Dropped.Generic.Malware.Sdld.BC837EDE_8b39c27407

by malwarelabrobot on March 12th, 2015 in Malware Descriptions.

not-a-virus:AdWare.Win32.SideTab.ay (Kaspersky), Dropped:Generic.Malware.Sdld.BC837EDE (B) (Emsisoft), Dropped:Generic.Malware.Sdld.BC837EDE (AdAware), mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Adware, Malware


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 8b39c274070bba9a776d868e3336adf7
SHA1: 30a2999bc67a1f0beed3211b4db920c2824d6d23
SHA256: 1a170b67bea8f0b15af6e12abdd63aef8442f7f21cb4d0664f72779dd2532b34
SSDeep: 6144:Qe34aHi7whmJZuS1wFxu75 ZPPfnE2Qyn20UYXiu75 ZPPfnE2Qyn20U:tH2wKZuS2FgF ZPPfnEUnViuF ZPPfnz
Size: 264840 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: NBIZ Corp.
Created at: 2009-12-06 00:50:52
Analyzed on: WindowsXP SP3 32-bit


Summary:

Adware. Delivers advertising content in a manner or context that may be unexpected and unwanted by users. Many adware applications also perform tracking functions. Users may want to remove adware if they object to such tracking, do not wish to see the advertising caused by the program or are frustrated by its effects on system performance.

Payload

No specific payload has been found.

Process activity

The Dropped creates the following process(es):

regsvr32.exe:540
regsvr32.exe:1648
regsvr32.exe:184
regsvr32.exe:1404
EasyOn.exe:372
EasyOn.exe:1036
%original file name%.exe:312
EOU1008.exe:1316

The Dropped injects its code into the following process(es):
No processes have been created.

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process EasyOn.exe:372 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):

%Program Files%\EasyOn\ex.dat (238 bytes)

The process EasyOn.exe:1036 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\EOU1008.exe (20594 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)

The process %original file name%.exe:312 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsw2.tmp\NSISdl.dll (14 bytes)
%Program Files%\EasyOn\EasyOn.dll (4383 bytes)
%Program Files%\EasyOn\Uninstall.exe (2757 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw2.tmp\IpConfig.dll (3322 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw2.tmp\UAC.dll (13 bytes)
%Program Files%\EasyOn\EasyOn.exe (1568 bytes)
%Program Files%\EasyOn\1 (9 bytes)

The Dropped deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsw2.tmp\NSISdl.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw2.tmp\IpConfig.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw2.tmp\UAC.dll (0 bytes)

The process EOU1008.exe:1316 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsx4.tmp\SelfDel.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx4.tmp (4 bytes)
%Program Files%\EasyOn\EasyOn.dll (3696 bytes)
%Program Files%\EasyOn\Uninstall.exe (1681 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\updat.xxx (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx4.tmp\UAC.dll (13 bytes)
%Program Files%\EasyOn\EasyOn.exe (1568 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx4.tmp\nsProcess.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx4.tmp\IpConfig.dll (3322 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx4.tmp\NSISdl.dll (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx4.tmp\fct.dll (4 bytes)

The Dropped deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsx4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx4.tmp\UAC.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx4.tmp\SelfDel.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx4.tmp\nsProcess.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx4.tmp\IpConfig.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx4.tmp\NSISdl.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx4.tmp\fct.dll (0 bytes)

Registry activity

The process regsvr32.exe:540 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKCR\Interface\{B32ACA33-EA72-4757-A8CF-EFAE06B218EB}\TypeLib]
"Version" = "1.0"
"(Default)" = "{9EC01A8D-1377-4F63-89D8-AE6CD3E43C32}"

[HKCR\EasyOn.SideBand\CLSID]
"(Default)" = "{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}"

[HKCR\Interface\{B32ACA33-EA72-4757-A8CF-EFAE06B218EB}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\EasyOn.BandHelper\CLSID]
"(Default)" = "{1CE681DC-1190-40EF-85A9-ADE47098CF51}"

[HKCR\Interface\{5740EFD7-04A6-4FEB-AA0F-E5F2BA962DB0}\TypeLib]
"(Default)" = "{9EC01A8D-1377-4F63-89D8-AE6CD3E43C32}"

[HKCR\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\ProgID]
"(Default)" = "EasyOn.BandHelper.1"

[HKCR\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\InprocServer32]
"(Default)" = "%Program Files%\EasyOn\EasyOn.dll"

[HKCR\Interface\{5740EFD7-04A6-4FEB-AA0F-E5F2BA962DB0}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\VersionIndependentProgID]
"(Default)" = "EasyOn.BandHelper"

[HKCR\Interface\{5740EFD7-04A6-4FEB-AA0F-E5F2BA962DB0}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\ProgID]
"(Default)" = "EasyOn.SideBand.1"

[HKCR\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\TypeLib]
"(Default)" = "{9EC01A8D-1377-4F63-89D8-AE6CD3E43C32}"

[HKCR\Interface\{B32ACA33-EA72-4757-A8CF-EFAE06B218EB}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\EasyOn.BandHelper]
"(Default)" = "BandHelper Class"

[HKCR\EasyOn.BandHelper.1\CLSID]
"(Default)" = "{1CE681DC-1190-40EF-85A9-ADE47098CF51}"

[HKCR\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\TypeLib\{9EC01A8D-1377-4F63-89D8-AE6CD3E43C32}\1.0]
"(Default)" = "EasyOn 1.0 Type Library"

[HKCR\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\Interface\{5740EFD7-04A6-4FEB-AA0F-E5F2BA962DB0}\TypeLib]
"Version" = "1.0"

[HKCR\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\VersionIndependentProgID]
"(Default)" = "EasyOn.SideBand"

[HKCR\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}]
"(Default)" = "EasyOn"

[HKCR\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\TypeLib]
"(Default)" = "{9EC01A8D-1377-4F63-89D8-AE6CD3E43C32}"

[HKCR\Interface\{5740EFD7-04A6-4FEB-AA0F-E5F2BA962DB0}]
"(Default)" = "ISideBand"

[HKCR\EasyOn.SideBand]
"(Default)" = "SideBand Class"

[HKCR\EasyOn.SideBand.1]
"(Default)" = "SideBand Class"

[HKCR\EasyOn.BandHelper.1]
"(Default)" = "BandHelper Class"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "03 63 42 AC 64 60 78 5E C8 77 D1 D3 60 E6 DC FF"

[HKCR\Interface\{B32ACA33-EA72-4757-A8CF-EFAE06B218EB}]
"(Default)" = "IBandHelper"

[HKCR\TypeLib\{9EC01A8D-1377-4F63-89D8-AE6CD3E43C32}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\TypeLib\{9EC01A8D-1377-4F63-89D8-AE6CD3E43C32}\1.0\0\win32]
"(Default)" = "%Program Files%\EasyOn\EasyOn.dll"

[HKCR\EasyOn.SideBand.1\CLSID]
"(Default)" = "{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}"

[HKCR\TypeLib\{9EC01A8D-1377-4F63-89D8-AE6CD3E43C32}\1.0\HELPDIR]
"(Default)" = "%Program Files%\EasyOn\"

[HKCR\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\InprocServer32]
"(Default)" = "%Program Files%\EasyOn\EasyOn.dll"

[HKCR\EasyOn.BandHelper\CurVer]
"(Default)" = "EasyOn.BandHelper.1"

[HKCR\EasyOn.SideBand\CurVer]
"(Default)" = "EasyOn.SideBand.1"

[HKCR\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}]
"(Default)" = "EasyOnHelper"

The Dropped deletes the following registry key(s):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021493-0000-0000-C000-000000000046}\Enum]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021494-0000-0000-C000-000000000046}\Enum]

The process regsvr32.exe:1648 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKCR\EasyOn.SideBand\CLSID]
"(Default)" = "{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}"

[HKCR\EasyOn.BandHelper\CLSID]
"(Default)" = "{1CE681DC-1190-40EF-85A9-ADE47098CF51}"

[HKCR\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\ProgID]
"(Default)" = "EasyOn.BandHelper.1"

[HKCR\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\InprocServer32]
"(Default)" = "%Program Files%\EasyOn\EasyOn.dll"

[HKCR\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\VersionIndependentProgID]
"(Default)" = "EasyOn.BandHelper"

[HKCR\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\ProgID]
"(Default)" = "EasyOn.SideBand.1"

[HKCR\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\TypeLib]
"(Default)" = "{9EC01A8D-1377-4F63-89D8-AE6CD3E43C32}"

[HKCR\EasyOn.BandHelper]
"(Default)" = "BandHelper Class"

[HKCR\EasyOn.BandHelper.1\CLSID]
"(Default)" = "{1CE681DC-1190-40EF-85A9-ADE47098CF51}"

[HKCR\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\VersionIndependentProgID]
"(Default)" = "EasyOn.SideBand"

[HKCR\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}]
"(Default)" = "EasyOn"

[HKCR\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\TypeLib]
"(Default)" = "{9EC01A8D-1377-4F63-89D8-AE6CD3E43C32}"

[HKCR\EasyOn.SideBand]
"(Default)" = "SideBand Class"

[HKCR\EasyOn.SideBand.1]
"(Default)" = "SideBand Class"

[HKCR\EasyOn.BandHelper.1]
"(Default)" = "BandHelper Class"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B0 9F 9A CF 97 42 87 50 F4 77 CA C2 B3 10 49 7B"

[HKCR\EasyOn.SideBand.1\CLSID]
"(Default)" = "{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}"

[HKCR\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\InprocServer32]
"(Default)" = "%Program Files%\EasyOn\EasyOn.dll"

[HKCR\EasyOn.BandHelper\CurVer]
"(Default)" = "EasyOn.BandHelper.1"

[HKCR\EasyOn.SideBand\CurVer]
"(Default)" = "EasyOn.SideBand.1"

[HKCR\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}]
"(Default)" = "EasyOnHelper"

The Dropped deletes the following registry key(s):

[HKCR\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\TypeLib]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1CE681DC-1190-40EF-85A9-ADE47098CF51}]
[HKCR\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\Programmable]
[HKCR\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}]
[HKCR\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\VersionIndependentProgID]
[HKCR\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}]
[HKCR\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\ProgID]
[HKCR\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\ProgID]
[HKCR\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\Implemented Categories\{00021493-0000-0000-C000-000000000046}]
[HKCR\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\VersionIndependentProgID]
[HKCR\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\Programmable]
[HKCR\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\TypeLib]
[HKCR\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\Implemented Categories]
[HKCR\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\InprocServer32]
[HKCR\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\InprocServer32]

The process regsvr32.exe:184 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKCR\EasyOn.SideBand\CLSID]
"(Default)" = "{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}"

[HKCR\EasyOn.BandHelper\CLSID]
"(Default)" = "{1CE681DC-1190-40EF-85A9-ADE47098CF51}"

[HKCR\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\ProgID]
"(Default)" = "EasyOn.BandHelper.1"

[HKCR\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\InprocServer32]
"(Default)" = "%Program Files%\EasyOn\EasyOn.dll"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"TabProcGrowth" = "0"

[HKCR\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\VersionIndependentProgID]
"(Default)" = "EasyOn.BandHelper"

[HKCR\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\ProgID]
"(Default)" = "EasyOn.SideBand.1"

[HKCR\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\TypeLib]
"(Default)" = "{9EC01A8D-1377-4F63-89D8-AE6CD3E43C32}"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Main]
"TabProcGrowth" = "0"

[HKCR\EasyOn.BandHelper]
"(Default)" = "BandHelper Class"

[HKCR\EasyOn.BandHelper.1\CLSID]
"(Default)" = "{1CE681DC-1190-40EF-85A9-ADE47098CF51}"

[HKCR\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\VersionIndependentProgID]
"(Default)" = "EasyOn.SideBand"

[HKCR\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}]
"(Default)" = "EasyOn"

[HKCR\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\TypeLib]
"(Default)" = "{9EC01A8D-1377-4F63-89D8-AE6CD3E43C32}"

[HKCR\EasyOn.SideBand]
"(Default)" = "SideBand Class"

[HKCR\EasyOn.SideBand.1]
"(Default)" = "SideBand Class"

[HKCR\EasyOn.BandHelper.1]
"(Default)" = "BandHelper Class"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "63 8E 38 89 11 90 8A FF 5C 90 6A 7F 5C 41 93 6D"

[HKCR\EasyOn.SideBand.1\CLSID]
"(Default)" = "{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}"

[HKCR\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\InprocServer32]
"(Default)" = "%Program Files%\EasyOn\EasyOn.dll"

[HKCR\EasyOn.BandHelper\CurVer]
"(Default)" = "EasyOn.BandHelper.1"

[HKCR\EasyOn.SideBand\CurVer]
"(Default)" = "EasyOn.SideBand.1"

[HKCR\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}]
"(Default)" = "EasyOnHelper"

The Dropped deletes the following registry key(s):

[HKCR\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\TypeLib]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1CE681DC-1190-40EF-85A9-ADE47098CF51}]
[HKCR\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\Programmable]
[HKCR\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}]
[HKCR\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\VersionIndependentProgID]
[HKCR\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}]
[HKCR\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\ProgID]
[HKCR\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\ProgID]
[HKCR\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\Implemented Categories\{00021493-0000-0000-C000-000000000046}]
[HKCR\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\VersionIndependentProgID]
[HKCR\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\Programmable]
[HKCR\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\TypeLib]
[HKCR\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\Implemented Categories]
[HKCR\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\InprocServer32]
[HKCR\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\InprocServer32]

The process regsvr32.exe:1404 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKCR\EasyOn.SideBand\CLSID]
"(Default)" = "{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}"

[HKCR\EasyOn.BandHelper\CLSID]
"(Default)" = "{1CE681DC-1190-40EF-85A9-ADE47098CF51}"

[HKCR\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\ProgID]
"(Default)" = "EasyOn.BandHelper.1"

[HKCR\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\InprocServer32]
"(Default)" = "%Program Files%\EasyOn\EasyOn.dll"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"TabProcGrowth" = "0"

[HKCR\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\VersionIndependentProgID]
"(Default)" = "EasyOn.BandHelper"

[HKCR\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\ProgID]
"(Default)" = "EasyOn.SideBand.1"

[HKCR\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\TypeLib]
"(Default)" = "{9EC01A8D-1377-4F63-89D8-AE6CD3E43C32}"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Main]
"TabProcGrowth" = "0"

[HKCR\EasyOn.BandHelper]
"(Default)" = "BandHelper Class"

[HKCR\EasyOn.BandHelper.1\CLSID]
"(Default)" = "{1CE681DC-1190-40EF-85A9-ADE47098CF51}"

[HKCR\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\VersionIndependentProgID]
"(Default)" = "EasyOn.SideBand"

[HKCR\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}]
"(Default)" = "EasyOn"

[HKCR\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\TypeLib]
"(Default)" = "{9EC01A8D-1377-4F63-89D8-AE6CD3E43C32}"

[HKCR\EasyOn.SideBand]
"(Default)" = "SideBand Class"

[HKCR\EasyOn.SideBand.1]
"(Default)" = "SideBand Class"

[HKCR\EasyOn.BandHelper.1]
"(Default)" = "BandHelper Class"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7C CA D7 63 9F 38 ED 9F 6C 7A CF CD D3 39 65 82"

[HKCR\EasyOn.SideBand.1\CLSID]
"(Default)" = "{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}"

[HKCR\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\InprocServer32]
"(Default)" = "%Program Files%\EasyOn\EasyOn.dll"

[HKCR\EasyOn.BandHelper\CurVer]
"(Default)" = "EasyOn.BandHelper.1"

[HKCR\EasyOn.SideBand\CurVer]
"(Default)" = "EasyOn.SideBand.1"

[HKCR\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}]
"(Default)" = "EasyOnHelper"

The Dropped deletes the following registry key(s):

[HKCR\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\TypeLib]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1CE681DC-1190-40EF-85A9-ADE47098CF51}]
[HKCR\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\Programmable]
[HKCR\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}]
[HKCR\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\VersionIndependentProgID]
[HKCR\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}]
[HKCR\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\ProgID]
[HKCR\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\ProgID]
[HKCR\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\Implemented Categories\{00021493-0000-0000-C000-000000000046}]
[HKCR\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\VersionIndependentProgID]
[HKCR\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\Programmable]
[HKCR\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\TypeLib]
[HKCR\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\Implemented Categories]
[HKCR\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\InprocServer32]
[HKCR\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\InprocServer32]

The process EasyOn.exe:372 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\EasyOn]
"SP" = "20150311070419"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "88 5B C2 09 8C 73 9B 77 FC 5A A5 29 B4 03 58 30"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Dropped modifies IE security zone settings so that all local web nodes (host names with no dots) that are not assigned to any other zone are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Dropped modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Dropped modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

To run itself automatically each time Windows boots, the Dropped adds the following reference to its file under the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EasyOn" = "%Program Files%\EasyOn\EasyOn.exe"

The Dropped deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process EasyOn.exe:1036 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\EasyOn]
"SP" = "20150311070409"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "09 8D A9 12 B6 D0 E8 FC 92 ED 74 28 7F 89 23 A2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Dropped modifies IE security zone settings so that all local web nodes (host names with no dots) that are not assigned to any other zone are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Dropped modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Dropped modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

To run itself automatically each time Windows boots, the Dropped adds the following reference to its file under the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EasyOn" = "%Program Files%\EasyOn\EasyOn.exe"

The Dropped deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process %original file name%.exe:312 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9C 82 8E BE 05 26 89 7F 59 E6 14 90 47 16 AB 95"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EasyOn]
"NoModify" = "1"

[HKCU\Software\EasyOn]
"ID" = "EO19"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EasyOn]
"UninstallString" = "%Program Files%\EasyOn\Uninstall.exe"
"DisplayName" = "EasyOn"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\EasyOn]
"Version" = "1.0.0.1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EasyOn]
"NoRepair" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\EasyOn]
"EasyOn.exe" = "EasyOn"

The Dropped modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Dropped modifies IE security zone settings so that all local web nodes (host names with no dots) that are not assigned to any other zone are mapped to the Intranet Zone:

"UNCAsIntranet" = "1"

The Dropped modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:

"ProxyBypass" = "1"

The process EOU1008.exe:1316 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C1 31 4F 1D AE C0 B1 74 30 FC 97 0A C7 61 98 75"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EasyOn]
"NoModify" = "1"

[HKCU\Software\EasyOn]
"Version" = "1.0.0.8"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EasyOn]
"UninstallString" = "%Program Files%\EasyOn\Uninstall.exe"
"DisplayName" = "EasyOn"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EasyOn]
"NoRepair" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Dropped modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Dropped modifies IE security zone settings so that all local web nodes (host names with no dots) that are not assigned to any other zone are mapped to the Intranet Zone:

"UNCAsIntranet" = "1"

The Dropped modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"
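The registry listing above repeats one "[KEY]" block per value, which makes it hard to see at a glance what is persistence, what is an uninstall entry and what is Explorer bookkeeping. The following is an added example, not part of the Lavasoft report, that merges the listing into one map and triages it. The sample text is copied from the report's own entries (including the Run value from the removal steps); the ZoneMap "defaults" are the stock IE values and are an assumption of this example, not something the report states.

```python
"""Added example, not part of the Lavasoft report: merge the report's registry
listing into {key: {name: value}} and separate persistence / uninstall entries
from Explorer bookkeeping.  SAMPLE is copied from the report; ZONEMAP_DEFAULTS
is an assumption (stock IE "Local intranet" settings)."""
import re
from collections import defaultdict

KEY_RE = re.compile(r"^\[(HK[A-Z_]+\\.+)\]$")
VAL_RE = re.compile(r'^"([^"]+)"\s*=\s*"(.*)"$')

SAMPLE = r"""
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EasyOn" = "%Program Files%\EasyOn\EasyOn.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EasyOn]
"NoModify" = "1"

[HKCU\Software\EasyOn]
"Version" = "1.0.0.8"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EasyOn]
"UninstallString" = "%Program Files%\EasyOn\Uninstall.exe"
"DisplayName" = "EasyOn"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
"UNCAsIntranet" = "1"
"ProxyBypass" = "1"
"""


def parse_listing(text):
    """Merge the report's repeated [KEY] blocks into {key: {name: value}}."""
    reg = defaultdict(dict)
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            reg[key]  # register the key even if no value line follows
            continue
        m = VAL_RE.match(line)
        if m and key is not None:
            reg[key][m.group(1)] = m.group(2)
    return dict(reg)


# Explorer bookkeeping that any GUI process touches; not an indicator.
NOISE = ("\\Explorer\\MountPoints2\\", "\\Explorer\\Shell Folders")
# Assumption: stock "Local intranet" zone values on a default IE install.
ZONEMAP_DEFAULTS = {"IntranetName": "1", "UNCAsIntranet": "1", "ProxyBypass": "1"}


def triage(reg):
    """Return (category, detail) findings.  Persistence and uninstall entries
    are what manual removal needs; ZoneMap values are compared to the defaults
    so only a real zone change is surfaced."""
    findings = []
    for key, values in reg.items():
        if any(n in key for n in NOISE):
            continue
        low = key.lower()
        tail = key.rsplit("\\", 1)[-1]
        if "\\currentversion\\run" in low:  # also matches RunOnce
            for name, value in values.items():
                findings.append(("persistence", f"{name} -> {value}"))
        elif "\\currentversion\\uninstall\\" in low:
            findings.append(("uninstall_entry", f"{tail}: {values.get('UninstallString', '?')}"))
        elif low.endswith("\\internet settings\\zonemap"):
            changed = {n: v for n, v in values.items() if ZONEMAP_DEFAULTS.get(n) != v}
            findings.append(("zonemap", "defaults only" if not changed else f"non-default: {changed}"))
        else:
            findings.append(("other", key))
    return findings


if __name__ == "__main__":
    for category, detail in triage(parse_listing(SAMPLE)):
        print(f"{category:16} {detail}")
```

Run against the sample it reports the Run value as persistence, collapses the two Uninstall\EasyOn blocks into one entry with its UninstallString, drops the MountPoints2 noise and reports the ZoneMap key as defaults only; feeding it a listing with "IntranetName" = "0" produces a non-default finding instead.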

Dropped PE files

MD5 File path
4183f9464080d3aa793fcabcf275430c c:\Program Files\EasyOn\EasyOn.dll
50745c4bd9ee3ab2897d1ea4d509c804 c:\Program Files\EasyOn\EasyOn.exe
655e3f72ffe68b32fd814ab424f76ce7 c:\Program Files\EasyOn\Uninstall.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: NBIZ Corp.
Product Name: EasyOn
Product Version:
Legal Copyright: (c) NBIZ. All rights reserved.
Legal Trademarks:
Original Filename:
Internal Name: EasyOn
File Version: 1.0.0.1
File Description: EasyOn
Comments:
Language: Korean (Korea)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 23628 24064 4.46394 856b32eb77dfd6fb67f21d6543272da5
.rdata 28672 4764 5120 3.4982 dc77f8a1e6985a4361c55642680ddb4f
.data 36864 154712 1024 3.3278 7922d4ce117d7d5b3ac2cffe4b0b5e4f
.ndata 192512 73728 0 0 d41d8cd98f00b204e9800998ecf8427e
.rsrc 266240 5912 6144 2.99293 387a5290a8bcb75f809f379be7531410

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 21
2fb03f46371a9d50f12ce4a713e1eef8
b6b230332f147071b6116be5ef7f0426
7147dce4ef17a9e847811c0a5359e607
8fac142b7d549d4f7f8bb58523c74944
9a9ef113d9596e4081230ebf358a9896
5a805cc408b6fe92d450775f62ea9118
4671f67c8d5b17f8eef4e24bd8516dcb
e4611e132d1c1820be6dc1c4fa3e8e60
ae465e28d9ee01453e4af72a5f6a0bf1
feb9f0c7a06e4bdd9bb121248d96ea39
4060050e71b3f39f81411f8ddb3c4577
43893a33894afb320b7165572517cf90
c742fd59e9c48bc8b9d9f34a84990d3c
9fdccf65054b7b877a82bebda6d78295
2066d86f3fe719b8da77bacf6ac0a7c9
5e216e3949ade0bea4a7529bd03ede66
1965305980904d89329bfd725b40fba4
e862437ae5a36e21693be73d9081ed0c
6f1f6222f4e6871ab2a7aedf6577b8a6
bef4113a159e78b013d624cba2d05de2
e46ab07970386574cb630b60bc6ee9f1

URLs

URL IP
hxxp://easyon.sideon.co.kr/update/EO19/EasyOn.ini 211.206.126.175
hxxp://easyon.sideon.co.kr/update/EO19/EOU1008.exe 211.206.126.175
hxxp://easyon.sideon.co.kr/install.asp?version=1.0.0.1&id=EO19&mac=000C298E22D8 211.206.126.175
hxxp://easyon.sideon.co.kr/setting.dat 211.206.126.175
hxxp://easyon.sideon.co.kr/update.asp?version=1.0.0.8&id=EO19&mac=000C298E22D8&oldversion=1.0.0.1 211.206.126.175
hxxp://easyon.sideon.co.kr/ex.dat 211.206.126.175


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET TROJAN Sidetab or Related Trojan Checkin
ET TROJAN VMProtect Packed Binary Inbound via HTTP - Likely Hostile

Traffic

GET /update/EO19/EasyOn.ini HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; InfoPath.2; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 1.1.4322)
Host: easyon.sideon.co.kr


HTTP/1.1 200 OK
Date: Wed, 11 Mar 2015 05:03:49 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Thu, 26 Apr 2012 13:03:54 GMT
ETag: "11204ab-5d-4be949eb5e280"
Accept-Ranges: bytes
Content-Length: 93
Connection: close
Content-Type: text/plain; charset=UTF-8
[version]..version=1.0.0.8..[Files]..file0=hXXp://easyon.sideon.co.kr/
update/EO19/EOU1008.exe..


GET /update/EO19/EasyOn.ini HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; InfoPath.2; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 1.1.4322)
Host: easyon.sideon.co.kr


HTTP/1.1 200 OK
Date: Wed, 11 Mar 2015 05:03:56 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Thu, 26 Apr 2012 13:03:54 GMT
ETag: "11204ab-5d-4be949eb5e280"
Accept-Ranges: bytes
Content-Length: 93
Connection: close
Content-Type: text/plain; charset=UTF-8
[version]..version=1.0.0.8..[Files]..file0=hXXp://easyon.sideon.co.kr/
update/EO19/EOU1008.exe..


GET /update/EO19/EOU1008.exe HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; InfoPath.2; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 1.1.4322)
Host: easyon.sideon.co.kr
Cache-Control: no-cache


HTTP/1.1 200 OK
Date: Wed, 11 Mar 2015 05:03:49 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Thu, 26 Apr 2012 13:03:54 GMT
ETag: "11204aa-3e658-4be949eb5e280"
Accept-Ranges: bytes
Content-Length: 255576
Connection: close
Content-Type: application/octet-stream
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..i
u..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i..................
......PE..L......K.................P... .......(.......0....@.........
.................P.......".......................................@....
...0..................`...............................................
............................................UPX0......................
[email protected].... ...0..
.....N..............@.................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
.......3.00.UPX!......U..........H......&..-....U....\.}..t .F.E.u..H.
[email protected]..}.V.5p..E.WP.L.e...l.1E....P.}.....
....Dp;....FR.VV..Uu...... M......M....3....Qs.....NU......1....T...PE
.3....v.......s.PB..pw.]..E...P...T....7.......9}q.w...B.s.~X.te.v4.5.
.3t.m....j.W.:.......9..*. )XWKp.ls[.X....h .-....Pj.h`..%Xq......w'.\
_....^3.[.._.L$...F..Si.......AVW.T.....tO.q.3.;5..sB......i...D.....G
........t.BO..t ....u...3.......9...F.1Ar.t[.......QQ.U...i..... ..3..
.W?.B.Fc.....^.9M.t.$.B..;..D..?...i.|...B.....,....R#...u([email protected]..

<<< skipped >>>

GET /update.asp?version=1.0.0.8&id=EO19&mac=000C298E22D8&oldversion=1.0.0.1 HTTP/1.0
Host: easyon.sideon.co.kr
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*


HTTP/1.1 200 OK
Date: Wed, 11 Mar 2015 05:03:56 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Content-Length: 9
Connection: close
Content-Type: text/html; charset=utf-8
complete!..


GET /setting.dat HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; InfoPath.2; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 1.1.4322)
Host: easyon.sideon.co.kr
Cache-Control: no-cache


HTTP/1.1 200 OK
Date: Wed, 11 Mar 2015 05:03:53 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Thu, 26 Apr 2012 12:38:22 GMT
ETag: "112058d-13e-4be9443656b80"
Accept-Ranges: bytes
Content-Length: 318
Connection: close
Content-Type: text/plain; charset=UTF-8
[setting]..set0=5A43A6E5A9DDD32900316A1D6D8EE7D0D50C114AF4E03F306C2677
6D62248018900F992D25EB88D1F9B40F3563180937..set1=E3BAFBF650EB2ECF8FE22
3E9981178B1F4C4EE102F565EC84BC407FBD6B3B4984D9200815DB9217499566769232
B4FB9..set2=E78CCA004B4F3FF607BB331B628DF4FF490EAF98DD947606DDDD713B76
87DBDC78CF9DC4A5CEF1690D09ABC0ABDFA5B6..


GET /install.asp?version=1.0.0.1&id=EO19&mac=000C298E22D8 HTTP/1.0
Host: easyon.sideon.co.kr
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*


HTTP/1.1 200 OK
Date: Wed, 11 Mar 2015 05:03:50 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Content-Length: 9
Connection: close
Content-Type: text/html; charset=utf-8
complete!..


GET /ex.dat HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; InfoPath.2; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 1.1.4322)
Host: easyon.sideon.co.kr
Cache-Control: no-cache


HTTP/1.1 200 OK
Date: Wed, 11 Mar 2015 05:03:57 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Thu, 04 Oct 2012 09:16:15 GMT
ETag: "1120589-ee-4cb38350575c0"
Accept-Ranges: bytes
Content-Length: 238
Connection: close
Content-Type: text/plain; charset=UTF-8
B1584543850A5F6B7F8CE0FB2577E6FD..E4D90776B409CD8359C7AAF0B7965121..C5
EDD7FF8202CC81256298E8D66C8BA4..4FBB6A271BB4594BC492B6CFFE96FEB5..7D76
8105F5AE46ABE8DFCB3DA1AB157F..5D7BB244B5D9D3D1EE8EB835ED1A57A0..54848E
C75447EF28805015957DFEBDC5....
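The captured traffic above is a complete update handshake: the client fetches the INI manifest, compares the advertised version to its own, downloads the file listed under [Files], and then reports install.asp / update.asp with its version, channel id and MAC address through the NSIS downloader. The following is an added example, not code from the report or from the EasyOn software, that reproduces that logic and flags such check-ins in a proxy log. Host, paths, parameter names and the NSISDL User-Agent are taken from the report; the log format and the log lines are constructed for the demo, and the defanged hXXp URL is restored to http.

```python
"""Added example, not part of the Lavasoft report: the EasyOn update handshake
from the Traffic section and detection of its install.asp/update.asp check-ins
in HTTP proxy logs.  Host, paths, parameter names and the NSISDL User-Agent
come from the report; the log format and SAMPLE_LOG lines are constructed."""
import configparser
import re
from urllib.parse import parse_qs, urlparse

# Body of /update/EO19/EasyOn.ini as served (the report shows CRLF as '..'
# and defangs the URL as hXXp; both are restored here).
MANIFEST = (
    "[version]\r\nversion=1.0.0.8\r\n"
    "[Files]\r\nfile0=http://easyon.sideon.co.kr/update/EO19/EOU1008.exe\r\n"
)


def parse_manifest(text):
    """Return (advertised version, [payload URLs]) from the INI-style manifest."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    version = cp["version"]["version"]
    files = [v for k, v in cp["Files"].items() if k.startswith("file")]
    return version, files


def needs_update(installed, advertised):
    """Numeric dotted-version compare; the client reported oldversion=1.0.0.1."""
    as_tuple = lambda v: tuple(int(p) for p in v.split("."))
    return as_tuple(advertised) > as_tuple(installed)


def checkin_url(host, action, version, channel_id, mac, oldversion=None):
    """Rebuild the install.asp / update.asp beacon.  The mac parameter is the
    NIC address with separators stripped and upper-cased, as in the capture."""
    mac = re.sub(r"[:-]", "", mac).upper()
    query = f"version={version}&id={channel_id}&mac={mac}"
    if oldversion:
        query += f"&oldversion={oldversion}"
    return f"http://{host}/{action}.asp?{query}"


# Constructed log format: "<client> <host> <method> <path> <user-agent>"
SAMPLE_LOG = [
    "10.0.0.5 easyon.sideon.co.kr GET /update/EO19/EasyOn.ini Mozilla/4.0 (compatible; MSIE 8.0)",
    "10.0.0.5 easyon.sideon.co.kr GET /install.asp?version=1.0.0.1&id=EO19&mac=000C298E22D8 NSISDL/1.2 (Mozilla)",
    "10.0.0.7 www.example.com GET /update.asp?ver=2 Mozilla/5.0",
    "10.0.0.5 easyon.sideon.co.kr GET /update.asp?version=1.0.0.8&id=EO19&mac=000C298E22D8&oldversion=1.0.0.1 NSISDL/1.2 (Mozilla)",
]

CHECKIN_PATH = re.compile(r"/(install|update)\.asp(?:\?|$)")
MAC_PARAM = re.compile(r"^[0-9A-Fa-f]{12}$")


def detect_checkins(log_lines):
    """Flag EasyOn-style beacons: install/update.asp carrying version, id and a
    12-hex-digit mac parameter.  Matching is on the request shape rather than
    the hostname, so a renamed update server is still caught."""
    hits = []
    for line in log_lines:
        parts = line.split(" ", 4)
        if len(parts) < 5:
            continue
        client, host, method, path, user_agent = parts
        m = CHECKIN_PATH.search(path)
        if not m:
            continue
        qs = parse_qs(urlparse(path).query)
        mac = qs.get("mac", [""])[0]
        if not (MAC_PARAM.match(mac) and "id" in qs and "version" in qs):
            continue
        hits.append({
            "client": client,
            "host": host,
            "action": m.group(1),
            "mac": mac,
            "channel": qs["id"][0],
            "nsis_downloader": user_agent.startswith("NSISDL/"),
        })
    return hits


if __name__ == "__main__":
    version, files = parse_manifest(MANIFEST)
    print("manifest advertises", version, "- update needed:", needs_update("1.0.0.1", version))
    print(checkin_url("easyon.sideon.co.kr", "update", version, "EO19", "00:0c:29:8e:22:d8", "1.0.0.1"))
    for hit in detect_checkins(SAMPLE_LOG):
        print(hit)
```

Note that the manifest is fetched and the payload served over plain HTTP with no signature, so anything on the path between the client and easyon.sideon.co.kr can substitute its own file0; the detector keys on the mac/id/version triple rather than on the domain for the same reason.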


The Dropped connects to the servers at the following location(s):

EasyOn.exe_372:

.text
`.rdata
@.data
.rsrc
SSSShPa@
MFC42.DLL
MSVCRT.dll
_acmdln
WinExec
KERNEL32.dll
USER32.dll
RegCloseKey
RegCreateKeyA
RegOpenKeyA
ADVAPI32.dll
SHELL32.dll
ole32.dll
InternetCanonicalizeUrlA
HttpQueryInfoA
InternetOpenUrlA
WININET.dll
%Y%m%d%H%M%S
hXXp://easyon.sideon.co.kr/ex.dat
ex.dat
EasyOn.ini
hXXp://easyon.sideon.co.kr/update/
EasyOn.dll
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
regsvr32 /s "%s"
WinInet.dll
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; InfoPath.2; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 1.1.4322)
1, 0, 0, 8
EasyOn.EXE


Remove it with Ad-Aware

  1. Download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    regsvr32.exe:540
    regsvr32.exe:1648
    regsvr32.exe:184
    regsvr32.exe:1404
    EasyOn.exe:372
    EasyOn.exe:1036
    %original file name%.exe:312
    EOU1008.exe:1316

  2. Delete the original Dropped file.
  3. Delete or disinfect the following files created/modified by the Dropped:

    %Program Files%\EasyOn\ex.dat (238 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\EOU1008.exe (20594 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsw2.tmp\NSISdl.dll (14 bytes)
    %Program Files%\EasyOn\EasyOn.dll (4383 bytes)
    %Program Files%\EasyOn\Uninstall.exe (2757 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsw2.tmp\IpConfig.dll (3322 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsw2.tmp\UAC.dll (13 bytes)
    %Program Files%\EasyOn\EasyOn.exe (1568 bytes)
    %Program Files%\EasyOn\1 (9 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsx4.tmp\SelfDel.dll (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\updat.xxx (9 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsx4.tmp\UAC.dll (13 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsx4.tmp\nsProcess.dll (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsx4.tmp\IpConfig.dll (3322 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsx4.tmp\NSISdl.dll (14 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsx4.tmp\fct.dll (4 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "EasyOn" = "%Program Files%\EasyOn\EasyOn.exe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
