Generic Pup.z!7ec2eb2a
- Type: Program
- SubType: -
- Discovery Date: 10/02/2009
- Minimum DAT: 5750 (09/23/2009)
- Updated DAT: 5750 (09/23/2009)
- Minimum Engine: 5.3.00
- Description Added: 10/02/2009
- Description Modified: 10/02/2009 2:22 AM (PT)
Characteristics
Upon execution, the Trojan copies itself to the following locations:
• %WinDir%\system32\drivers\services.exe
• %USERPROFILE%\Start Menu\Programs\Startup\userinit.exe
• %USERPROFILE%\svchost.exe
Note: %WinDir% is the Windows directory, for example c:\windows, and %USERPROFILE% is the user profile directory, here c:\Documents and Settings\Administrator\.
The following registry elements have been added:
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\[system]: "%WinDir%\system32\drivers\services.exe"
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon: "%USERPROFILE%\svchost.exe"
• HKEY_USERS\S-1-5-21-1004336348-1326574676-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Run\[system]: "%WinDir%\system32\drivers\services.exe"
• HKEY_USERS\S-1-5-21-1004336348-1326574676-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Run\winlogon: "%USERPROFILE%\svchost.exe"
The following registry element has been modified:
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon\Userinit: "%WinDir%\system32\userinit.exe,"
When executed, Generic Pup.z tries to connect to the site “http://sat [Removed].cn”.
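As an added example (not part of this McAfee description), the persistence entries listed above expressed as a check over a `reg export` of the two keys involved: the sample export is constructed from the entries above with %WinDir% and %USERPROFILE% expanded as in the note, and the value names `[system]`/`winlogon`, the `\system32` location test and the single stock Userinit entry are the assumptions the check makes.

```python
import re

# Constructed sample `reg export` of the two keys named in the description
# above (not a real capture); paths use the %WinDir%/%USERPROFILE% values from the note.
SAMPLE_REG = r"""[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"[system]"="C:\\WINDOWS\\system32\\drivers\\services.exe"
"winlogon"="C:\\Documents and Settings\\Administrator\\svchost.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"""

# Windows binaries this sample impersonates; the genuine ones live in %WinDir%\system32.
SYSTEM_BINARIES = {"services.exe", "svchost.exe", "userinit.exe"}
SUSPECT_RUN_NAMES = {"[system]", "winlogon"}  # Run value names used by this sample


def parse_reg_export(text):
    """Parse a minimal .reg export into {key: {value_name: data}} (REG_SZ lines only)."""
    keys, current = {}, ""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and (m := re.match(r'^"([^"]+)"="(.*)"$', line)):
            # .reg files escape backslashes and quotes with a leading backslash
            keys[current][m.group(1)] = re.sub(r"\\(.)", r"\1", m.group(2))
    return keys


def find_indicators(keys):
    """Return (key, value_name, data) for Run values using this sample's value names
    or launching a system binary name from outside %WinDir%\\system32, and for a
    Userinit value that is anything but the single stock system32\\userinit.exe entry."""
    hits = []
    for key, values in keys.items():
        leaf = key.rsplit("\\", 1)[-1].lower()
        for name, data in values.items():
            if leaf == "run":
                parent, _, base = data.lower().rpartition("\\")
                if name.lower() in SUSPECT_RUN_NAMES or (
                        base in SYSTEM_BINARIES and not parent.endswith("\\system32")):
                    hits.append((key, name, data))
            elif leaf == "winlogon" and name.lower() == "userinit":
                entries = [e.strip().lower() for e in data.split(",") if e.strip()]
                if len(entries) != 1 or not entries[0].endswith("\\system32\\userinit.exe"):
                    hits.append((key, name, data))
    return hits
```

Run against a real export from a suspect host, the HKEY_USERS Run keys from the list above are picked up by the same `run` leaf test.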
Removal
All Users:
Use current engine and DAT files for detection and removal.
Modifications made to the system registry and/or INI files for the purpose of hooking system startup will be removed when cleaning with the recommended engine and DAT combination (or higher).
Aliases
- N/A