Generic PUP.x

Type: Program
SubType: P2P Worm
Discovery Date: 03/19/2007
Length:
Minimum DAT: 4987 (03/19/2007)
Updated DAT: 6545 (11/29/2011)
Minimum Engine: 5.3.00
Description Added: 03/19/2007
Description Modified: 11/11/2010 6:45 AM (PT)
Risk Assessment
Corporate User: N/A
Home User: N/A

Characteristics

McAfee® Avert® Labs recognizes that this program may have legitimate uses in contexts where an authorized administrator has knowingly installed this application. If you agreed to a license agreement for this or another bundled application, you may have legal obligations with regard to removing this software, or to using the host application without this software. Please contact the software vendor for further information.

See http://vil.nai.com/vil/DATReadme.aspx for a list of program detections added to the DATs.

See http://vil.nai.com/vil/pups/configuration.aspx for information about how to enable, disable, and exclude the detection of legitimately installed programs.

--- November 11, 2010 ---

This is a worm, which may propagate via removable drives, network shares, or P2P networks.

File Information

  • MD5: 763EEB40832E2DD5ABD6C59E5DA0B7AF
  • SHA: 60EA85D7AA3CB24D833314B4E6D177A2C37C9F0D

Aliases

  • Kaspersky: Trojan.Win32.Nosok.bc
  • Microsoft: Trojan:Win32/Otran
  • Comodo: TrojWare.Win32.Trojan.Generic.9772890

Characteristics –

Upon execution the Worm copies itself into the following locations:

  • %Userprofile%\Start Menu\Programs\Startup\userinit.exe
  • %Userprofile%\svchost.exe
  • %WINDIR%\system32\drivers\services.exe
  • %SYSTEMDRIVE%\autorun.exe
  • [Removable Drive]:\autorun.exe

and drops the following files:

  • %SYSTEMDRIVE%\autorun.inf
  • [Removable Drive]:\autorun.inf
  • %Userprofile%\Local Settings\Temporary Internet Files\Content.IE5\8WEL7ODI\manda[1].htm
  • %Userprofile%\Local Settings\Temporary Internet Files\Content.IE5\8WEL7ODI\satellife[1].htm

The file "autorun.inf" points to the malware executable. When the removable or networked drive is accessed from a machine with the Autorun feature enabled, the malware is launched automatically.

The following registry entries have been added to the system:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\]
    [system]="%WINDIR%\system32\drivers\services.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\]
    Winlogon="%Userprofile%\svchost.exe"
  • [HKEY_USERS\S-1-5-(Varies)\Software\Microsoft\Windows\CurrentVersion\Run\]
    [system]="%WINDIR%\system32\drivers\services.exe"
  • [HKEY_USERS\S-1-5-(Varies)\Software\Microsoft\Windows\CurrentVersion\Run\]
    Winlogon="%Userprofile%\svchost.exe"

The following registry values have been modified:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\]
    Userinit= "%WINDIR%\system32\userinit.exe,%WINDIR%\system32\drivers\services.exe"
  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Schedule\]
    ImagePath="%WINDIR%\system32\drivers\services.exe"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule\]
    ImagePath="%WINDIR%\system32\drivers\services.exe"

The above mentioned registry entries ensure that the worm executes on Windows startup.

  • [HKEY_USERS\S-1-5-(Varies)\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\]
    Hidden="0x00000002"

The above registry value configures Explorer not to show hidden files, which conceals the malware binary from the compromised user.

When executed the malware binary connects to the following site:

  • sate[removed].info using remote port 80

The following mutex objects are created to ensure that only one instance of the worm runs at a time:

  • my_sh_mutex
  • 3dx254

The worm may also copy itself using any one of the following names:

  • Windows 2003 Advanced Server KeyGen.exe
  • UT 2003 KeyGen.exe
  • Half-Life 2 Downloader.exe
  • Password Cracker.exe
  • FTP Cracker.exe
  • Brutus FTP Cracker.exe
  • Hotmail Hacker.exe
  • Hotmail Cracker.exe
  • Norton Anti-Virus 2005 Enterprise Crack.exe
  • DCOM Exploit.exe
  • NetBIOS Hacker.exe
  • NetBIOS Cracker.exe
  • Windows Password Cracker.exe
  • L0pht 4.0 Windows Password Cracker.exe
  • sdbot with NetBIOS Spread.exe
  • Sub7 2.3 Private.exe
  • Microsoft Visual C++ KeyGen.exe
  • Microsoft Visual Basic KeyGen.exe
  • Microsoft Visual Studio KeyGen.exe
  • MSN Password Cracker.exe
  • AOL Instant Messenger (AIM) Hacker.exe
  • ICQ Hacker.exe
  • AOL Password Cracker.exe
  • Keylogger.exe
  • Website Hacker.exe
  • IP Nuker.exe
  • Counter-Strike KeyGen.exe
  • DivX 5.0 Pro KeyGen.exe
  • svchost.exe
  • services.exe
  • userinit.exe

The worm is also capable of spreading via known P2P applications such as:

  • eMule
  • Altnet
  • Warez
  • FlylinkDC++
  • DCPlusPlus
  • ApexDC++

(where %WinDir% is the default Windows directory, for example C:\WINNT or C:\WINDOWS; %Userprofile% is C:\Documents and Settings\[UserName]; and %SystemDrive% is the drive where Windows is installed, C: on most computers)

Symptoms

  • Presence of the above mentioned files and registry keys
  • Presence of an unexpected network connection to the above mentioned IP address.
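As an added example (not part of the McAfee description), the following read-only PowerShell triage script checks a host for the file, Run-key, Userinit and Schedule-service indicators listed above; it assumes the default path variables given on this page and must be run elevated so that HKLM and other users' HKU hives are readable.

```powershell
# Added triage script (not McAfee's code): read-only checks for the
# Generic PUP.x indicators documented above. Run elevated; nothing is removed.
$hits = @()

# 1. Dropped copies and the autorun.inf at the documented locations.
$paths = @(
    "$env:USERPROFILE\Start Menu\Programs\Startup\userinit.exe",
    "$env:USERPROFILE\svchost.exe",
    "$env:WINDIR\system32\drivers\services.exe",
    "$env:SystemDrive\autorun.exe",
    "$env:SystemDrive\autorun.inf"
)
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) { $hits += "file present: $p" }
}

# 2. Run-key values "system" and "Winlogon" in HKLM and every loaded HKU hive.
$runKeys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run')
$runKeys += Get-ChildItem 'Registry::HKEY_USERS' |
    ForEach-Object { "Registry::$($_.Name)\Software\Microsoft\Windows\CurrentVersion\Run" }
foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $props = Get-ItemProperty -LiteralPath $key
    foreach ($name in 'system', 'Winlogon') {
        $value = $props.$name
        # The genuine services.exe/svchost.exe live in system32 and are never
        # started from a Run key, so any Run value naming them is anomalous.
        if ($value -and $value -match 'drivers\\services\.exe|\\svchost\.exe') {
            $hits += "run value: $key\$name = $value"
        }
    }
}

# 3. Winlogon\Userinit: the stock value is "<system32>\userinit.exe," (one
#    entry with a trailing comma). Any second entry is a logon hook.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$userinit = (Get-ItemProperty -LiteralPath $winlogon).Userinit
$entries = @($userinit -split ',' | Where-Object { $_.Trim() -ne '' })
if ($entries.Count -gt 1) { $hits += "Userinit has extra entries: $userinit" }

# 4. Schedule service ImagePath redirected to the dropped services.exe.
$sched = 'HKLM:\SYSTEM\CurrentControlSet\Services\Schedule'
$image = (Get-ItemProperty -LiteralPath $sched -ErrorAction SilentlyContinue).ImagePath
if ($image -and $image -match 'drivers\\services\.exe') {
    $hits += "Schedule ImagePath: $image"
}

if ($hits) { $hits | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'No Generic PUP.x indicators found.' }
```

The Explorer Hidden=2 value is deliberately not checked, since it is also the Windows default and would produce a hit on every clean machine.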

-----------------------------------

File Information:

    • File Size: 33462 bytes
    • MD5: 36F979ED1FC6C0DA719EE74C7F8F69A7
    • SHA: 83FACF58C9D02B564814D0E5A3A06707745BF234

Aliases:

    • NOD32: Win32/Adware.Cinmus
    • Sunbelt: AdWare.Win32.Cinmus.gen
    • VBA32: Win32.Adware.Cinmus

This software is not a virus or a Trojan. It is detected as a "potentially unwanted program" (PUP). PUPs are any piece of software that a reasonably security- or privacy-minded computer user may want to be informed of and, in some cases, remove. PUPs are often made by a legitimate corporate entity for some beneficial purpose, but they alter the security state of the computer on which they are installed, or the privacy posture of the user of the system, such that most users will want to be aware of them.

This malware binary is dropped by its source file, which is detected as Generic PUP.z!f.

The following file has been added to the compromised system:

    • %Temp%\~nsu.tmp\Au_.exe

These are the defaults for typical path variables (they may differ, but these are common examples):

    • %WinDir% = \WINDOWS (Windows 9x/ME/XP/Vista), \WINNT (Windows NT/2000)
    • %SysDir% = \WINDOWS\SYSTEM (Windows 98/ME), \WINDOWS\SYSTEM32 (Windows XP/Vista), \WINNT\SYSTEM32 (Windows NT/2000)
    • %ProgramFiles% = C:\Program Files\
    • %Temp% = C:\Documents and Settings\Administrator\Local Settings\Temp\

Symptoms:

    • Presence of the above mentioned file.

Variants

    N/A
