ADW_EOREZO
Windows 2000, Windows XP, Windows Server 2003
Threat Type: Adware
Destructiveness: No
Encrypted: No
In the wild: Yes
OVERVIEW
This malware is one of the "Printer Virus" that prints several lines of characters when executed on infected systems.
To get a one-glance comprehensive view of the behavior of this Adware, refer to the Threat Diagram shown below.
This adware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It executes the downloaded files. As a result, malicious routines of the downloaded files are exhibited on the affected system.
TECHNICAL DETAILS
Arrival Details
This adware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This adware drops the following files:
- {malware path}\user_config.cyp
- {malware path}\user_profil.cyp
It creates the following folders:
- {malware path}\Download
- {malware path}\Software
Other System Modifications
This adware adds the following registry keys:
HKEY_CURRENT_USER\Software\EoRezo
HKEY_LOCAL_MACHINE\SOFTWARE\EoRezo
It adds the following registry entries:
HKEY_CURRENT_USER\Software\EoRezo\
SoftwareUpdate
MainDir = "{malware path}"
HKEY_CURRENT_USER\Software\EoRezo\
SoftwareUpdate
Version = "1.5.0.0"
HKEY_CURRENT_USER\Software\EoRezo\
SoftwareUpdate
SoftwareDir = "{malware path}\Software"
HKEY_CURRENT_USER\Software\EoRezo\
SoftwareUpdate
DownloadDir = "{malware path}\Download"
HKEY_LOCAL_MACHINE\SOFTWARE\EoRezo
HostGUID = "{random GUID}"
Download Routine
This adware accesses the following websites to download files:
- http://{BLOCKED}es.{BLOCKED}zo.com/clib/suf.exe?{random string}
It saves the files it downloads using the following names:
- {malware path}\Download\sufr\4.0.0.{random number}\suf.exe
- {malware path}\Software\sufr\4.0.0.{random number}\suf.exe
Trend Micro detects the dowloaded file as:
- ADW_EOREZO
It then executes the downloaded files. As a result, malicious routines of the downloaded files are exhibited on the affected system.
Adware Routine
This adware connects to the following URL(s) to display ads on the affected system:
- http://{BLOCKED}of.{BLOCKED}ezo.com/cgi-bin/create_profile.cgi
- http://{BLOCKED}g.{BLOCKED}zo.com/cgi-bin/trace.cgi
- http://{BLOCKED}of.{BLOCKED}zo.com/cgi-bin/get_update.cgi
- http://{BLOCKED}s.{BLOCKED}zo.com/cgi-bin/advert/getads?did=43
SOLUTION
Step 1
Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.
Step 2
Close all opened browser windows
Step 3
Delete this registry key
Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.
- In HKEY_CURRENT_USER\Software
- EoRezo
- EoRezo
- In HKEY_LOCAL_MACHINE\SOFTWARE
- EoRezo
- EoRezo
Step 4
Search and delete these components
- {malware path}\user_config.cyp
- {malware path}\user_profil.cyp
Step 5
Search and delete these folders
- {malware path}\Download
- {malware path}\Software
Step 6
Scan your computer with your Trend Micro product to delete files detected as ADW_EOREZO. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.
Did this description help? Tell us how we did.