1. /
  2. Security Response/
  3. Adware.Ezula

Adware.Ezula

Updated:
March 25, 2011 3:15:04 PM
Type:
Adware
Risk Impact:
High
Systems Affected:
Windows 2000, Windows 7, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Server 2008, Windows Vista, Windows XP
When Adware.Ezula is installed, it performs the following actions:
  1. Creates the following files:

    • %UserProfile%\TopText iLookup\Feedback.url
    • %UserProfile%\TopText iLookup\Help.url
    • %UserProfile%\TopText iLookup\My Keywords.lnk
    • %UserProfile%\TopText iLookup\My Preferences.lnk
    • %UserProfile%\TopText iLookup\ReadMe.url
    • %UserProfile%\TopText iLookup\TopText Button Show - Hide.lnk
    • %UserProfile%\EARN\About EARN.lnk
    • %UserProfile%\EARN\EARN website.url
    • %ProgramFiles%\eZula\basis.dst
    • %ProgramFiles%\eZula\basis.kwd
    • %ProgramFiles%\eZula\basis.pu
    • %ProgramFiles%\eZula\basis.rst
    • %ProgramFiles%\eZula\CHCON.dll
    • %ProgramFiles%\eZula\eabh.dll
    • %ProgramFiles%\eZula\genun.ez
    • %ProgramFiles%\eZula\Images\arrow1.gif
    • %ProgramFiles%\eZula\Images\arrow2.gif
    • %ProgramFiles%\eZula\Images\button_small.gif
    • %ProgramFiles%\eZula\Images\icon.gif
    • %ProgramFiles%\eZula\Images\Layer_Bottom.gif
    • %ProgramFiles%\eZula\Images\Layer_Center.gif
    • %ProgramFiles%\eZula\Images\Layer_Top.gif
    • %ProgramFiles%\eZula\Images\new.gif
    • %ProgramFiles%\eZula\Images\PopUp_Follow_divider.gif
    • %ProgramFiles%\eZula\Images\PopUp_Follow_Left.gif
    • %ProgramFiles%\eZula\Images\PopUp_Follow_Off.gif
    • %ProgramFiles%\eZula\Images\PopUp_Follow_On.gif
    • %ProgramFiles%\eZula\Images\PopUp_Follow_Right.gif
    • %ProgramFiles%\eZula\Images\PopUp_Top.gif
    • %ProgramFiles%\eZula\Images\PopUp_Top_Bottom.gif
    • %ProgramFiles%\eZula\Images\Side_B.gif
    • %ProgramFiles%\eZula\Images\Side_L.gif
    • %ProgramFiles%\eZula\Images\Side_R.gif
    • %ProgramFiles%\eZula\Images\Side_Top.gif
    • %ProgramFiles%\eZula\Images\spacer.gif
    • %ProgramFiles%\eZula\INSTALL.LOG
    • %ProgramFiles%\eZula\legend.lgn
    • %ProgramFiles%\eZula\mmod.exe
    • %ProgramFiles%\eZula\param.ez
    • %ProgramFiles%\eZula\rwds.rst
    • %ProgramFiles%\eZula\search.src
    • %ProgramFiles%\eZula\seng.dll
    • %ProgramFiles%\eZula\UNWISE.EXE
    • %ProgramFiles%\eZula\upgrade.vrn
    • %ProgramFiles%\eZula\version.vrn
    • %ProgramFiles%\eZula\wndbannn.src
    • %ProgramFiles%\Web Offer\apev.exe
    • %ProgramFiles%\Web Offer\basisp.dst
    • %ProgramFiles%\Web Offer\basisp.kwd
    • %ProgramFiles%\Web Offer\basisp.pu
    • %ProgramFiles%\Web Offer\basisp.rst
    • %ProgramFiles%\Web Offer\CHPON.dll
    • %ProgramFiles%\Web Offer\eapbh.dll
    • %ProgramFiles%\Web Offer\gendis.ez
    • %ProgramFiles%\Web Offer\INSTALL.LOG
    • %ProgramFiles%\Web Offer\paramp.ez
    • %ProgramFiles%\Web Offer\rwdsp.rst
    • %ProgramFiles%\Web Offer\sepng.dll
    • %ProgramFiles%\Web Offer\UNWISE.EXE
    • %ProgramFiles%\Web Offer\upgradep.vrn
    • %ProgramFiles%\Web Offer\versionp.vrn
    • %ProgramFiles%\Web Offer\wndbannnp.src
    • %ProgramFiles%\Web Offer\wo.exe
    • %Windir%\woinstall.exe
    • %Windir%\eZinstall.exe
    • %Windir%\Downloaded Program Files\ezstub.dll
    • %Windir%\Downloaded Program Files\ezstub.INF
    • %System%\ezstub.exe
    • %System%\ezpopstub.exe

      Notes:
    • %UserProfile% is a variable that refers to the c:\Documents and Settings\<current user>\Start Menu\Programs folder.
    • %ProgramFiles% is a variable that refers to the Program Files folder. By default, this is C:\Program Files.
    • %Windir% is a variable that refers to the Windows folder. By default, this is C:\WINNT on 2k machines and C:\Windows on XP machines.
    • %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

  2. Adds the values:

    "eZmmod" = "C:\PROGRA~1\ezula\mmod.exe"
    "eZWO" = "C:\PROGRA~1\Web Offer\wo.exe"

    to the registry subkey:

    HKEY_ALL_USERS\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    so that the risk runs every time Windows starts.

  3. Creates the following registry subkeys:


    HKEY_CLASSES_ROOT\AppID\eZulaBootExe.EXE
    HKEY_CLASSES_ROOT\AppID\eZulaMain.EXE
    HKEY_CLASSES_ROOT\AppID\{8A044397-5DA2-11D4-B185-0050DAB79376}
    HKEY_CLASSES_ROOT\AppID\{C0335198-6755-11D4-8A73-0050DA2EE1BE}
    HKEY_CLASSES_ROOT\CLSID\{07F0A543-47BA-11D4-8A6D-0050DA2EE1BE}
    HKEY_CLASSES_ROOT\CLSID\{07F0A545-47BA-11D4-8A6D-0050DA2EE1BE}
    HKEY_CLASSES_ROOT\CLSID\{19DFB2CB-9B27-11D4-B192-0050DAB79376}
    HKEY_CLASSES_ROOT\CLSID\{2079884B-6EF3-11D4-8A74-0050DA2EE1BE}
    HKEY_CLASSES_ROOT\CLSID\{2306ABE4-4D42-11D4-8A6D-0050DA2EE1BE}
    HKEY_CLASSES_ROOT\CLSID\{25630B47-53C6-4E66-A945-9D7B6B2171FF}
    HKEY_CLASSES_ROOT\CLSID\{2BABD334-5C3F-11D4-B184-0050DAB79376}
    HKEY_CLASSES_ROOT\CLSID\{370F6354-41C4-4FA6-A2DF-1BA57EE0FBB9}
    HKEY_CLASSES_ROOT\CLSID\{3D7247DE-5DB8-11D4-8A72-0050DA2EE1BE}
    HKEY_CLASSES_ROOT\CLSID\{3D7247E8-5DB8-11D4-8A72-0050DA2EE1BE}
    HKEY_CLASSES_ROOT\CLSID\{50B4D2B3-723F-41B3-AEC4-0BD66F0F45FF}
    HKEY_CLASSES_ROOT\CLSID\{55910916-8B4E-4C1E-9253-CCE296EA71EB}
    HKEY_CLASSES_ROOT\CLSID\{58359010-BF36-11d3-99A2-0050DA2EE1BE}
    HKEY_CLASSES_ROOT\CLSID\{6DF5E318-6994-4A41-85BD-45CCADA616F8}
    HKEY_CLASSES_ROOT\CLSID\{788C6F6F-C2EA-4A63-9C38-CE7D8F43BCE4}
    HKEY_CLASSES_ROOT\CLSID\{78BCF937-45B0-40A7-9391-DCC03420DB35}
    HKEY_CLASSES_ROOT\CLSID\{9CFA26C0-81DA-4C9D-A501-F144A4A000FA}
    HKEY_CLASSES_ROOT\CLSID\{A166C1B0-5CDB-447A-894A-4B9FD7149D51}
    HKEY_CLASSES_ROOT\CLSID\{B1DD8A69-1B96-11D4-B175-0050DAB79376}
    HKEY_CLASSES_ROOT\CLSID\{C03351A4-6755-11D4-8A73-0050DA2EE1BE}
    HKEY_CLASSES_ROOT\CLSID\{C4FEE4A7-4B8B-11D4-8A6D-0050DA2EE1BE}
    HKEY_CLASSES_ROOT\CLSID\{D290D6E7-BF9D-42F0-9C1B-3BC8AE769B57}
    HKEY_CLASSES_ROOT\CLSID\{E7A05400-4CFA-4DF3-A643-E40F86E8E3D7}
    HKEY_CLASSES_ROOT\CLSID\{F75521B8-76F1-4A4D-84B1-9E642E9C51D0}
    HKEY_CLASSES_ROOT\Interface\{07F0A542-47BA-11D4-8A6D-0050DA2EE1BE}
    HKEY_CLASSES_ROOT\Interface\{07F0A544-47BA-11D4-8A6D-0050DA2EE1BE}
    HKEY_CLASSES_ROOT\Interface\{1823BC4B-A253-4767-9CFC-9ACA62A6B136}
    HKEY_CLASSES_ROOT\Interface\{19DFB2CA-9B27-11D4-B192-0050DAB79376}
    HKEY_CLASSES_ROOT\Interface\{241667A3-EC83-4885-84DD-C2DAAFC1C5EA}
    HKEY_CLASSES_ROOT\Interface\{25630B50-53C6-4E66-A945-9D7B6B2171FF}
    HKEY_CLASSES_ROOT\Interface\{27BC6871-4D5A-11D4-8A6D-0050DA2EE1BE}
    HKEY_CLASSES_ROOT\Interface\{370F6327-41C4-4FA6-A2DF-1BA57EE0FBB9}
    HKEY_CLASSES_ROOT\Interface\{370F6353-41C4-4FA6-A2DF-1BA57EE0FBB9}
    HKEY_CLASSES_ROOT\Interface\{3D7247DD-5DB8-11D4-8A72-0050DA2EE1BE}
    HKEY_CLASSES_ROOT\Interface\{3D7247F1-5DB8-11D4-8A72-0050DA2EE1BE}
    HKEY_CLASSES_ROOT\Interface\{4FD8645F-9B3E-46C1-9727-9837842A84AB}
    HKEY_CLASSES_ROOT\Interface\{58359012-BF36-11D3-99A2-0050DA2EE1BE}
    HKEY_CLASSES_ROOT\Interface\{788C6F6E-C2EA-4A63-9C38-CE7D8F43BCE4}
    HKEY_CLASSES_ROOT\Interface\{78BCF936-45B0-40A7-9391-DCC03420DB35}
    HKEY_CLASSES_ROOT\Interface\{7EDC96E1-5DD3-11D4-B185-0050DAB79376}
    HKEY_CLASSES_ROOT\Interface\{8A0443A2-5DA2-11D4-B185-0050DAB79376}
    HKEY_CLASSES_ROOT\Interface\{8EBB1743-9A2F-11D4-8A7E-0050DA2EE1BE}
    HKEY_CLASSES_ROOT\Interface\{955CBF48-4313-4B1F-872B-254B7822CCF2}
    HKEY_CLASSES_ROOT\Interface\{9CFA26C2-81DA-4C9D-A501-F144A4A000FA}
    HKEY_CLASSES_ROOT\Interface\{C03351A3-6755-11D4-8A73-0050DA2EE1BE}
    HKEY_CLASSES_ROOT\Interface\{C4FEE4A6-4B8B-11D4-8A6D-0050DA2EE1BE}
    HKEY_CLASSES_ROOT\Interface\{EF0372DC-F552-11D3-8528-0050DAB79376}
    HKEY_CLASSES_ROOT\Interface\{EF0372DE-F552-11D3-8528-0050DAB79376}
    HKEY_CLASSES_ROOT\Interface\{EFA52460-8822-4191-BA38-FACDD2007910}
    HKEY_CLASSES_ROOT\TypeLib\{07F0A536-47BA-11D4-8A6D-0050DA2EE1BE}
    HKEY_CLASSES_ROOT\TypeLib\{083FA8F4-84F4-11D4-8A77-0050DA2EE1BE}
    HKEY_CLASSES_ROOT\TypeLib\{370F6327-41C4-4FA6-A2DF-1BA57EE0FBB9}
    HKEY_CLASSES_ROOT\TypeLib\{3D7247D1-5DB8-11D4-8A72-0050DA2EE1BE}
    HKEY_CLASSES_ROOT\TypeLib\{58359011-BF36-11D3-99A2-0050DA2EE1BE}
    HKEY_CLASSES_ROOT\TypeLib\{8A044396-5DA2-11D4-B185-0050DAB79376}
    HKEY_CLASSES_ROOT\TypeLib\{9CFA26C0-81DA-4C9D-A501-F144A4A000FA}
    HKEY_CLASSES_ROOT\TypeLib\{9CFA26C1-81DA-4C9D-A501-F144A4A000FA}
    HKEY_CLASSES_ROOT\TypeLib\{BAF13496-8F72-47A1-9CEE-09238EFC75F0}
    HKEY_CLASSES_ROOT\TypeLib\{C0335197-6755-11D4-8A73-0050DA2EE1BE}
    HKEY_CLASSES_ROOT\AtlBrCon.AtlBrCon
    HKEY_CLASSES_ROOT\AtlBrCon.AtlBrCon.1
    HKEY_CLASSES_ROOT\EZulaAgent.eZulaCtrlHost
    HKEY_CLASSES_ROOT\EZulaAgent.eZulaCtrlHost.1
    HKEY_CLASSES_ROOT\eZulaAgent.IEObject
    HKEY_CLASSES_ROOT\eZulaAgent.IEObject.1
    HKEY_CLASSES_ROOT\EZulaAgent.PlugProt
    HKEY_CLASSES_ROOT\EZulaAgent.PlugProt.1
    HKEY_CLASSES_ROOT\eZulaAgent.ToolBarBand
    HKEY_CLASSES_ROOT\eZulaAgent.ToolBarBand.1
    HKEY_CLASSES_ROOT\EZulaBoot.InstallCtrl
    HKEY_CLASSES_ROOT\EZulaBoot.InstallCtrl.1
    HKEY_CLASSES_ROOT\EZulaBootExe.InstallCtrl
    HKEY_CLASSES_ROOT\EZulaBootExe.InstallCtrl.1
    HKEY_CLASSES_ROOT\EZulaFSearchEng.eZulaCode
    HKEY_CLASSES_ROOT\EZulaFSearchEng.eZulaCode.1
    HKEY_CLASSES_ROOT\EZulaFSearchEng.eZulaHash
    HKEY_CLASSES_ROOT\EZulaFSearchEng.eZulaHash.1
    HKEY_CLASSES_ROOT\EZulaFSearchEng.eZulaSearch
    HKEY_CLASSES_ROOT\EZulaFSearchEng.eZulaSearch.1
    HKEY_CLASSES_ROOT\EZulaFSearchEng.PopupDisplay
    HKEY_CLASSES_ROOT\EZulaFSearchEng.PopupDisplay.1
    HKEY_CLASSES_ROOT\EZulaFSearchEng.ResultHelper
    HKEY_CLASSES_ROOT\EZulaFSearchEng.ResultHelper.1
    HKEY_CLASSES_ROOT\EZulaFSearchEng.SearchHelper
    HKEY_CLASSES_ROOT\EZulaFSearchEng.SearchHelper.1
    HKEY_CLASSES_ROOT\EZulaMain.eZulaPopSearchPipe
    HKEY_CLASSES_ROOT\EZulaMain.eZulaPopSearchPipe.1
    HKEY_CLASSES_ROOT\EZulaMain.eZulaSearchPipe
    HKEY_CLASSES_ROOT\EZulaMain.eZulaSearchPipe.1
    HKEY_CLASSES_ROOT\EZulaMain.TrayIConM
    HKEY_CLASSES_ROOT\EZulaMain.TrayIConM.1
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{50B4D2B3-723F-41B3-AEC4-0BD66F0F45FF}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{A166C1B0-5CDB-447A-894A-4B9FD7149D51}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{3D7247DE-5DB8-11D4-8A72-0050DA2EE1BE}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\eZula
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/ezstub.dll
    HKEY_CURRENT_USER\Software\eZula
    HKEY_CURRENT_USER\Software\Web Offer

  4. Creates the following registry subkeys:

    HKEY_CLASSES_ROOT\AppID\AtlBrowser.EXE
    HKEY_CLASSES_ROOT\CLSID\{0818D423-6247-11D1-ABEE-00D049C10000}

    Note: These subkeys may be associated with legitimate programs and should only be deleted if you are sure other programs do not use them.
    An example of a legitimate program that uses these subkeys is a Macromedia Flash x32 plugin that is commonly used in online gaming.

  5. Can also add a component to firefox in order to hook keyword searches.

    Note: This component may crash some versions of Mozilla Firefox.
Summary| Technical Details| Removal

Search Threats

Search by name
Example: W32.Beagle.AG@mm
STAR Antimalware Protection Technologies
Internet Security Threat Report
Symantec DeepSight Screensaver