
Adware:Win32/Ezula


First posted on 13 September 2011.
Source: SecurityHome

Aliases:

Adware:Win32/Ezula is also known as not-a-virus:AdWare.Win32.EZula.aph (Kaspersky), ADSPY/AdSpy.Gen2 (Avira).

Explanation:

Adware:Win32/Ezula is an advertising component that is installed as a Browser Helper Object (BHO) for Internet Explorer. It communicates with a remote server without adequate user consent and it may display contextual advertisements to the affected user.



Installation

When executed, the Adware:Win32/Ezula installer drops the following files:

  • <system folder>\ns<random name>.dll - BHO
  • <system folder>\<unique file name>.exe - uninstaller


Note: <unique file name> is a value derived from a computer's configuration, for example, "<system folder>\48896711-4a5b-f89d-802d-d647284880b6.exe".

Adware:Win32/Ezula creates the following registry entries to register its dropped DLL file as a BHO:

In subkey: HKLM\SOFTWARE\Classes\CLSID\{4b3215d3-c65e-9788-8a52-a087593c7d6d}
Sets value: "(default)"
With data: "bignetdaddy"

In subkey: HKCR\CLSID\{4b3215d3-c65e-9788-8a52-a087593c7d6d}\InprocServer32
Sets value: "@"
With data: "<system folder>\ns<random name>.dll"
Sets value: "ThreadingModel"
With data: "Apartment"

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4b3215d3-c65e-9788-8a52-a087593c7d6d}
Sets value: "NoExplorer"
With data: "dword:00000001"

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\48896711-4a5b-f89d-802d-d647284880b6
Sets value: "DisplayName"
With data: "Contextual Application Bignetdaddy"
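As an added defender-side example (not part of the original write-up), the following Python script parses a regedit / `reg export` text dump and flags the registry indicators listed above: the `ns<random name>.dll` InprocServer32 path, the Browser Helper Objects registration for the CLSID, and the Uninstall entry's DisplayName. The sample export, the DLL name nsk3f9a.dll and the system folder path are constructed; because HKCR\CLSID and HKLM\SOFTWARE\Classes\CLSID are the same data, the parser folds the two spellings together so either export form matches.

```python
import re
# Indicators from the Ezula description above; keys are compared upper-cased.
CLSID = "{4B3215D3-C65E-9788-8A52-A087593C7D6D}"
CURVER = "HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\"
BHO_KEY = CURVER + "EXPLORER\\BROWSER HELPER OBJECTS\\" + CLSID
UNINSTALL_PREFIX = CURVER + "UNINSTALL\\"
UNINSTALL_NAME = "Contextual Application Bignetdaddy"
BHO_DLL_RE = re.compile(r"\\system32\\ns[^\\]*\.dll$", re.IGNORECASE)  # ns<random>.dll
HKLM_CLASSES = "HKEY_LOCAL_MACHINE\\SOFTWARE\\CLASSES\\"  # same data as HKCR


def parse_reg_export(text):
    """Parse a regedit / 'reg export' dump into {KEY: {value_name: data}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].upper()
            if current.startswith(HKLM_CLASSES):  # fold into the HKCR view the
                current = "HKEY_CLASSES_ROOT\\" + current[len(HKLM_CLASSES):]  # description uses
            keys.setdefault(current, {})
        elif current and "=" in line and not line.startswith(";"):
            name, data = line.split("=", 1)
            name = "(default)" if name == "@" else name.strip('"')
            # REG_SZ is quoted with doubled backslashes; dword:/hex: data is kept as written
            data = data[1:-1].replace("\\\\", "\\") if data.startswith('"') else data
            keys[current][name] = data
    return keys


def find_ezula(keys):
    """Return one finding per Ezula installation indicator present in keys."""
    findings = []
    dll = keys.get("HKEY_CLASSES_ROOT\\CLSID\\" + CLSID + "\\INPROCSERVER32", {}).get("(default)", "")
    if BHO_DLL_RE.search(dll):
        findings.append("InprocServer32 loads " + dll)
    if BHO_KEY in keys:
        findings.append("BHO registered for Internet Explorer under " + CLSID)
    for key, values in keys.items():
        if key.startswith(UNINSTALL_PREFIX) and values.get("DisplayName") == UNINSTALL_NAME:
            findings.append("Uninstall entry " + key.rsplit("\\", 1)[1])
    return findings


# Constructed export from an infected host (sample data, not a real capture).
SAMPLE_REG = r"""[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4b3215d3-c65e-9788-8a52-a087593c7d6d}\InprocServer32]
@="C:\\Windows\\System32\\nsk3f9a.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4b3215d3-c65e-9788-8a52-a087593c7d6d}]
"NoExplorer"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\48896711-4a5b-f89d-802d-d647284880b6]
"DisplayName"="Contextual Application Bignetdaddy"
"""
FINDINGS = find_ezula(parse_reg_export(SAMPLE_REG))  # three findings for the sample
```

A real export file is UTF-16, so open it with `encoding="utf-16"` before passing its text to `parse_reg_export`.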

Once installed, Adware:Win32/Ezula appears in the 'Add or Remove Programs' list.



Execution

Displays advertisements

When Internet Explorer is opened, Adware:Win32/Ezula reports its installation on the system and requests advertisements by accessing the following server:

  • a2.bignetdaddy.com


An advertisement displayed by Adware:Win32/Ezula may look similar to the following:



Redirects to a certain website

Adware:Win32/Ezula may redirect the browser to the following website:

  • <removed>nextgen.com


The website may appear similar to the following:





Analysis by Mihai Calota

Last update 13 September 2011
