McAfee > Theat Center > PUP Detail Page

Characteristics

McAfee(R) AVERT recognizes that this program may have legitimate uses in contexts where an authorized administrator has knowingly installed this application.  If you agreed to a license agreement for this, or another bundled application, you may have legal obligations with regard to removing this software, or using the host application without this software.   Please contact the software vendor for further information.

See http://vil.nai.com/vil/DATReadme.asp for a list of Program detections added to the DATs.

See http://vil.nai.com/vil/pups/configuration.htm for information about how to enable, disable, and exclude detection of legitimately installed programs.

Distribution

This is not a virus or a Trojan.  It is an adware application that may generate pop-up advertisements while browsing the internet.

On executing the files, installation window appears to indicate that some software is being installed. It claims to speed up Web surfing. It installs a toolbar in Explorer window as below:

It drops one more toolbar as below:

On restarting the system each time a pop-up appears:

EULA appears during the installation process.

System Changes

File name: cnbar.exe
MD5: e702db4c8a5d97ebd82cb914d8d9f964

File name: NetSF.exe
MD5: d7d1bff7b6520622f8ba9a442fe130cc

Creates following directories:

• "%PROGRAMFILES%\COMMON~2"
• "%PROGRAMFILES%\CommonName"
• "%PROGRAMFILES%\eZula"

It creates a menu sub-item named "Net Sonic" & "Top Text iLookup" under the "Program" folder within the Start Menu.

The following files are added:

• CNForm.exe
• eZinstall.exe
• ezstub.exe
• EZULASTB.EXE
• mmod.exe
• NetSonicCleanup.exe
• NetSonicUninst.exe
• w3kselfinst.exe
• WebMain.exe
• CHCON.dll
• CNBarIE.dll
• eabh.dll
• InstallDll.dll
• NetSonic.dll
• seng.dll
• w3knet.dll
• W3KNET_W3I.DLL
• w3kpopup.dll
• W3Util2.dll

The following registry entries are added:

• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
  CurrentVersion\Run "W3KNetwork"
• HKEY_LOCAL_MACHINE\Software\Microsoft\InternetExplorer\
  Toolbar "{A3E3F04C-F98C-4295-95EF-41C57425B077}"
• HKEY_CLASSES_ROOT\CLSID\
  {ECB81A15-365C-4953-827F-6E848634C1F0}
• HKEY_CLASSES_ROOT\CNBar.Activater
• HKEY_CLASSES_ROOT\CNBar.BandSink
• HKEY_CLASSES_ROOT\CNBar.CNBarBand
• HKEY_CLASSES_ROOT\CNBar.ExplorerBar
• HKEY_CLASSES_ROOT\CNForm.CNBarHelper
• HKEY_CLASSES_ROOT\CNForm.History
• HKEY_CLASSES_ROOT\AppID\
  {8A044397-5DA2-11D4-B185-0050DAB79376}
• HKEY_CLASSES_ROOT\AppID\
  {C0335198-6755-11D4-8A73-0050DA2EE1BE}
• HKEY_CLASSES_ROOT\AppID\eZulaBootExe.EXE
• HKEY_CLASSES_ROOT\AppID\eZulaMain.EXE
• HKEY_CLASSES_ROOT\CLSID\
  {07F0A543-47BA-11D4-8A6D-0050DA2EE1BE}
• HKEY_CLASSES_ROOT\CLSID\
  {19DFB2CB-9B27-11D4-B192-0050DAB79376}
• HKEY_CLASSES_ROOT\CLSID\
  {3D7247E8-5DB8-11D4-8A72-0050DA2EE1BE}
• HKEY_CLASSES_ROOT\CLSID\
  {55910916-8B4E-4C1E-9253-CCE296EA71EB}
• HKEY_CLASSES_ROOT\CLSID\
  {C03351A4-6755-11D4-8A73-0050DA2EE1BE}
• HKEY_CLASSES_ROOT\EZulaAgent.eZulaCtrlHost
• HKEY_CLASSES_ROOT\eZulaAgent.IEObject
• HKEY_CLASSES_ROOT\EZulaAgent.PlugProt
• HKEY_CLASSES_ROOT\eZulaAgent.ToolBarBand
• HKEY_CLASSES_ROOT\EZulaBootExe.InstallCtrl
• HKEY_CLASSES_ROOT\EZulaFSearchEng.eZulaCode
• HKEY_CLASSES_ROOT\EZulaFSearchEng.eZulaHash
• HKEY_CLASSES_ROOT\EZulaFSearchEng.eZulaSearch
• HKEY_CLASSES_ROOT\EZulaFSearchEng.PopupDisplay
• HKEY_CLASSES_ROOT\EZulaFSearchEng.ResultHelper
• HKEY_CLASSES_ROOT\EZulaFSearchEng.SearchHelper
• HKEY_CLASSES_ROOT\EZulaMain.eZulaSearchPipe
• HKEY_CLASSES_ROOT\EZulaMain.TrayIConM
• HKEY_CURRENT_USER\SOFTWARE\web3000.com
• HKEY_CURRENT_USER\SOFTWARE\eZula
• HKEY_CURRENT_USER\SOFTWARE\Netscape
• HKEY_CURRENT_USER\SOFTWARE\CommonName
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
  CurrentVersion\Explorer\Browser Helper Objects\
  {1E1B2879-88FF-11D2-8D96-D7ACAC95951F}
• HKEY_LOCAL_MACHINE\SOFTWARE\web3000.com
• HKEY_LOCAL_MACHINE\SOFTWARE\CommonName

Network Impact

Additional overhead in bandwidth due to download of content.

Removal

Aliases

Aliases

• CommonName,Search Hijacker - CA eTrust