Puper

Type: Trojan
SubType: Win32
Discovery Date: 05/11/2005
Length: Varies
Minimum DAT: 4489 (05/11/2005)
Updated DAT: 5663 (07/01/2009)
Minimum Engine: 5.1.00
Description Added: 05/11/2005
Description Modified: 01/28/2009 8:21 AM (PT)
Risk Assessment:
  Corporate User: Low-Profiled
  Home User: Low-Profiled

Characteristics

 -- Update January 28, 2009 --

A new variant of the Puper trojan poses as decoder software needed to play a "Barack Obama video". Instead of playing the clip, it installs the Puper trojan.

The file is 304,891 bytes and has been detected as Puper since DAT 5509, released January 28, 2009.

Upon execution, the trojan may display one of several fake error messages.

It then drops and executes the following file in %Program Files%\Common Files:

  • Ndm328a2rL.exe (178 KB)

When run, this file drops the following malicious Puper components:

  • %System%\mf31926.dll
  • %System%\qmf31926.dll

It then registers qmf31926.dll as a Browser Helper Object (BHO), so Internet Explorer loads the DLL every time it starts:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E763654E-3985-3132-A28B-33971B438845}
  • HKEY_CLASSES_ROOT\CLSID\{E763654E-3985-3132-A28B-33971B438845}\InprocServer32 @= "%System%\qmf31926.dll"

Another Puper component is dropped in %Program Files%\Common Files with the following filename:

  • dRp6PJ28WU.exe (115 KB)

When run, this file drops svcnost.exe into the Windows System directory and adds autostart registry entries. Note that the Run value is named "svchost.exe" to resemble the legitimate Windows service host process, but the file it launches is svcnost.exe (with an "n"); the Winlogon "System" value, which is normally empty, is pointed at the same file:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    svchost.exe = "%System%\svcnost.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    System = "%System%\svcnost.exe"

(Where %System% is the Windows System directory, for example C:\Windows\System32)

It then collects information about the system, which may include the operating system and the web browser in use, and sends it to http://i5i.in/[block]_new.php.

It also checks its website for an updated copy of itself, and may prevent the affected user from browsing the web by terminating browser processes.

Another Puper file is dropped in %Program Files%\Common Files with the following filename:

  • AvBAG28jkrx.exe (81.5 KB)

When run, this file drops msiconf.exe into the Windows System directory and adds an autostart registry entry. Again the value name ("msiexec.exe", the name of the Windows Installer executable) differs from the file actually launched, and the data is a bare filename with no path, so it is resolved through the search path:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    msiexec.exe = "msiconf.exe"

This component displays a fake message warning the user of a possible trojan infection.

It then downloads and executes a rogue antivirus tool from the following URL(s):

  • hxxp://scanner.rapid-antivirus-2009.com/{blocked}/setup.exe

It also adds the following registry key(s):

  • HKEY_CURRENT_USER\Software\Rapid Antivirus  ID= "5849_Mjh8fHx8Mjh8fHwxMjQ1NzMxNjk4fA"

-- Update October 30, 2008 --

A new variant of the Puper trojan has been discovered. The file is 12,800 bytes and has been detected as Puper since DAT 5419 (released October 30, 2008).

Upon execution, the trojan attempts to download additional files from the following site:

  •  http://{removed}/image/qsdyuioff/pubenmgfuy/ifgmzdjl.php

At the time of writing, the site was not available. It also modifies the following registry key, pointing the multimediaControls.chl ProgID at the CLSID of the Windows Media Player ActiveX control, consistent with the fake-codec lure:

  •  HKEY_CLASSES_ROOT\multimediaControls.chl\CLSID
     "(Default)" = {6BF52A52-394A-11D3-B153-00C04F79FAA6}


 -- Update December 28, 2007 --

A new variant of the Puper trojan has been observed as part of a threat that spreads on the premise of offering a codec needed to view video of the suicide attack that killed former Pakistani Prime Minister Benazir Bhutto. For more information on this threat, please see the Avert Blog.


The Puper family of trojans modifies the Internet Explorer home page and search page and monitors internet usage.

The Puper trojan monitors its own processes and continually re-executes them to ensure they stay in memory. Additionally, it launches every time explorer.exe is launched.

This trojan may drop hpxxxx.tmp, where xxxx is a string of random characters. This file is detected as Puper.dll and is responsible for the start page and search page behavior.

The file hhk.dll is responsible for hiding the registry keys created by the Puper trojan.

System Changes

Files Added

  • %SystemDir%\intmon.exe (2 KB)
  • %SystemDir%\hp8af9.tmp (51 KB)
  • %SystemDir%\hhk.dll (6 KB)

Please note that the hp8AF9.tmp filename is hp + four random characters + .tmp  

Registry

The following registry keys are created:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
    \policies\Explorer\run
    "notepad2"=%original file%
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
    \Explorer\Browser Helper Objects\{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
    \Explorer\Browser Helper Objecta\{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA}
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl
    "(default)"="http://www.oneclicksearches.com/search.php?qq=%1"
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl
    "provider"=""
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search "CustomizeSearch" = "http://www.oneclicksearches.com/search.php?qq=%1"
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search "SearchAssistant" = "http://www.oneclicksearches.com/search.php?qq=%1"
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Default_Search_URL" = "http://www.oneclicksearches.com/search.php?qq=%1"
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Use Search Asst" = "http://www.oneclicksearches.com/search.php?qq=%1"
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Search Bar" = "http://www.oneclicksearches.com/bar.html"
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Default_Page_URL" = "about:blank"
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Enable Browser Extensions"="Yes"
  • HKEY_CLASSES_ROOT\TypeLib\{1E1B286C-88FF-11D2-8D96-D7ACAC95951F}\1.0\HELPDIR "" =" C:\WINDOWS\System32\"
  • HKEY_CLASSES_ROOT\TypeLib\{1E1B286C-88FF-11D2-8D96-D7ACAC95951F}\1.0\FLAGS "" = "0"
  • HKEY_CLASSES_ROOT\TypeLib\{1E1B286C-88FF-11D2-8D96-D7ACAC95951F}\1.0\0\win32 "" = "C:\WINDOWS\System32\hp8AF9.tmp"
  • HKEY_CLASSES_ROOT\TypeLib\{1E1B286C-88FF-11D2-8D96-D7ACAC95951F}\1.0 "" = "VM HomePage Type Library"
  • HKEY_CLASSES_ROOT\TypeLib\{1E1B286C-88FF-11D2-8D96-D7ACAC95951F}
  • HKEY_CLASSES_ROOT\Interface\{1E1B2878-88FF-11D2-8D96-D7ACAC95951F}\TypeLib "Version" = "1.0"
  • HKEY_CLASSES_ROOT\Interface\{1E1B2878-88FF-11D2-8D96-D7ACAC95951F}\TypeLib "(default)" = "{1E1B286C-88FF-11D2-8D96-D7ACAC95951F}"
  • HKEY_CLASSES_ROOT\Interface\{1E1B2878-88FF-11D2-8D96-D7ACAC95951F}\ProxyStubClsid32 "" = "{00020424-0000-0000-C000-000000000046}"
  • HKEY_CLASSES_ROOT\Interface\{1E1B2878-88FF-11D2-8D96-D7ACAC95951F}\ProxyStubClsid "" = "{00020424-0000-0000-C000-000000000046}"
  • HKEY_CLASSES_ROOT\Interface\{1E1B2878-88FF-11D2-8D96-D7ACAC95951F} "" = "IHomePage"
  • HKEY_CLASSES_ROOT\HP.1\CLSID
    "default"="{f8e5c210-f232-427b-92ee-b5a6ce622951}"
  • HKEY_CLASSES_ROOT\HP.1
    "default"="HP Class"
  • HKEY_CLASSES_ROOT\HP\CurVer
    "default"="HP.1"
  • HKEY_CLASSES_ROOT\HP\CLSID
    "default"="{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA}"
  • HKEY_CLASSES_ROOT\HP
    ""="HP Class"
  • HKEY_CLASSES_ROOT\CLSID\{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA}\VersionIndependentProgID
    "" = "VMHomepage"
  • HKEY_CLASSES_ROOT\CLSID\{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA}\TypeLib
    "" = "{f8e5c210-f232-427b-92ee-b5a6ce622951}"
  • HKEY_CLASSES_ROOT\CLSID\{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA}\Programmable
  • HKEY_CLASSES_ROOT\CLSID\{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA}\ProgID "" = "VMHomepage.1"
  • HKEY_CLASSES_ROOT\CLSID\{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA}\InprocServer32 "ThreadingModel" = "Apartment"
  • HKEY_CLASSES_ROOT\CLSID\{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA}\InprocServer32
    "(default)"="C:\WINDOWS\System32\hp8AF9.tmp"
  • HKEY_CLASSES_ROOT\CLSID\{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} "" = "HP Class"
  • HKEY_CLASSES_ROOT\CLSID\VMHomepage.1
  • HKEY_CLASSES_ROOT\CLSID\VMHomepage
    "CurVer" = "VMHomepage.1"
  • HKEY_CLASSES_ROOT\CLSID\VMHomepage
    "CLSID" = "{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA}"

The following registry keys are modified:

  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Local Page" = "http://www.oneclicksearches.com/"
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Search Page" = "http://www.oneclicksearches.com/search.php?qq=%1"
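The persistence and hijack entries listed on this page (the Run and Winlogon values and BHO registration of the January 2009 variant, and the Internet Explorer search keys and the hp????.tmp in-process server of the original variant) can be checked offline against a registry export. The Python script below is an added example written for this page; it is not McAfee's code and not part of the advisory. It parses the string values of a .reg export and flags the patterns described above: autorun values whose name differs from the executable they launch, bare filenames resolved through the search path, look-alike names one character away from a system binary, a non-empty Winlogon "System" value, every registered BHO with the DLL it loads, in-process servers that point at a .tmp file, and IE start/search URLs outside an allowlist. The REG_EXPORT text is constructed from the entries on this page plus two benign values (ctfmon.exe and an msn.com Start Page) as negatives; KNOWN_SYSTEM_EXES, IE_OK_DOMAINS and the assumed clean-install Winlogon defaults are assumptions.

```python
"""Offline check of a Windows .reg export for the persistence and browser
hijack patterns attributed to Puper on this page.

Added example, not McAfee code or part of the advisory. REG_EXPORT is
constructed from the page's entries plus two benign values as negatives;
KNOWN_SYSTEM_EXES, IE_OK_DOMAINS and the Winlogon defaults are assumptions
for a default Windows XP install.
"""
import ntpath
import re
from urllib.parse import urlparse

REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"svchost.exe"="C:\\WINDOWS\\system32\\svcnost.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"System"="C:\\WINDOWS\\system32\\svcnost.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"msiexec.exe"="msiconf.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E763654E-3985-3132-A28B-33971B438845}]

[HKEY_CLASSES_ROOT\CLSID\{E763654E-3985-3132-A28B-33971B438845}\InprocServer32]
@="C:\\WINDOWS\\system32\\qmf31926.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA}]

[HKEY_CLASSES_ROOT\CLSID\{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA}\InprocServer32]
@="C:\\WINDOWS\\System32\\hp8AF9.tmp"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.msn.com/"
"Search Page"="http://www.oneclicksearches.com/search.php?qq=%1"
'''

AUTORUN_SUFFIXES = (r"\microsoft\windows\currentversion\run",
                    r"\microsoft\windows\currentversion\runonce",
                    r"\microsoft\windows\currentversion\policies\explorer\run")
WINLOGON_SUFFIX = r"\microsoft\windows nt\currentversion\winlogon"
IE_SUFFIXES = (r"\internet explorer\main", r"\internet explorer\search",
               r"\internet explorer\searchurl")
IE_OK_DOMAINS = ("microsoft.com", "msn.com", "live.com")        # assumption
KNOWN_SYSTEM_EXES = {"svchost.exe", "msiexec.exe", "lsass.exe", "csrss.exe",
                     "winlogon.exe", "explorer.exe"}             # assumption
BHO_RE = re.compile(r"\\browser helper objects\\(\{[0-9a-f-]{36}\})$")


def parse_reg(text):
    """Return {key: {value_name: data}} for the REG_SZ values of a .reg
    export. '@' is the key's default value; dword:/hex: values are skipped."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            if not (data.startswith('"') and data.endswith('"')):
                continue
            name = "@" if name == "@" else name.strip('"')
            keys[current][name] = re.sub(r"\\(.)", r"\1", data[1:-1])  # undo \\ and \"
    return keys


def image_of(command):
    """First token of a Run-style command line, surrounding quotes removed."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    return command.split()[0] if command else ""


def one_char_off(a, b):
    """True when a and b have equal length and differ in exactly one
    position (svcnost.exe vs. svchost.exe)."""
    return len(a) == len(b) and sum(x != y for x, y in zip(a, b)) == 1


def scan(keys):
    """Return a list of (category, detail) findings."""
    findings = []
    lower = {k.lower(): v for k, v in keys.items()}
    for key, values in lower.items():
        if key.endswith(AUTORUN_SUFFIXES):
            for name, data in values.items():
                image = image_of(data)
                base = ntpath.basename(image).lower()
                where = f"{key}\\{name} -> {data}"
                if not ntpath.dirname(image):            # resolved via search path
                    findings.append(("autorun_bare_name", where))
                if name.lower().endswith(".exe") and name.lower() != base:
                    findings.append(("autorun_name_mismatch", where))
                if base not in KNOWN_SYSTEM_EXES and any(
                        one_char_off(base, s) for s in KNOWN_SYSTEM_EXES):
                    findings.append(("autorun_lookalike", where))
        elif key.endswith(WINLOGON_SUFFIX):
            if values.get("System"):                     # empty on a clean install
                findings.append(("winlogon_system", values["System"]))
            if values.get("Shell", "explorer.exe").lower() != "explorer.exe":
                findings.append(("winlogon_shell", values["Shell"]))
        elif key.endswith(IE_SUFFIXES):
            for name, data in values.items():
                host = urlparse(data).hostname or ""
                if host and not any(host == d or host.endswith("." + d)
                                    for d in IE_OK_DOMAINS):
                    findings.append(("ie_hijack", f"{name} -> {data}"))
        match = BHO_RE.search(key)
        if match:   # list every BHO and resolve the DLL it loads
            server = lower.get("hkey_classes_root\\clsid\\" + match.group(1)
                               + "\\inprocserver32", {})
            findings.append(("bho", match.group(1) + " loads "
                             + server.get("@", "<unregistered>")))
        if key.endswith(("\\inprocserver32", "\\win32")) \
                and values.get("@", "").lower().endswith(".tmp"):
            findings.append(("tmp_module", values["@"]))     # e.g. hp????.tmp
    return findings


def scan_export(text):
    return scan(parse_reg(text))


if __name__ == "__main__":
    for category, detail in scan_export(REG_EXPORT):
        print(f"{category:22s} {detail}")
```

On a suspect machine, export the relevant hives with reg export (or take a full export) and pass the file contents to scan_export. BHO entries are reported unconditionally because a legitimate BHO and Puper's look identical in the registry until the DLL itself is examined; the other categories are direct matches for the behaviour this page describes.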

Symptoms

Presence of the files and registry entries referenced above.

Additionally, the start page and search page may revert after being changed, and there may be performance degradation due to the continual relaunching of the trojan binaries.

Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc.

They may also be downloaded by other viruses and/or trojans already present on the user's system.

Many are also mass-spammed by the author to entice people into double-clicking on them.

Alternatively, they may be installed by visiting a malicious web page (either by clicking on a link, or by the website hosting a scripted exploit that installs the trojan onto the user's system with no user interaction).

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be removed when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

    N/A

All Information

Overview

-- January 28, 2009 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.theregister.co.uk/2009/01/27/myobama_malware_scam/
--

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.
