Content

Adware-Kazoom.dr

Type
Program
SubType
Dropper
Discovery Date
09/12/2005
Minimum DAT
4579 (09/12/2005)
Updated DAT
4579 (09/12/2005)
Minimum Engine
5.1.00
Description Added
09/12/2005
Description Modified
12/08/2005 3:30 AM (PT)

Tab Navigation

Characteristics

McAfee(R) AVERT™ recognizes that this program may have legitimate uses in contexts where an authorized administrator has knowingly installed this application. If you agreed to a license agreement for this, or another bundled application, you may have legal obligations with regard to removing this software, or using the host application without this software. Please contact the software vendor for further information.
See http://vil.nai.com/vil/DATReadme.asp for a list of Program detections added to the DATs.
See http://vil.nai.com/vil/pups/configuration.htm for information about how to enable, disable, and exclude detection of legitimately installed programs.

Summary

This is not a virus or a Trojan. It is a direct-marketing adware application. On execution of the application it installs CEDP Stealer on the system. As soon as this application is accessed first time it opens a web page for “sherv.net” and starts downloading and installing 180search Assistant silently in the background. Two BHOs are also added.

Privacy

EULA is displayed during installation, which clearly mentions that pop-up ads may be displayed while browsing internet.

System Changes

File Name: “D5B96F8E.EXE”
MD5Hash: “73c6a200945a8252e3201d188f01ac1d”

Following folders are added:

  • %PROGRAMFILES%\CEDP Stealer
  • %PROGRAMFILES%\180search Assistant

Following files are added:

  • CEDP.Stealer.exe (detected as Adware-Kazoom)
  • 180sa.exe (detected as Adware-180SA)
  • 180sahook.dll (detected as Adware-ZangoSA)
  • a.exe (detected as Keylog-Briss)
  • bridge.dll (detected as Adware-BHO.gen)
  • AHNUXEKR.exe (detected as Adware-180SA)

The following registry entries are added:

  • HKEY_CLASSES_ROOT\CLSID\
    {9C691A33-7DDA-4C2F-BE4C-C176083F35CF}
    displayname = "brdg Class"
  • HKEY_CLASSES_ROOT\CLSID\
    {74711ec-74711ec-74711ec-74711ec-74711ec}
  • HKEY_CLASSES_ROOT\CLSID\
    {21B4ACC4-8874-4AEC-AEAC-F567A249B4D4}
    displayname="CSABHO Object"
  • HKEY_CLASSES_ROOT\Interface\
    {7B178417-3CDA-444F-94FF-312C0A3A78A8}
    displayname="ISABHO"
  • HKEY_CLASSES_ROOT\Interface\
    {4FDBDBAD-FEFE-4C4C-9CC1-1181052AFB12}
    displayname="Ibrdg"
  • HKEY_CLASSES_ROOT\TypeLib\
    {DDAF2479-6F00-4599-998A-3ED75686C6D0}
  • HKEY_CLASSES_ROOT\TypeLib\
    {68BF4626-D66B-4383-A6AF-62E57E9B6CD4}
  • HKEY_CURRENT_USER\SOFTWARE\CEDP_Stealer
  • HKEY_CURRENT_USER\Software\180sa
  • HKEY_CURRENT_USER\Software\180solutions
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
    CurrentVersion\Explorer\Browser Helper Objects\
    {21B4ACC4-8874-4AEC-AEAC-F567A249B4D4}
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
    CurrentVersion\Explorer\Browser Helper Objects\
    {9C691A33-7DDA-4C2F-BE4C-C176083F35CF}
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
    CurrentVersion\Run “systray”
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
    CurrentVersion\Run “RunDLL”
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
    CurrentVersion\Run “AHNUXEKR”
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
    CurrentVersion\Run “180sa”

Network Impact

Additional overhead in bandwidth may occur due to download of content.

Aliases

Aliases

  • Adware/nCase – Panda