Adware.Win32.WowSearch.GB

 Analysis by: John Anthony Banes

 PLATFORM:

Windows


  • Threat Type: Adware

  • Destructiveness: No

  • In the wild: Yes

  OVERVIEW

This Adware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites. It may be manually installed by a user.

  TECHNICAL DETAILS

File Size:

2,465,301 bytes

File Type:

EXE

Initial Samples Received Date:

17 Dec 2018

Arrival Details

This Adware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It may be manually installed by a user.

Installation

This Adware adds the following folders:

  • %Program Files%\EZ YouTube Video Downloader
  • %Program Files%\EZ YouTube Video Downloader\{8167E8F2-A770-4EFB-BA53-8A511051CD9B}
  • %Program Files%\EZ YouTube Video Downloader\{8167E8F2-A770-4EFB-BA53-8A511051CD9B}\chrome\content
  • %Program Files%\EZ YouTube Video Downloader\{8167E8F2-A770-4EFB-BA53-8A511051CD9B}\chrome\skin
  • %Program Files%\EZ YouTube Video Downloader\{8167E8F2-A770-4EFB-BA53-8A511051CD9B}\defaults
  • %Program Files%\EZ YouTube Video Downloader\{8167E8F2-A770-4EFB-BA53-8A511051CD9B}\defaults\preferences
  • %Program Files%\Security Updates Service
  • %User Temp%\ns{random}.tmp

(Note: %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000, Server 2003, and XP (32-bit), Vista (32-bit), 7 (32-bit), and 8 (32-bit), or C:\Program Files (x86) in Windows XP (64-bit), Vista (64-bit), 7 (64-bit), and 8 (64-bit). %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, and 8.)

It drops the following files:

  • %Program Files%\EZ YouTube Video Downloader\{8167E8F2-A770-4EFB-BA53-8A511051CD9B}\chrome.manifest
  • %Program Files%\EZ YouTube Video Downloader\{8167E8F2-A770-4EFB-BA53-8A511051CD9B}\chrome\content\main.js
  • %Program Files%\EZ YouTube Video Downloader\{8167E8F2-A770-4EFB-BA53-8A511051CD9B}\chrome\content\main.xul
  • %Program Files%\EZ YouTube Video Downloader\{8167E8F2-A770-4EFB-BA53-8A511051CD9B}\chrome\skin\icon48.png
  • %Program Files%\EZ YouTube Video Downloader\{8167E8F2-A770-4EFB-BA53-8A511051CD9B}\defaults\preferences\prefs.js
  • %Program Files%\EZ YouTube Video Downloader\{8167E8F2-A770-4EFB-BA53-8A511051CD9B}\install.rdf
  • %Program Files%\EZ YouTube Video Downloader\{8167E8F2-A770-4EFB-BA53-8A511051CD9B}\yvd.xpi.7z
  • %Program Files%\EZ YouTube Video Downloader\install.ico
  • %Program Files%\EZ YouTube Video Downloader\uninstall.exe
  • %Program Files%\EZ YouTube Video Downloader\yvd.dll
  • %Program Files%\Security Updates Service\search_checker.exe
  • %Program Files%\Security Updates Service\winupdsvc.exe
  • %User Temp%\jsonparser.dll
  • %User Temp%\ns{random}.tmp
  • %User Temp%\ns{random}.tmp\inetc.dll
  • %User Temp%\ns{random}.tmp\LogEx.dll
  • %User Temp%\ns{random}.tmp\modern-wizard.bmp
  • %User Temp%\ns{random}.tmp\ns{random}.tmp
  • %User Temp%\ns{random}.tmp\nsDialogs.dll
  • %User Temp%\ns{random}.tmp\nsExec.dll
  • %User Temp%\ns{random}.tmp\nsis7z.dll
  • %User Temp%\ns{random}.tmp\nsProcess.dll
  • %User Temp%\ns{random}.tmp\System.dll
  • %User Temp%\ns{random}.tmp\UAC.dll
  • %User Temp%\ns{random}.tmp\version.dll
  • %User Temp%\PrefJsonCpp.exe
  • %User Temp%\sqlite3.exe
  • %User Temp%\ytvd.json
  • %User Temp%\ytvd.json_backup
  • %User Temp%\ytvd_install.log

Other System Modifications

This Adware adds the following registry keys:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{fdbfea30-ec51-4b8d-b4f0-8ca4f7253c0a}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FDBFEA30-EC51-4B8D-B4F0-8CA4F7253C0A}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FDBFEA30-EC51-4B8D-B4F0-8CA4F7253C0A}\InprocServer32
  • HKEY_LOCAL_MACHINE\SOFTWARE\EZ YouTube Video Downloader
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FDBFEA30-EC51-4B8D-B4F0-8CA4F7253C0A}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EZ YouTube Video Downloader
  • HKEY_LOCAL_MACHINE\SOFTWARE\SecurityUpdatesService
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{fdbfea30-ec51-4b8d-b4f0-8ca4f7253c0a}
  • HKEY_USERS\{SID}\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{fdbfea30-ec51-4b8d-b4f0-8ca4f7253c0a}

It adds the following registry entries:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{fdbfea30-ec51-4b8d-b4f0-8ca4f7253c0a}
Flags = 1024

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FDBFEA30-EC51-4B8D-B4F0-8CA4F7253C0A}
(Default) = EZ YouTube Video Downloader {version}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FDBFEA30-EC51-4B8D-B4F0-8CA4F7253C0A}\InprocServer32
(Default) = %Program Files%\EZYOUT~1\yvd.dll
ThreadingModel = Apartment

HKEY_LOCAL_MACHINE\SOFTWARE\EZ YouTube Video Downloader
loc_inst_chr_ext = ""

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FDBFEA30-EC51-4B8D-B4F0-8CA4F7253C0A}
NoExplorer = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext
IgnoreFrameApprovalCheck = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EZ YouTube Video Downloader
DisplayIcon = %Program Files%\EZ YouTube Video Downloader\install.ico
DisplayName = EZ YouTube Video Downloader
DisplayVersion = {version}
Publisher = XtensionPlus
UninstallString = %Program Files%\EZ YouTube Video Downloader\uninstall.exe
URLInfoAbout = http://{BLOCKED}o.tv/

HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\Extensions
{8167E8F2-A770-4EFB-BA53-8A511051CD9B} = %Program Files%\EZ YouTube Video Downloader\{8167E8F2-A770-4EFB-BA53-8A511051CD9B}

HKEY_LOCAL_MACHINE\SOFTWARE\SecurityUpdatesService
chrome_se_last_update = 0
chrome_se_next_update = 1
chrome_tab_last_update = 0
distributor_id = 0
firefox_se_last_update = 0
firefox_se_next_update = 1
firefox_tab_last_update = 0
first_run = 0
ie_se_last_update = 0
ie_se_next_update = 1
ie_tab_last_update = 0
last_build_check = 0
name = Security Updates Service
next_build_check = 1
tmp = C:\Users\DYITUS~1\AppData\Local\Temp\
url = http://{BLOCKED}o.tv/youtubedownloader/update.jsp
version = 1.2.1

HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{fdbfea30-ec51-4b8d-b4f0-8ca4f7253c0a}
Flags = 1024

HKEY_USERS\{SID}\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{fdbfea30-ec51-4b8d-b4f0-8ca4f7253c0a}
Flags = 1024
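The registry entries above amount to three persistence and evasion artifacts worth checking for on a suspect host: the Browser Helper Object registration that loads yvd.dll into Internet Explorer, the IgnoreFrameApprovalCheck policy that suppresses the add-on approval prompt so the BHO activates without the user being asked, and the Firefox Extensions value that side-loads the same add-on. The following PowerShell check is an added example written for this entry, not part of the Trend Micro write-up; the function name is ours, and it assumes a 32-bit installer on possibly 64-bit Windows, so it looks under both the native and Wow6432Node registry views and both Program Files folders.

```powershell
function Test-WowSearchArtifacts {
    $bhoClsid = '{FDBFEA30-EC51-4B8D-B4F0-8CA4F7253C0A}'
    $ffExtId  = '{8167E8F2-A770-4EFB-BA53-8A511051CD9B}'
    $findings = @()

    # Registry keys listed in the write-up. On 64-bit Windows a 32-bit installer's
    # COM/BHO registrations are redirected under Wow6432Node, so check both views.
    $keys = @(
        "HKLM:\SOFTWARE\Classes\CLSID\$bhoClsid\InprocServer32",
        "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$bhoClsid",
        'HKLM:\SOFTWARE\SecurityUpdatesService',
        'HKLM:\SOFTWARE\EZ YouTube Video Downloader'
    )
    $keys += ($keys | ForEach-Object { $_ -replace '^HKLM:\\SOFTWARE\\', 'HKLM:\SOFTWARE\Wow6432Node\' })
    foreach ($k in $keys) {
        if (Test-Path -LiteralPath $k) { $findings += [pscustomobject]@{ Type = 'RegistryKey'; Item = $k } }
    }

    # Firefox side-loading: the value name under Extensions is the add-on GUID.
    foreach ($ff in 'HKLM:\SOFTWARE\Mozilla\Firefox\Extensions', 'HKLM:\SOFTWARE\Wow6432Node\Mozilla\Firefox\Extensions') {
        if ((Get-ItemProperty -LiteralPath $ff -ErrorAction SilentlyContinue).$ffExtId) {
            $findings += [pscustomobject]@{ Type = 'FirefoxExtension'; Item = "$ff\$ffExtId" }
        }
    }

    # IgnoreFrameApprovalCheck = 1 turns off the prompt that asks the user to
    # approve newly installed IE add-ons. Flag it regardless of who set it; a
    # deliberate policy of this kind should be documented by the administrator.
    foreach ($pol in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext', 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Ext') {
        $v = (Get-ItemProperty -LiteralPath $pol -ErrorAction SilentlyContinue).IgnoreFrameApprovalCheck
        if ($v -eq 1) { $findings += [pscustomobject]@{ Type = 'Policy'; Item = "$pol\IgnoreFrameApprovalCheck = 1" } }
    }

    # Dropped executables and the BHO DLL, under both Program Files folders.
    $roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
    foreach ($root in $roots) {
        foreach ($rel in 'Security Updates Service\winupdsvc.exe', 'Security Updates Service\search_checker.exe', 'EZ YouTube Video Downloader\yvd.dll') {
            $p = Join-Path $root $rel
            if (Test-Path -LiteralPath $p) { $findings += [pscustomobject]@{ Type = 'File'; Item = $p } }
        }
    }
    return $findings
}

Test-WowSearchArtifacts | Format-Table -AutoSize
```

An empty result means none of the listed artifacts are present; any RegistryKey or File hit should be followed up with the removal steps for this detection, and a Policy hit with a check of whether that setting was ever intentionally deployed.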

Other Details

This Adware connects to the following possibly malicious URLs:

  • http://myvdo.tv/{BLOCKED}downloader/update.jsp
  • http://sso.{BLOCKED}r.com/domain/myvdo.tv
  • http://xsso.{BLOCKED}o.tv
  • http://{BLOCKED}nplus.com/thank.htm