Symantec Security Response

Adware.Ezula

Updated: March 25, 2011 3:15:04 PM
Type: Adware
Risk Impact: High
Systems Affected: Windows

When Adware.Ezula is installed, it performs the following actions:
  1. Creates the following files:

    • %UserProfile%\TopText iLookup\Feedback.url
    • %UserProfile%\TopText iLookup\Help.url
    • %UserProfile%\TopText iLookup\My Keywords.lnk
    • %UserProfile%\TopText iLookup\My Preferences.lnk
    • %UserProfile%\TopText iLookup\ReadMe.url
    • %UserProfile%\TopText iLookup\TopText Button Show - Hide.lnk
    • %UserProfile%\EARN\About EARN.lnk
    • %UserProfile%\EARN\EARN website.url
    • %ProgramFiles%\eZula\basis.dst
    • %ProgramFiles%\eZula\basis.kwd
    • %ProgramFiles%\eZula\basis.pu
    • %ProgramFiles%\eZula\basis.rst
    • %ProgramFiles%\eZula\CHCON.dll
    • %ProgramFiles%\eZula\eabh.dll
    • %ProgramFiles%\eZula\genun.ez
    • %ProgramFiles%\eZula\Images\arrow1.gif
    • %ProgramFiles%\eZula\Images\arrow2.gif
    • %ProgramFiles%\eZula\Images\button_small.gif
    • %ProgramFiles%\eZula\Images\icon.gif
    • %ProgramFiles%\eZula\Images\Layer_Bottom.gif
    • %ProgramFiles%\eZula\Images\Layer_Center.gif
    • %ProgramFiles%\eZula\Images\Layer_Top.gif
    • %ProgramFiles%\eZula\Images\new.gif
    • %ProgramFiles%\eZula\Images\PopUp_Follow_divider.gif
    • %ProgramFiles%\eZula\Images\PopUp_Follow_Left.gif
    • %ProgramFiles%\eZula\Images\PopUp_Follow_Off.gif
    • %ProgramFiles%\eZula\Images\PopUp_Follow_On.gif
    • %ProgramFiles%\eZula\Images\PopUp_Follow_Right.gif
    • %ProgramFiles%\eZula\Images\PopUp_Top.gif
    • %ProgramFiles%\eZula\Images\PopUp_Top_Bottom.gif
    • %ProgramFiles%\eZula\Images\Side_B.gif
    • %ProgramFiles%\eZula\Images\Side_L.gif
    • %ProgramFiles%\eZula\Images\Side_R.gif
    • %ProgramFiles%\eZula\Images\Side_Top.gif
    • %ProgramFiles%\eZula\Images\spacer.gif
    • %ProgramFiles%\eZula\INSTALL.LOG
    • %ProgramFiles%\eZula\legend.lgn
    • %ProgramFiles%\eZula\mmod.exe
    • %ProgramFiles%\eZula\param.ez
    • %ProgramFiles%\eZula\rwds.rst
    • %ProgramFiles%\eZula\search.src
    • %ProgramFiles%\eZula\seng.dll
    • %ProgramFiles%\eZula\UNWISE.EXE
    • %ProgramFiles%\eZula\upgrade.vrn
    • %ProgramFiles%\eZula\version.vrn
    • %ProgramFiles%\eZula\wndbannn.src
    • %ProgramFiles%\Web Offer\apev.exe
    • %ProgramFiles%\Web Offer\basisp.dst
    • %ProgramFiles%\Web Offer\basisp.kwd
    • %ProgramFiles%\Web Offer\basisp.pu
    • %ProgramFiles%\Web Offer\basisp.rst
    • %ProgramFiles%\Web Offer\CHPON.dll
    • %ProgramFiles%\Web Offer\eapbh.dll
    • %ProgramFiles%\Web Offer\gendis.ez
    • %ProgramFiles%\Web Offer\INSTALL.LOG
    • %ProgramFiles%\Web Offer\paramp.ez
    • %ProgramFiles%\Web Offer\rwdsp.rst
    • %ProgramFiles%\Web Offer\sepng.dll
    • %ProgramFiles%\Web Offer\UNWISE.EXE
    • %ProgramFiles%\Web Offer\upgradep.vrn
    • %ProgramFiles%\Web Offer\versionp.vrn
    • %ProgramFiles%\Web Offer\wndbannnp.src
    • %ProgramFiles%\Web Offer\wo.exe
    • %Windir%\woinstall.exe
    • %Windir%\eZinstall.exe
    • %Windir%\Downloaded Program Files\ezstub.dll
    • %Windir%\Downloaded Program Files\ezstub.INF
    • %System%\ezstub.exe
    • %System%\ezpopstub.exe

      Notes:
    • %UserProfile% is used on this page to refer to the current user's Start Menu\Programs folder, not the root of the user profile. By default, this is C:\Documents and Settings\<current user>\Start Menu\Programs.
    • %ProgramFiles% is a variable that refers to the Program Files folder. By default, this is C:\Program Files.
    • %Windir% is a variable that refers to the Windows folder. By default, this is C:\WINNT on Windows 2000 and C:\Windows on Windows XP.
    • %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

  2. Adds the values:

    "eZmmod" = "C:\PROGRA~1\ezula\mmod.exe"
    "eZWO" = "C:\PROGRA~1\Web Offer\wo.exe"

    to the registry subkey:

    HKEY_ALL_USERS\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    so that the risk runs every time Windows starts.

    Note: HKEY_ALL_USERS is not a standard registry root. When checking for or removing these values, look in both HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. The 8.3 short paths C:\PROGRA~1\ezula\mmod.exe and C:\PROGRA~1\Web Offer\wo.exe are the %ProgramFiles%\eZula\mmod.exe and %ProgramFiles%\Web Offer\wo.exe files listed above.

  3. Creates the following registry subkeys:

    HKEY_CLASSES_ROOT\AppID\eZulaBootExe.EXE
    HKEY_CLASSES_ROOT\AppID\eZulaMain.EXE
    HKEY_CLASSES_ROOT\AppID\{8A044397-5DA2-11D4-B185-0050DAB79376}
    HKEY_CLASSES_ROOT\AppID\{C0335198-6755-11D4-8A73-0050DA2EE1BE}
    HKEY_CLASSES_ROOT\CLSID\{07F0A543-47BA-11D4-8A6D-0050DA2EE1BE}
    HKEY_CLASSES_ROOT\CLSID\{07F0A545-47BA-11D4-8A6D-0050DA2EE1BE}
    HKEY_CLASSES_ROOT\CLSID\{19DFB2CB-9B27-11D4-B192-0050DAB79376}
    HKEY_CLASSES_ROOT\CLSID\{2079884B-6EF3-11D4-8A74-0050DA2EE1BE}
    HKEY_CLASSES_ROOT\CLSID\{2306ABE4-4D42-11D4-8A6D-0050DA2EE1BE}
    HKEY_CLASSES_ROOT\CLSID\{25630B47-53C6-4E66-A945-9D7B6B2171FF}
    HKEY_CLASSES_ROOT\CLSID\{2BABD334-5C3F-11D4-B184-0050DAB79376}
    HKEY_CLASSES_ROOT\CLSID\{370F6354-41C4-4FA6-A2DF-1BA57EE0FBB9}
    HKEY_CLASSES_ROOT\CLSID\{3D7247DE-5DB8-11D4-8A72-0050DA2EE1BE}
    HKEY_CLASSES_ROOT\CLSID\{3D7247E8-5DB8-11D4-8A72-0050DA2EE1BE}
    HKEY_CLASSES_ROOT\CLSID\{50B4D2B3-723F-41B3-AEC4-0BD66F0F45FF}
    HKEY_CLASSES_ROOT\CLSID\{55910916-8B4E-4C1E-9253-CCE296EA71EB}
    HKEY_CLASSES_ROOT\CLSID\{58359010-BF36-11d3-99A2-0050DA2EE1BE}
    HKEY_CLASSES_ROOT\CLSID\{6DF5E318-6994-4A41-85BD-45CCADA616F8}
    HKEY_CLASSES_ROOT\CLSID\{788C6F6F-C2EA-4A63-9C38-CE7D8F43BCE4}
    HKEY_CLASSES_ROOT\CLSID\{78BCF937-45B0-40A7-9391-DCC03420DB35}
    HKEY_CLASSES_ROOT\CLSID\{9CFA26C0-81DA-4C9D-A501-F144A4A000FA}
    HKEY_CLASSES_ROOT\CLSID\{A166C1B0-5CDB-447A-894A-4B9FD7149D51}
    HKEY_CLASSES_ROOT\CLSID\{B1DD8A69-1B96-11D4-B175-0050DAB79376}
    HKEY_CLASSES_ROOT\CLSID\{C03351A4-6755-11D4-8A73-0050DA2EE1BE}
    HKEY_CLASSES_ROOT\CLSID\{C4FEE4A7-4B8B-11D4-8A6D-0050DA2EE1BE}
    HKEY_CLASSES_ROOT\CLSID\{D290D6E7-BF9D-42F0-9C1B-3BC8AE769B57}
    HKEY_CLASSES_ROOT\CLSID\{E7A05400-4CFA-4DF3-A643-E40F86E8E3D7}
    HKEY_CLASSES_ROOT\CLSID\{F75521B8-76F1-4A4D-84B1-9E642E9C51D0}
    HKEY_CLASSES_ROOT\Interface\{07F0A542-47BA-11D4-8A6D-0050DA2EE1BE}
    HKEY_CLASSES_ROOT\Interface\{07F0A544-47BA-11D4-8A6D-0050DA2EE1BE}
    HKEY_CLASSES_ROOT\Interface\{1823BC4B-A253-4767-9CFC-9ACA62A6B136}
    HKEY_CLASSES_ROOT\Interface\{19DFB2CA-9B27-11D4-B192-0050DAB79376}
    HKEY_CLASSES_ROOT\Interface\{241667A3-EC83-4885-84DD-C2DAAFC1C5EA}
    HKEY_CLASSES_ROOT\Interface\{25630B50-53C6-4E66-A945-9D7B6B2171FF}
    HKEY_CLASSES_ROOT\Interface\{27BC6871-4D5A-11D4-8A6D-0050DA2EE1BE}
    HKEY_CLASSES_ROOT\Interface\{370F6327-41C4-4FA6-A2DF-1BA57EE0FBB9}
    HKEY_CLASSES_ROOT\Interface\{370F6353-41C4-4FA6-A2DF-1BA57EE0FBB9}
    HKEY_CLASSES_ROOT\Interface\{3D7247DD-5DB8-11D4-8A72-0050DA2EE1BE}
    HKEY_CLASSES_ROOT\Interface\{3D7247F1-5DB8-11D4-8A72-0050DA2EE1BE}
    HKEY_CLASSES_ROOT\Interface\{4FD8645F-9B3E-46C1-9727-9837842A84AB}
    HKEY_CLASSES_ROOT\Interface\{58359012-BF36-11D3-99A2-0050DA2EE1BE}
    HKEY_CLASSES_ROOT\Interface\{788C6F6E-C2EA-4A63-9C38-CE7D8F43BCE4}
    HKEY_CLASSES_ROOT\Interface\{78BCF936-45B0-40A7-9391-DCC03420DB35}
    HKEY_CLASSES_ROOT\Interface\{7EDC96E1-5DD3-11D4-B185-0050DAB79376}
    HKEY_CLASSES_ROOT\Interface\{8A0443A2-5DA2-11D4-B185-0050DAB79376}
    HKEY_CLASSES_ROOT\Interface\{8EBB1743-9A2F-11D4-8A7E-0050DA2EE1BE}
    HKEY_CLASSES_ROOT\Interface\{955CBF48-4313-4B1F-872B-254B7822CCF2}
    HKEY_CLASSES_ROOT\Interface\{9CFA26C2-81DA-4C9D-A501-F144A4A000FA}
    HKEY_CLASSES_ROOT\Interface\{C03351A3-6755-11D4-8A73-0050DA2EE1BE}
    HKEY_CLASSES_ROOT\Interface\{C4FEE4A6-4B8B-11D4-8A6D-0050DA2EE1BE}
    HKEY_CLASSES_ROOT\Interface\{EF0372DC-F552-11D3-8528-0050DAB79376}
    HKEY_CLASSES_ROOT\Interface\{EF0372DE-F552-11D3-8528-0050DAB79376}
    HKEY_CLASSES_ROOT\Interface\{EFA52460-8822-4191-BA38-FACDD2007910}
    HKEY_CLASSES_ROOT\TypeLib\{07F0A536-47BA-11D4-8A6D-0050DA2EE1BE}
    HKEY_CLASSES_ROOT\TypeLib\{083FA8F4-84F4-11D4-8A77-0050DA2EE1BE}
    HKEY_CLASSES_ROOT\TypeLib\{370F6327-41C4-4FA6-A2DF-1BA57EE0FBB9}
    HKEY_CLASSES_ROOT\TypeLib\{3D7247D1-5DB8-11D4-8A72-0050DA2EE1BE}
    HKEY_CLASSES_ROOT\TypeLib\{58359011-BF36-11D3-99A2-0050DA2EE1BE}
    HKEY_CLASSES_ROOT\TypeLib\{8A044396-5DA2-11D4-B185-0050DAB79376}
    HKEY_CLASSES_ROOT\TypeLib\{9CFA26C0-81DA-4C9D-A501-F144A4A000FA}
    HKEY_CLASSES_ROOT\TypeLib\{9CFA26C1-81DA-4C9D-A501-F144A4A000FA}
    HKEY_CLASSES_ROOT\TypeLib\{BAF13496-8F72-47A1-9CEE-09238EFC75F0}
    HKEY_CLASSES_ROOT\TypeLib\{C0335197-6755-11D4-8A73-0050DA2EE1BE}
    HKEY_CLASSES_ROOT\AtlBrCon.AtlBrCon
    HKEY_CLASSES_ROOT\AtlBrCon.AtlBrCon.1
    HKEY_CLASSES_ROOT\EZulaAgent.eZulaCtrlHost
    HKEY_CLASSES_ROOT\EZulaAgent.eZulaCtrlHost.1
    HKEY_CLASSES_ROOT\eZulaAgent.IEObject
    HKEY_CLASSES_ROOT\eZulaAgent.IEObject.1
    HKEY_CLASSES_ROOT\EZulaAgent.PlugProt
    HKEY_CLASSES_ROOT\EZulaAgent.PlugProt.1
    HKEY_CLASSES_ROOT\eZulaAgent.ToolBarBand
    HKEY_CLASSES_ROOT\eZulaAgent.ToolBarBand.1
    HKEY_CLASSES_ROOT\EZulaBoot.InstallCtrl
    HKEY_CLASSES_ROOT\EZulaBoot.InstallCtrl.1
    HKEY_CLASSES_ROOT\EZulaBootExe.InstallCtrl
    HKEY_CLASSES_ROOT\EZulaBootExe.InstallCtrl.1
    HKEY_CLASSES_ROOT\EZulaFSearchEng.eZulaCode
    HKEY_CLASSES_ROOT\EZulaFSearchEng.eZulaCode.1
    HKEY_CLASSES_ROOT\EZulaFSearchEng.eZulaHash
    HKEY_CLASSES_ROOT\EZulaFSearchEng.eZulaHash.1
    HKEY_CLASSES_ROOT\EZulaFSearchEng.eZulaSearch
    HKEY_CLASSES_ROOT\EZulaFSearchEng.eZulaSearch.1
    HKEY_CLASSES_ROOT\EZulaFSearchEng.PopupDisplay
    HKEY_CLASSES_ROOT\EZulaFSearchEng.PopupDisplay.1
    HKEY_CLASSES_ROOT\EZulaFSearchEng.ResultHelper
    HKEY_CLASSES_ROOT\EZulaFSearchEng.ResultHelper.1
    HKEY_CLASSES_ROOT\EZulaFSearchEng.SearchHelper
    HKEY_CLASSES_ROOT\EZulaFSearchEng.SearchHelper.1
    HKEY_CLASSES_ROOT\EZulaMain.eZulaPopSearchPipe
    HKEY_CLASSES_ROOT\EZulaMain.eZulaPopSearchPipe.1
    HKEY_CLASSES_ROOT\EZulaMain.eZulaSearchPipe
    HKEY_CLASSES_ROOT\EZulaMain.eZulaSearchPipe.1
    HKEY_CLASSES_ROOT\EZulaMain.TrayIConM
    HKEY_CLASSES_ROOT\EZulaMain.TrayIConM.1
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{50B4D2B3-723F-41B3-AEC4-0BD66F0F45FF}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{A166C1B0-5CDB-447A-894A-4B9FD7149D51}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{3D7247DE-5DB8-11D4-8A72-0050DA2EE1BE}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\eZula
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/ezstub.dll
    HKEY_CURRENT_USER\Software\eZula
    HKEY_CURRENT_USER\Software\Web Offer

  4. Also creates the following registry subkeys, which are shared with other software:

    HKEY_CLASSES_ROOT\AppID\AtlBrowser.EXE
    HKEY_CLASSES_ROOT\CLSID\{0818D423-6247-11D1-ABEE-00D049C10000}

    Note: These subkeys may be associated with legitimate programs and should only be deleted if you are sure that no other program uses them. An example of a legitimate program that uses these subkeys is the Macromedia Flash x32 plugin commonly used in online gaming.

  5. Can also add a component to Mozilla Firefox in order to hook keyword searches.

    Note: This component may crash some versions of Mozilla Firefox.
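
The artifacts listed above can be turned into a host check. The following PowerShell script is an added example written for this page, not code from the Symantec writeup or from the adware's authors. It is read-only: it reports which of the listed files, Run values and registry keys are present and, for each CLSID, which DLL or EXE the registration points to, so a hit can be confirmed against the eZula and Web Offer paths above before anything is deleted. Assumptions not stated in the writeup: the script runs in an elevated PowerShell 3.0 or later session; on 64-bit Windows the 32-bit Program Files (x86) folder and the WOW6432Node registry view are checked as well; and HKEY_ALL_USERS is read as both HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER. The two shared subkeys from step 4 are deliberately left out, since the writeup says legitimate software uses them.

```powershell
# Added example (not code from the Symantec writeup): a read-only sweep of a
# Windows host for the Adware.Ezula artifacts listed above. It only reports;
# removal is left to the operator. Assumes PowerShell 3.0 or later, run elevated.
$ErrorActionPreference = 'SilentlyContinue'
$findings = New-Object 'System.Collections.Generic.List[object]'
function Add-Finding([string]$Type, [string]$Location, $Detail) {
    $findings.Add([pscustomobject]@{ Type = $Type; Location = $Location; Detail = $Detail })
}

# --- 1. Files and folders ----------------------------------------------------
# The writeup's %UserProfile% means the user's Start Menu\Programs folder, so ask
# the shell for that folder instead of building the path from $env:USERPROFILE.
$programs = [Environment]::GetFolderPath('Programs')
# Assumption beyond the writeup: on 64-bit Windows a 32-bit installer lands in
# Program Files (x86), so both Program Files roots are checked.
$pfRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
$filePaths = @(
    (Join-Path $programs 'TopText iLookup'),
    (Join-Path $programs 'EARN'),
    (Join-Path $env:windir 'woinstall.exe'),
    (Join-Path $env:windir 'eZinstall.exe'),
    (Join-Path $env:windir 'Downloaded Program Files\ezstub.dll'),
    (Join-Path $env:windir 'Downloaded Program Files\ezstub.INF'),
    (Join-Path $env:windir 'System32\ezstub.exe'),
    (Join-Path $env:windir 'System32\ezpopstub.exe')
)
foreach ($root in $pfRoots) {
    $filePaths += (Join-Path $root 'eZula'), (Join-Path $root 'Web Offer')
}
foreach ($p in $filePaths) {
    if (Test-Path -LiteralPath $p) {
        Add-Finding 'File' $p (Get-Item -LiteralPath $p).LastWriteTime
    }
}

# --- 2. Autostart Run values -------------------------------------------------
# HKEY_ALL_USERS in the writeup is not a real hive: the machine-wide Run key is
# under HKLM and the per-user one under HKCU, so both are checked, plus the
# WOW6432Node view that a 32-bit installer writes on 64-bit Windows (assumption).
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in 'eZmmod', 'eZWO') {
        if ($props.PSObject.Properties[$name]) { Add-Finding 'RunValue' "$key\$name" $props.$name }
    }
}

# --- 3. COM registrations ----------------------------------------------------
# For every CLSID the writeup lists, report the key and the server it maps to
# (InprocServer32 for DLLs, LocalServer32 for EXEs) so the hit can be confirmed.
$clsids = @(
    '{07F0A543-47BA-11D4-8A6D-0050DA2EE1BE}', '{07F0A545-47BA-11D4-8A6D-0050DA2EE1BE}',
    '{19DFB2CB-9B27-11D4-B192-0050DAB79376}', '{2079884B-6EF3-11D4-8A74-0050DA2EE1BE}',
    '{2306ABE4-4D42-11D4-8A6D-0050DA2EE1BE}', '{25630B47-53C6-4E66-A945-9D7B6B2171FF}',
    '{2BABD334-5C3F-11D4-B184-0050DAB79376}', '{370F6354-41C4-4FA6-A2DF-1BA57EE0FBB9}',
    '{3D7247DE-5DB8-11D4-8A72-0050DA2EE1BE}', '{3D7247E8-5DB8-11D4-8A72-0050DA2EE1BE}',
    '{50B4D2B3-723F-41B3-AEC4-0BD66F0F45FF}', '{55910916-8B4E-4C1E-9253-CCE296EA71EB}',
    '{58359010-BF36-11d3-99A2-0050DA2EE1BE}', '{6DF5E318-6994-4A41-85BD-45CCADA616F8}',
    '{788C6F6F-C2EA-4A63-9C38-CE7D8F43BCE4}', '{78BCF937-45B0-40A7-9391-DCC03420DB35}',
    '{9CFA26C0-81DA-4C9D-A501-F144A4A000FA}', '{A166C1B0-5CDB-447A-894A-4B9FD7149D51}',
    '{B1DD8A69-1B96-11D4-B175-0050DAB79376}', '{C03351A4-6755-11D4-8A73-0050DA2EE1BE}',
    '{C4FEE4A7-4B8B-11D4-8A6D-0050DA2EE1BE}', '{D290D6E7-BF9D-42F0-9C1B-3BC8AE769B57}',
    '{E7A05400-4CFA-4DF3-A643-E40F86E8E3D7}', '{F75521B8-76F1-4A4D-84B1-9E642E9C51D0}'
)
# Step 4's AtlBrowser.EXE and {0818D423-...} are shared with legitimate software
# (the writeup names a Macromedia Flash plugin), so they are intentionally omitted.
foreach ($id in $clsids) {
    $key = "Registry::HKEY_CLASSES_ROOT\CLSID\$id"
    if (-not (Test-Path $key)) { continue }
    $server = (Get-ItemProperty -Path "$key\InprocServer32").'(default)'
    if (-not $server) { $server = (Get-ItemProperty -Path "$key\LocalServer32").'(default)' }
    Add-Finding 'CLSID' $key $server
}

# --- 4. Remaining keys (IE Explorer Bars, uninstall entry, per-user settings) --
$otherKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{50B4D2B3-723F-41B3-AEC4-0BD66F0F45FF}',
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{A166C1B0-5CDB-447A-894A-4B9FD7149D51}',
    'HKLM:\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{3D7247DE-5DB8-11D4-8A72-0050DA2EE1BE}',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\eZula',
    'HKCU:\Software\eZula',
    'HKCU:\Software\Web Offer',
    'Registry::HKEY_CLASSES_ROOT\eZulaAgent.IEObject',
    'Registry::HKEY_CLASSES_ROOT\eZulaAgent.ToolBarBand',
    'Registry::HKEY_CLASSES_ROOT\EZulaMain.TrayIConM'
)
foreach ($key in $otherKeys) { if (Test-Path $key) { Add-Finding 'RegKey' $key '' } }

# --- Report ------------------------------------------------------------------
if ($findings.Count -eq 0) { 'No Adware.Ezula artifacts found.' }
else { $findings | Sort-Object Type, Location | Format-Table -AutoSize -Wrap }
```

Run it from an elevated prompt (for example `powershell -ExecutionPolicy Bypass -File .\Find-Ezula.ps1`). A clean host prints the single "not found" line; on an infected one, the Detail column for CLSID hits is the server path, which should resolve to a file under the eZula or Web Offer folders. A CLSID whose server points elsewhere is a name collision with other software and should be investigated rather than deleted. Because the check is by exact path and key name, a variant that installs under a different folder or uses different value names will not be caught; treat a clean result as evidence for this specific variant only.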