Content

Generic PUP.x!03FD5EEF

Type
Program
SubType
-
Discovery Date
10/07/2008
Minimum DAT
5400 (10/07/2008)
Updated DAT
5400 (10/07/2008)
Minimum Engine
5.3.00
Description Added
10/07/2008
Description Modified
10/07/2008 2:31 PM (PT)

Tab Navigation

Characteristics

This software is not a virus or a Trojan. It is detected as a "potentially unwanted program" (PUP). PUPs are any piece of software that a reasonably security- or privacy-minded computer user may want to be informed of and, in some cases, remove. PUPs are often made by a legitimate corporate entity for some beneficial purpose, but they alter the security state of the computer on which they are installed, or the privacy posture of the user of the system, such that most users will want to be aware of them.

File PropertyProperty Value
FileNamew3age!~1.exe
McAfee DetectionGeneric PUP.x
Length71,680 bytes
CRC03FD5EEF
MD548A50AF668BBB2EFD43B778D508FB388
SHA120C39DC42E062DCE3CA1303864EC68A01390CF99

Other Common Detection Aliases

Company NameDetection Name
ahnlabWin-Trojan/Agent.71680.BI
avastWin32:Spyware-gen [Trj]
AVG (GriSoft)Worm/Delf.IBB
AviraTR/Crypt.CFI.Gen
BitDefenderTrojan.Dropper.SHM
EsetWin32/AutoRun.XI
FortiNetPossibleThreat
KasperskyTrojan.Win32.Agent.abue
microsoftWorm:Win32/Slenfbot.ACD
normanW32/Smalltroj.GANP
pandaTrj/Agent.JSE
SophosW32/HostInf-A
SymantecTrojan Horse
Trend MicroWORM_SPYBOT.MCS
vba32Trojan.Win32.Agent.abue
V-BusterTrojan.Agent.FAQC
Vet (Computer Associates)
Win32/Slenfbot!generic

Avert® Labs has observed the following system activities:

ActivityRisk Level
Modifies memory of other processes
Critical
Modifies the operating system security policy
Critical
Enumerates running processes
Medium
Writes executable in the windows folder
Low
Creates registry keys and data values to persist on OS reboot
Informational

Other detections that have been observed.

FileNameMcAfee Supported
%WINDIR%\system32\symboot.exe
Generic PUP.x

System Changes

These are general defaults for typical path variables. (Although they may differ, these examples are common.):
%WinDir% = \WINDOWS (Windows 9x/ME/XP/Vista), \WINNT (Windows NT/2000)
%SystemDir% = \WINDOWS\SYSTEM (Windows 98/ME), \WINDOWS\SYSTEM32 (Windows XP/Vista), \WINNT\SYSTEM32 (Windows NT/2000)
%ProgramFiles% = \Program Files

The following files have been added to the system:

  • %WINDIR%\system32\symboot.exe

    • The following registry elements have been created:

  • hkey_local_machine\software\policies\microsoft\windows nt\systemrestore\
    • disableconfig = 1
  • hkey_users\s-1-5-21-1202660629-602609370-839522115-500\software\microsoft\windows\currentversion\policies\system\
    • disableregistrytools = 1
    • disabletaskmgr = 1

    • The following registry elements have been changed:

  • hkey_local_machine\software\microsoft\windows nt\currentversion\systemrestore\
    • disablesr = 1
  • hkey_local_machine\software\microsoft\windows\currentversion\policies\explorer\
    • noclose = 1
  • hkey_local_machine\software\microsoft\windows\currentversion\run\
    • symantec bootsec monitor = symboot.exe
  • hkey_local_machine\system\currentcontrolset\control\session manager\
    • pendingfilerenameoperations = \??\c:\docume~1\admini~1\locals~1\temp
      \w3age!~1.exe

    • The application created the following network connection(s):

  • 172.16.199.200:9103 (irc)
    • PASS su1c1d3 NICK \00\USA\chmhmwf502
    • PASS su1c1d3 NICK \00\USA\chmhmwf502 USER XP-SP0 x x :VMG-CLIENT

    • Removal

    AVERT recommends to always use latest DATs and engine. This threat will be cleaned if you have this combination.

    Additional Windows ME/XP removal considerations

    Aliases

    Aliases

      N/A