
Adware:Win32/Eorezo


First posted on 15 February 2019.
Source: Microsoft

Aliases:

Adware:Win32/Eorezo is also known as Win32/Adware.EoRezo.E application, AdWare.Win32.EoRezo, Adware-Eorezo, ADW_EOZERO.

Explanation:

Installation

The program creates these registry entries:

In subkey: HKLM\Software\EoRezo
Sets value: "HostGUID"
With data: ""

In subkey: HKCU\Software\EoRezo
Sets value: "LCID"
With data: ""

It also creates the mutex "EoRezo".

It installs itself as a Browser Helper Object (BHO) and creates the following registry entries:

In subkey: HKLM\SOFTWARE\Classes\AppID\EoEngineBHO.DLL
Sets value: "AppID"
With data: "{afbb7970-789a-4264-ba70-e8127dece400}"

In subkey: HKLM\SOFTWARE\Classes\AppID\{AFBB7970-789A-4264-BA70-E8127DECE400}
Sets value: "(default)"
With data: "eoenginebho"

In subkey: HKLM\SOFTWARE\Classes\CLSID\{C10DC1F4-CCDF-4224-A24D-B23AFC3573C8}
Sets value: "(default)"
With data: "eobho class"

In subkey: HKLM\SOFTWARE\Classes\CLSID\{C10DC1F4-CCDF-4224-A24D-B23AFC3573C8}\InprocServer32
Sets value: "(default)"
With data: ""

In subkey: HKLM\SOFTWARE\Classes\CLSID\{C10DC1F4-CCDF-4224-A24D-B23AFC3573C8}\ProgID
Sets value: "(default)"
With data: "eoenginebho.eobho.1"

In subkey: HKLM\SOFTWARE\Classes\CLSID\{C10DC1F4-CCDF-4224-A24D-B23AFC3573C8}\TypeLib
Sets value: "(default)"
With data: "{{18af7201-4f14-4bcf-93fe-45617cf259ff}}"

In subkey: HKLM\SOFTWARE\Classes\CLSID\{C10DC1F4-CCDF-4224-A24D-B23AFC3573C8}\VersionIndependentProgID
Sets value: "(default)"
With data: "eoenginebho.eobho"

In subkey: HKLM\SOFTWARE\Classes\EoEngineBHO.EOBHO
Sets value: "(default)"
With data: "eobho class"

In subkey: HKLM\SOFTWARE\Classes\EoEngineBHO.EOBHO.1
Sets value: "(default)"
With data: "eobho class"

In subkey: HKLM\SOFTWARE\Classes\EoEngineBHO.EOBHO.1\CLSID
Sets value: "(default)"
With data: "{c10dc1f4-ccdf-4224-a24d-b23afc3573c8}"

In subkey: HKLM\SOFTWARE\Classes\EoEngineBHO.EOBHO\CLSID
Sets value: "(default)"
With data: "{c10dc1f4-ccdf-4224-a24d-b23afc3573c8}"

In subkey: HKLM\SOFTWARE\Classes\EoEngineBHO.EOBHO\CurVer
Sets value: "(default)"
With data: "eoenginebho.eobho.1"

In subkey: HKLM\SOFTWARE\Classes\Interface\{DF76E9B7-35EC-46FC-AF56-5B79DED9D64F}
Sets value: "(default)"
With data: "ieobho"

In subkey: HKLM\SOFTWARE\Classes\Interface\{DF76E9B7-35EC-46FC-AF56-5B79DED9D64F}\ProxyStubClsid
Sets value: "(default)"
With data: "{00020424-0000-0000-c000-000000000046}"

In subkey: HKLM\SOFTWARE\Classes\Interface\{DF76E9B7-35EC-46FC-AF56-5B79DED9D64F}\ProxyStubClsid32
Sets value: "(default)"
With data: "{00020424-0000-0000-c000-000000000046}"

In subkey: HKLM\SOFTWARE\Classes\Interface\{DF76E9B7-35EC-46FC-AF56-5B79DED9D64F}\TypeLib
Sets value: "(default)"
With data: "{18af7201-4f14-4bcf-93fe-45617cf259ff}"

In subkey: HKLM\SOFTWARE\Classes\TypeLib\{18AF7201-4F14-4BCF-93FE-45617CF259FF}\1.0
Sets value: "(default)"
With data: "eoenginebho 1.0 type library"

In subkey: HKLM\SOFTWARE\Classes\TypeLib\{18AF7201-4F14-4BCF-93FE-45617CF259FF}\1.0\win32
Sets value: "(default)"
With data: ""

In subkey: HKLM\SOFTWARE\Classes\TypeLib\{18AF7201-4F14-4BCF-93FE-45617CF259FF}\1.0\FLAGS
Sets value: "(default)"
With data: "0"

In subkey: HKLM\SOFTWARE\Classes\TypeLib\{18AF7201-4F14-4BCF-93FE-45617CF259FF}\1.0\HELPDIR
Sets value: "(default)"
With data: ""

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C10DC1F4-CCDF-4224-A24D-B23AFC3573C8}
Sets value: "(default)"
With data: "eobho"
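The registry keys, BHO CLSID and mutex listed above are the installation artifacts a defender can check for on a suspect host. The following PowerShell script is an added example written for this page, not part of the Microsoft write-up: it is read-only, runs from an elevated prompt, and reports which of the listed artifacts are present. The registry paths and the mutex name are taken from the write-up; the WOW6432Node variants are added on the assumption that the BHO is a 32-bit DLL registered on 64-bit Windows.

```powershell
# Added example: read-only check for Adware:Win32/Eorezo installation artifacts.
# Registry paths, CLSID and mutex name come from the write-up above.

$findings = New-Object System.Collections.Generic.List[string]

# CLSID of the "eobho class" Browser Helper Object
$bhoClsid = '{C10DC1F4-CCDF-4224-A24D-B23AFC3573C8}'
$typeLib  = '{18AF7201-4F14-4BCF-93FE-45617CF259FF}'

# Keys the adware creates during installation (native and 32-bit-on-64-bit views)
$keys = @(
    'HKLM:\Software\EoRezo',
    'HKCU:\Software\EoRezo',
    'HKLM:\SOFTWARE\Classes\AppID\EoEngineBHO.DLL',
    "HKLM:\SOFTWARE\Classes\CLSID\$bhoClsid",
    'HKLM:\SOFTWARE\Classes\EoEngineBHO.EOBHO',
    "HKLM:\SOFTWARE\Classes\TypeLib\$typeLib",
    "HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID\$bhoClsid",
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$bhoClsid",
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$bhoClsid"
)

foreach ($key in $keys) {
    if (Test-Path -LiteralPath $key) {
        $findings.Add("registry key present: $key")
    }
}

# If the BHO is registered, record which DLL InprocServer32 points to so it can be
# collected for analysis. The write-up lists this value as empty, so it may be blank.
foreach ($clsidRoot in @('HKLM:\SOFTWARE\Classes\CLSID', 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID')) {
    $inproc = "$clsidRoot\$bhoClsid\InprocServer32"
    if (Test-Path -LiteralPath $inproc) {
        $dll = (Get-ItemProperty -LiteralPath $inproc).'(default)'
        $findings.Add("BHO InprocServer32 at $inproc points to: '$dll'")
    }
}

# The adware creates the mutex "EoRezo"; an open mutex suggests the adware is running.
# OpenExisting throws WaitHandleCannotBeOpenedException when no such mutex exists and
# UnauthorizedAccessException when it exists but this session may not open it.
try {
    $m = [System.Threading.Mutex]::OpenExisting('EoRezo')
    $m.Dispose()
    $findings.Add('mutex "EoRezo" is open: adware process is likely running')
} catch [System.Threading.WaitHandleCannotBeOpenedException] {
    # mutex not present in this session
} catch [System.UnauthorizedAccessException] {
    $findings.Add('mutex "EoRezo" exists (access denied): adware process is likely running')
}

if ($findings.Count -eq 0) {
    Write-Output 'No Adware:Win32/Eorezo installation artifacts found.'
} else {
    Write-Output $findings
}
```

The script only reports; removal should be left to an up-to-date antimalware product, because the BHO registration is spread across many CLSID, ProgID, Interface and TypeLib keys and a partial cleanup leaves Internet Explorer loading a dangling COM object.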

Behavior

The program is known to:

Display pop-up ads.
Connect to certain servers, for example, eorezo.com and alpha00001.com.
Change the home page and search engine used by Internet Explorer and Mozilla Firefox.
Send out information about your PC to a remote server.
Connect to a remote server to get configuration data.

Analysis by Jireh Sanico

Last update 15 February 2019
