ADW_EOREZO.GA

This adware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Arrival Details

This adware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This adware creates the following folders:

• %User Temp%\is-{random 1}.tmp
• %User Temp%\is-{random 2}.tmp
• %User Temp%\is-{random 3}.tmp
• %User Temp%\is-{random 3}.tmp\_isetup
• %User Temp%\is-{random 4}.tmp
• %User Temp%\is-{random 4}.tmp\_isetup
• %Program Files%\predm

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.. %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000, Server 2003, and XP (32-bit), Vista (32-bit), and 7 (32-bit), or C:\Program Files (x86) in Windows XP (64-bit), Vista (64-bit), and 7 (64-bit).)

Dropping Routine

This adware drops the following files:

• %User Temp%\is-{random 1}.tmp\{malware file name}.tmp
• %User Temp%\is-{random 2}.tmp\_isetup\_shfoldr.dll
• %User Temp%\is-{random 2}.tmp\itdownload.dll
• %User Temp%\is-{random 2}.tmp\dm.exe
• %User Temp%\is-{random 3}.tmp\dm.tmp
• %User Temp%\is-{random 4}.tmp\_isetup\_shfoldr.dll
• %User Temp%\is-{random 4}.tmp\itdownload.dll
• %User Temp%\is-{random 4}.tmp\VirutalMachineDetect.exe

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.)

Other Details

This adware connects to the following possibly malicious URL:

• http://mires.{BLOCKED}o.com/download/dyn/dm.exe