
Adware:Win32/EoRezo


First posted on 02 November 2011.
Source: SecurityHome

Aliases:

Adware:Win32/EoRezo is also known as Win32/Adware.EoRezo.E application (ESET), AdWare.Win32.EoRezo (Ikarus), Adware-Eorezo (McAfee), ADW_EOZERO (Trend Micro).

Explanation:

Adware:Win32/EoRezo displays targeted advertising to affected users while browsing the Internet, based on downloaded pre-configured information.
Adware:Win32/EoRezo displays targeted advertising to affected users while they are browsing the Internet. The advertising is based on downloaded pre-configured information.



Installation

Adware:Win32/EoRezo creates the following registry entries:

In subkey: HKLM\Software\EoRezo
Sets value: "HostGUID"
With data: "<Host GUID>"

In subkey: HKCU\Software\EoRezo
Sets value: "LCID"
With data: "<LCID>"

Adware:Win32/EoRezo also creates the mutex "EoRezo".

It installs itself as a Browser Helper Object (BHO) and creates the following registry entries:

In subkey: HKLM\SOFTWARE\Classes\AppID\EoEngineBHO.DLL
Sets value: "AppID"
With data: "{afbb7970-789a-4264-ba70-e8127dece400}"

In subkey: HKLM\SOFTWARE\Classes\AppID\{AFBB7970-789A-4264-BA70-E8127DECE400}
Sets value: "(default)"
With data: "eoenginebho"

In subkey: HKLM\SOFTWARE\Classes\CLSID\{C10DC1F4-CCDF-4224-A24D-B23AFC3573C8}
Sets value: "(default)"
With data: "eobho class"

In subkey: HKLM\SOFTWARE\Classes\CLSID\{C10DC1F4-CCDF-4224-A24D-B23AFC3573C8}\InprocServer32
Sets value: "(default)"
With data: "<adware file>"

In subkey: HKLM\SOFTWARE\Classes\CLSID\{C10DC1F4-CCDF-4224-A24D-B23AFC3573C8}\ProgID
Sets value: "(default)"
With data: "eoenginebho.eobho.1"

In subkey: HKLM\SOFTWARE\Classes\CLSID\{C10DC1F4-CCDF-4224-A24D-B23AFC3573C8}\TypeLib
Sets value: "(default)"
With data: "{18af7201-4f14-4bcf-93fe-45617cf259ff}"

In subkey: HKLM\SOFTWARE\Classes\CLSID\{C10DC1F4-CCDF-4224-A24D-B23AFC3573C8}\VersionIndependentProgID
Sets value: "(default)"
With data: "eoenginebho.eobho"

In subkey: HKLM\SOFTWARE\Classes\EoEngineBHO.EOBHO
Sets value: "(default)"
With data: "eobho class"

In subkey: HKLM\SOFTWARE\Classes\EoEngineBHO.EOBHO.1
Sets value: "(default)"
With data: "eobho class"

In subkey: HKLM\SOFTWARE\Classes\EoEngineBHO.EOBHO.1\CLSID
Sets value: "(default)"
With data: "{c10dc1f4-ccdf-4224-a24d-b23afc3573c8}"

In subkey: HKLM\SOFTWARE\Classes\EoEngineBHO.EOBHO\CLSID
Sets value: "(default)"
With data: "{c10dc1f4-ccdf-4224-a24d-b23afc3573c8}"

In subkey: HKLM\SOFTWARE\Classes\EoEngineBHO.EOBHO\CurVer
Sets value: "(default)"
With data: "eoenginebho.eobho.1"

In subkey: HKLM\SOFTWARE\Classes\Interface\{DF76E9B7-35EC-46FC-AF56-5B79DED9D64F}
Sets value: "(default)"
With data: "ieobho"

In subkey: HKLM\SOFTWARE\Classes\Interface\{DF76E9B7-35EC-46FC-AF56-5B79DED9D64F}\ProxyStubClsid
Sets value: "(default)"
With data: "{00020424-0000-0000-c000-000000000046}"

In subkey: HKLM\SOFTWARE\Classes\Interface\{DF76E9B7-35EC-46FC-AF56-5B79DED9D64F}\ProxyStubClsid32
Sets value: "(default)"
With data: "{00020424-0000-0000-c000-000000000046}"

In subkey: HKLM\SOFTWARE\Classes\Interface\{DF76E9B7-35EC-46FC-AF56-5B79DED9D64F}\TypeLib
Sets value: "(default)"
With data: "{18af7201-4f14-4bcf-93fe-45617cf259ff}"

In subkey: HKLM\SOFTWARE\Classes\TypeLib\{18AF7201-4F14-4BCF-93FE-45617CF259FF}\1.0
Sets value: "(default)"
With data: "eoenginebho 1.0 type library"

In subkey: HKLM\SOFTWARE\Classes\TypeLib\{18AF7201-4F14-4BCF-93FE-45617CF259FF}\1.0\0\win32
Sets value: "(default)"
With data: "<adware file>"

In subkey: HKLM\SOFTWARE\Classes\TypeLib\{18AF7201-4F14-4BCF-93FE-45617CF259FF}\1.0\FLAGS
Sets value: "(default)"
With data: "0"

In subkey: HKLM\SOFTWARE\Classes\TypeLib\{18AF7201-4F14-4BCF-93FE-45617CF259FF}\1.0\HELPDIR
Sets value: "(default)"
With data: "<current folder>"

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C10DC1F4-CCDF-4224-A24D-B23AFC3573C8}
Sets value: "(default)"
With data: "eobho"
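As an added defensive check, not part of the original analysis, the following PowerShell function audits a Windows host for the registry keys and the mutex listed above and reports which DLL the BHO's InprocServer32 entry points at. The function name and the output columns are my own; the GUIDs and key paths are taken from the description.

```powershell
# Added example (not from the original write-up): look for the Adware:Win32/EoRezo
# artifacts described above. Function name and output shape are assumptions;
# the GUIDs and registry paths come from the description.
function Test-EoRezoArtifacts {
    $clsid   = '{C10DC1F4-CCDF-4224-A24D-B23AFC3573C8}'
    $appId   = '{AFBB7970-789A-4264-BA70-E8127DECE400}'
    $typeLib = '{18AF7201-4F14-4BCF-93FE-45617CF259FF}'
    $iface   = '{DF76E9B7-35EC-46FC-AF56-5B79DED9D64F}'

    $keys = @(
        'HKLM:\Software\EoRezo',
        'HKCU:\Software\EoRezo',
        'HKLM:\SOFTWARE\Classes\AppID\EoEngineBHO.DLL',
        "HKLM:\SOFTWARE\Classes\AppID\$appId",
        "HKLM:\SOFTWARE\Classes\CLSID\$clsid",
        'HKLM:\SOFTWARE\Classes\EoEngineBHO.EOBHO',
        'HKLM:\SOFTWARE\Classes\EoEngineBHO.EOBHO.1',
        "HKLM:\SOFTWARE\Classes\Interface\$iface",
        "HKLM:\SOFTWARE\Classes\TypeLib\$typeLib",
        "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$clsid"
    )

    # Wrap in @() so that a single hit is still an array we can append to below.
    $findings = @(foreach ($k in $keys) {
        if (Test-Path -LiteralPath $k) {
            $detail = ''
            if ($k -like '*\Classes\CLSID\*') {
                # The InprocServer32 default value names the DLL Internet Explorer loads.
                $dll = (Get-ItemProperty -LiteralPath "$k\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
                if ($dll) { $detail = "InprocServer32 -> $dll" }
            }
            [pscustomobject]@{ Artifact = $k; Type = 'RegistryKey'; Detail = $detail }
        }
    })

    # The adware also creates the mutex "EoRezo". OpenExisting looks in the current
    # session's Local\ namespace and throws when the mutex does not exist.
    try {
        $m = [System.Threading.Mutex]::OpenExisting('EoRezo')
        $m.Dispose()
        $findings += [pscustomobject]@{ Artifact = 'EoRezo'; Type = 'Mutex'; Detail = 'present in current session' }
    } catch [System.Threading.WaitHandleCannotBeOpenedException] {
        # Not present: nothing to report.
    }

    return $findings
}

Test-EoRezoArtifacts | Format-Table -AutoSize
```

Run it from an elevated prompt so the HKLM keys are readable; an empty table means none of the listed artifacts were found on this host.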

Execution

Adware:Win32/EoRezo is known to perform the following actions:

  • Display pop-up advertisements
  • Connect to certain servers, for example, "eorezo.com" and "alpha00001.com"
  • Change the home page and search engine used by Internet Explorer and Mozilla Firefox
  • Send out information about the computer to a remote server
  • Connect to a remote server to retrieve configuration data




Analysis by Jireh Sanico

Last update 02 November 2011
