ADW_EOREZO.GB

This adware may arrive bundled with malware packages as a malware component. It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It connects to certain websites to send and receive information.

Arrival Details

This adware may arrive bundled with malware packages as a malware component.

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This adware drops and executes the following files:

• %User Temp%\is-{random}.tmp\{grayware filename}.tmp ← use to execute routine
• %User Temp%\is-{random}.tmp\CheckProc.cmd ← contains commands to check running process
• %User Temp%\is-{random}.tmp\ex.bat ← execute powershell code to check for AV products
• %User Temp%\is-{random}.tmp\cmd.bat ← creates favicon.ico

(Note: %User Temp% is the user's temporary folder, where it usually is C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

It creates the following folders:

• %User Temp%\is-{random}.tmp

(Note: %User Temp% is the user's temporary folder, where it usually is C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

Dropping Routine

This adware drops the following files:

• %User Temp%\is-{random}.tmp\_isetup\_shfoldr.dll
• %User Temp%\is-{random}.tmp\favicon.ico ← contains SessionName
• %User Temp%\is-{random}.tmp\av.txt ← list of installed AV products
• %User Temp%\is-{random}.tmp\gentlejmp_irow.exe

(Note: %User Temp% is the user's temporary folder, where it usually is C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

Adware Routine

This adware connects to the following URL(s) to display ads on the affected system:

• http://ads.{BLOCKED}epub.com/cgi-bin/advert/getads? (inaccessible)

Other Details

This adware connects to the following website to send and receive information:

• http://prof.{BLOCKED}o.com/cgi-bin/packages/DYNPACKAGES_WEB_GET_INFO.pm?product=all
• http://ads.{BLOCKED}oubutyoucantry.com/cgi-bin/advert/settags?x_mode=args&x_format=javascript&x_dp_id=1031&x_pub_id=4&tag={installed AV Product information}
• http://ads.{BLOCKED}ds.com/cgi-bin/advert/settags?x_mode=args&x_format=javascript&x_dp_id=2000&x_pub_id=20000&tag={Status Flag}

NOTES:

It appends the following {Status Flag} to "tag=" in the URL to indicate the status of its installation:

• _UPD__GMPROW_OPEN
• _UPD__GMPROW_INI
• _UPD__{System Architecture} (e.g. x86)
• _UPD__DATE_ERROR
• _UPD__DATE_OUT_{date of execution}
• _UPD__VM_{Virtual Environment and Network}
• _UPD__SA_{Installed Application}
• _UPD__SF_{Running Process}

It checks if the following virtual environments and virtual networks exist in the system:

• Virtual Machine.VMC
• VirtualBox
• VMware, Inc.
• parallels
• HMA! Pro VPN
• ExpressVPN
• PureVPN_is1
• Privax
• CyberGhost
• Golden Frog, GmbH. - VyprVPN

If any from the list are found in the system, it appends its relative "tag" as _UPD__VM_{Virtual Environment and Network}, where {Virtual Environment and Network} can be any of the following:

• _vPCS
• _vBxS
• _vBxHD
• _vMWS
• _vMWHD
• _vMWBi
• _vPaBi
• _vPCHD
• _HMAUn
• _ExUn
• _PuUn
• _PIAC
• _HMAU
• _OverUn
• _VypU
• _IPVUU
• _HMAEx

It checks if the following applications are installed and/or running in the system:

• TeamViewer_Desktop.exe
• DFServ.exe
• Fiddler2
• Wireshark
• Colasoft Capsa
• Angry IP Scanner
• Process Monitor
• regedit.exe
• Taskmgr.exe
• OLLYDBG.exe
• Regshot-x64-Unicode.exe
• Regshot-Unicode.exe

Then, if any from the list are found, it adds its relative "tag" as _UPD__SA_{Installed Application}, where {Installed Application} can be any of the following:

• _RDEx
• _VNEx
• _TVEx
• _DFEx
• _FiUn
• _WRSUn
• _WRSS
• _CAPUn
• _CAPS
• _AIPUn
• _AIPS
• _WRSU
• _CAPU
• _FiEx
• _WSHEx
• _CAPEx
• _AIPEx
• _PMEx
• _RGEx
• _TKEx
• _ODBGEx
• _RSEx

It checks if any of the following are running in the system:

• HMA! Pro VPN.exe
• newversion.tmp
• newversion.exe
• gentlemjmp_irow.exe
• Setup.exe
• Setup (1).exe
• Setup (2).exe
• unchecky_svc.exe
• unchecky_gb.exe

It then appends its relative tag if any are found running in the system as _UPD__SF_{Running Process}, where {Running Process} are the following:

• _SETUP
• _PFREG
• _PFTK
• _PFPM
• _PORTAL
• _VPC
• _CLI
• _TVRcu
• _TVRcu
• _UCB

It checks if the following AV Products are installed in the system:

• AVG
• Avast
• Microsoft
• Avira
• Malwarebytes
• Comodo
• Panda
• G Data
• ESET-NOD32
• Symantec
• Kaspersky
• Windows Defender
• Baidu
• Ad-Aware
• McAfee
• K7 Computing
• Doctor Web
• Sophos
• NANO Antivirus

It checks if the following ports are being used:

• 5900
• 5901
• 5902
• 5903
• 5904