
Generic PUP.z!f

Type: Program
SubType:
Discovery Date: 05/03/2009
Length:
Minimum DAT: 5604 (05/03/2009)
Updated DAT: 6409 (07/16/2011)
Minimum Engine: 5.2.00
Description Added: 05/03/2009
Description Modified: 11/23/2009 5:47 PM (PT)

Risk Assessment
  Corporate User: N/A
  Home User: N/A


Characteristics

This is a detection for a potentially unwanted program (PUP): an adware component that installs itself as an Internet Explorer Browser Helper Object (BHO). Like a trojan, it does not self-replicate. It is spread manually, often bundled with or presented as software the user wants. The most common installation methods are exploitation of a system or browser vulnerability and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or compromised web pages, Internet Relay Chat (IRC), and peer-to-peer networks.

File Information:

  • MD5: D70F0E863A80A28146BC2270B6A0F821
  • SHA-1: ED6DD3E091B3E1E9F869F7C45CE37804D7C1CD26
  • File Size: 125737 bytes

Aliases:

  • Kaspersky - not-a-virus:AdWare.Win32.BHO.fuw
  • F-Secure - AdWare.Win32.BHO.gea
  • Sunbelt - AdWare.Win32.BHO.gea

On execution the installer creates the following COM class registration keys, each with an InprocServer32 subkey:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11F09AFD-75AD-4E51-AB43-E09E9351CE16}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11F09AFD-75AD-4E51-AB43-E09E9351CE16}\InprocServer32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{34A12A06-48C0-420D-8F11-73552EE9631A}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{34A12A06-48C0-420D-8F11-73552EE9631A}\InprocServer32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CDE9EB54-A08E-4570-B748-13F5DDB5781C}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CDE9EB54-A08E-4570-B748-13F5DDB5781C}\InprocServer32

These keys register three COM classes whose in-process server is cpush.dll. By themselves they do not execute anything at boot: a CLSID registration only tells COM which DLL to load when a client instantiates that class. The DLL is actually loaded when Internet Explorer instantiates the class that is additionally registered as a Browser Helper Object (next entry).

The installer also adds the following key, which registers the first CLSID as an Internet Explorer Browser Helper Object (BHO):

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11F09AFD-75AD-4E51-AB43-E09E9351CE16}

Internet Explorer loads every CLSID listed under Browser Helper Objects into its own process at startup, so this entry is what causes cpush.dll to run each time the browser is opened, inside the browser with the user's privileges and with access to every page the user visits.

On execution the following registry values are set (the default value of a key is shown as (Default)):

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11F09AFD-75AD-4E51-AB43-E09E9351CE16}]
    "AppID" = ""
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11F09AFD-75AD-4E51-AB43-E09E9351CE16}\InprocServer32]
    (Default) = "C:\Program Files\Common Files\PushWare\cpush.dll"
    "ThreadingModel" = "apartment"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{34A12A06-48C0-420D-8F11-73552EE9631A}]
    (Default) = "CToolbarDetector Object"
    "AppID" = ""
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{34A12A06-48C0-420D-8F11-73552EE9631A}\InprocServer32]
    (Default) = "C:\Program Files\Common Files\PushWare\cpush.dll"
    "ThreadingModel" = "apartment"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CDE9EB54-A08E-4570-B748-13F5DDB5781C}]
    "AppID" = ""
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CDE9EB54-A08E-4570-B748-13F5DDB5781C}\InprocServer32]
    (Default) = "C:\Program Files\Common Files\PushWare\cpush.dll"
    "ThreadingModel" = "apartment"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{DE2267BD-B163-407F-9E8D-6ADEC771E7AB}\1.0\0\win32]
    (Default) = "C:\Program Files\Common Files\PushWare\cpush.dll"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{DE2267BD-B163-407F-9E8D-6ADEC771E7AB}\1.0\HELPDIR]
    (Default) = "C:\Program Files\Common Files\PushWare\"

Together these values register three COM classes (one of them named "CToolbarDetector Object") and one type library, all served by cpush.dll. Removing only the Browser Helper Objects entry leaves these class registrations in place, so cleanup has to cover all of them.

The BHO registration and an Add or Remove Programs entry carry the following user-facing names:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11F09AFD-75AD-4E51-AB43-E09E9351CE16}
    (Default) = "AdPopup"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ContentMatch
    "DisplayName" = "PopUp Ads"
    "UninstallString" = "C:\Program Files\Common Files\PushWare\Uninst.exe"

The Uninstall\ContentMatch key makes the adware appear as "PopUp Ads" in Add or Remove Programs, with Uninst.exe registered as its uninstaller.

The following files are added to the compromised system:

  • %ProgramFiles%\Common Files\PushWare\cpush.dll [Detected as AdClicker-BJ]
  • %ProgramFiles%\Common Files\PushWare\Uninst.exe [Detected as potentially unwanted program Generic PUP]

These are the defaults for typical path variables (they may differ, but these are common examples):

  • %WinDir% = \WINDOWS (Windows 9x/ME/XP/Vista), \WINNT (Windows NT/2000)
  • %SysDir% = \WINDOWS\SYSTEM (Windows 98/ME), \WINDOWS\SYSTEM32 (Windows XP/Vista), \WINNT\SYSTEM32 (Windows NT/2000)
  • %ProgramFiles% = C:\Program Files\
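The registry and file indicators above can be checked offline against a registry export. The following is an added example, not code from the original description or from McAfee. It parses a hand-written .reg fragment (constructed here to mirror the entries listed above, plus one made-up benign BHO for contrast), joins each CLSID under Browser Helper Objects to the DLL named by its CLSID\InprocServer32 default value, lists every COM class served by cpush.dll (the non-BHO CToolbarDetector class would survive if only the BHO entry were deleted), and compares a file's MD5, SHA-1 and size against the File Information section. The benign CLSID, its DLL path and the sample bytes are assumptions for illustration.

```python
import hashlib
import re

# Indicators copied from the description above.
KNOWN_CLSIDS = {
    "{11F09AFD-75AD-4E51-AB43-E09E9351CE16}",
    "{34A12A06-48C0-420D-8F11-73552EE9631A}",
    "{CDE9EB54-A08E-4570-B748-13F5DDB5781C}",
}
KNOWN_DLL_SUFFIX = r"\common files\pushware\cpush.dll"
KNOWN_MD5 = "d70f0e863a80a28146bc2270b6a0f821"
KNOWN_SHA1 = "ed6dd3e091b3e1e9f869f7c45ce37804d7c1cd26"
KNOWN_SIZE = 125737
BHO_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\explorer\browser helper objects"
CLSID_KEY = r"hkey_local_machine\software\classes\clsid"

# Constructed .reg fragment written for this example (not an export from a real host):
# the PushWare entries listed above plus one made-up benign BHO (CLSID and path are assumptions).
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11F09AFD-75AD-4E51-AB43-E09E9351CE16}\InprocServer32]
@="C:\\Program Files\\Common Files\\PushWare\\cpush.dll"
"ThreadingModel"="apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{34A12A06-48C0-420D-8F11-73552EE9631A}\InprocServer32]
@="C:\\Program Files\\Common Files\\PushWare\\cpush.dll"
"ThreadingModel"="apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000000-1111-2222-3333-444444444444}\InprocServer32]
@="C:\\Program Files\\ExampleVendor\\benign.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11F09AFD-75AD-4E51-AB43-E09E9351CE16}]
@="AdPopup"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-1111-2222-3333-444444444444}]
@="Constructed Benign BHO"
"""

_KEY_RE = re.compile(r"^\[([^\]]+)\]$")
_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
_unescape = lambda s: re.sub(r"\\(.)", r"\1", s)  # .reg escapes \ and " with a backslash


def parse_reg_export(text):
    """{key.lower(): {value_name.lower(): value}}; '' is the key's default value.
    Only REG_SZ ("...") values are decoded; dword:/hex: values stay raw."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith((";", "Windows Registry Editor")):
            continue
        if (m := _KEY_RE.match(line)):
            current = m.group(1).lower()
            keys.setdefault(current, {})
        elif (m := _VALUE_RE.match(line)) and current is not None:
            name = "" if m.group(1) == "@" else _unescape(m.group(1)[1:-1]).lower()
            raw = m.group(2)
            is_sz = len(raw) >= 2 and raw[0] == raw[-1] == '"'
            keys[current][name] = _unescape(raw[1:-1]) if is_sz else raw
    return keys


def resolve_bhos(keys):
    """Join every CLSID under Browser Helper Objects to its InprocServer32 DLL."""
    prefix, out = BHO_KEY + "\\", []
    for key, values in keys.items():
        if not key.startswith(prefix):
            continue
        clsid = key[len(prefix):]
        if "\\" in clsid:  # only direct children of the BHO key are registrations
            continue
        inproc = keys.get(CLSID_KEY + "\\" + clsid + "\\inprocserver32", {})
        out.append({"clsid": clsid.upper(), "name": values.get("", ""), "dll": inproc.get("")})
    return out


def flag_bhos(resolved):
    """[(clsid, [reasons])] for BHOs matching the indicators or lacking a DLL."""
    flagged = []
    for b in resolved:
        reasons = []
        if b["clsid"] in KNOWN_CLSIDS:
            reasons.append("CLSID listed in the Generic PUP.z!f description")
        if b["dll"] is None:
            reasons.append("no InprocServer32 for this CLSID (orphaned BHO entry)")
        elif b["dll"].lower().endswith(KNOWN_DLL_SUFFIX):
            reasons.append("InprocServer32 points at PushWare\\cpush.dll")
        if reasons:
            flagged.append((b["clsid"], reasons))
    return flagged


def find_classes_by_dll(keys, dll_suffix):
    """All CLSIDs whose InprocServer32 default names a DLL ending in dll_suffix (lowercase)."""
    prefix, tail, found = CLSID_KEY + "\\", "\\inprocserver32", []
    for key, values in keys.items():
        if key.startswith(prefix) and key.endswith(tail) and values.get("", "").lower().endswith(dll_suffix):
            found.append(key[len(prefix):-len(tail)].upper())
    return sorted(found)


def hash_check(data):
    """Compare a recovered file's bytes against the File Information section."""
    md5, sha1 = hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest()
    return {"md5": md5, "sha1": sha1, "size": len(data),
            "matches_description": (md5, sha1, len(data)) == (KNOWN_MD5, KNOWN_SHA1, KNOWN_SIZE)}
```

On a live host the same export comes from reg.exe export of HKLM\SOFTWARE; on 64-bit Windows the 32-bit Internet Explorer's BHO list and CLSIDs live under HKLM\SOFTWARE\Wow6432Node, so both views need to be exported and checked. The description does not say which file the listed MD5/SHA-1 belong to, so hash both cpush.dll and Uninst.exe.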

Symptoms:

  • Presence of the files listed above under %ProgramFiles%\Common Files\PushWare.
  • The registry modifications listed above, in particular a Browser Helper Object named "AdPopup" and an Add or Remove Programs entry named "PopUp Ads".
  • User browser activity is monitored by the BHO from inside Internet Explorer.

Removal

All Users:

Use the following steps on all supported versions of Windows to remove this threat and other potential risks:

1. Disable System Restore (Windows ME/XP only), so that a copy of the adware is not preserved in a restore point.

2. Update to the current engine and DAT files (at least the Minimum Engine and Minimum DAT listed above) for detection and removal.

3. Close all Internet Explorer windows, then run a complete system scan. While a browser process has cpush.dll loaded as a BHO the file is in use and cannot be deleted, so cleaning with the browser open may fail or require a reboot.

Registry modifications made to hook system startup or the browser (the CLSID, TypeLib and Browser Helper Objects entries above) are removed when cleaning with the recommended engine and DAT combination (or later). Uninst.exe, registered as the uninstaller under Uninstall\ContentMatch, is itself detected as Generic PUP; do not rely on it for cleanup.

General repair may be unsuccessful in some instances. If this occurs, please submit a sample for further evaluation.

Variants

    N/A
