Trojan:Win32/Popuper.B is a malicious program that is unable to spread of its own accord. It may perform a number of actions of an attacker's choice on an affected computer.
Trojan:Win32/Popuper.B creates the following files on an affected computer:
c:\documents and settings\administrator\local settings\temp\nsisautosetupplugin.dll
c:\documents and settings\administrator\local settings\temp\nsn8.tmp\killproc.dll
c:\documents and settings\administrator\local settings\temp\nsn8.tmp\modern-header.bmp
c:\documents and settings\administrator\local settings\temp\nsn8.tmp\simplefc.dll
c:\documents and settings\administrator\local settings\temp\nsn8.tmp\userinfo.dll
Note: <system folder> refers to a variable location that the malware determines by querying the operating system. The default installation location of the System folder is C:\Winnt\System32 for Windows 2000 and NT, and C:\Windows\System32 for XP, Vista, and 7.
Modifies system security settings
Trojan:Win32/Popuper.B adds itself to the list of applications that are authorized to access the Internet without being stopped by the Firewall, by making the following registry modification:
Adds value: "C:\Program Files\Chrome\Chrome.exe"
With data: "c:\program files\chrome\chrome.exe:*:enabled:chrome"
To subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
Contacts remote hosts
The malware may contact the following remote hosts using port 80:
Commonly, malware may contact a remote host for the following purposes:
To confirm Internet connectivity
To report a new infection to its author
To receive configuration or other data
To download and execute arbitrary files (including updates or additional malware)
To receive instruction from a remote attacker
To upload data taken from the affected computer
This malware description was produced and published using our automated analysis system's examination of file SHA1 02c400b067470a1592abbcbcd6178be599825344.