
Adware:Win32/EasyOn


First posted on 28 September 2011.
Source: SecurityHome

Aliases :

Adware:Win32/EasyOn is also known as Win32/Adware.Kraddare.CA application (ESET), AdSearcher (Ikarus), Adware-EasyOn (McAfee), W32/Adware.JA (Norman).

Explanation :

Adware:Win32/EasyOn is an adware application that may display unwanted pop-up advertisements and redirect search queries.


Installation

When installed, Adware:Win32/EasyOn may be present as the following files:

  • %ProgramFiles%\EasyOn\EasyOn.dll
  • %ProgramFiles%\EasyOn\EasyOn.exe
  • %ProgramFiles%\EasyOn\setting.dat
  • %ProgramFiles%\EasyOn\Uninstall.exe


The registry is modified to run the adware at each Windows start.

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "EasyOn"
With data: "%ProgramFiles%\EasyOn\EasyOn.exe"

The registry is also modified to register the DLL component as a Browser Helper Object (BHO) named "EasyOn" or "EasyOnHelper", so that it is loaded whenever the web browser is launched.

In subkey: HKCR\EasyOn.BandHelper
Sets value: "@"
With data: "BandHelper Class"

In subkey: HKCR\EasyOn.BandHelper\CLSID
Sets value: "@"
With data: "{1CE681DC-1190-40EF-85A9-ADE47098CF51}"

In subkey: HKCR\EasyOn.BandHelper\CurVer
Sets value: "@"
With data: "EasyOn.BandHelper.1"

In subkey: HKCR\EasyOn.BandHelper.1
Sets value: "@"
With data: "BandHelper Class"

In subkey: HKCR\EasyOn.BandHelper.1\CLSID
Sets value: "@"
With data: "{1CE681DC-1190-40EF-85A9-ADE47098CF51}"

In subkey: HKCR\EasyOn.SideBand
Sets value: "@"
With data: "SideBand Class"

In subkey: HKCR\EasyOn.SideBand\CLSID
Sets value: "@"
With data: "{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}"

In subkey: HKCR\EasyOn.SideBand\CurVer
Sets value: "@"
With data: "EasyOn.SideBand.1"

In subkey: HKCR\EasyOn.SideBand.1
Sets value: "@"
With data: "SideBand Class"

In subkey: HKCR\EasyOn.SideBand.1\CLSID
Sets value: "@"
With data: "{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}"

In subkey: HKCR\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}
Sets value: "@"
With data: "EasyOnHelper"

In subkey: HKCR\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\InprocServer32
Sets value: "@"
With data: "%ProgramFiles%\EasyOn\EasyOn.dll"

In subkey: HKCR\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}
Sets value: "@"
With data: "EasyOn"

In subkey: HKCR\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\InprocServer32
Sets value: "@"
With data: "%ProgramFiles%\EasyOn\EasyOn.dll"

In subkey: HKCU\Software\EasyOn
Sets value: "id"
With data: "<value>"
Sets value: "version"
With data: "<value>"
Sets value: "sp"
With data: "<value>"

In subkey: HKLM\SOFTWARE\Classes\EasyOn.BandHelper
Sets value: "@"
With data: "BandHelper Class"

In subkey: HKLM\SOFTWARE\Classes\EasyOn.BandHelper\CLSID
Sets value: "@"
With data: "{1CE681DC-1190-40EF-85A9-ADE47098CF51}"

In subkey: HKLM\SOFTWARE\Classes\EasyOn.BandHelper\CurVer
Sets value: "@"
With data: "EasyOn.BandHelper.1"

In subkey: HKLM\SOFTWARE\Classes\EasyOn.BandHelper.1
Sets value: "@"
With data: "BandHelper Class"

In subkey: HKLM\SOFTWARE\Classes\EasyOn.BandHelper.1\CLSID
Sets value: "@"
With data: "{1CE681DC-1190-40EF-85A9-ADE47098CF51}"

In subkey: HKLM\SOFTWARE\Classes\EasyOn.SideBand
Sets value: "@"
With data: "SideBand Class"

In subkey: HKLM\SOFTWARE\Classes\EasyOn.SideBand\CLSID
Sets value: "@"
With data: "{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}"

In subkey: HKLM\SOFTWARE\Classes\EasyOn.SideBand.1
Sets value: "@"
With data: "SideBand Class"

In subkey: HKLM\SOFTWARE\Classes\EasyOn.SideBand.1\CLSID
Sets value: "@"
With data: "{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}"

In subkey: HKLM\SOFTWARE\Classes\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}
Sets value: "@"
With data: "EasyOnHelper"

In subkey: HKLM\SOFTWARE\Classes\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\InprocServer32
Sets value: "@"
With data: "%ProgramFiles%\EasyOn\EasyOn.dll"

In subkey: HKLM\SOFTWARE\Classes\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}
Sets value: "@"
With data: "EasyOn"

In subkey: HKLM\SOFTWARE\Classes\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\InprocServer32
Sets value: "@"
With data: "%ProgramFiles%\EasyOn\EasyOn.dll"

Creates subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1CE681DC-1190-40EF-85A9-ADE47098CF51}

During installation, Adware:Win32/EasyOn writes an uninstall entry to the registry, which also creates a display name of "EasyOn" in the list of installed programs shown in the Control Panel applet.

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EasyOn
Sets value: "DisplayName"
With data: "EasyOn"
Sets value: "UninstallString"
With data: "%ProgramFiles%\EasyOn\Uninstall.exe"
Sets value: "NoModify"
With data: "dword:00000001"
Sets value: "NoRepair"
With data: "dword:00000001"
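A read-only host check for the artifacts listed above, added here as an example (it is not part of the original write-up and nothing here is the adware's own code). It assumes a 32-bit install layout; on 64-bit Windows, a 32-bit COM class would additionally be mirrored under WOW6432Node, which this check does not cover.

```powershell
# Added example: report Adware:Win32/EasyOn artifacts on the local host. Read-only.
$Clsids = @('{1CE681DC-1190-40EF-85A9-ADE47098CF51}',   # EasyOnHelper (BHO)
            '{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}')   # EasyOn (SideBand)
$Findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Kind, [string]$Path, [string]$Detail) {
    $Findings.Add([pscustomobject]@{ Kind = $Kind; Path = $Path; Detail = $Detail })
}

# 1. Dropped files under %ProgramFiles%\EasyOn (also look in the x86 folder on 64-bit hosts)
foreach ($base in @($env:ProgramFiles, ${env:ProgramFiles(x86)})) {
    if (-not $base) { continue }
    foreach ($f in 'EasyOn.dll', 'EasyOn.exe', 'setting.dat', 'Uninstall.exe') {
        $p = Join-Path (Join-Path $base 'EasyOn') $f
        if (Test-Path -LiteralPath $p) { Add-Finding 'File' $p '' }
    }
}

# 2. Run-key persistence: value "EasyOn" under HKLM\...\CurrentVersion\Run
$run = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$v = Get-ItemProperty -Path $run -Name 'EasyOn' -ErrorAction SilentlyContinue
if ($v) { Add-Finding 'RunKey' "$run\EasyOn" $v.EasyOn }

# 3. COM registration of both CLSIDs (HKCR and the HKLM\SOFTWARE\Classes mirror) and the BHO list
foreach ($c in $Clsids) {
    foreach ($k in @("Registry::HKEY_CLASSES_ROOT\CLSID\$c\InprocServer32",
                     "HKLM:\SOFTWARE\Classes\CLSID\$c\InprocServer32")) {
        $ip = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
        if ($ip) { Add-Finding 'COMServer' $k $ip.'(default)' }   # expect ...\EasyOn\EasyOn.dll
    }
    $bho = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$c"
    if (Test-Path -Path $bho) { Add-Finding 'BHO' $bho 'loaded by Internet Explorer at start' }
}

# 4. Per-user settings key and the Add/Remove Programs entry
foreach ($k in 'HKCU:\Software\EasyOn',
               'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EasyOn') {
    if (Test-Path -Path $k) { Add-Finding 'RegKey' $k '' }
}

if ($Findings.Count -eq 0) { 'No Adware:Win32/EasyOn artifacts found.' }
else { $Findings | Format-Table -AutoSize }
```

Run it from an elevated prompt so the HKLM and Program Files locations are readable; a non-empty table is a lead to investigate, not proof of an infection by itself.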

Adware:Win32/EasyOn monitors the websites accessed on an affected computer. If the visited site's address matches any entry in an embedded list of strings, the adware may display unwanted pop-up advertisements.


Win32/EasyOn also compares the URL of each accessed website against an embedded list of URL substrings to identify search queries.


If there is a match, the adware passes the search keywords to an advertisement server using the following request format, which results in the search results being redirected:

sideon.co.kr/sideon.asp?k=%s&id=%s&m=%s

Adware:Win32/EasyOn may download updates of its components from the domain "easyon.sideon.co.kr".
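The request format and update domain above give a network-side detection opportunity. The following proxy-log scanner is an added example, not part of the original write-up; the log lines are constructed samples, and the log layout (timestamp, client, method, URL, status) is an assumption to adapt to your own proxy's format.

```powershell
# Added example: flag EasyOn keyword-leak requests (sideon.co.kr/sideon.asp?k=...&id=...&m=...)
# and update fetches from easyon.sideon.co.kr in web-proxy logs. Sample lines are constructed.
$SampleLog = @'
2011-09-28 09:12:01 10.0.0.15 GET http://search.naver.com/search.naver?query=notebook 200
2011-09-28 09:12:02 10.0.0.15 GET http://sideon.co.kr/sideon.asp?k=notebook&id=a1b2c3&m=1 302
2011-09-28 09:15:40 10.0.0.22 GET http://easyon.sideon.co.kr/update/EasyOn.dll 200
2011-09-28 09:16:10 10.0.0.31 GET http://www.example.com/ 200
'@

function Find-EasyOnBeacons([string[]]$Lines) {
    # Assumed layout: "<date> <time> <client-ip> <method> <url> <status>"
    $pattern = '^(?<ts>\S+ \S+) (?<src>\S+) \S+ (?<url>\S+)'
    foreach ($line in $Lines) {
        if ($line -notmatch $pattern) { continue }
        $uri = [uri]$Matches.url
        if ($uri.Host -eq 'sideon.co.kr' -and $uri.AbsolutePath -eq '/sideon.asp') {
            # The leaked search term travels in k=, the per-install id in id=
            $q = [System.Web.HttpUtility]::ParseQueryString($uri.Query)
            [pscustomobject]@{ Time = $Matches.ts; Source = $Matches.src; Type = 'SearchLeak'
                               Keyword = $q['k']; ClientId = $q['id'] }
        } elseif ($uri.Host -eq 'easyon.sideon.co.kr') {
            [pscustomobject]@{ Time = $Matches.ts; Source = $Matches.src; Type = 'UpdateFetch'
                               Keyword = $null; ClientId = $null }
        }
    }
}

Add-Type -AssemblyName System.Web      # for HttpUtility.ParseQueryString
Find-EasyOnBeacons ($SampleLog -split "`n") | Format-Table -AutoSize
```

Each SearchLeak hit names the internal client that sent the keyword, which is the host to run the file and registry check on; the same two host names also make a short blocklist for the proxy itself.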



Analysis by Ric Robielos

Last update 28 September 2011
