Threat behavior
TrojanDownloader:Win32/Popuper.A attempts to download unwanted software from a remote website. The downloaded content could include anything from additional downloader Trojans to imitation security programs.
When TrojanDownloader:Win32/Popuper.A runs, it does the following:
- Drops file "wupmncva.exe" under directory %windir%
- Modifies the registry to load this copy of itself when Windows is started:
Set "wupmncvA" = "%windir%\wupmncva.exe", under key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
%windir%\wupmncva.exe does the following:
- Drops the following files to the %windir% folder:
"jptc.dat"
"wupmncv.exe"
"offun.exe"
"srvwrmhkyw.exe"
"srvgocxgaa.exe"
- Modifies the following registry entry:
Set "DisplayName" = "windows overlay components", under key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\OvMon
- Launches the file %windir%\wupmncv.exe by running "C:\WINDOWS\wupmncv.exe" -i
- Launches the file %windir%\wupmncva.exe by running "C:\WINDOWS\wupmncvA.exe"
- Launches the file %windir%\srvwrmhkyw.exe by running "C:\WINDOWS\srvwrmhkyw.exe"
- Launches the file %windir%\srvgocxgaa.exe by running "C:\WINDOWS\srvgocxgaa.exe"
%windir%\wupmncva.exe may do the following:
- Drops file "jptc.dat" under directory %windir%
- Modifies the following registry entry:
Set "ProxyBypass" = "1", under key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
- Opens and listens on UDP port 0 (binding to port 0 typically asks the operating system for an ephemeral port, so the port actually in use will vary from system to system)
%windir%\srvwrmhkyw.exe may do the following:
- Drops file "nst2.tmp" under directory c:\docume~1\admini~1\locals~1\temp (this appears to be the 8.3 short-name form of the temporary folder of the user account that ran the file on the analysis system; on other systems the path will differ)
- Drops file "nodeipproc.dll" under directory <system folder>
- Drops file "uninsticn.exe" under directory <system folder>
- Modifies the following registry entries:
Set "DisplayName" = "icons", under key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\AdRotator
Set "Vendor" = "smoke", under key HKEY_LOCAL_MACHINE\Software\NodeIpProc
%windir%\srvgocxgaa.exe may do the following:
- Drops file "pshope.exe" under directory c:\program files\pshope
- Drops file "uninstall.exe" under directory c:\program files\pshope
- Modifies the following registry entries:
Set "PSHope" = ""c:\program files\pshope\pshope.exe"", under key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Set "aid" = "13", under key HKEY_CURRENT_USER\Software\PSHope
- Launches the file c:\program files\pshope\pshope.exe, by running "C:\Program Files\PSHope\PSHope.exe"
c:\program files\pshope\pshope.exe may do the following:
- Modifies the following registry entry:
Set "Version" = "2", under key HKEY_CURRENT_USER\Software\PSHope
TrojanDownloader:Win32/Popuper.A may also modify the registry as follows (taken together, these entries register <system folder>\nodeipproc.dll as an in-process COM server for the OddBot.AdClicker class and add it as an Internet Explorer Browser Helper Object):
Set "(default)" = "oddbot", under key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\OddBot.AdClicker.1
Set "(default)" = "{2b896072-f6e3-4ff7-ade6-43d5bec6557c}", under key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\OddBot.AdClicker.1\CLSID
Set "(default)" = "oddbot", under key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\OddBot.AdClicker
Set "(default)" = "{2b896072-f6e3-4ff7-ade6-43d5bec6557c}", under key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\OddBot.AdClicker\CLSID
Set "(default)" = "oddbot.adclicker.1", under key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\OddBot.AdClicker\CurVer
Set "(default)" = "oddbot", under key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2B896072-F6E3-4FF7-ADE6-43D5BEC6557C}
Set "(default)" = "oddbot.adclicker.1", under key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2B896072-F6E3-4FF7-ADE6-43D5BEC6557C}\ProgID
Set "(default)" = "oddbot.adclicker", under key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2B896072-F6E3-4FF7-ADE6-43D5BEC6557C}\VersionIndependentProgID
Set "(default)" = "<system folder>\nodeipproc.dll", under key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2B896072-F6E3-4FF7-ADE6-43D5BEC6557C}\InprocServer32
Set "(default)" = "{c845ac9a-70a6-491c-9106-d34a360e1f58}", under key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2B896072-F6E3-4FF7-ADE6-43D5BEC6557C}\TypeLib
Set "NoExplorer" = """", under key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2B896072-F6E3-4FF7-ADE6-43D5BEC6557C}
Set "(default)" = "oddbot 1.0 type library", under key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{C845AC9A-70A6-491C-9106-D34A360E1F58}\1.0
Set "(default)" = "0", under key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{C845AC9A-70A6-491C-9106-D34A360E1F58}\1.0\FLAGS
Set "(default)" = "<system folder>\nodeipproc.dll", under key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{C845AC9A-70A6-491C-9106-D34A360E1F58}\1.0\0\win32
Set "(default)" = "<system folder>\", under key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{C845AC9A-70A6-491C-9106-D34A360E1F58}\1.0\HELPDIR
Set "(default)" = "iadclicker", under key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{251DF512-6FAF-4AAF-BF19-D99B5F1C9250}
Set "(default)" = "{00020424-0000-0000-c000-000000000046}", under key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{251DF512-6FAF-4AAF-BF19-D99B5F1C9250}\ProxyStubClsid
Set "(default)" = "{00020424-0000-0000-c000-000000000046}", under key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{251DF512-6FAF-4AAF-BF19-D99B5F1C9250}\ProxyStubClsid32
Set "(default)" = "{c845ac9a-70a6-491c-9106-d34a360e1f58}", under key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{251DF512-6FAF-4AAF-BF19-D99B5F1C9250}\TypeLib
Prevention