[Question] EventService "Driver" from ViewSonic Laptop

ZevinZenph

Level 1
Mar 10, 2015
28
Hello,

In simple words, I got a piece of "driver" software from ViewSonic (link's below) and I hope someone would like to take a deep look at what it does. I'm just a normal PC user and have almost no knowledge of analyzing a program.

Code:
hxxp://www.viewsonic.com/support/downloads/drivers/_download/VNB_eventservice.zip
(I disabled the link by adding "hxxp://" in it.)

And here's the story.

Recently I found a piece of software called "EventService" on my super old ViewSonic VNB101 laptop. I didn't notice it until a few days ago, when I was surprised that the timer on the laptop went as fast as Sanic (about 10 mins per second). Soon after, I found this "EventService.exe" in the processes, and whenever I kill it, the timer speed works right again.

I opened up control panel, and here's what I saw:
ES1.PNG

FIG.1 (Well... just ignore the Mandarin characters.)
Now everything about this thingy starts to look fishy.

First, the "OEM" in the description links to the website "ww.oem.com" (I disabled the link by adding "hxxp://" in it), which is now a dead site with nothing but ads. Nevertheless, since "OEM" means "Original Equipment Manufacturer" in English, I suspect that the producer of this application just faked the information.
ES2.PNG

FIG.2 (Look at that yellow donut from WOT at the upper-right corner. lol.)

Second, I opened up the folder that the software is installed to, soon after I found that the executable is NOT signed.
ES5.PNG

FIG.3A

Just for comparison, the picture below shows a program with a certificate ("數位簽章" in Chinese).
certExample.PNG

FIG.3B

Third, as you can see in FIG.3A, it says that the program is made by "Gray Workshop". (But wait... Didn't it state that it's made by a company called "OEM"? LOL...) I searched "Gray Workshop EventService" on Google, but nothing informative was found. Now it's even more suspicious.

Fourth, I uploaded both the main executable and its installer to VirusTotal, and the former is flagged by Kaspersky. (However, it could be a false positive since only Kaspersky flags it, and the installer is totally "fine" on VT.)
ES4.PNG

FIG.4

VT of the main executable:
https://www.virustotal.com/en/file/...c12a63b507400f410b049ba9cb7628f71d4/analysis/

VT of the installer: (Note that the installer is NOT signed, either.)
https://www.virustotal.com/en/file/...f959fd2865688d0e874716acfa2d1793001/analysis/

BTW, the file "Log.txt" in FIG.3A looks like this:
ES3.PNG

FIG.5 (I don't know what "3G Module" it's talking about, though.)

Your analysis will be greatly appreciated! I really want to know what this fishy thing does.

EDIT@(2016-03-13 11:00 UTC): I forgot a super important indicator, that is, the installer provides NO EULA or any details about its service! Installers providing no EULA and no description of their services are almost always considered fishy and not legit.

-ZevinZenph

hjlbx

How do I upload more than 2 files onto these platforms? Anubis seems to be the only one that supports auxiliary files. I uploaded the installed files using a .zip file onto Hybrid-analysis, and it failed. :/

Don't zip.

You should have no problem uploading eventservice.exe.

hjlbx

Well... Ok then.
I just uploaded only EventService.exe onto Hybrid-Analysis, and here's the link:
https://www.hybrid-analysis.com/sam...b507400f410b049ba9cb7628f71d4?environmentId=4

Although it says that the file is malicious, I doubt the reliability of the result. Here's the reason:
View attachment 88127
As you can see, the sample crashed because the auxiliary files were not present.

The missing pmdll.dll has nothing to do with whether or not EventService.exe is malicious.

It is rated as malicious because of behavioral analysis and detection by AV signature, but the threat score is low at 20.

There is no network activity + only two AVs are detecting it as malicious (Aegis and Kaspersky); only two AV engine detections are not definitive evidence that the file is malicious.

The file is suspicious - especially being installed at C:\EventService.exe - which is unusual.

Anyhow, you should really take this matter up with malware removal expert @TwinHeadedEagle on the malware removal assistance sub-forum.

ZevinZenph

The missing pmdll.dll has nothing to do with whether or not EventService.exe is malicious.

It is rated as malicious because of behavioral analysis and detection by AV signature, but the threat score is low at 20.

There is no network activity + only two AVs are detecting it as malicious (Aegis and Kaspersky); only two AV engine detections are not definitive evidence that the file is malicious.

The file is suspicious - especially being installed at C:\EventService.exe - which is unusual.

Anyhow, you should really take this matter up with malware removal expert @TwinHeadedEagle on the malware removal assistance sub-forum.

Thanks for your advice. I'll post a request there later. :)

But I still have some questions.

1. Why does pmdll.dll have nothing to do with whether or not EventService.exe is malicious?
I don't know how .dll files work, but they seem to be libraries. Is it possible that EventService.exe calls something coded in pmdll.dll?
2. Are you sure that the file installs itself to C:\ ? Whenever I upload a file onto hybrid-analysis, the file seems to be stored in C:\ (I've tried this many times). And the installer installs the file to "C:\Program Files\OEM\EventService\" on my laptop under Sandboxie (FIG.3A in the main post), and nothing was found under the C-drive directory in the sandbox.

I'm not being mad or trying to say the file is definitely safe/malicious. I just want to keep everything logical.

Edit: Now things get more confusing: the service it registered is whitelisted on the FRST scan. Any idea? :/

hjlbx

Did you copy EventService.exe from C:\Program Files\OEM\EventService and place the copy in C:\ and then upload it ?

The Hybrid Analysis is showing the file path as C:\EventService.exe.

Did you unhide all hidden and protected system files in Explorer ?

ZevinZenph

Did you copy EventService.exe from C:\Program Files\OEM\EventService and place the copy in C:\ and then upload it ?

The Hybrid Analysis is showing the file path as C:\EventService.exe.

Did you unhide all hidden and protected system files in Explorer ?

No. Both VirusTotal and Hybrid-analysis place uploaded file(s) in C:\ by default. (Tried many times with many different files. I use that service quite a lot TBH.)
And yes, both hidden and system files are unhidden. So are filename extensions.
:)

ZevinZenph

Update: I accidentally found the source code of phymem.sys and pmdll.dll.
Here's the link: Access Physical Memory, Port and PCI Configuration Space - CodeProject

They look like some sort of libraries that allow the program to access physical memory directly. Wow...
Why must it access the physical memory???

And... I managed to make a self-extract-and-launch file with WinRAR and uploaded it onto both Anubis and Hybrid-Analysis. Here are the results:
Anubis: Anubis - Malware Analysis for Unknown Binaries
Hybrid-Analysis: (I've been waiting for 3 hours and the file's still in queue. :()

LabZero

As I understand it, I'm not sure that there are security problems in this thread.

To answer your last question:

DLLs are libraries that can be called from multiple programs, and usually contain code that is made available to multiple applications. This allows you to not place duplicate code in different applications.
When multiple apps use the same library of functions, a DLL can reduce the duplication of code that is loaded on the disk and in physical memory, and this explains the access to the physical memory.
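ZevinZenph asked whether EventService.exe could be calling code in pmdll.dll. The static answer is in the executable's import table, and the parser below (an added example, not code from this thread, from ViewSonic, or from the CodeProject article) lists the DLL names a PE32/PE32+ file imports without any third-party library. It assumes a normal, unpacked PE; DLLs loaded at runtime via LoadLibrary or delay-load would not appear, so an empty result is not proof of absence.

```python
import struct

def _rva_to_offset(rva, sections):
    """Map a relative virtual address to a file offset via the section table."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError(f"RVA {rva:#x} is outside every section (packed or damaged file?)")

def _cstring(data, off):
    """Read a NUL-terminated ASCII string starting at a file offset."""
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")

def list_imports(data):
    """Return the DLL names in the import directory of a PE image (bytes)."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ header)")
    pe = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsections = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24                                          # optional header
    magic = struct.unpack_from("<H", data, opt)[0]
    dd_off = opt + (96 if magic == 0x10B else 112)         # PE32 vs PE32+
    import_rva = struct.unpack_from("<II", data, dd_off + 8)[0]  # directory[1]
    sections = []
    sec_tbl = opt + opt_size
    for i in range(nsections):
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, sec_tbl + 40 * i + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    names = []
    if import_rva == 0:                                    # no import directory at all
        return names
    off = _rva_to_offset(import_rva, sections)
    while True:                                            # IMAGE_IMPORT_DESCRIPTOR, 20 bytes each
        _, _, _, name_rva, _ = struct.unpack_from("<IIIII", data, off)
        if name_rva == 0:                                  # all-zero terminator
            break
        names.append(_cstring(data, _rva_to_offset(name_rva, sections)))
        off += 20
    return names

def imports_module(data, module):
    """True if the PE statically imports `module` (case-insensitive, e.g. 'pmdll.dll')."""
    return any(n.lower() == module.lower() for n in list_imports(data))

if __name__ == "__main__":
    import sys
    print(list_imports(open(sys.argv[1], "rb").read()))
```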

hjlbx

@ZevinZenph

IF it still bothers you, then...

You can submit to COMODO Valkyrie. You will get an immediate verdict - and perhaps 6 or so months later you will get a manual analysis verdict made by a COMODO technician.

ZevinZenph

@hjlbx
I just uploaded my crafted file to Comodo a few hours ago. :D
And thank you for the help!

BTW I asked @TwinHeadedEagle and he said that the program's likely to be safe.

Here's the last thing I can get from the Internet. I made another file that does the same thing (self-extracting silently) but also self-launches, and uploaded it to Hybrid-analysis, too.

Self-extracting silently + Self-launching (Experimental run):
https://www.hybrid-analysis.com/sam...7c45d06ff1a6d3ee6ae821227fcfc?environmentId=4

Self-extracting silently only (Control run):
https://www.hybrid-analysis.com/sam...ac470e46324d15e765f2bedd8bd21?environmentId=4

It's funny that the malicious indicators count of the experimental run is almost 3 times as many as the control run.
Sorry for bothering you guys during the last few days, thank you guys!!
Let's wait for the manual analysis verdict from COMODO technicians. :)

ZevinZenph

I've only scanned my PC with ESET and Malwarebytes. Maybe I'll try some more. Thanks for your advice! :)

BTW, I made that self-extract test file you mentioned. It's not the original one and contains some modules from WinRAR. And the funny thing is, only EventService.exe is detected by Kaspersky and AegisLab, while all other files remain FUD on VirusTotal. :(
(Check out the VT links in the "Extracted Files" section in this link:
https://www.hybrid-analysis.com/sam...7c45d06ff1a6d3ee6ae821227fcfc?environmentId=4 )

hjlbx

Submit file for manual analysis (Dr Web): Dr.Web - innovation anti-virus security technologies. Comprehensive protection from Internet threats.

You do not need a Dr Web key to submit.

In the comment, request a verdict after manual analysis. Also state that the file is currently detected as malicious, but it might be a false positive.

Dr Web technician will make final determination.

If you notice, your original submission was for EventService.exe whereas the link for the 5 detections is EventServiceTest.exe - two different files / different hashes.

The only way you are going to get this solved definitively is to have a technician review the file manually - otherwise it is a waste of time.

ZevinZenph

Oops sorry I totally forgot about this thread. :I

The files you mentioned are totally different, with EventService.exe being the original file (one of the files installed by the installer), and EventServiceTest being a self-extracting and self-launching test file, which contains all 5 files installed, created by using WinRAR.

I've tested the WinRAR self-extraction module, and it's red-flagged by around 3 vendors (Well done for their long-lasting false positive. lol).