Analysis by: Christopher Daniel So

 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003

 OVERALL RISK RATING:
 REPORTED INFECTION:
 SYSTEM IMPACT RATING:
 INFORMATION EXPOSURE:

  • Threat Type: Adware

  • Destructiveness: No

  • Encrypted: No

  • In the wild: Yes

  OVERVIEW

Infection Channel: Dropped by other malware, Downloaded from the Internet

This malware is one of the "Printer Virus" that prints several lines of characters when executed on infected systems.

To get a one-glance comprehensive view of the behavior of this Adware, refer to the Threat Diagram shown below.

This adware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It executes the downloaded files. As a result, malicious routines of the downloaded files are exhibited on the affected system.

  TECHNICAL DETAILS

File Size: Varies
File Type: EXE
Memory Resident: No
Initial Samples Received Date: 19 Sep 2011
Payload: Connects to URLs/IPs, Downloads files

Arrival Details

This adware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This adware drops the following files:

  • {malware path}\user_config.cyp
  • {malware path}\user_profil.cyp

It creates the following folders:

  • {malware path}\Download
  • {malware path}\Software

Other System Modifications

This adware adds the following registry keys:

HKEY_CURRENT_USER\Software\EoRezo

HKEY_LOCAL_MACHINE\SOFTWARE\EoRezo

It adds the following registry entries:

HKEY_CURRENT_USER\Software\EoRezo\
SoftwareUpdate
MainDir = "{malware path}"

HKEY_CURRENT_USER\Software\EoRezo\
SoftwareUpdate
Version = "1.5.0.0"

HKEY_CURRENT_USER\Software\EoRezo\
SoftwareUpdate
SoftwareDir = "{malware path}\Software"

HKEY_CURRENT_USER\Software\EoRezo\
SoftwareUpdate
DownloadDir = "{malware path}\Download"

HKEY_LOCAL_MACHINE\SOFTWARE\EoRezo
HostGUID = "{random GUID}"

Download Routine

This adware accesses the following websites to download files:

  • http://{BLOCKED}es.{BLOCKED}zo.com/clib/suf.exe?{random string}

It saves the files it downloads using the following names:

  • {malware path}\Download\sufr\4.0.0.{random number}\suf.exe
  • {malware path}\Software\sufr\4.0.0.{random number}\suf.exe

Trend Micro detects the dowloaded file as:

  • ADW_EOREZO

It then executes the downloaded files. As a result, malicious routines of the downloaded files are exhibited on the affected system.

Adware Routine

This adware connects to the following URL(s) to display ads on the affected system:

  • http://{BLOCKED}of.{BLOCKED}ezo.com/cgi-bin/create_profile.cgi
  • http://{BLOCKED}g.{BLOCKED}zo.com/cgi-bin/trace.cgi
  • http://{BLOCKED}of.{BLOCKED}zo.com/cgi-bin/get_update.cgi
  • http://{BLOCKED}s.{BLOCKED}zo.com/cgi-bin/advert/getads?did=43

  SOLUTION

Minimum Scan Engine: 9.200
SSAPI PATTERN File: 1.269.00
SSAPI PATTERN Date: 06 Mar 2012

Step 1

Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.

Step 2

Close all opened browser windows

Step 3

Delete this registry key

[ Learn More ]

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

  • In HKEY_CURRENT_USER\Software
    • EoRezo
  • In HKEY_LOCAL_MACHINE\SOFTWARE
    • EoRezo

Step 4

Search and delete these components

[ Learn More ]
There may be some components that are hidden. Please make sure you check the Search Hidden Files and Folders checkbox in the "More advanced options" option to include all hidden files and folders in the search result.
  • {malware path}\user_config.cyp
  • {malware path}\user_profil.cyp

Step 5

Search and delete these folders

[ Learn More ]
Please make sure you check the Search Hidden Files and Folders checkbox in the More advanced options option to include all hidden folders in the search result.
  • {malware path}\Download
  • {malware path}\Software

Step 6

Scan your computer with your Trend Micro product to delete files detected as ADW_EOREZO. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.


Did this description help? Tell us how we did.