Aliases: Backdoor.Win32.Popwin.bmf [Kaspersky Lab], Generic BackDoor [McAfee], Mal/Emogen-Y [Sophos] and Win32/Popwin
Variants: Backdoor:Win32/Popwin.gen!E, Win32/Pipown!generic, Backdoor.Win32.Popwin

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: Some parts of Asia, Europe, North and South America, Africa and Australia
Removal: Easy
Platform: W32
Discovered: 11 May 2007
Damage: Medium

Characteristics: W32.Popwin was discovered on May 11, 2007. It tries to propagate via local and removable drives. The worm displays advertisements and then downloads possibly malicious files to the computer. It mostly affects the Windows 98, 95, XP, Me, NT, Server 2003 and 2000 operating systems.

More details about W32.Popwin

Once W32.Popwin is executed, the worm creates [RANDOM 8 DIGIT HEX NUMBER].EXE and [RANDOM 8 DIGIT HEX NUMBER].DLL in the %System% folder. It then creates a service whose ImagePath is [RANDOM 8 DIGIT HEX NUMBER].exe -k in the %System% folder. Next, the worm modifies a particular system registry entry so that the created files are hidden. The worm injects the [RANDOM 8 DIGIT HEX NUMBER].dll file into all actively running processes in the system except the System process. The DLL attempts to copy the original file to any local and removable drives under the file name rising.exe. The worm then accesses [http://]www.s488.com/qs/updat[REMOVED] and receives commands from the hacker. This allows the worm to open a back door that lets the attacker perform several actions, including downloading and executing files.
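
A triage check built from the artifacts described above, as an added example that is not part of the original write-up: it flags services whose ImagePath is an 8-hex-digit .exe followed by -k, 8-hex-digit EXE/DLL names in %System%, and rising.exe on drives. The function name, the input shapes, the sample data and the choice to look only at drive roots are assumptions.

```python
import re

# Name pattern from the write-up: 8 hex digits plus .EXE or .DLL
HEX_NAME = re.compile(r"^[0-9a-f]{8}\.(exe|dll)$", re.IGNORECASE)
# Service ImagePath of the form <8 hex digits>.exe -k (ASCII hyphen assumed)
SERVICE_PATH = re.compile(r'(?:^|\\)([0-9a-f]{8})\.exe"?\s+-k\b', re.IGNORECASE)

# Constructed sample data (not taken from a real infection)
SAMPLE_SYSTEM_FILES = ["kernel32.dll", "3FA9C01B.EXE", "7d22e4a0.dll", "12345.exe"]
SAMPLE_SERVICES = {
    "Spooler": r"C:\WINDOWS\system32\spoolsv.exe",
    "Netsvc": r"C:\WINDOWS\system32\svchost.exe -k netsvcs",
    "3FA9C01B": r"C:\WINDOWS\system32\3FA9C01B.exe -k",
}
SAMPLE_DRIVE_ROOTS = {"C:": ["boot.ini", "RISING.EXE"], "E:": ["autorun.inf"]}


def find_popwin_indicators(system_files, services, drive_roots):
    """Return sorted (indicator, detail) tuples; name-only hits are leads to verify.

    system_files: file names listed in the %System% folder
    services:     service name -> ImagePath string (as read from the registry)
    drive_roots:  drive letter -> file names in that drive's root (assumption)
    """
    findings = []
    service_exes = set()
    # Strongest signal: a service that launches <8 hex>.exe with -k
    for name, image_path in services.items():
        match = SERVICE_PATH.search(image_path)
        if match:
            service_exes.add(match.group(1).lower() + ".exe")
            findings.append(("service", name))
    # Dropped files: raise confidence when a flagged service points at the file
    for fname in system_files:
        if HEX_NAME.match(fname):
            hit = fname.lower() in service_exes
            findings.append(("service_binary" if hit else "hex_named_file", fname))
    # Propagation copy named rising.exe on local or removable drives
    for drive, names in drive_roots.items():
        for fname in names:
            if fname.lower() == "rising.exe":
                findings.append(("drive_copy", drive + "\\" + fname))
    return sorted(findings)


if __name__ == "__main__":
    for finding in find_popwin_indicators(
            SAMPLE_SYSTEM_FILES, SAMPLE_SERVICES, SAMPLE_DRIVE_ROOTS):
        print(finding)
```

Because the worm hides its files through a registry change, the %System% listing should come from a source that shows hidden files.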

Apart from having backdoor capabilities, the W32.Popwin application also downloads files and programs to the affected computer. According to sources, this Trojan application is capable of downloading spyware and adware programs. It also downloads rogue security programs to the user’s system.