Puper.dldr

Type
Trojan
SubType
Downloader
Discovery Date
11/27/2007
Length
Minimum DAT
5172 (11/27/2007)
Updated DAT
5256 (03/20/2008)
Minimum Engine
5.1.00
Description Added
11/27/2007
Description Modified
12/07/2007 10:11 PM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Characteristics

-- Update December 7, 2007 --

The downloader component of Puper is presented to the user on visiting mainly porn sites (or any other malicious site crafted for this purpose), for example "us-private-[blocked].blogspot.com/2007/11/2-[blocked]-video.html". The visitor is tricked into downloading a "media codec" in order to play the video. An example filename is "videomp3_setup_3912998.exe", which is detected as Puper.dldr.

Upon execution this file downloads another 'VMware aware' Puper component into the %temp% directory and launches it. An example name for such a file is "inwm[1].exe". The user is presented with the following EULA. In the background the component drops a DLL file and registers it as a BHO that hijacks every attempt to open an Internet Explorer or Explorer window; even if the user clicks Cancel in the EULA below, the DLL is still loaded.

Once the DLL is in place, the following warning appears every time Internet Explorer or Explorer is launched.

A modified Google page is automatically opened with the search keyword "video". The web page returned by Google is modified to insert malicious links.

If the download option in figure 2 above is chosen, a rogue antispyware product called IEDefender is downloaded, as shown in the snapshot below.

Registry Changes

The dropped DLL %windir%\stream32a.dll creates the following registry entries upon registering:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\stream32a.dll\AppID: "{6430CCA7-032A-4EB0-BCFF-838998E73EF5}"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{6430CCA7-032A-4EB0-BCFF-838998E73EF5}\: "Video"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{6430CCA7-032A-4EB0-BCFF-838998E73EF5}\DllSurrogate: ""
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{6430CCA7-032A-4EB0-BCFF-838998E73EF5}\AccessPermission: [data
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6430CCA7-032A-4EB0-BCFF-838998E73EF5}\ProgID\: "stream32a.Video"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6430CCA7-032A-4EB0-BCFF-838998E73EF5}\InprocServer32\: "C:\WINDOWS\stream32a.dll"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{18D23D68-9E03-4FF0-8035-C6184C8784EF}\: "ISystemStream"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{60B18D81-366A-4156-83B9-CF310ED9A8B7}\1.0\0\win32\: "C:\WINDOWS\stream32a.dll"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{60B18D81-366A-4156-83B9-CF310ED9A8B7}\1.0\: "Video Media Codec"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\stream32a.Video\Clsid\: "{6430CCA7-032A-4EB0-BCFF-838998E73EF5}"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\stream32a.Video\: "Video"
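As an added example (not part of the AVERT description), the following script parses a `.reg` export of the Classes hive taken from a suspect machine and flags the entries matching the GUIDs and DLL name listed above; the `.reg` text embedded below is constructed for illustration, not a real capture.

```python
import re

# Indicators copied from the Puper.dldr description above: GUIDs and the dropped DLL.
PUPER_GUIDS = {"{6430CCA7-032A-4EB0-BCFF-838998E73EF5}": "CLSID/AppID",
               "{18D23D68-9E03-4FF0-8035-C6184C8784EF}": "Interface",
               "{60B18D81-366A-4156-83B9-CF310ED9A8B7}": "TypeLib"}
PUPER_DLL = "stream32a.dll"

# Constructed .reg export (not a real capture): two Puper keys plus one unrelated key.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6430CCA7-032A-4EB0-BCFF-838998E73EF5}\InprocServer32]
@="C:\\WINDOWS\\stream32a.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{60B18D81-366A-4156-83B9-CF310ED9A8B7}\1.0]
@="Video Media Codec"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000001}\InprocServer32]
@="C:\\WINDOWS\\system32\\benign.dll"
'''

def parse_reg_export(text):
    """Parse a .reg export into {key_path: {value_name: data}}; "@" is the default value."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):  # [key path] header
            current = line[1:-1]
            keys[current] = {}
            continue
        m = re.match(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$', line)  # "name"=data or @=data
        if m and current is not None:
            name = "@" if m.group(1) == "@" else m.group(1)[1:-1]
            data = m.group(2)
            if data.startswith('"') and data.endswith('"'):  # REG_SZ: unescape \" and \\
                data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            keys[current][name] = data
    return keys

def puper_findings(keys):
    """Return sorted (key_path, reason) pairs for entries matching Puper's indicators."""
    findings = []
    for path, values in keys.items():
        for guid, kind in PUPER_GUIDS.items():
            if guid in path.upper():
                findings.append((path, f"known Puper {kind} GUID"))
        if path.upper().endswith("INPROCSERVER32") and values.get("@", "").lower().endswith(PUPER_DLL):
            findings.append((path, f"InprocServer32 default value points at {PUPER_DLL}"))
    return sorted(findings)
```

Run `puper_findings(parse_reg_export(open("classes.reg").read()))` against a real export (`reg export HKLM\SOFTWARE\Classes classes.reg`, saved as UTF-8) to triage a machine offline.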

Symptoms

The aforementioned registry entries, files and behavior on the system.

Method of Infection

N/A. Downloaders are not viruses, and as such do not themselves contain any method to replicate. However they may themselves be downloaded by other viruses and/or Trojans to be installed on the user's system.

Many of these additionally are mass spammed by the author to entice people into double-clicking on them.

Alternatively they may be installed by visiting a malicious web page (either by clicking on a link, or by the website hosting a scripted exploit which installs the Downloader onto the user's system with no user interaction).

Some of the web pages observed to be hosting these malicious files are:

  • us-private-[blocked].blogspot.com
  • powermp[blocked].com

Removal

AVERT recommends always using the latest DATs and engine. This threat will be cleaned with that combination.

Additional Windows ME/XP removal considerations

Variants

    N/A

Overview

This Trojan lures the user into downloading a fake codec. The fake codec in turn drops a DLL file which is responsible for generating false warnings and tricks the user into eventually downloading the rogue antispyware product IEDefender.