
Puper.gen

Type: Trojan
SubType: Generic
Discovery Date: 06/20/2006
Length:
Minimum DAT: 4788 (06/20/2006)
Updated DAT: 5176 (12/03/2007)
Minimum Engine: 5.1.00
Description Added: 06/20/2006
Description Modified: 02/13/2007 6:12 AM (PT)

Risk Assessment

Corporate User: Low
Home User: Low


Characteristics

Installation:

File: isamntr.exe
Hash: 7a2042e082825bbf9f75a63dee54898b

File: pmsnrr.exe
Hash: 5bf7765a58536081dc082e20a9c5823c

Upon execution, the following changes occur on the user's system.

Files dropped:

Upon execution, isamntr.exe drops the files shown below in the current directory.

File: isamini.exe
Hash: 9a632c4f7659636d2cacb9b0d788a4a5

File: isadd.dll
Hash: 6e18205a0c65e8f91feaeac47643c90c

Upon execution, pmsnrr.exe drops the file shown below in the current folder.

File: pmmnt.exe
Hash: 7d590632506eda5d32c98fdcce3e9bb7

Run keys added:

The registry entries shown below are added so that the trojan is executed on each reboot.

  •  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run "rare" : C:\Documents and Settings\Administrator\Desktop\pmsnrr.exe
  •  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run "user32.dll" : C:\Documents and Settings\Administrator\Desktop\isamntr.exe

The isadd.dll file is installed as a Browser Helper Object (BHO).

Browser Helper Objects are DLLs that Internet Explorer loads when it is launched. They can perform various tasks, such as generating extra pop-up ads, monitoring page navigation, etc.

The trojan displays fake balloon messages.


If the user opens any web page, the trojan redirects the browser to protectionwarning.com, where a fake virus alert message is displayed.

If the user clicks the OK button, the browser is then redirected to malwarewiped.com.



For more information about MalwareWipe, see the Adware-Malwarewipe description.

Symptoms

Display of fake virus alert messages and the presence of the files and registry entries listed above confirm the infection.
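As an added detection example (not part of the AVERT description), the following Python checks a directory tree for files whose MD5 matches the hashes listed above and flags policies\explorer\run entries that either use the listed value names or launch an executable from a user profile, as both samples did. The user-profile heuristic and the stand-in file in demo() are assumptions made here; reading live registry values on Windows is left to the caller.

```python
import hashlib
import os
import tempfile

# MD5 hashes and file names quoted in the description above.
KNOWN_MD5 = {
    "7a2042e082825bbf9f75a63dee54898b": "isamntr.exe",
    "5bf7765a58536081dc082e20a9c5823c": "pmsnrr.exe",
    "9a632c4f7659636d2cacb9b0d788a4a5": "isamini.exe",
    "6e18205a0c65e8f91feaeac47643c90c": "isadd.dll",
    "7d590632506eda5d32c98fdcce3e9bb7": "pmmnt.exe",
}
KNOWN_RUN_VALUES = {"rare", "user32.dll"}  # value names listed above

def md5_of_file(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(65536), b""):
            h.update(block)
    return h.hexdigest()

def scan_tree(root, known=KNOWN_MD5):
    # Return [(path, indicator name)] for every file whose MD5 is in `known`.
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digest = md5_of_file(path)
            except OSError:  # unreadable or locked file: skip, keep scanning
                continue
            if digest in known:
                hits.append((path, known[digest]))
    return hits

def suspicious_run_entries(entries):
    # entries: (value_name, data) pairs read from the policies\explorer\run key.
    # Flags the listed value names and anything launched from a user profile.
    return [(n, d) for n, d in entries
            if n.lower() in KNOWN_RUN_VALUES
            or "\\documents and settings\\" in str(d).lower()]

def demo():
    # Offline self-check using a constructed stand-in file, not a real sample.
    root = tempfile.mkdtemp()
    payload = b"constructed stand-in for a dropped file"
    with open(os.path.join(root, "pmmnt.exe"), "wb") as f:
        f.write(payload)
    return scan_tree(root, {hashlib.md5(payload).hexdigest(): "pmmnt.exe"})
```

On Windows the (name, data) pairs can be collected with winreg.EnumValue over HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run and passed to suspicious_run_entries().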

Method of Infection

The trojan tries to connect to the websites listed below.

  • jklgate.com
  • bnmgate.com
  • protectionwarning.com
  • malwarewiped.com

The trojan may display fake alert messages that lead an unsuspecting user to download a potentially unwanted program such as Adware-Malwarewipe onto their system.

Removal

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.

Additional Windows ME/XP removal considerations

Variants

N/A

Overview

This trojan drops malicious files on the user's system and displays fake virus alert messages.

Aliases

  • Troj/Zlobmi-Gen (Sophos)
  • TROJ_ZLOB.BEU (Trend)
  • Trojan-Downloader.Win32.Zlob.bnw (Kaspersky)
  • Trojan.Zlob (Symantec)
