Puper

Type
Trojan
SubType
Win32
Discovery Date
05/11/2005
Length
varies
Minimum DAT
4489 (05/11/2005)
Updated DAT
5294 (05/13/2008)
Minimum Engine
5.1.00
Description Added
05/11/2005
Description Modified
12/28/2007 10:29 AM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Characteristics

-- Update December 28, 2007 --

A new variant of the Puper trojan has been observed as part of a threat that attempts to spread by claiming to offer a codec needed to view a video of the suicide attack that killed Pakistani Prime Minister Benazir Bhutto. For more information on this threat, please see the Avert Blog.


The Puper family of trojans is used to modify the Internet Explorer home page and search page, in addition to monitoring internet usage.

The Puper trojan monitors its own processes and continually re-executes them to ensure they stay in memory. Additionally, it launches every time explorer.exe is launched.

This trojan may drop hpxxxx.tmp, where xxxx is four random characters. This file is detected as puper.dll and is responsible for the start page and search page behavior.

The file hhk.dll is responsible for masking the presence of the registry keys created by the Puper trojan.

System Changes

Files Added

  • %SystemDir%\intmon.exe (2 KB)
  • %SystemDir%\hp8af9.tmp (51 KB)
  • %SystemDir%\hhk.dll (6 KB)
Please note that the hp8AF9.tmp filename is hp + four random characters + .tmp.

Registry

The following registry keys are created:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
    \policies\Explorer\run
    "notepad2"=%original file%
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
    \Explorer\Browser Helper Objects\{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
    \Explorer\Browser Helper Objecta\{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA}
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl
    "(default)"="http://www.oneclicksearches.com/search.php?qq=%1"
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl
    "provider"=""
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search "CustomizeSearch" = "http://www.oneclicksearches.com/search.php?qq=%1"
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search "SearchAssistant" = "http://www.oneclicksearches.com/search.php?qq=%1"
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Default_Search_URL" = "http://www.oneclicksearches.com/search.php?qq=%1"
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Use Search Asst" = "http://www.oneclicksearches.com/search.php?qq=%1"
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Search Bar" = "http://www.oneclicksearches.com/bar.html"
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Default_Page_URL" = "about:blank"
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Enable Browser Extensions"="Yes"
  • HKEY_CLASSES_ROOT\TypeLib\{1E1B286C-88FF-11D2-8D96-D7ACAC95951F}\1.0\HELPDIR "" =" C:\WINDOWS\System32\"
  • HKEY_CLASSES_ROOT\TypeLib\{1E1B286C-88FF-11D2-8D96-D7ACAC95951F}\1.0\FLAGS "" = "0"
  • HKEY_CLASSES_ROOT\TypeLib\{1E1B286C-88FF-11D2-8D96-D7ACAC95951F}\1.0\0\win32 "" = "C:\WINDOWS\System32\hp8AF9.tmp"
  • HKEY_CLASSES_ROOT\TypeLib\{1E1B286C-88FF-11D2-8D96-D7ACAC95951F}\1.0 "" = "VM HomePage Type Library"
  • HKEY_CLASSES_ROOT\TypeLib\{1E1B286C-88FF-11D2-8D96-D7ACAC95951F}
  • HKEY_CLASSES_ROOT\Interface\{1E1B2878-88FF-11D2-8D96-D7ACAC95951F}\TypeLib "Version" = "1.0"
  • HKEY_CLASSES_ROOT\Interface\{1E1B2878-88FF-11D2-8D96-D7ACAC95951F}\TypeLib "(default)" = "{1E1B286C-88FF-11D2-8D96-D7ACAC95951F}"
  • HKEY_CLASSES_ROOT\Interface\{1E1B2878-88FF-11D2-8D96-D7ACAC95951F}\ProxyStubClsid32 "" = "{00020424-0000-0000-C000-000000000046}"
  • HKEY_CLASSES_ROOT\Interface\{1E1B2878-88FF-11D2-8D96-D7ACAC95951F}\ProxyStubClsid "" = "{00020424-0000-0000-C000-000000000046}"
  • HKEY_CLASSES_ROOT\Interface\{1E1B2878-88FF-11D2-8D96-D7ACAC95951F} "" = "IHomePage"
  • HKEY_CLASSES_ROOT\HP.1\CLSID
    "default"="{f8e5c210-f232-427b-92ee-b5a6ce622951}"
  • HKEY_CLASSES_ROOT\HP.1
    "default"="HP Class"
  • HKEY_CLASSES_ROOT\HP\CurVer
    "default"="HP.1"
  • HKEY_CLASSES_ROOT\HP\CLSID
    "default"="{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA}"
  • HKEY_CLASSES_ROOT\HP
    ""="HP Class"
  • HKEY_CLASSES_ROOT\CLSID\{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA}\VersionIndependentProgID
    "" = "VMHomepage"
  • HKEY_CLASSES_ROOT\CLSID\{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA}\TypeLib
    "" = "{f8e5c210-f232-427b-92ee-b5a6ce622951}"
  • HKEY_CLASSES_ROOT\CLSID\{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA}\Programmable
  • HKEY_CLASSES_ROOT\CLSID\{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA}\ProgID "" = "VMHomepage.1"
  • HKEY_CLASSES_ROOT\CLSID\{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA}\InprocServer32 "ThreadingModel" = "Apartment"
  • HKEY_CLASSES_ROOT\CLSID\{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA}\InprocServer32
    "(default)"="C:\WINDOWS\System32\hp8AF9.tmp"
  • HKEY_CLASSES_ROOT\CLSID\{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} "" = "HP Class"
  • HKEY_CLASSES_ROOT\CLSID\VMHomepage.1
  • HKEY_CLASSES_ROOT\CLSID\VMHomepage
    "CurVer" = "VMHomepage.1"
  • HKEY_CLASSES_ROOT\CLSID\VMHomepage
    "CLSID" = "{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA}"

The following registry keys are modified:

  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Local Page" = "http://www.oneclicksearches.com/"
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Search Page" = "http://www.oneclicksearches.com/search.php?qq=%1"
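The policies\Explorer\run autostart entry, the BHO registration under the {FFFFFFFF-...-FFFFFFFFFFFA} CLSID, the oneclicksearches.com search values and the hp????.tmp COM server listed above form a compact detection signature. The Python script below is an added example, not part of the original threat description: it parses a constructed .reg export fragment (not a real capture) and flags each of those artifacts, assuming the indicators exactly as listed on this page and working from exported text rather than the live registry.

```python
import re

# Constructed sample (not a real capture): a fragment of a Windows .reg export
# from a host showing the Puper artifacts listed in the description above.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run]
"notepad2"="C:\\WINDOWS\\System32\\intmon.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Search Page"="http://www.oneclicksearches.com/search.php?qq=%1"
"Start Page"="http://www.example.com/"
[HKEY_CLASSES_ROOT\CLSID\{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA}\InprocServer32]
@="C:\\WINDOWS\\System32\\hp8AF9.tmp"
"""

PUPER_CLSID = "{ffffffff-ffff-ffff-ffff-fffffffffffa}"   # BHO/COM class id from the description
HIJACK_DOMAIN = "oneclicksearches.com"                    # search/home page redirect target
POLICY_RUN_SUFFIX = r"\currentversion\policies\explorer\run"
TMP_DLL_RE = re.compile(r"\\hp[0-9a-f]{4}\.tmp$", re.IGNORECASE)  # hp + 4 random chars + .tmp

def parse_reg(text):
    """Parse a .reg export into {key: {value_name: data}}; '@' is the default value."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            # .reg exports double every backslash in string data; collapse them
            keys[current][name.strip('"')] = data.strip('"').replace("\\\\", "\\")
    return keys

def puper_findings(text):
    """Return (indicator, key, detail) tuples for each Puper artifact present."""
    findings = []
    for key, values in parse_reg(text).items():
        lkey = key.lower()
        if lkey.endswith(POLICY_RUN_SUFFIX):  # runs with every explorer.exe start
            for name, data in values.items():
                findings.append(("policy-run autostart", key, f"{name}={data}"))
        if "browser helper objects\\" in lkey and PUPER_CLSID in lkey:
            findings.append(("puper BHO registered", key, ""))
        if "\\internet explorer\\" in lkey:
            for name, data in values.items():
                if HIJACK_DOMAIN in data.lower():
                    findings.append(("IE search/home hijack", key, f"{name}={data}"))
        if lkey.endswith("\\inprocserver32") and TMP_DLL_RE.search(values.get("@", "")):
            findings.append(("hp????.tmp COM server", key, values["@"]))
    return findings
```

Running `puper_findings(SAMPLE_REG)` on the sample returns four findings, one per artifact class; a clean export returns an empty list.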

Symptoms

Presence of the files and registry entries referenced above.

Additionally, the start page and search page may be reset when changed, and there may be performance degradation due to the continual launching of the trojan binaries.

Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc.

However, they may themselves be downloaded by other viruses and/or trojans and installed on the user's system.

Many of these are additionally mass-spammed by the author to entice people into double-clicking on them.

Alternatively, they may be installed by visiting a malicious web page (either by clicking on a link, or by the website hosting a scripted exploit which installs the trojan onto the user's system with no user interaction).

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

    N/A

All Information

Overview -

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.