Friday, 20 November 2009
Visual Look At How The Trojan.Popuper Infection Works

by Crecia Scovill

Trojan.Popuper, or the "popuper" infection, is very common on the Internet these days. It is most commonly spread through pornographic sites and peer-to-peer file sharing systems. Popuper takes advantage of the widespread use of ActiveX controls for media content (more on this topic can be found in the article Codec Craze): the "missing" component the site asks the visitor to install is the trojan's installer. Once the infection is installed, the user begins receiving popups and warnings claiming that the computer is infected. These warnings urge the user to download and purchase any of a number of anti-spyware or anti-virus programs, all of which are rogue applications themselves. Trojan.Popuper will even hijack the user's homepage to apply further pressure to install the rogue applications.

 

This article takes a look at how a user contracts the popuper infection, with images of each step of the process. Trojan.Popuper is often installed alongside many other infections as well as rogue protection or security software, so some of the icons or messages shown here may belong to the rogue applications installed with popuper rather than to popuper itself. This particular encounter with popuper began at a pornographic web page that prompted installation of a supposedly required ActiveX component in order to view its free videos.

The site used to contract this version of the popuper infection was a free pornographic web page with many picture previews for a multitude of free videos, spread across multiple pages of different types of pornography. When a user clicks on one of these pictures to try to watch the associated video, a window like this appears:

Image

Notice the white text saying "Windows Media Player cannot play video file. Click here to download missing Video ActiveX Object." The media file will not play without this supposed ActiveX Object; the page simply sits on that screen until the user clicks the hyperlink to install it. Note that this "error" is drawn inside the web page itself rather than produced by the media player, which is the first sign that it is a lure. Once the user clicks the link they get one or two download prompts similar to this:

Image

If the user cancels, they still cannot view the video. Once the installer file runs and the installation begins, the user sees this End User License Agreement (EULA):

Image

It is always important that a user carefully examine the End User License Agreement before installing software, especially any of the free programs that are out there. Often the EULA will state whether any applications are bundled with the freeware, whether the freeware displays advertisements or tracks information, and what other possibly undesirable actions the software may take. The key points of this EULA are the bundled software and the disclaimer of responsibility for any damage (including loss of use, data, or profits) that may result from the software or any of the third-party software bundled with it. Here is a small clip from their EULA:

"SOFTWARE INSTALLATION: Components bundled with our software may report to Licensor and/or its affiliates the installation status of certain marketing offers, such as toolbars, and also generalized installation information, such as language preference and operating system version, to assist Licensor in its product development. No personal information will be communicated to Licensor or its affiliates during this process. Licensor may offer additional components through our version checking/update system. These components include:

(a) "Internet Explorer Secure Plug-in": Internet Explorer toolbar that protects your computer while you browse by setting high level of security for suspicious hosts.

(b) "Security Messenger": Popup advertising module that opens Internet Explorer ad windows when you are connected to internet.

(c) "Browser Protection Volume": your Internet Explorer homepage will be changed.

(d) Security software: antivirus/antispyware application."


Though this EULA is fairly forthright in describing actions like bundling and advertising, many other programs mention such actions only vaguely, fail to mention them at all, or bypass the EULA altogether. Users should be EXTREMELY cautious if no license agreement and/or terms of use appear in the first steps of an installation or before the installation begins. It is also wise to research a program before installing it: search the Internet or consult others about the program and see what they are saying about it.

Once the user accepts the EULA for the "ActiveX Object", the software installs. In this case it restarted Internet Explorer and closed the windows that were open. After it finished, the following dialog box appeared:

Image

After installation there were several new programs on the computer, including the Trojan.Popuper infection. As a side note, the site does in fact let the user view the videos after the components are installed, if the user can find their way back to the site. It is unlikely, though, that the video clips are worth all of the trouble caused by the applications and related infections installed in order to view them.

The popuper infection displays a flashing icon in the taskbar. With the taskbar in its default position at the bottom of the screen, the icon appears in the right-hand corner, in the notification area next to the clock. Below is a picture of the two images that the icon flashes between:

Image

From this icon, popuper displays a "System Alert!" telling the user that it has detected a number of active spyware applications and encouraging them to click on the icon in order to get rid of the spyware. If clicked, the icon opens the browser and sends the user to a rogue anti-spyware site that applies additional pressure to download and purchase its program. The site it sends users to changes often, as do the infection and the applications installed with it. Below is an image of what the "System Alert!" looks like:

Image

Another icon and system alert may also appear. These alerts are more detailed, giving specifics such as the name of an infection, what type of infection it is, and which systems are vulnerable. The alert encourages the user to click on the "balloon" to download security software to protect the computer. An example of the detailed "System Alert" is provided below:

Image

If the user tries to access the Internet through Internet Explorer (IE), they get a Microsoft Internet Explorer "Warning!" telling them about an infection. This is believed to come from the "Security Messenger" program mentioned in the EULA. It again recommends that the user download some approved security software to fix or protect the computer. The window looks something like this:

Image

Closing the window with the close button in the top right-hand corner lets the user see the hijacked IE homepage, most likely the work of the "Browser Protection Volume" feature listed in the EULA. The page lists "Official Partners" that will supposedly remove the infections on the user's system and/or help protect against vulnerabilities, along with a section to "Scan and Protect Your PC". It displays a number of pieces of information designed to frighten the user into thinking that their computer and identity are at risk. For the most part this information is simply what any web site can see from the user's browser and IP address; it is nothing to worry about and does not mean the site has any special access to the computer. The supposed "Internet Security" page looks something like this:

Image

There is also a toolbar often associated with the popuper infection, called the "Internet Explorer Secure Plug-in" or the Protection Bar. It can be seen in the picture above. Below is a closer look at this toolbar:

Image
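The homepage hijack and the added toolbar described in the two sections above both live in well-known Internet Explorer registry locations, so they are easy to check for. The script below is an added example, not code from the article or from StopSign: it compares the IE start/search page values against a list of hosts the user considers legitimate and compares the registered toolbar and Browser Helper Object CLSIDs against a baseline taken from a clean machine. The registry key paths are the standard IE ones; the sample values, the hijack URL, the hostnames and the CLSIDs are constructed for illustration.

```python
"""Check the Internet Explorer settings that a homepage hijacker and an
unwanted toolbar change. Added example, not StopSign's or the page's code.
Registry locations are the standard IE ones; the URLs, CLSIDs and host
names in the constructed sample below are made up."""
import sys
from urllib.parse import urlparse

IE_MAIN = r"Software\Microsoft\Internet Explorer\Main"
IE_TOOLBAR = r"Software\Microsoft\Internet Explorer\Toolbar"
BHO_KEY = r"Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"

# Values under IE_MAIN that hijackers typically rewrite.
PAGE_VALUES = ("Start Page", "Default_Page_URL", "Search Page", "Local Page")

# Constructed sample of what a hijacked HKCU\...\Main might hold.
SAMPLE_MAIN = {
    "Start Page": "http://internet-security-scan.test/?aff=42",   # hijacked value
    "Default_Page_URL": "http://go.microsoft.com/fwlink/?LinkId=69157",
    "Search Page": "http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch",
    "Local Page": r"C:\WINDOWS\system32\blank.htm",
}
# Constructed: CLSIDs registered as toolbars/BHOs on the suspect machine,
# and the baseline recorded earlier from a clean machine of the same build.
SAMPLE_ADDONS = ["{11111111-1111-1111-1111-111111111111}",
                 "{22222222-2222-2222-2222-222222222222}"]
CLEAN_BASELINE = ["{11111111-1111-1111-1111-111111111111}"]


def check_start_pages(main_values, allowed_hosts):
    """Return [(value_name, url)] for http(s) page values whose host is
    neither an allowed host nor a subdomain of one."""
    findings = []
    for name in PAGE_VALUES:
        parts = urlparse(main_values.get(name, ""))
        if parts.scheme not in ("http", "https"):
            continue                        # about:blank, res://, local files
        host = (parts.hostname or "").lower()
        if not any(host == h or host.endswith("." + h) for h in allowed_hosts):
            findings.append((name, main_values[name]))
    return findings


def check_addons(registered, baseline):
    """Return toolbar/BHO CLSIDs that the clean baseline did not contain."""
    known = {c.upper() for c in baseline}
    return sorted(c.upper() for c in registered if c.upper() not in known)


def read_live_settings():
    """Collect the same data from the live registry (Windows only)."""
    import winreg
    main = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, IE_MAIN) as key:
        for name in PAGE_VALUES:
            try:
                main[name] = winreg.QueryValueEx(key, name)[0]
            except OSError:
                pass                        # value not set on this machine
    addons = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, IE_TOOLBAR) as key:
        i = 0
        while True:                         # toolbar CLSIDs are value names
            try:
                addons.append(winreg.EnumValue(key, i)[0])
            except OSError:
                break
            i += 1
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, BHO_KEY) as key:
        i = 0
        while True:                         # BHO CLSIDs are subkey names
            try:
                addons.append(winreg.EnumKey(key, i))
            except OSError:
                break
            i += 1
    return main, [a for a in addons if a.startswith("{")]


if __name__ == "__main__":
    if sys.platform == "win32":
        main, addons = read_live_settings()
    else:                                   # off Windows, run on the sample
        main, addons = SAMPLE_MAIN, SAMPLE_ADDONS
    for name, url in check_start_pages(main, ("microsoft.com", "msn.com")):
        print("hijacked %s: %s" % (name, url))
    for clsid in check_addons(addons, CLEAN_BASELINE):
        print("unexpected toolbar/BHO: %s" % clsid)
```

The CLSID comparison deliberately uses a baseline from a known-clean machine rather than a hard-coded list of "good" add-ons, because legitimate toolbars vary from machine to machine and the rogue ones change their identifiers often; any CLSID that was not there before the infection is worth looking up.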

A number of other popups also appear on the computer, which seem to be courtesy of the "Security Messenger" mentioned in the EULA. Quite a few of these popups try to look like official Microsoft Windows applications, warnings, or dialog boxes. Each tells the user in some way that they are at risk and tries to trick them into installing some security software. Some of these popups include:

Image

Image

Image

Though popuper causes little direct damage to the system and behaves a lot like adware, it should not be considered harmless. One of the main risks is that popuper prompts users to install rogue applications, which in turn pressure the user to purchase the application to fix the "problem". Users who actually purchase the software often find that it did not fix anything and that they have paid money for a bogus product. Beyond that, some if not all parts of popuper can access the web and communicate with servers, so what is installed today can be replaced or supplemented tomorrow. If a user encounters this infection, it is advised that they avoid financial and other personal transactions on that computer until the infection is cleaned off the system. Users should never install applications that unexpectedly prompt for installation, and should never purchase a program without thoroughly researching it.

Though the EULA states that the software is easily uninstalled:

"SOFTWARE UNINSTALLATION: Components bundled with our software may be uninstalled with the help of "Add or Remove Programs" tool in Windows Control Panel. To remove software or any of its components click on a component's name (see above) in the Add or Remove Programs list."

this is simply not the case. Most of the software components mentioned in the EULA, including the rogue protection software that may or may not have been installed, will uninstall in a fairly simple manner. After uninstallation, however, the user still receives popups stating that they are infected. These popups often send the user to the site of a rogue protection product, either the same company it originally installed or one of the many other programs it has offered in the past. The remaining component is the Trojan.Popuper infection itself. The main .dll component of popuper loads itself into memory, injects itself into running processes, and often protects itself from detection, preventing many security programs from cleaning the infection; because it runs inside other processes rather than as a program of its own, the Add or Remove Programs route described in the EULA does not get rid of it. More information on the Trojan.Popuper infection can be found here. The popuper infection is constantly being updated and infects more users every day.
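A DLL that has been injected into running processes is easiest to spot by the pattern the paragraph above describes: one module, not a Windows system file, loaded into several unrelated processes. The script below is an added example, not a StopSign tool or anything from the article. It parses the text output of a module-listing tool and flags DLLs that live outside the trusted system directories, are not beside their host's own executable, and appear in more than one process. The sample listing is constructed to mimic the layout of Sysinternals' listdlls output (a "name pid: N" header, then one line per module with base, size and full path); the process set, the user profile path and the names helper.dll and plugin.dll are made up. On a real machine, save the tool's output to a file and pass it to parse_module_listing.

```python
"""Triage a module listing for the injection pattern described above:
a DLL that is not a Windows system file yet is loaded into several
unrelated processes. Added example, not a StopSign tool; the sample
listing, process set, user name, helper.dll and plugin.dll are all
constructed (the layout mimics Sysinternals' listdlls text output)."""
import ntpath
import re
from collections import defaultdict

# Directories whose DLLs are treated as expected in every process.
# Assumption: a 32-bit Windows XP layout as in the article; widen as needed.
TRUSTED_PREFIXES = (
    r"c:\windows\system32" + "\\",
    r"c:\windows\winsxs" + "\\",
    r"c:\program files\common files" + "\\",
)

HEADER_RE = re.compile(r"^(?P<proc>\S+)\s+pid:\s+(?P<pid>\d+)\s*$")
MODULE_RE = re.compile(r"^\s*0x[0-9a-f]+\s+0x[0-9a-f]+\s+(?P<path>\S.*?)\s*$", re.I)

# Constructed sample. helper.dll sits under the user profile and is loaded
# into all three processes; plugin.dll is loaded into one process only.
SAMPLE_LISTING = r"""
------------------------------------------------------------------------------
explorer.exe pid: 1332
Command line: C:\WINDOWS\Explorer.EXE

  Base        Size      Path
  0x01000000  0xff000   C:\WINDOWS\Explorer.EXE
  0x7c900000  0xb2000   C:\WINDOWS\system32\ntdll.dll
  0x10000000  0x2c000   C:\Documents and Settings\user\Application Data\xyz\helper.dll
------------------------------------------------------------------------------
iexplore.exe pid: 1480
Command line: C:\Program Files\Internet Explorer\IEXPLORE.EXE

  Base        Size      Path
  0x00400000  0x19000   C:\Program Files\Internet Explorer\IEXPLORE.EXE
  0x7c900000  0xb2000   C:\WINDOWS\system32\ntdll.dll
  0x71ab0000  0x17000   C:\WINDOWS\system32\WS2_32.dll
  0x01a00000  0x0e000   C:\Program Files\Some Vendor\plugin.dll
  0x10000000  0x2c000   C:\Documents and Settings\user\Application Data\xyz\helper.dll
------------------------------------------------------------------------------
winlogon.exe pid: 624
Command line: winlogon.exe

  Base        Size      Path
  0x01000000  0x80000   C:\WINDOWS\system32\winlogon.exe
  0x7c900000  0xb2000   C:\WINDOWS\system32\ntdll.dll
  0x10000000  0x2c000   C:\Documents and Settings\user\Application Data\xyz\helper.dll
"""


def parse_module_listing(text):
    """Return {(process_name, pid): [module_path, ...]}; the process image comes first."""
    modules = {}
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = (m.group("proc").lower(), int(m.group("pid")))
            modules[current] = []
            continue
        m = MODULE_RE.match(line)
        if m and current is not None:
            modules[current].append(m.group("path"))
    return modules


def is_trusted(path):
    """True for modules under the directories listed in TRUSTED_PREFIXES."""
    return path.lower().startswith(TRUSTED_PREFIXES)


def find_injected_modules(modules, min_processes=2):
    """Map each suspicious DLL path (lower-cased) to the sorted names of the
    processes it is loaded into. Suspicious means: outside the trusted
    directories, not located beside the host's own executable (so an
    application's own plug-ins are not flagged), and present in at least
    min_processes distinct processes."""
    hosts = defaultdict(set)
    for (proc, _pid), paths in modules.items():
        if not paths:
            continue
        exe_dir = ntpath.dirname(paths[0].lower())
        for path in paths[1:]:
            lower = path.lower()
            if not lower.endswith((".dll", ".ocx")) or is_trusted(lower):
                continue
            if ntpath.dirname(lower) == exe_dir:
                continue
            hosts[lower].add(proc)
    return {path: sorted(procs)
            for path, procs in hosts.items() if len(procs) >= min_processes}


if __name__ == "__main__":
    for path, procs in find_injected_modules(parse_module_listing(SAMPLE_LISTING)).items():
        print("suspect %s loaded into %s" % (path, ", ".join(procs)))
```

A hit from this heuristic is a lead, not a verdict: a legitimate shell extension or input-method DLL can also appear in many processes, so confirm by checking the file's publisher signature and where it is registered to load from before removing it.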

Though nothing short of staying off the Internet can guarantee that a user never contracts an infection, there are steps that lower the chances. Keeping a computer up to date, using safe surfing habits, and having protection software and/or hardware are very good starters. Users should keep their computers up to date by making sure that all security updates and system patches for their operating system are installed. Safe surfing habits matter especially when using freeware programs, free service sites, or peer-to-peer file sharing. Many security experts advise logging into a non-administrator account for everyday use and for any non-secure Internet activity, so that an infection that does get in has fewer permissions to exploit: a standard user cannot write to the Windows system directories or to machine-wide registry settings, which limits where an installer like the one shown above can put itself. Users should also have up-to-date anti-virus and anti-spyware applications as well as a firewall and possibly a real-time scanner. The StopSign Computer Protection Service has all of these components, as well as some non-security features, available to its members.*

The StopSign Anti-Virus Research group constantly updates StopSign's virus and spyware definitions to keep up with infections such as Trojan.Popuper and the rogue protection/security applications often installed with it. StopSign's real-time tech support lets us work with customers to see new outbreaks as they happen and to clean infections with Custom Cleaners before the new definitions are even added to the scanner. This keeps StopSign ahead of competitors who must wait for their updates to be uploaded and added to their software. We can assist our users immediately through this Custom Cleaning process.

 

*Currently not all features are compatible with Windows Vista, but our development team is working on creating Vista compatible versions of all of our products.


 
