Threat behavior
SoftwareBundler:Win32/NetPumper is a download manager that, in its free version, comes bundled with a number of adware components such as Cydoor, Save!, ClockSync, and WhenU Toolbar.
Installation
When installed, Win32/NetPumper may drop the following files:
%ProgramFiles%\NetPumper\AddUrl.htm
%ProgramFiles%\NetPumper\banner.htm
%ProgramFiles%\NetPumper\banner.jpg
%ProgramFiles%\NetPumper\NetPumper.exe
%ProgramFiles%\NetPumper\NetPumperIEProxy.exe
%ProgramFiles%\NetPumper\NetPumperNNProxy.dll
%ProgramFiles%\NetPumper\NPNetPumper_Application.dll
%ProgramFiles%\NetPumper\NPNetPumper_Audio.dll
%ProgramFiles%\NetPumper\NPNetPumper_Video.dll
%ProgramFiles%\NetPumper\shutdown.exe
%ProgramFiles%\NetPumper\unins000.dat
%ProgramFiles%\NetPumper\unins000.exe
%ProgramFiles%\NetPumper\help (folder)
%ProgramFiles%\Netpumper\zm\minime.exe
%ProgramFiles%\Netpumper\zm\np_0001_1.exe
%ProgramFiles%\Netpumper\turnlog.exe
The registry is modified so that the proxy component, NetPumperIEProxy.exe (not the main NetPumper.exe), runs at each Windows start.
Adds value: NetPumper
With data: %ProgramFiles%\NetPumper\NetPumperIEProxy.exe
To subkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
The installer may also create additional registry keys (COM class, interface and type library registrations, a file association for .xnpd, a MIME type, an uninstall entry and a WhenU partner key), such as the ones listed below.
HKEY_CURRENT_USER\Software\NetPumper
HKEY_CURRENT_USER\Software\Download Plugin
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Download with NetPumper
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{E19B133D-184E-4BBA-8A70-38489C9DD31B}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{1AA406AB-F581-42AB-B4D1-31D2E13819EF}
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{A8B0F390-E6BF-4027-A4D4-1E4363F5E27B}
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{A9E33220-0B05-11D7-88D2-444553540000}
HKEY_LOCAL_MACHINE\Software\Classes\NetPumper.AddUrl
HKEY_LOCAL_MACHINE\Software\Classes\NetPumperNNProxy.NetscapeInterface
HKEY_LOCAL_MACHINE\Software\Classes\.xnpd
HKEY_LOCAL_MACHINE\Software\Classes\MIME\Database\Content Type\application/x-netpumper-detector
HKEY_LOCAL_MACHINE\Software\Classes\TypeLib\{1145A909-A836-44B8-B03A-48D858B0F43E}
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\NetPumper_is1
HKEY_LOCAL_MACHINE\Software\NetPumper
HKEY_LOCAL_MACHINE\Software\WhenUSave\Partners\NPUM
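The file, autostart and registry indicators above can be checked on a live host with a script such as the following. This is an added example, not part of the Microsoft entry; the indicator values are copied from the lists above, while the additional check of the 32-bit (Wow6432Node) registry view and of the Program Files (x86) directory on 64-bit Windows is an assumption, since the entry predates that layout. The .NET registry API is used rather than the PowerShell registry provider because one key name (application/x-netpumper-detector) contains a forward slash, which the provider would treat as a path separator.

```powershell
# Added example (not from the Microsoft encyclopedia entry): report NetPumper
# artifacts on the local host. Run from an elevated PowerShell prompt.
$ErrorActionPreference = 'SilentlyContinue'
$hits = New-Object System.Collections.Generic.List[string]

# Open a hive in the native and the 32-bit registry view (the 32-bit view maps to
# Wow6432Node on x64; on 32-bit Windows both views are the same and hits repeat).
$views = @([Microsoft.Win32.RegistryView]::Default, [Microsoft.Win32.RegistryView]::Registry32)
$hklm = @(foreach ($v in $views) { try { [Microsoft.Win32.RegistryKey]::OpenBaseKey([Microsoft.Win32.RegistryHive]::LocalMachine, $v) } catch { } })
$hkcu = @(foreach ($v in $views) { try { [Microsoft.Win32.RegistryKey]::OpenBaseKey([Microsoft.Win32.RegistryHive]::CurrentUser, $v) } catch { } })

# 1. Autostart value the entry documents: HKLM\...\Run, value "NetPumper".
foreach ($hive in $hklm) {
    $run = $hive.OpenSubKey('SOFTWARE\Microsoft\Windows\CurrentVersion\Run')
    if ($run) {
        $data = $run.GetValue('NetPumper')
        if ($data) { $hits.Add("Run value [$($hive.View)]: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NetPumper = $data") }
        $run.Close()
    }
}

# 2. Dropped files, under both Program Files roots. Hash each hit for later triage.
$relFiles = @('NetPumper\AddUrl.htm', 'NetPumper\banner.htm', 'NetPumper\banner.jpg',
    'NetPumper\NetPumper.exe', 'NetPumper\NetPumperIEProxy.exe', 'NetPumper\NetPumperNNProxy.dll',
    'NetPumper\NPNetPumper_Application.dll', 'NetPumper\NPNetPumper_Audio.dll',
    'NetPumper\NPNetPumper_Video.dll', 'NetPumper\shutdown.exe', 'NetPumper\unins000.dat',
    'NetPumper\unins000.exe', 'NetPumper\zm\minime.exe', 'NetPumper\zm\np_0001_1.exe',
    'NetPumper\turnlog.exe')
$roots = @($env:ProgramFiles, [Environment]::GetEnvironmentVariable('ProgramFiles(x86)')) |
    Where-Object { $_ } | Select-Object -Unique
foreach ($root in $roots) {
    foreach ($rel in $relFiles) {
        $p = Join-Path $root $rel
        if (Test-Path -LiteralPath $p -PathType Leaf) {
            $hash = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
            $hits.Add("File: $p  SHA256=$hash")
        }
    }
}

# 3. Registry keys the installer creates (from the entry). Backslash-only paths,
#    so the '/' inside the MIME key name is not mistaken for a separator.
$regKeys = @(
    @{ Hive = 'HKCU'; Path = 'Software\NetPumper' },
    @{ Hive = 'HKCU'; Path = 'Software\Download Plugin' },
    @{ Hive = 'HKCU'; Path = 'Software\Microsoft\Internet Explorer\MenuExt\Download with NetPumper' },
    @{ Hive = 'HKLM'; Path = 'SOFTWARE\Classes\CLSID\{E19B133D-184E-4BBA-8A70-38489C9DD31B}' },
    @{ Hive = 'HKLM'; Path = 'SOFTWARE\Classes\CLSID\{1AA406AB-F581-42AB-B4D1-31D2E13819EF}' },
    @{ Hive = 'HKLM'; Path = 'SOFTWARE\Classes\Interface\{A8B0F390-E6BF-4027-A4D4-1E4363F5E27B}' },
    @{ Hive = 'HKLM'; Path = 'SOFTWARE\Classes\Interface\{A9E33220-0B05-11D7-88D2-444553540000}' },
    @{ Hive = 'HKLM'; Path = 'SOFTWARE\Classes\NetPumper.AddUrl' },
    @{ Hive = 'HKLM'; Path = 'SOFTWARE\Classes\NetPumperNNProxy.NetscapeInterface' },
    @{ Hive = 'HKLM'; Path = 'SOFTWARE\Classes\.xnpd' },
    @{ Hive = 'HKLM'; Path = 'SOFTWARE\Classes\MIME\Database\Content Type\application/x-netpumper-detector' },
    @{ Hive = 'HKLM'; Path = 'SOFTWARE\Classes\TypeLib\{1145A909-A836-44B8-B03A-48D858B0F43E}' },
    @{ Hive = 'HKLM'; Path = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NetPumper_is1' },
    @{ Hive = 'HKLM'; Path = 'SOFTWARE\NetPumper' },
    @{ Hive = 'HKLM'; Path = 'SOFTWARE\WhenUSave\Partners\NPUM' }
)
foreach ($entry in $regKeys) {
    $hives = if ($entry.Hive -eq 'HKLM') { $hklm } else { $hkcu }
    foreach ($hive in $hives) {
        $k = $hive.OpenSubKey($entry.Path)
        if ($k) { $hits.Add("Registry key [$($hive.View)]: $($entry.Hive)\$($entry.Path)"); $k.Close() }
    }
}

# 4. Anything currently running out of a NetPumper directory.
Get-Process | Where-Object { $_.Path -and ($_.Path -like '*\NetPumper\*') } |
    ForEach-Object { $hits.Add("Process: PID $($_.Id) $($_.Path)") }

if ($hits.Count -eq 0) { 'No NetPumper indicators found.' } else { $hits | Select-Object -Unique }
```

A hit on the Run value or on NetPumperIEProxy.exe alone is enough to confirm the bundle is present; the CLSID and Interface keys can survive an incomplete uninstall, so treat those on their own as residue rather than an active installation, and hash any file hits before removal so the sample can be submitted or matched later.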
Additional Information
SoftwareBundler:Win32/NetPumper may download and install additional adware or trojan components related to the Swizzor and Lop families.
Analysis by Marian Radu
Prevention