Content
PopBlok
- Type
- Program
- SubType
- -
- Discovery Date
- 08/09/2007
- Length
- Minimum DAT
- 5095 (08/10/2007)
- Updated DAT
- 5095 (08/10/2007)
- Minimum Engine
- 5.1.00
- Description Added
- 08/09/2007
- Description Modified
- 08/09/2007 5:11 AM (PT)
Tab Navigation
Characteristics
McAfee(R) AVERT™ recognizes that this program may have legitimate uses in contexts where an authorized administrator has knowingly installed this application. If you agreed to a license agreement for this, or another bundled application, you may have legal obligations with regard to removing this software, or using the host application without this software. Please contact the software vendor for further information.
See http://vil.nai.com/vil/DATReadme.asp for a list of Program detections added to the DATs.
See http://vil.nai.com/vil/pups/configuration.htm for information about how to enable, disable, and exclude detection of legitimately installed programs.
PUP detection was added to cover for an arguable 32 bit PE file originally called "2.exe", having a filesize of 549.146 bytes.
The file is using an auto-it install package with the internal file being compressed with the upx packer.
Upon running, a Chinese language small gui appears that appears to generate software keys.
This is just an eye-catching distractor.
In the meantime another file was hiddenly placed on the system called "WMVPLOC.dll", having a filesize of 208.384 bytes.
The file is internally compressed with the pecompact2 packer.
The file wmvploc.dll is most likely a modified version of the IPopBlocker application.
It makes registry keys such as
- HKEY_CLASSES_ROOT\SVRHOST.PopBlocker
- HKEY_CLASSES_ROOT\TypeLib\{86A0CBDE-F9A4-490F-971F-58A21912BEB8}\1.0\0\win32 "(Default)"
with Data: C:\WINNT\wmvploc.dll
Symptoms
Method of Infection
Variants
Variants
N/A
All Information
Overview -
Characteristics
Characteristics -
McAfee(R) AVERT™ recognizes that this program may have legitimate uses in contexts where an authorized administrator has knowingly installed this application. If you agreed to a license agreement for this, or another bundled application, you may have legal obligations with regard to removing this software, or using the host application without this software. Please contact the software vendor for further information.
See http://vil.nai.com/vil/DATReadme.asp for a list of Program detections added to the DATs.
See http://vil.nai.com/vil/pups/configuration.htm for information about how to enable, disable, and exclude detection of legitimately installed programs.
PUP detection was added to cover for an arguable 32 bit PE file originally called "2.exe", having a filesize of 549.146 bytes.
The file is using an auto-it install package with the internal file being compressed with the upx packer.
Upon running, a Chinese language small gui appears that appears to generate software keys.
This is just an eye-catching distractor.
In the meantime another file was hiddenly placed on the system called "WMVPLOC.dll", having a filesize of 208.384 bytes.
The file is internally compressed with the pecompact2 packer.
The file wmvploc.dll is most likely a modified version of the IPopBlocker application.
It makes registry keys such as
- HKEY_CLASSES_ROOT\SVRHOST.PopBlocker
- HKEY_CLASSES_ROOT\TypeLib\{86A0CBDE-F9A4-490F-971F-58A21912BEB8}\1.0\0\win32 "(Default)"
with Data: C:\WINNT\wmvploc.dll
Symptoms
Symptoms -
Method of Infection
Method of Infection -
Removal -
Removal -
Instructions on Enabling/Disabling Detection and Removal of Potentially Unwanted Programs
Variants
Variants -
N/A
