General Explanation
Type: Adware
Degree of destruction: High
Prevalence: High
What is Adware?
Adware is advertising malware that displays ads or multiple banners on the system and pushes the user to buy products or use services. This type of malware usually enters the user's system unnoticed and without the user intending it.
What is WizzMonetize malware?
WizzMonetize adware disrupts the user by constantly opening new browser tabs, every few minutes, which makes working with the system practically impossible. WizzMonetize also creates an environment for downloading and executing other malware. In the current version it downloads and executes adware and Trojans that spy on the system, for as long as the victim's system has the capacity for them. Besides each downloaded sample carrying out its own malicious actions, together they occupy a large amount of memory and as a result slow the system down.
Technical Explanation
Signs of infection
- One sign of infection is the system's browsers suddenly opening and then opening a series of tabs with different addresses.
- Multiple processes with meaningless names appear in the system's process list, and some of them are open system browsers.
- The presence of one of the following registry keys on the system:
  - HKEY_CURRENT_USER\SOFTWARE\Microsoft\wewewe\
  - HKEY_CURRENT_USER\SOFTWARE\Microsoft\ewMon\
  - HKEY_CURRENT_USER\SOFTWARE\Microsoft\BigTime\
- Many folders under the Program Files and ProgramData paths with random, meaningless names that contain exe files and config files (mostly named cast.config).
The following files can be found on the victim's system:
File name | MD5 | Size | Detection name | Role
79OMZJEX97ZB.exe | 336c3a2bcecc642ca7451246be68b757 | 52 KB | Adware.Win32.WizzMonetize.ap | Malware downloader
SecondL.exe | b52bbd6acd78b6f0c574c6e23497512b | 7 KB | Adware.Win32.WizzMonetize.ap | Second downloader
OneTwo.exe | a8184ae85e3eea785e2fb19b861c2c49 | 38 KB | Adware.Win32.WizzMonetize.ap | Third downloader
Up.exe | A876962ddcc27402f8e15f5ab4864248 | 2.26 MB | Adware.Win32.WizzMonetize.ap | Malware update file
AdsShow.exe | bed137e13172448a47b267a43daabc5e | 534 KB | Adware.Win32.FileTour.ap | Redirector
wizzcaster_installer_v2.exe | e05a4306989258d76fce906d461be67d | 38 KB | Adware.Win32.WizzMonetize.ap | Installation file of one version of the malware
wizzcaster_uninstaller_v2.exe | 392862144023af94141d07d35ab13e73 | 28 KB | Adware.Win32.WizzMonetize.ap | Malware uninstaller file
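As an added example (not part of the original report), the following Python script checks a host for the indicators listed above: the cast.config-plus-exe folder layout, the MD5 values from the table, and the three HKCU registry keys. The hash list and key names are taken from this page; which directory roots to scan is an assumption left to the caller.

```python
import hashlib
import os
import sys

# MD5 values copied from the sample table on this page (compared in lower case).
KNOWN_MD5 = {
    "336c3a2bcecc642ca7451246be68b757": "79OMZJEX97ZB.exe (main downloader)",
    "b52bbd6acd78b6f0c574c6e23497512b": "SecondL.exe (second downloader)",
    "a8184ae85e3eea785e2fb19b861c2c49": "OneTwo.exe (third downloader)",
    "a876962ddcc27402f8e15f5ab4864248": "Up.exe (updater)",
    "bed137e13172448a47b267a43daabc5e": "AdsShow.exe (redirector)",
    "e05a4306989258d76fce906d461be67d": "wizzcaster_installer_v2.exe (installer)",
    "392862144023af94141d07d35ab13e73": "wizzcaster_uninstaller_v2.exe (uninstaller)",
}
# HKEY_CURRENT_USER subkeys listed under "Signs of infection" on this page.
REGISTRY_KEYS = [r"SOFTWARE\Microsoft\wewewe", r"SOFTWARE\Microsoft\ewMon",
                 r"SOFTWARE\Microsoft\BigTime"]

def md5_of(path):
    with open(path, "rb") as f:
        return hashlib.md5(f.read()).hexdigest()

def scan_tree(root, known=KNOWN_MD5):
    """Walk root and report (a) folders holding cast.config next to an exe,
    the dropper layout described above, and (b) exe files whose MD5 is known."""
    findings = []
    for dirpath, _, files in os.walk(root):
        exes = [f for f in files if f.lower().endswith(".exe")]
        if exes and any(f.lower() == "cast.config" for f in files):
            findings.append(("cast.config+exe", dirpath))
        for f in exes:
            full = os.path.join(dirpath, f)
            digest = md5_of(full)
            if digest in known:
                findings.append(("known-hash:" + known[digest], full))
    return findings

def check_registry_keys(keys=REGISTRY_KEYS):
    """Return the listed HKCU keys that exist on this host ([] off Windows)."""
    if sys.platform != "win32":
        return []
    import winreg
    present = []
    for key in keys:
        try:
            with winreg.OpenKey(winreg.HKEY_CURRENT_USER, key):
                present.append(key)
        except OSError:  # key does not exist
            pass
    return present
```

On a live Windows host, run scan_tree over the Program Files, ProgramData and AppData roots and call check_registry_keys() with no arguments; each finding is a (reason, path) pair.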
Malware main downloader
79OMZJEX97ZB.exe is a small module that contains only base64-encoded code hardcoded inside it. Using a constant key, it decodes this code and executes it as an independent exe file. The main operation and the file downloads are performed by this decoded file.
As soon as it is executed, the downloader 79OMZJEX97ZB.exe downloads three files. Comparing the previous variant of this malware with the new one shows that the names of the three downloaded files listed in the table have stayed constant, but the malware can change them: it receives an XML document from its server that contains the names and download links of the files. So far, however, these three files have kept constant names and behavior. They are OneTwo.exe, SecondL.exe, and Up.exe.
Explaining the function of SecondL.exe
As soon as it is executed, this file downloads and executes AdsShow.exe. The download link is hardcoded in SecondL.exe. SecondL.exe may be stored under a random name.
AdsShow.exe opens the system's default browser and redirects it to advertising sites, often malicious ones. This is an endless job that continues for as long as system memory can handle it. For persistence, this malware is stored in folders with random names under the following path; the file name is chosen randomly and it is not stored under the AdsShow name.
%AppData%\[Random]\[Random].exe
OneTwo.exe file
Its structure is like that of 79OMZJEX97ZB.exe. It is known as wizzcaster_installer_v2.exe.
This file downloads wizzcaster_v2.exe and wizzcaster_uninstaller_v2.exe. It is stored under the Program Files path in a random folder with a random name. wizzcaster_v2.exe is a different version of the malware. The attacker specifies, through wizzcaster_installer_v2.exe, which version of the malware is installed on the system, and its link is placed in the XML contents.
Up.exe file
This is the Updater.exe file. Its structure is similar to the two previous files, and its plain code is obtained with the base64 decode algorithm. As its name implies, this file updates the previous version of the malware on the system.
Note that different versions of the malware receive different download links from the server, which is what produces the different adware variants.
How to deal with it and disinfect the system
This malware is detected by Padvish Antivirus and disinfected from the system. To prevent this malware from entering the system, it is recommended not to visit sites you are not familiar with. Also, always scan files that unintentionally enter your system with a validated and trusted antivirus before executing them.