Windows Tutorials - Herong's Tutorial Notes
Dr. Herong Yang, Version 4.11

Trojan and Adware - Puper (trojan.popuper)

Windows Tutorials - Herong's Notes © 2006 Dr. Herong Yang

(Continued from previous part...)

My Experience with Trojan Puper

My only experience with Trojan Puper was again on my friend's computer this summer. While looking at the c:\windows\system32 directory, I noticed 3 strange, suspicious files:

>dir C:\WINDOWS\system32
07/21/2006  09:43 PM            17,750 vqfupqnr.exe
07/24/2006  12:22 AM            17,750 opuryycl.exe
07/24/2006  09:51 PM            17,750 uceysmkw.exe

I zipped all 3 suspicious files into a zip file, exe_200607.zip, and deleted them from the system directory.

When I tried to open this zip file, my McAfee VirusScan On-Access Scan showed up and reported that those files are Puper trojans:

vqfupqnr.exe   Puper   Trojan  Deleted
opuryycl.exe   Puper   Trojan  Deleted
uceysmkw.exe   Puper   Trojan  Deleted

Okay. This was nice. VirusScan is doing the job to protect my system. But that VirusScan report seemed wrong. None of the Puper descriptions on the Internet says that Puper Trojan will create an .exe file with a name of 8 random letters.

I need to find another virus detection tool to look at those suspicious files.

Conclusion

  • Puper Trojan modifies Internet Explorer settings to redirect the default start page and search page to an advertiser's Web site.
  • McAfee VirusScan reports a 17,750-byte uceysmkw.exe file as a Puper Trojan file.
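
A triage sketch for the pattern in the listing above (several .exe files with 8-letter random-looking names and one identical size), added here as an example and not part of the original notes. The regular expressions, the function names and the three extra sample lines with their sizes are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the three lines from the listing above, plus three
# made-up entries (sizes invented) to show what the filter ignores.
SAMPLE_DIR_OUTPUT = """\
07/21/2006  09:43 PM            17,750 vqfupqnr.exe
07/24/2006  12:22 AM            17,750 opuryycl.exe
07/24/2006  09:51 PM            17,750 uceysmkw.exe
08/04/2004  12:00 PM           108,032 services.exe
08/04/2004  12:00 PM           502,272 winlogon.exe
08/04/2004  12:00 PM            17,750 readme.txt
08/04/2004  12:00 PM    <DIR>          drivers
"""

# One file line of cmd.exe "dir" output: date, time, size, name.
DIR_LINE = re.compile(
    r"^(\d{2}/\d{2}/\d{4})\s+(\d{2}:\d{2} [AP]M)\s+([\d,]+)\s+(.+)$")
# Heuristic (assumption): exactly 8 letters followed by .exe.
EIGHT_LETTER_EXE = re.compile(r"^[a-z]{8}\.exe$")


def parse_dir(text):
    """Yield (date, size_in_bytes, name) per file line; <DIR> rows are skipped."""
    for line in text.splitlines():
        m = DIR_LINE.match(line.strip())
        if m:
            yield m.group(1), int(m.group(3).replace(",", "")), m.group(4)


def suspicious_clusters(text, min_files=2):
    """Group 8-letter .exe names by size; keep sizes shared by min_files or more.

    A name alone is weak evidence (services.exe also has 8 letters), so a
    file is reported only when other 8-letter .exe files have the same size.
    """
    by_size = defaultdict(list)
    for date, size, name in parse_dir(text):
        if EIGHT_LETTER_EXE.match(name.lower()):
            by_size[size].append((name, date))
    return {s: files for s, files in by_size.items() if len(files) >= min_files}


if __name__ == "__main__":
    for size, files in suspicious_clusters(SAMPLE_DIR_OUTPUT).items():
        print(f"{size} bytes, {len(files)} files:")
        for name, date in files:
            print(f"  {name}  (modified {date})")
```

Files flagged this way are candidates for a scan with a second tool, not a verdict on their own.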

Dr. Herong Yang, updated in 2006