SIDEBAR.EXE

File Behavior

SIDEBAR.EXE has been seen to perform the following behavior:

• Executes a Process
• Registers a Dynamic Link Library File
• Can communicate with other computer systems using HTTP protocols
• The Process is packed and/or encrypted using a software packing process
• Writes to another Process's Virtual Memory (Process Hijacking)
• Adds a Registry Key (RUN) to auto start Programs on system start up
• This Process Deletes Other Processes From Disk
• This process creates other processes on disk
• Executes Processes stored in Temporary Folders
• Hooks the WININET.DLL function allowing it to read or copy Http and Https web page content and session information
• Creates new folders on the system
• Copies files
• Injects code into other processes
• Performs DNS look ups to resolve URL IP addresses
• The Process is polymorphic and can change its structure
• Enables a COM Object/Server on the Local Machine
• The process hooks code into all running processes which could allow it to take control of the system or record keyboard input, mouse activity and screen contents
• Enables an In Process Object/Server - Common with DLL Injections
• Uses rootkit techniques to conceal its presence, interrogation or removal
• Adds a new task to the Scheduled Task list
• Changes to the file command map within the registry
• Makes outbound connections to other computers using NETBIOSOUT protocols
• Adds products to the system registry

SIDEBAR.EXE has been the subject of the following behavior:

• Added as a Registry auto start to load Program on Boot up
• Executed as a Process
• Created as a process on disk
• Has code inserted into its Virtual Memory space by other programs
• Terminated as a Process
• Copied to multiple locations on the system
• Registered as a Dynamic Link Library File
• Added as a Registry Key (DXCOM) to auto start Programs on system start up
• Enabled as a COM Object/Server on the Local Machine
• Deleted as a process from disk