PPOINTER

PPOINTER is a malware family of Trojans and backdoors that arrives via software vulnerabilities. It is typically used to gain the following system information:

• BIOS Information

• CPU Information

• Disks Information

• Language

• MAC Address

• Machine Name

• Malware Version

• Memory Size

• Network Adapter Information

• OS Version

It also executes backdoor commands on the infected systems thus compromising its security.

Installation

This Trojan drops the following files:

• %Windows%\ime\wmimachine2.dll

(Note: %Windows% is the Windows folder, where it usually is C:\Windows on all Windows operating system versions.)

Autostart Technique

This Trojan registers its dropped component as a system service to ensure its automatic execution at every system startup. It does this by creating the following registry entries:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\{first netsvcs}
Type = "dword:00000020"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\{first netsvcs}
Start = "2"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\{first netsvcs}
ErrorControl = "1"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\{first netsvcs}
ImagePath = "%SystemRoot%\system32\svchost.exe -k netsvcs"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\{first netsvcs}
DisplayName = ".NET Runtime Optimization Service v2.086521.BackUp_X86"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\{first netsvcs}
ObjectName = "LocalSystem"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\{first netsvcs}
Description = "Microsoft .NET Framework NGEN"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\{first netsvcs}\Parameters
ServiceDll = "%Windows%\ime\wmimachine2.dll"

Other Details

This Trojan connects to the following possibly malicious URL:

• http://{BLOCKED}tsexy.dns-dns.com:443/index.asp
• http://{BLOCKED}n.ddns.us:443/index.asp