As part of our ongoing effort to provide better malware protection, the August 2016 release of the Microsoft Malicious Software Removal Tool (MSRT) includes detections for BrowserModifier:Win32/Neobar, unwanted software, and Win32/Rovnix, a trojan malware family.
This blog discusses BrowserModifier:Win32/Neobar. Its inclusion in MSRT supports our unwanted software family detections in Windows Defender, along with other protection features in our Windows 10 protection stack.
BrowserModifier:Win32/Neobar has been classified as unwanted software because it violates the following Objective Criteria:
We have seen BrowserModifier:Win32/Neobar being distributed by various software bundlers that we detect as SoftwareBundler:Win32/InstallMonster, SoftwareBundler:Win32/ICLoader, and SoftwareBundler:Win32/Dlboost.
We have seen this threat use different application names:
The following heatmap shows the geographical spread of Neobar-infected machines:
Figure 1: Geographic distribution of BrowserModifier:Win32/Neobar infection from March to August 2016.
When BrowserModifier:Win32/Neobar is installed on your PC, it could change your default search provider. It also adds a toolbar to your browser, schedules tasks to automatically run itself, and adds an uninstallation option.
We have seen this threat add a toolbar to the following browsers:
Figure 2: Neobar toolbar in Internet Explorer
Figure 3: Neobar toolbar in Google Chrome
Figure 4: Neobar toolbar in Mozilla Firefox
This threat adds a toolbar to the user's browser and automatically enables it, which prevents the browser from displaying a consent dialog that would let the user choose whether to enable it.
Figure 5: Manage Add-on page shows the toolbar that BrowserModifier:Win32/Neobar added in Internet Explorer.
Figure 6: Extensions page shows what BrowserModifier:Win32/Neobar added in Chrome.
Figure 7: Extensions page shows what BrowserModifier:Win32/Neobar added in Firefox.
We have seen this threat change the user's default search provider.
Figure 8: A sample setting change in Chrome.
After this threat has set the default search provider, it restricts the user from changing it.
Figure 9: A Neobar-infected machine prompts users with a message indicating that they cannot change the search provider setting that the threat configured as default.
This threat adds scheduled tasks to automatically execute itself, and to check and download updates.
Figure 10: Sample scheduler entry in a Neobar-infected machine
This threat adds an uninstallation option in the Programs and Features section.
Figure 11: Users can use the uninstallation option to remove this software from the system.
To prevent this threat from disrupting your computing experience:
James Patrick Dee