy 3
- FLV Blaster
- Free Download Manager
- Frets on Fire
- Gimp
- IFree TV
- LimeWire
- OpenOffice
- PDFCreator
- Razor Gamer
- RealPlayer
- VLC
- Xvid
For each website that you visit, Hotbar may collect information such as the following:
- What URLs you visited to reach the current webpage (web-usage paths)
- Search terms and demographic data you enter into a browser
- Hotbar button clicks
- Link clicks
- Client-computer IP addresses
- Hotbar cookie IDs
Hotbar may also collect personal or sensitive information, such as data you have entered when "registering" for the program at third-party websites.
Analysis by Methusela Cebrian Ferrer & Michael Johnson