Generic PUP.z!cj

Type: Program
SubType: Win32
Discovery Date: 03/28/2010
Length:
Minimum DAT: 5934 (03/28/2010)
Updated DAT: 5961 (04/23/2010)
Minimum Engine: 5.3.00
Description Added: 03/28/2010
Description Modified: 04/19/2010 11:09 PM (PT)
Risk Assessment
    Corporate User: N/A
    Home User: N/A

Characteristics

McAfee(R) AVERT™ recognizes that this program may have legitimate uses in contexts where an authorized administrator has knowingly installed this application. If you agreed to a license agreement for this, or another bundled application, you may have legal obligations with regard to removing this software, or using the host application without this software. Please contact the software vendor for further information.

See http://vil.nai.com/vil/DATReadme.asp for a list of Program detections added to the DATs.

See http://vil.nai.com/vil/pups/configuration.htm for information about how to enable, disable, and exclude detection of legitimately installed programs.

This is a generic detection that covers multiple unaffiliated/uncategorized Potentially Unwanted Program components. It may also detect new variants of similar software.

File Information:

    • MD5 - 913E7CF0797C4A27AE5CD1B33DFB2C4D
    • SHA1 - 6978808780E2E3B4600FBDC32565211728846436

Aliases:

    • Avast - Win32:BHO-RP
    • Kaspersky - not-a-virus:AdWare.Win32.BHO.lku
    • Microsoft - Trojan:Win32/Futsurn.A
    • Symantec - Downloader

This is not a virus or a Trojan. It is a Potentially Unwanted Program.

It uses Browser Helper Objects (BHOs) to display unwanted pop-ups, and the same mechanism can be used for malicious purposes such as collecting information about the user's browsing. It also downloads and installs malicious files from remote sites.

Whenever the user searches on engines such as Google or Baidu.com, it records every keyword entered in the search box.

This Potentially Unwanted Program is designed to deliver various advertisements to the user's system.

Upon execution, the following files are dropped onto the system:

    • %SystemDrive%\recycled\ctv.dat [detected as Generic PUP.z!cg]
    • %SystemDrive%\recycled\lip.dat [detected as Generic Backdoor!cgf]
    • %SystemDrive%\recycled\qkf.dat [detected as Adware-BHO.gen.c]
    • %Windir%\inf\iplbk.inf [detected as Generic Backdoor!cgf]
    • %Windir%\inf\optkec.inf [detected as Generic Backdoor!cgf]
    • %Windir%\kentgo.log [detected as Adware-BHO.gen.c]
    • %Windir%\system32\niprp.dll [detected as Generic Backdoor!cgf]
    • %Windir%\system32\pwfsh.dll [detected as Adware-BHO.gen.c]
    • %Windir%\Help\PWREP.CHI
    • %Temp%\GLC1.tmp
    • %Temp%\GLG4.tmp
    • %Temp%\GLJ2.tmp
    • %Temp%\set.exe

The following registry keys have been added:

    • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DC888631-57F5-4AF4-86B3-BDE5F854DCBF}]
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{5ECDAA08-B706-41C6-8F09-C69D1C45C66A}]
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{C3F4AE31-32C0-4D31-A90C-7B774CA8683D}]
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PWFlash.PowerFlash]
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PWFlash.PowerFlash.1]
    • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Iprip]
    • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\Iprip]
    • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Iprip\Parameters]
    • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Iprip\Security]
    • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Iprip\Enum]

It adds the following registry entry to register itself as a BHO:

    • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DC888631-57F5-4AF4-86B3-BDE5F854DCBF}]

Upon launching Internet Explorer, this program connects to the following website and downloads a configuration file containing a list of other websites:

    • Ct.kk[removed].com

The following registry values have been added:

    • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DC888631-57F5-4AF4-86B3-BDE5F854DCBF}\VersionIndependentProgID]
      Default = "PWFlash.PowerFlash"
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DC888631-57F5-4AF4-86B3-BDE5F854DCBF}\ProgID]
      Default = "PWFlash.PowerFlash.1"
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DC888631-57F5-4AF4-86B3-BDE5F854DCBF}\InprocServer32]
      Default = "%System32%\pwfsh.dll"
      ThreadingModel = "Apartment"
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DC888631-57F5-4AF4-86B3-BDE5F854DCBF}]
      Default = "PowerFlash Class"
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{5ECDAA08-B706-41C6-8F09-C69D1C45C66A}\TypeLib]
      Default = "{C3F4AE31-32C0-4D31-A90C-7B774CA8683D}"
      Version = "1.0"
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{5ECDAA08-B706-41C6-8F09-C69D1C45C66A}\ProxyStubClsid32]
      Default = "{00020424-0000-0000-C000-000000000046}"
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{5ECDAA08-B706-41C6-8F09-C69D1C45C66A}\ProxyStubClsid]
      Default = "{00020424-0000-0000-C000-000000000046}"
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{5ECDAA08-B706-41C6-8F09-C69D1C45C66A}]
      Default = "IPowerFlash"
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{C3F4AE31-32C0-4D31-A90C-7B774CA8683D}\1.0\0\win32]
      Default = "%System32%\pwfsh.dll"
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{C3F4AE31-32C0-4D31-A90C-7B774CA8683D}\1.0\HELPDIR]
      Default = "%System32%\"
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{C3F4AE31-32C0-4D31-A90C-7B774CA8683D}\1.0\FLAGS]
      Default = "0"
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{C3F4AE31-32C0-4D31-A90C-7B774CA8683D}\1.0]
      Default = "PWFlash 1.0 Type Library"
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PWFlash.PowerFlash\CurVer]
      Default = "PWFlash.PowerFlash.1"
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PWFlash.PowerFlash]
      Default = "PowerFlash Class"
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PWFlash.PowerFlash.1\CLSID]
      Default = "{DC888631-57F5-4AF4-86B3-BDE5F854DCBF}"
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PWFlash.PowerFlash.1]
      Default = "PowerFlash Class"
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DC888631-57F5-4AF4-86B3-BDE5F854DCBF}]
      Default = ""
    • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Iprip\Parameters]
      ServiceDll = "%System32%\niprp.dll"
    • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Iprip]
      Start = 0x00000002
      Type = 0x00000020
      ErrorControl = 0x00000001
      ImagePath = "%System32%\svchost.exe -k netsvcs"
      DisplayName = "Remote IPRIP Service"
      ObjectName = "LocalSystem"
      Description = "Listener reads Remote Routing Information Protocol (RIP) packets"

The service entries above show that the malicious DLL is loaded into the svchost.exe process (as the ServiceDll of the "Iprip" service) and performs backdoor activity.

The malicious file restarts the system automatically so that the dropped .DLL files are loaded.

[Where %WinDir% = \WINDOWS (Windows 9x/ME/XP/Vista), \WINNT (Windows NT/2000), %SystemDrive% is the drive where the Operating System is installed, in most cases it will be C:\, and %Temp% = C:\Documents and Settings\Administrator\Local Settings\Temp\]

Symptoms:

    • Presence of the files listed above.
    • Outbound connections on port 80 to the site "Ct.kk[removed].com".
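The BHO registration and the svchost-hosted "Iprip" service listed above are the persistence artifacts a responder would check for. The following is an added example (not McAfee's code): it parses a constructed .reg-style export holding the entries from this description, resolves each BHO CLSID to its InprocServer32 DLL, and pairs each svchost-hosted service with its ServiceDll and any SafeBoot entry that keeps it running in Safe Mode. The sample text, the expansion of %System32% to C:\WINDOWS\system32 and the placement of the SafeBoot key under CurrentControlSet are assumptions.

```python
import re
# Constructed sample, not a real export: .reg-style text with the entries this
# description lists, %System32% expanded and SafeBoot under CurrentControlSet.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DC888631-57F5-4AF4-86B3-BDE5F854DCBF}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DC888631-57F5-4AF4-86B3-BDE5F854DCBF}\InprocServer32]
@="C:\\WINDOWS\\system32\\pwfsh.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Iprip]
"ImagePath"="C:\\WINDOWS\\system32\\svchost.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Iprip\Parameters]
"ServiceDll"="C:\\WINDOWS\\system32\\niprp.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Iprip]
'''
BHO_ROOT = r"hkey_local_machine\software\microsoft\windows\currentversion\explorer\browser helper objects"
SVC_ROOT = r"hkey_local_machine\system\currentcontrolset\services"
VALUE_RE = re.compile(r'^(?:@|"(?P<name>[^"]+)")="(?P<val>.*)"$')

def parse_reg(text):
    """Parse .reg-style text into {key path: {value name: value}} with lower-cased names."""
    reg, key = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            reg[key] = {}
        elif key and (m := VALUE_RE.match(line)):
            name = (m.group("name") or "(default)").lower()
            reg[key][name] = m.group("val").replace("\\\\", "\\")  # undo .reg escaping
    return reg

def find_bhos(reg):
    """Return (CLSID, DLL) for every registered BHO, resolving the CLSID's InprocServer32."""
    found = []
    for key in reg:
        if key.startswith(BHO_ROOT + "\\"):
            clsid = key.rsplit("\\", 1)[1]
            srv = reg.get(r"hkey_local_machine\software\classes\clsid\%s\inprocserver32" % clsid, {})
            found.append((clsid, srv.get("(default)")))
    return found

def find_svchost_services(reg):
    """Return svchost-hosted services with their ServiceDll and whether a SafeBoot entry keeps them alive in Safe Mode."""
    found = []
    for key, vals in reg.items():
        parent, _, name = key.rpartition("\\")
        if parent != SVC_ROOT or "svchost.exe" not in vals.get("imagepath", "").lower():
            continue
        dll = reg.get(key + r"\parameters", {}).get("servicedll")
        safe = any(r"hkey_local_machine\system\currentcontrolset\control\safeboot\%s\%s" % (m, name) in reg for m in ("minimal", "network"))
        found.append({"service": name, "dll": dll, "safe_boot": safe})
    return found
```

Run against a real export (reg export HKLM) the same functions list every BHO DLL and every svchost-hosted ServiceDll, which can then be compared with known-good paths.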


Removal

Instructions on Enabling/Disabling Detection and Removal of Potentially Unwanted Programs

Variants

    N/A