As part of our ongoing effort to provide better malware protection, the August 2016 release of the Microsoft Malicious Software Removal Tool (MSRT) includes detections for BrowserModifier: Win32/Neobar, unwanted software, and Win32/Rovnix, a trojan malware family.
This blog discusses BrowserModifier:Win32/Neobar and its inclusion in MSRT supports our unwanted software family detections in Windows Defender, along with other protection features in our Windows 10 protection stack.
BrowserModifier:Win32/Neobar has been classified as unwanted software because it violates the following Objective Criteria:
- Lack of choice – the threat bypasses user consent options from the browser or operating system.
- Lack of control – the threat could prevent or limit the user from viewing or modifying browser features or settings.
We have seen BrowserModifier:Win32/Neobar being distributed by various software bundlers that we detect as SoftwareBundler:Win32/InstallMonster, SoftwareBundler:Win32/ICLoader, and SoftwareBundler:Win32/Dlboost.
We have seen this threat use different application names:
- Best YouTube Downloader
- Best Youtube Saver
- Currency Converter
- Goodshop app
- I Like It Extension
- Media Saver
- Torrent Search
- Video Saver
- Video Saver 2
- VK Downloader
- VK OK AdBlock
- VPN TOOLBAR
- Youtube AdBlock
The following heatmap shows the geographical spread of Neobar-infected machines:
Figure 1: Geographic distribution of BrowserModifier:Win32/Neobar infection from March to August 2016.
When BrowserModifier:Win32/Neobar is installed on your PC, it could change your default search provider. It also adds a toolbar to your browser, schedule tasks to automatically run itself, and add an uninstallation option.
We have seen this threat add a toolbar to the following browsers:
- Internet Explorer
- Google Chrome
- Mozilla Firefox
Figure 2: Neobar toolbar in Internet Explorer
Figure 3: Neobar toolbar in Google Chrome
Figure 4: Neobar toolbar in Mozilla Firefox
Adds a toolbar to browser
This threat adds a toolbar to the user's browser and automatically enable it, thus, preventing the browser to display a consent dialog for the user to choose to enable it.
Figure 5: Manage Add-on page shows the toolbar that BrowserModifier:Win32/Neobar added in Internet Explorer.
Figure 6: Extensions page shows what BrowserModifier:Win32/Neobar added in Chrome.
Figure 7: Extensions page shows what BrowserModifier:Win32/Neobar added in Firefox.
Changes to default search provider
We have seen this threat change the user's default search provider.
Figure 8: A sample setting change in Chrome.
After this threat has set the default search provider, it restricts the user from changing it.
Figure 9: A Neobar-infected machine prompts users with a message indicating that they cannot change the search provider setting that the threat configured as default.
Adds scheduled tasks
This threat adds scheduled tasks to automatically execute itself, and to check and download updates.
Figure 10: Sample scheduler entry in a Neobar-infected machine
Adds an uninstallation option
This threat adds an uninstallation option in the Programs and Features section.
Figure 11: Users can use the uninstallation option to remove this software from the system.
To prevent this threat from disrupting your computing experience:
- Keep your Windows Operating System and antivirus up-to-date and, if you haven’t already, upgrade to Windows 10.
- Use Microsoft Edge to get SmartScreen protection. It can help warn you about sites that are known to be hosting exploits, and help protect you from socially-engineered attacks such as phishing and malware downloads.
- Avoid browsing web sites that are known for hosting malware (such as illegal music, movies and TV, and software download sites).
- Ensure your antimalware protection (such as Windows Defender and Microsoft Malicious Software Removal Tool) is up-to-date.
- Enable Microsoft Active Protection Service (MAPS) to get the latest cloud-based unwanted software detection and blocking.
James Patrick Dee