TROJ_PPOINTER
Aliases: Machime, Powerpointer
Platform: Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)
Threat Type: Trojan
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
Infection Channel: Downloaded from the Internet, Dropped by other malware, Via software vulnerabilities
PPOINTER is a malware family of Trojans and backdoors that arrives via software vulnerabilities. It is typically used to collect the following system information:
- BIOS Information
- CPU Information
- Disks Information
- Language
- MAC Address
- Machine Name
- Malware Version
- Memory Size
- Network Adapter Information
- OS Version
It also executes backdoor commands on infected systems, compromising their security.
TECHNICAL DETAILS
Memory Resident: Yes
Payload: Steals information, Compromises system security
Installation
This Trojan drops the following files:
- %Windows%\ime\wmimachine2.dll
(Note: %Windows% is the Windows folder, which is usually C:\Windows.)
Autostart Technique
This Trojan registers its dropped component as a system service to ensure its automatic execution at every system startup. It does this by creating the following registry entries:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{first netsvcs}
Type = "dword:00000020"
Start = "2"
ErrorControl = "1"
ImagePath = "%SystemRoot%\system32\svchost.exe -k netsvcs"
DisplayName = ".NET Runtime Optimization Service v2.086521.BackUp_X86"
ObjectName = "LocalSystem"
Description = "Microsoft .NET Framework NGEN"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{first netsvcs}\Parameters
ServiceDll = "%Windows%\ime\wmimachine2.dll"
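The persistence above is the classic svchost-hosted service pattern: the service is registered under the name of the first entry in the netsvcs group ({first netsvcs} in the entry), its ImagePath points at the legitimate svchost.exe, and the actual malicious code is the DLL named in the Parameters\ServiceDll value, which here lives under %Windows%\ime rather than System32. The following audit script is an added example, not part of the Trend Micro entry, and assumes a standard Windows layout and an elevated PowerShell session. It walks every service key, keeps only those hosted by svchost.exe, and reports any whose ServiceDll resolves outside System32 or SysWOW64, plus any svchost-hosted service whose display name borrows the .NET NGEN naming this family mimics.

```powershell
# Added example (not from the Trend Micro entry): audit svchost-hosted services
# whose ServiceDll lives outside System32, the persistence pattern described above.
# Assumes a standard Windows install; run from an elevated PowerShell session.

$svcRoot  = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$system32 = Join-Path $env:SystemRoot 'System32'
$syswow64 = Join-Path $env:SystemRoot 'SysWOW64'

function Expand-ServicePath {
    param([string]$Path)
    # ImagePath and ServiceDll are REG_EXPAND_SZ values; expand %SystemRoot% etc.
    return [Environment]::ExpandEnvironmentVariables($Path)
}

function Get-SuspiciousSvchostServices {
    foreach ($svc in Get-ChildItem -Path $svcRoot -ErrorAction SilentlyContinue) {
        $props = Get-ItemProperty -Path $svc.PSPath -ErrorAction SilentlyContinue
        if (-not $props -or -not $props.ImagePath) { continue }

        $image = Expand-ServicePath $props.ImagePath
        # Only services that run inside a shared svchost.exe host process
        if ($image -notmatch '(?i)\\svchost\.exe\s+-k\s+') { continue }

        $paramsKey = Join-Path $svc.PSPath 'Parameters'
        $dll = (Get-ItemProperty -Path $paramsKey -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
        if (-not $dll) { continue }
        $dllPath = Expand-ServicePath $dll

        # Legitimate svchost-hosted service DLLs live under System32 or SysWOW64
        $inExpectedDir = ($dllPath -like "$system32\*") -or ($dllPath -like "$syswow64\*")

        # This family names its service after the .NET NGEN service; a genuine NGEN
        # service runs mscorsvw.exe, not svchost.exe, so this combination is suspect.
        $mimicsNgen = $props.DisplayName -match '(?i)\.NET|NGEN'

        if (-not $inExpectedDir -or $mimicsNgen) {
            $reason = if (-not $inExpectedDir) { 'ServiceDll outside System32/SysWOW64' }
                      else { 'svchost-hosted service named like .NET NGEN' }
            [pscustomobject]@{
                Service     = $svc.PSChildName
                DisplayName = $props.DisplayName
                ImagePath   = $image
                ServiceDll  = $dllPath
                Reason      = $reason
            }
        }
    }
}

Get-SuspiciousSvchostServices | Format-Table -AutoSize
```

Treat a hit as a lead rather than a verdict: a few third-party products register svchost-hosted services legitimately, so confirm each flagged DLL's signature and hash before acting. Because the service masquerades under an existing netsvcs name, also compare the service's DisplayName and Description against what that service name should carry on a clean system.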
Other Details
This Trojan connects to the following possibly malicious URLs:
- http://{BLOCKED}tsexy.dns-dns.com:443/index.asp
- http://{BLOCKED}n.ddns.us:443/index.asp