Backdoor.Win32.Popwin.bmf [Kaspersky Lab], Generic BackDoor [McAfee], Mal/Emogen-Y [Sophos] and Win32/Popwin
Backdoor:Win32/Popwin.gen!E, Win32/Pipown!generic, Backdoor.Win32.Popwin
Category: Computer Worm
Active & Spreading
Some parts of Asia, Europe, North and South America, Africa and Australia
11 May 2007
W32.Popwin was discovered on May 11, 2007. It tries to propagate via local and removable drives. The worm displays advertisements and then downloads potentially malicious files to the computer. This worm mostly affects the Windows 98, 95, XP, Me, NT, Server 2003 and 2000 operating systems.
W32.Popwin Removal Tool
If you have malware on your computer, it will cause annoyances and will damage your system. You should either:
A. Manually remove the infected files from your computer, or
B. Automatically scan your system using trusted software
We recommend that you scan your system for malware. Our partner has a computer worm removal tool to automatically clean W32.Popwin from your computer.
More details about W32.Popwin
Once W32.Popwin is executed, the worm creates [RANDOM 8 DIGIT HEX NUMBER].EXE and [RANDOM 8 DIGIT HEX NUMBER].DLL in the %System% folder. The worm then creates a service whose ImagePath is [RANDOM 8 DIGIT HEX NUMBER].exe -k in the %System% folder. Next, the worm modifies a particular system registry entry so that the created files are hidden. The worm injects the [RANDOM 8 DIGIT HEX NUMBER].dll file into all running processes on the system except the System process. The DLL then attempts to copy the original file to every local and removable drive under the file name rising.exe. Finally, the worm accesses [http://]www.s488.com/qs/updat[REMOVED] and receives commands from the attacker. This opens a back door that lets the attacker perform several actions, including downloading and executing files.
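The behaviour above gives a defender three host-level indicators to correlate: a service whose ImagePath has the shape %System%\<8 hex digits>.exe -k, a matching .exe/.dll pair under %System% with the same 8-hex-digit base name, and a rising.exe sitting directly in a drive root. The following script is an added example, not code from the original page or from any vendor; it runs the correlation over constructed sample data (exported service entries and a file listing) rather than touching a live registry, so the sample names and paths are illustrative assumptions only.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Indicator patterns derived from the description of W32.Popwin above.
# ImagePath of the form <...>\system32\<8 hex digits>.exe -k
HEX8_IMAGEPATH = re.compile(
    r"^(?P<dir>.*\\system32\\)(?P<base>[0-9a-f]{8})\.exe\s+-k\s*$", re.IGNORECASE
)
# <...>\system32\<8 hex digits>.exe or .dll (the dropped pair)
HEX8_FILE = re.compile(
    r"^.*\\system32\\(?P<base>[0-9a-f]{8})\.(?P<ext>exe|dll)$", re.IGNORECASE
)
# rising.exe placed directly in a drive root (the copy dropped on local/removable drives)
RISING_ROOT = re.compile(r"^[A-Za-z]:\\rising\.exe$", re.IGNORECASE)

# Constructed sample data (assumption: these resemble an export of
# HKLM\SYSTEM\CurrentControlSet\Services ImagePath values and a file listing).
# None of these names are real indicators from the page.
SAMPLE_SERVICES: List[Tuple[str, str]] = [
    ("Spooler", r"C:\WINDOWS\system32\spoolsv.exe"),
    ("3F9A1C7E", r"C:\WINDOWS\system32\3f9a1c7e.exe -k"),
    ("Dhcp", r"C:\WINDOWS\system32\svchost.exe -k netsvcs"),
]
SAMPLE_FILES: List[str] = [
    r"C:\WINDOWS\system32\3f9a1c7e.exe",
    r"C:\WINDOWS\system32\3f9a1c7e.dll",
    r"C:\WINDOWS\system32\kernel32.dll",
    r"E:\rising.exe",
    r"C:\Program Files\Rising\rising.exe",  # legitimate-looking path, not a drive root
]


def suspicious_services(services: Iterable[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return (service_name, image_path) pairs whose ImagePath matches the
    %System%\\<8 hex digits>.exe -k shape described for the worm's service."""
    return [(name, path) for name, path in services if HEX8_IMAGEPATH.match(path)]


def suspicious_files(paths: Iterable[str]) -> List[str]:
    """Return paths that are either an 8-hex-digit .exe/.dll under system32
    or a rising.exe in a drive root. Order of the input is preserved."""
    return [p for p in paths if HEX8_FILE.match(p) or RISING_ROOT.match(p)]


def correlate(services: Iterable[Tuple[str, str]], paths: Iterable[str]) -> List[Dict]:
    """Correlate flagged services with the dropped file pair. A service whose
    base name has both a .exe and a .dll under system32 is reported as high
    confidence; a service with only the .exe (or neither) is medium."""
    extensions_by_base: Dict[str, set] = {}
    for p in paths:
        m = HEX8_FILE.match(p)
        if m:
            extensions_by_base.setdefault(m.group("base").lower(), set()).add(
                m.group("ext").lower()
            )
    findings = []
    for name, path in suspicious_services(services):
        base = HEX8_IMAGEPATH.match(path).group("base").lower()
        exts = extensions_by_base.get(base, set())
        findings.append(
            {
                "service": name,
                "base": base,
                "exe": "exe" in exts,
                "dll": "dll" in exts,
                "confidence": "high" if {"exe", "dll"} <= exts else "medium",
            }
        )
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_SERVICES, SAMPLE_FILES):
        print(f"service {f['service']} base {f['base']} confidence {f['confidence']}")
    for p in suspicious_files(SAMPLE_FILES):
        print("suspicious file:", p)
```

On a real host the two input lists would come from an export of the Services registry key and a directory listing of %System% plus each drive root; the regexes are deliberately narrow (exact 8-hex-digit base name, the literal -k argument, rising.exe only at a drive root) so that legitimate svchost -k entries and software that happens to be named Rising do not trigger.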
Apart from its backdoor capabilities, W32.Popwin also downloads files and programs to the affected computer. According to sources, this Trojan is capable of downloading spyware and adware programs. It also downloads rogue security programs onto the user's system.