Content
Puper.dr
- Type
- Trojan
- SubType
- Dropper
- Discovery Date
- 04/25/2006
- Length
- Varies
- Minimum DAT
- 4748 (04/25/2006)
- Updated DAT
- 5364 (08/19/2008)
- Minimum Engine
- 5.1.00
- Description Added
- 04/25/2006
- Description Modified
- 12/03/2007 7:48 AM (PT)
Risk Assessment
- Corporate User
- Low-Profiled
- Home User
- Low-Profiled
Tab Navigation
Characteristics
-- Update December 3, 2007 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.theregister.co.uk/2007/12/01/government_sites_serve_malware/
--
Upon execution, the trojan drops the following file.
- %UserProfile%\Local Settings\Temp\ttvbondon.exe (Puper.dr trojan, detected with DAT 5176)
Then the trojan launch the installer.
When users click "I Agree" button, the trojan downloads the fake codec file from the following remote site.
http://videosoftonline.com/[removed]/VideoAccessCoder.ocx
The download file is saved to the following location.
c:\Program Files\RichVideoCodec\RichVideoCodec.ocx
The file "ttvbondon.exe" attempts to download the following files from the remote site 77.91.228[removed].
- %Windir%\jetctrl.dll (Puper trojan, detected with DAT 5176)
- %Windir%\kopmet.dll (Puper trojan, detected with DAT 5176)
- %Windir%\nretcip.exe (Puper trojan, detected with DAT 5176)
- %Windir%\vipextoxn.dll (Puper trojan, detected with DAT 5176)
- %Windir%\voipwet.dll (Puper trojan, detected with DAT 5176)
Symptoms
- Exsitence of mentioned files
Method of Infection
Trojans do not self-replicate. They often arrive as a desirable or intriguing file and conceal their true nature. Common ways to receive a trojan are through newsgroup postings, IRC, peer-to-peer networks, spam, etc.
Removal
All Users:
Use current engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).
Variants
Variants
N/A
All Information
Overview -
The trojan is designed to download Puper trojan from the remote site.
Aliases
- Troj/Zlobar-Fam (Sophos)
- Trojan-Downloader.Win32.Zlob.evh (Kaspersky)
- TrojanDownloader:Win32/Zlob.AMM (Microsoft)
Characteristics
Characteristics -
-- Update December 3, 2007 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.theregister.co.uk/2007/12/01/government_sites_serve_malware/
--
Upon execution, the trojan drops the following file.
- %UserProfile%\Local Settings\Temp\ttvbondon.exe (Puper.dr trojan, detected with DAT 5176)
Then the trojan launch the installer.
When users click "I Agree" button, the trojan downloads the fake codec file from the following remote site.
http://videosoftonline.com/[removed]/VideoAccessCoder.ocx
The download file is saved to the following location.
c:\Program Files\RichVideoCodec\RichVideoCodec.ocx
The file "ttvbondon.exe" attempts to download the following files from the remote site 77.91.228[removed].
- %Windir%\jetctrl.dll (Puper trojan, detected with DAT 5176)
- %Windir%\kopmet.dll (Puper trojan, detected with DAT 5176)
- %Windir%\nretcip.exe (Puper trojan, detected with DAT 5176)
- %Windir%\vipextoxn.dll (Puper trojan, detected with DAT 5176)
- %Windir%\voipwet.dll (Puper trojan, detected with DAT 5176)
Symptoms
Symptoms -
- Exsitence of mentioned files
Method of Infection
Method of Infection -
Trojans do not self-replicate. They often arrive as a desirable or intriguing file and conceal their true nature. Common ways to receive a trojan are through newsgroup postings, IRC, peer-to-peer networks, spam, etc.
Removal -
Removal -
All Users:
Use current engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).
Additional Windows ME/XP removal considerations
Variants
Variants -
N/A
