
Trojan:Win32/Popureb.B


Trojan:Win32/Popureb.B is a trojan that displays advertisements and modifies the affected user's Internet Explorer start page.



What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date security solution. The following Microsoft products detect and remove this threat:

For more information on antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.

Additional remediation instructions for Trojan:Win32/Popureb.B:

This threat may make lasting changes to a computer's configuration that are NOT restored by detecting and removing this threat. For more information on returning an infected computer to its pre-infected state, please see the following articles:

Threat behavior

Trojan:Win32/Popureb.B is a trojan that displays advertisements and modifies the affected user's Internet Explorer start page.

Installation

Trojan:Win32/Popureb.B is stored on the disk as encrypted disk sectors by Trojan:Win32/Popureb.A. When the affected computer is started, the infected MBR (Master Boot Record - detected as Trojan:DOS/Popureb.A) decrypts Trojan:Win32/Popureb.B from the disk sectors and saves it as the following:

  • %windir%\mgr.exe

The saved file is deleted after it has executed.

Trojan:Win32/Popureb.B modifies the following registry entry to ensure that its copy executes at each Windows start:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "qQ"
With data: "%windir%\mgr.exe"

Payload

Displays advertisements

Trojan:Win32/Popureb.B may also download and display advertisements on the affected computer. In the wild, we have observed Trojan:Win32/Popureb.B contacting the following domain to get configuration information:

  • dh.uuying.com

Modifies browser settings

Trojan:Win32/Popureb.B also modifies Internet Explorer's start page. In the wild, we have observed the trojan setting the Internet Explorer homepage to the following website:

  • www.46.com

Analysis by Chun Feng

Symptoms

System changes

The following system changes may indicate the presence of this malware:

  • The presence of the following file:

    %windir%\mgr.exe
  • The presence of the following registry modification:

    In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Sets value: "qQ"
    With data: "%windir%\mgr.exe"
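The Installation, Payload and Symptoms sections above list four host and network indicators: the dropped %windir%\mgr.exe, the "qQ" value in the HKLM Run key, the Internet Explorer start page set to www.46.com, and lookups of dh.uuying.com. The following script is an added triage example, not Microsoft's code and not part of this encyclopedia entry. Its matching functions are pure and run anywhere on constructed sample input (an exported Run key, an IE setting and a few made-up DNS log lines); the collect_live() routine is an assumed responder workflow that reads the real Run key and the IE "Start Page" value with the standard-library winreg module when run on a Windows host. The Run-key check matches on either the value name or the resolved path, since an attacker-chosen value name is the weaker of the two indicators.

```python
"""
Triage helper for the Trojan:Win32/Popureb.B indicators on this page.
Added example; not Microsoft's code and not part of the encyclopedia entry.
collect_live() is an assumed Windows-only collection step; every check_*
function is pure and runs on exported data on any platform.
"""
import os
import re
import sys

# Indicators copied from the encyclopedia entry.
DROPPED_FILE = r"%windir%\mgr.exe"
RUN_VALUE_NAME = "qQ"
CONFIG_DOMAIN = "dh.uuying.com"
START_PAGE_SITE = "www.46.com"

# Assumed Windows directory when %windir% cannot be expanded (off-box analysis).
DEFAULT_WINDIR = r"C:\Windows"


def normalize_path(path, windir=DEFAULT_WINDIR):
    """Strip quotes, expand %windir% case-insensitively and case-fold, so that
    '"%WINDIR%\\MGR.EXE"' and 'c:/windows/mgr.exe' compare equal."""
    path = path.strip().strip('"')
    path = re.sub(r"%windir%", lambda _m: windir, path, flags=re.IGNORECASE)
    return path.replace("/", "\\").lower()


def check_run_entries(entries, windir=DEFAULT_WINDIR):
    """entries: (value_name, data) pairs exported from the HKLM Run key.
    Returns the pairs whose name is "qQ" or whose data resolves to mgr.exe."""
    target = normalize_path(DROPPED_FILE, windir)
    return [(name, data) for name, data in entries
            if name == RUN_VALUE_NAME or normalize_path(str(data), windir) == target]


def check_start_page(start_page):
    """True if the IE start page points at the site named on this page."""
    return START_PAGE_SITE in start_page.lower()


def check_dns_log(lines):
    """Return log lines that mention the configuration domain (format-agnostic)."""
    return [ln for ln in lines if CONFIG_DOMAIN in ln.lower()]


def triage(run_entries, start_page, file_present, dns_lines, windir=DEFAULT_WINDIR):
    """Combine the individual checks into one findings dictionary."""
    return {"run_key": check_run_entries(run_entries, windir),
            "start_page": check_start_page(start_page),
            "dropped_file": file_present,
            "dns": check_dns_log(dns_lines)}


def collect_live():
    """Assumed live collection on a Windows host; returns None elsewhere."""
    if sys.platform != "win32":
        return None
    import winreg  # standard library on Windows
    run_entries, index = [], 0
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run") as key:
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # no more values under the key
                break
            run_entries.append((name, data))
            index += 1
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                            r"Software\Microsoft\Internet Explorer\Main") as key:
            start_page, _ = winreg.QueryValueEx(key, "Start Page")
    except OSError:
        start_page = ""
    present = os.path.exists(os.path.expandvars(DROPPED_FILE))
    return run_entries, start_page, present, os.environ.get("windir", DEFAULT_WINDIR)


# Constructed sample data (illustrative, not taken from a real infection).
SAMPLE_RUN = [
    ("ExampleUpdater", r"C:\Program Files\Example\updater.exe"),
    ("qQ", r'"%windir%\mgr.exe"'),
]
SAMPLE_DNS = [
    "2011-04-11 08:00:01 client=10.0.0.5 query=A www.example.com",
    "2011-04-11 08:00:07 client=10.0.0.5 query=A dh.uuying.com",
]

if __name__ == "__main__":
    live = collect_live()
    if live:
        run, start, present, windir = live
        report = triage(run, start, present, SAMPLE_DNS, windir)
    else:
        report = triage(SAMPLE_RUN, "http://www.46.com/", False, SAMPLE_DNS)
    for check, result in report.items():
        print(f"{check}: {result}")
```

Run without arguments: on a non-Windows host it evaluates the constructed samples and reports the "qQ" Run entry, the start page and the DNS line as hits; on Windows it reads the live Run key and IE setting instead. The DNS lines are always the constructed sample, since the page names the domain but says nothing about where a given environment logs its queries.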

Prevention


Alert level: Severe
First detected by definition: 1.101.1243.0
Latest detected by definition: 1.173.2181.0 and higher
First detected on: Apr 11, 2011
This entry was first published on: Apr 11, 2011
This entry was updated on: May 13, 2011

This threat is also detected as:
No known aliases