- Mar 10, 2015
- 30
Hello,
In simple words, I got a piece of "driver" software from ViewSonic (link's below) and I wish someone would take a deep look at what it does. I'm just a normal PC user and have almost no knowledge of analyzing a program.
Code:
hxxp://www.viewsonic.com/support/downloads/drivers/_download/VNB_eventservice.zip
And here's the story.
Recently I found a piece of software called "EventService" on my super old ViewSonic VNB101 laptop. I didn't notice it until a few days ago, when I was surprised that the timer on the laptop went as fast as Sanic (about 10 minutes per second). Soon after, I found this "EventService.exe" in the processes, and whenever I kill it, the timer speed works right again.
I opened up control panel, and here's what I saw:
FIG.1 (Well... just ignore the Mandarin characters.)
Now everything about this thingy starts to look fishy.
First, the "OEM" in the description links to the website "ww.oem.com" (I disabled the link by adding "hxxp://" to it), which is now a dead site with nothing but ads. Nevertheless, since "OEM" means "Original Equipment Manufacturer" in English, I suspect that the producer of this application just faked the information.
FIG.2 (Look at that yellow donut from WOT at the upper-right corner. lol.)
Second, I opened the folder that the software is installed in, and soon found that the executable is NOT signed.
FIG.3A
Just for comparison, the picture below shows a program with a certificate (數位簽章, "digital signature" in Chinese).
FIG.3B
Third, as you can see in FIG.3A, it says that the program is made by "Gray Workshop". (But wait... Didn't it state that it's made by a company called "OEM"? LOL...) I searched "Gray Workshop EventService" on Google, but nothing informative was found. Now it's even more suspicious.
Fourth, I uploaded both the main executable and its installer to VirusTotal, and the former is flagged by Kaspersky. (However, it could be a false positive since only Kaspersky flags it, and the installer is totally "fine" on VT.)
FIG.4
VT of the main executable:
https://www.virustotal.com/en/file/...c12a63b507400f410b049ba9cb7628f71d4/analysis/
VT of the installer: (Note that the installer is NOT signed, either.)
https://www.virustotal.com/en/file/...f959fd2865688d0e874716acfa2d1793001/analysis/
BTW, the file "Log.txt" in FIG.3A looks like this:
FIG.5 (I don't know what "3G Module" it's talking about though.)
Your analysis will be greatly appreciated! I really want to know what this fishy thing does.
EDIT@(2016-03-13 11:00 UTC): I forgot a super important indicator, that is, the installer provides NO EULA or any details about its service! Installers providing no EULA or description of their services are almost always considered fishy and not legit.
-ZevinZenph
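The checks the post walks through by hand (is the executable Authenticode-signed, what does its version resource claim, what does the Control Panel uninstall entry say, what hash to look up on VirusTotal, what is in Log.txt) can be collected in one pass from an elevated PowerShell prompt. The script below is an added example written for this thread, not code from the original post or from ViewSonic; the install path, the "EventService" name pattern and the Log.txt filename are assumptions taken from the screenshots described above and may need adjusting.

```powershell
# Added triage example for a suspicious OEM binary such as EventService.exe.
# Assumed path: the poster's install folder is not named in the thread.
param(
    [string]$Path = 'C:\Program Files\EventService\EventService.exe'
)

if (-not (Test-Path -LiteralPath $Path)) { throw "File not found: $Path" }
$file = Get-Item -LiteralPath $Path

# 1. Authenticode signature. 'NotSigned' corresponds to the missing
#    "Digital Signatures" tab in the file properties dialog (FIG.3A).
$sig = Get-AuthenticodeSignature -FilePath $Path
[pscustomobject]@{
    Check  = 'Authenticode'
    Status = $sig.Status
    Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
}

# 2. SHA256 for a VirusTotal lookup. Searching the hash shows existing results
#    without uploading the file again.
$hash = Get-FileHash -LiteralPath $Path -Algorithm SHA256
[pscustomobject]@{ Check = 'SHA256'; Value = $hash.Hash }

# 3. Version resource. This is where "Gray Workshop" came from in the post;
#    compare it with the publisher string Control Panel shows.
$vi = $file.VersionInfo
[pscustomobject]@{
    Check       = 'VersionInfo'
    CompanyName = $vi.CompanyName
    ProductName = $vi.ProductName
    Description = $vi.FileDescription
    FileVersion = $vi.FileVersion
}

# 4. Is the binary registered as a Windows service, under which account,
#    and from which path? A service path that differs from $Path is worth a look.
Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -like "*$($file.Name)*" } |
    Select-Object Name, State, StartMode, StartName, PathName

# 5. The Add/Remove Programs entry (FIG.1/FIG.2): publisher name and the
#    URLInfoAbout link that pointed at the dead "OEM" site.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*EventService*' } |   # assumed name pattern
    Select-Object DisplayName, Publisher, URLInfoAbout, InstallLocation, UninstallString

# 6. Tail of the Log.txt next to the binary (FIG.5), where the "3G Module"
#    lines appeared.
$log = Join-Path $file.DirectoryName 'Log.txt'   # assumed filename from FIG.3A
if (Test-Path -LiteralPath $log) {
    Get-Content -LiteralPath $log -Tail 20
}
```

Run it from an elevated prompt so the service and HKLM queries succeed. An unsigned binary and a mismatched CompanyName are indicators, not proof: plenty of older OEM utilities ship unsigned, so the output is meant to be read alongside the VirusTotal result and the process behaviour the poster observed, not on its own.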