Content

Generic PUP.z!a6c3c007900f

Type
Program
SubType
-
Discovery Date
09/01/2009
Minimum DAT
5727 (09/01/2009)
Updated DAT
5727 (09/01/2009)
Minimum Engine
5300.2777
Description Added
09/01/2009
Description Modified
09/01/2009 1:22 PM (PT)

Tab Navigation

Characteristics

This software is not a virus or a Trojan. It is detected as a "potentially unwanted program" (PUP). PUPs are any piece of software that a reasonably security- or privacy-minded computer user may want to be informed of and, in some cases, remove. PUPs are often made by a legitimate corporate entity for some beneficial purpose, but they alter the security state of the computer on which they are installed, or the privacy posture of the user of the system, such that most users will want to be aware of them.

File PropertyProperty Value
FileName882c005f.exe
McAfee ArtemisArtemis!a6c3c007900f
McAfee DetectionGeneric PUP.z
Length362,509 bytes
CRC77F8301B
MD5A6C3C007900FC29B20334DCA46D1E33C
SHA17C65A99C419D14501179C3BF4E4E97C533712220

Other Common Detection Aliases

Company NameDetection Name
avastWin32:BHO-VX [Trj]
AVG (GriSoft)Generic3.AALM (Adware)
AviraDR/Vapsup.nem
BitDefenderTrojan.Generic.1710368
clamavTrojan.Zlob-10753
Dr.WebAdware.Vapsup.63
EsetWin32/Adware.AdzgaloreBiz (application) (variant)
FortiNetW32/Vapsup.NEM!tr
KasperskyTrojan.Win32.Vapsup.nem
microsoftbrowsermodifier:win32/fotomoto
pandaAdware/VapSup (spyware)
risingTrojan.Win32.Vapsup.evj
SophosTroj/Vapsup-Gen
SymantecTrojan.Adclicker
Trend MicroADW_ADROTATORP
vba32Trojan.Win32.Vapsup.ngn
V-BusterAdware.Adrotator.Gen.2

Avert® Labs has observed the following system activities:

ActivityRisk Level
Writes executable in the windows folder
Low
Performs a shell execute of downloaded or existing files
Informational
Registers DLLsInformational

Other detections that have been observed.

FileNameMcAfee Supported
%WINDIR%\system32\nse18.dll
Generic PUP.z

System Changes

These are general defaults for typical path variables. (Although they may differ, these examples are common.):
%WinDir% = \WINDOWS (Windows 9x/ME/XP/Vista), \WINNT (Windows NT/2000)
%SystemDir% = \WINDOWS\SYSTEM (Windows 98/ME), \WINDOWS\SYSTEM32 (Windows XP/Vista), \WINNT\SYSTEM32 (Windows NT/2000)
%ProgramFiles% = \Program Files

The following files were analyzed:

  • %USERPROFILE%\local settings\temp\882c005f.exe

    • The following files have been added to the system:

  • %USERPROFILE%\application data\microsoft\crypto
  • %USERPROFILE%\application data\microsoft\crypto\rsa
  • %USERPROFILE%\application data\microsoft\crypto\rsa\s-1-5-21-1202660629-602609370-839522115-500
  • %USERPROFILE%\application data\microsoft\crypto\rsa\s-1-5-21-1202660629-602609370-839522115-500\f7cda73f4a9aaac44ca0c8f4c028ef51_584cabc6-b3f0-4d52-b7e2-3ffbf17c3258
  • %WINDIR%\system32\cont_offersfortoday-remove.exe
  • %WINDIR%\system32\nse18.dll

    • The following registry elements have been created:

  • HKEY_LOCAL_MACHINE\software\classes\clsid\{66bd46c7-ca83-a1b3-896e-8feba49064b2}\
    • (default) = offersfortoday
  • HKEY_LOCAL_MACHINE\software\classes\clsid\{66bd46c7-ca83-a1b3-896e-8feba49064b2}\inprocserver32\
    • (default) = c:\windows\system32\nse18.dll
    • threadingmodel = apartment
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\currentversion\explorer\browser helper objects\{66bd46c7-ca83-a1b3-896e-8feba49064b2}\
    • noexplorer = ""
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\currentversion\uninstall\cont_offersfortoday\
    • displayname = contextual tool offersfortoday
    • displayversion = 4.6.3.3
    • nomodify = 0
    • norepair = 0
    • uninstallstring = c:\windows\system32\cont_offersfortoday-remove.exe

    • The following registry elements have been changed:

  • HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\
    • pendingfilerenameoperations = \??\c:\docume~1\admini~1\locals~1\temp
      \nss17.tmp\system.dll
    • pendingfilerenameoperations = \??\c:\docume~1\admini~1\locals~1\temp
      \nss17.tmp\system.dll\??\c:\docume~1\admini~1\locals~1\temp\nss17.tmp\

    • The application created the following network connection(s):

  • http
    • hxxp://****************

    • Removal

    All Users:

    Please use the following instructions for all supported versions of Windows to remove threats and other potential risks:

    1.Disable System Restore (Windows ME/XP only).

    2.Update to current engine and DAT files for detection and removal.

    3.Run a complete system scan.

    Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

    General repair may be unsuccessful in some instances. If this occurs, please submit a sample for further evaluation.

    Aliases

    Aliases

      N/A