Content

Generic PUP.x!430cc016de5b

Type
Program
SubType
-
Discovery Date
06/22/2009
Minimum DAT
5654 (06/22/2009)
Updated DAT
5654 (06/22/2009)
Minimum Engine
5300.2777
Description Added
06/22/2009
Description Modified
06/22/2009 4:42 PM (PT)

Tab Navigation

Characteristics

This software is not a virus or a Trojan. It is detected as a "potentially unwanted program" (PUP). PUPs are any piece of software that a reasonably security- or privacy-minded computer user may want to be informed of and, in some cases, remove. PUPs are often made by a legitimate corporate entity for some beneficial purpose, but they alter the security state of the computer on which they are installed, or the privacy posture of the user of the system, such that most users will want to be aware of them.

File PropertyProperty Value
FileNamea0000197.exe
McAfee ArtemisArtemis!430cc016de5b
McAfee DetectionGeneric PUP.x
Length465,874 bytes
CRC62A268CF
MD5430CC016DE5B674808FA46ED4D866592
SHA1D6207D8FCD960E88183F75F839D406E26F043C5C

Other Common Detection Aliases

Company NameDetection Name
ahnlabWin-Trojan/Agent.465874
AVG (GriSoft)generic_c.agmh
Dr.WebTrojan.Proxy.5769
EMSI SoftwareRiskware.Server-Proxy.Win32.3proxy!IK
eSafe (Alladin)suspicious Trojan/Worm [101]
EsetWin32/TrojanProxy.Agent.NFG
FortiNetMisc/3proxy
Kasperskynot-a-virus:Server-Proxy.Win32.3proxy.bo
microsoftprogram:win32/tinyproxy
norman3proxy.a
pandaTrj/Hino.F
SophosTroj/Agent-JNB
SymantecBackdoor.Trojan
Trend MicroTROJ_AGMH.A
vba32~Trojan.Autoit.ITN
V-BusterTrojan.Autoit.NL

Avert® Labs has observed the following system activities:

ActivityRisk Level
Enumerates running processes
Medium
Program often suspends itself
Medium
Uses shared memory of other processes
Low
Creates registry keys and data values to persist on OS reboot
Informational

Other detections that have been observed.

FileNameMcAfee Supported
%USERPROFILE%\application data\psvrr.exe
Generic PUP.x

System Changes

These are general defaults for typical path variables. (Although they may differ, these examples are common.):
%WinDir% = \WINDOWS (Windows 9x/ME/XP/Vista), \WINNT (Windows NT/2000)
%SystemDir% = \WINDOWS\SYSTEM (Windows 98/ME), \WINDOWS\SYSTEM32 (Windows XP/Vista), \WINNT\SYSTEM32 (Windows NT/2000)
%ProgramFiles% = \Program Files

The following files were analyzed:

  • %USERPROFILE%\local settings\temp\a0000197.exe

    • The following files have been added to the system:

  • %USERPROFILE%\application data\psvrr.exe

    • The following registry elements have been created:

  • HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list\
    • c:\documents and settings\administrator\application data\psvr32.exe =
      c:\documents and settings\administrator\application data\psvr32.exe:*
      :enabled:winsvrhost32

    • The following registry elements have been changed:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\currentversion\run\
    • winprox32_1 = c:\documents and settings\administrator\application data
      \psvrr.exe
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\currentversion\run\
    • winprox32_1 = c:\documents and settings\administrator\application data
      \psvrr.exe

    • The application created the following network connection(s):

  • http
    • hxxp://********************

    • Removal

    All Users:

    Please use the following instructions for all supported versions of Windows to remove threats and other potential risks:

    1.Disable System Restore (Windows ME/XP only).

    2.Update to current engine and DAT files for detection and removal.

    3.Run a complete system scan.

    Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

    General repair may be unsuccessful in some instances. If this occurs, please submit a sample for further evaluation.

    Aliases

    Aliases

      N/A