"peper" trojan

[Hanna Lillico]

Yeah, know it sounds funny misspelled like that, but that's what it's
called - it's the Germanic (cent. europ.) way of spelling "pepper" I guess.

Anyway, I just apparently had it on one of my LAN stations, and it took me
all of last night and most of today to find out anything about it, so after
the fact, I wondered if anybody else had any experience with it.

The bad files show up in the Task Manager Processes window, and the giveaway
is they change CPU usage from 0 up to 6%, once every second, on the clock.
The files, with names like rbii.exe, WofE5.exe and UrghOY.exe, change in
size with each blink, running around 4 megs.

Since the names are random, and often change with each boot, it's hard to do
a Google on the files, but I got lucky and found a long list on Wilders
Security Forum with a couple of familiar names, which gave me the Trojan's
name, which eventually led me to www.mjc1.com/files/peperpage/ which had the
removal process steps. They worked and my CPU usage is stable again. A
search of the SARC site for anything related to this trojan or its files
turned up nothing - apparently unknown to them.

Now, after the dust has settled, I'm starting to think - since my entire
Internet search produced only 1 site with a remedy, perhaps the writers were
in fact the authors of the Trojan...? Did I in fact trade a pesky popup
spawner for a more pernicious program that installed something heavy while
it was (helpfully) ferreting out the last of the Peper files? The page
above gives exact advice on deleting the infected Registry keys, but the
actual infected .exe apparently needs the Uninstaller provided at the bottom
of the page.

Am I being paranoid here, simply because I saw "Enemy Of The State" last
night on TV, or is that site legit? Again, has anyone else had to deal with
this particular Trojan?

~RL

 

[charles]

On Tue, 20 Apr 2004 07:54:15 GMT, "Hanna Lillico"

Am I being paranoid here, simply because I saw "Enemy Of The State" last
night on TV, or is that site legit? Again, has anyone else had to deal with
this particular Trojan?

~RL

AKA Sandboxer. I ran into it recently and it is a real pain to find and
kill. Luckily there are automated uninstallers that do the job.

Googling per these links located solutions:

http://www.google.com/search?q=2LRX2W83X2T3MQ&btnG=Google+Search
http://www.google.com/search?q=peper trojan&btnG=Google+Search

 

[FromTheRafters]

[snipped "peper" description]

Sounds like this:

http://www.sophos.com/virusinfo/analyses/trojpepera.html

Am I being paranoid here, simply because I saw "Enemy Of The State" last
night on TV,

It's kind of an 'eye opener' - but it *is* a little over the top.

One man's 'healthy paranoia' is another's unwelcome FUD.

or is that site legit?

The time to ask about legitimacy is *before* downloading
and executing programs on your machine. ;o)

 

[Rustiferion]

Thanks, both of you

Computer Cops had the Sandboxer, which had "Peper.Trojan" as an alias. The
removal instructions were similar, (although the mjc1.com site version was
easier to follow) so that was it, I reckon.

Although the registry is clean and Trojan is not running, I'm still
concerned about residual files, a few of which I have found. Since the
machine is not my own (my preteen daughter's, could you tell?) I'm not sure
what files are supposed to be there, ya know? The one I'm concerned about
now is jklz.exe, which has been asking my firewall for internet access. I
have not been able to find a reference in any search, anywhere. The
filename hasn't changed, so it may not be associated with Peper after all,
but does anyone else have this one? It's in the System32 folder.

~RL

 

[FromTheRafters]

Thanks, both of you

Don't thank me yet. :Oo

Although the registry is clean and Trojan is not running, I'm still
concerned about residual files...[...]...

This trojan may or may not have been associated with something
as relatively benign as adware. All that is known (I assume) is that
it had been installed. It is sort of like forgetting to close your door
(around here you can have all sorts of woodland creatures inside
your home after doing so), and then upon finding it standing open
you close it. It takes care of the vulnerability, but the raccoons can
still be eating all of the catfood.

 

[onoma]

Yeah, know it sounds funny misspelled like that, but that's what it's
called - it's the Germanic (cent. europ.) way of spelling "pepper" I guess.

Anyway, I just apparently had it on one of my LAN stations, and it took me
all of last night and most of today to find out anything about it, so after
the fact, I wondered if anybody else had any experience with it.

The bad files show up in the Task Manager Processes window, and the giveaway
is they change CPU usage from 0 up to 6%, once every second, on the clock.
The files, with names like rbii.exe, WofE5.exe and UrghOY.exe, change in
size with each blink, running around 4 megs.

Since the names are random, and often change with each boot, it's hard to do
a Google on the files, but I got lucky and found a long list on Wilders
Security Forum with a couple of familiar names, which gave me the Trojan's
name, which eventually led me to www.mjc1.com/files/peperpage/ which had the
removal process steps. They worked and my CPU usage is stable again. A
search of the SARC site for anything related to this trojan or its files
turned up nothing - apparently unknown to them.

Now, after the dust has settled, I'm starting to think - since my entire
Internet search produced only 1 site with a remedy, perhaps the writers were
in fact the authors of the Trojan...? Did I in fact trade a pesky popup
spawner for a more pernicious program that installed something heavy while
it was (helpfully) ferreting out the last of the Peper files? The page
above gives exact advice on deleting the infected Registry keys, but the
actual infected .exe apparently needs the Uninstaller provided at the bottom
of the page.

Am I being paranoid here, simply because I saw "Enemy Of The State" last
night on TV, or is that site legit? Again, has anyone else had to deal with
this particular Trojan?

~RL

I also was affected by this trojan last week. I used the same site to
remove it, referred by Hijackthis support at Net integration. This trojan
slowed everything down and kept installing search bars, and crapware. I'm
glad to have gotten rid of it. Interestingly enough, none of my troubles
started til my pre-teen installed AIM.

Onoma

 

[Rustiferion]

This trojan may or may not have been associated with something
as relatively benign as adware. All that is known (I assume) is that
it had been installed. It is sort of like forgetting to close your door
(around here you can have all sorts of woodland creatures inside
your home after doing so), and then upon finding it standing open
you close it. It takes care of the vulnerability, but the raccoons can
still be eating all of the catfood.

That's why I'm watching the pet door closely, and would like to know why
"jklz" wants to get out. I suppose I could just delete it and tell my
daughter it's TS when she can't get back into her online horse game.

I don't assume for a moment that Peper was either simple adware or benign,
in fact I'm assuming it was malignant: Sandboxer is mostly a popup spawner
but Peper is a keylogger Trojan and I can only proceed assuming that the
security on my entire LAN has been breached. Password changes are underway,
but it will do no good if the logger is still trying to phone home...

~RL

 

[Rustiferion]

I also was affected by this trojan last week. I used the same site to
remove it, referred by Hijackthis support at Net integration. This trojan
slowed everything down and kept installing search bars, and crapware. I'm
glad to have gotten rid of it. Interestingly enough, none of my troubles
started til my pre-teen installed AIM.

Onoma

My daughter is on Yahoo IM, and has been for a while, so I can't drop this
on their doorstep. At the moment, she claims complete innocence, so no
forensic help there...

Are you watching your firewall? Is anything unpronounceable trying to get
out on the internet? Did HJT tell you the post-action log was clean? I
haven't sent in a report yet (it's a guy thing, I guess: I don't need no
stinking help!) but I probably should. This last perhaps-orphaned file has
me worried...

~RL

 

[onoma]

My daughter is on Yahoo IM, and has been for a while, so I can't drop this
on their doorstep. At the moment, she claims complete innocence, so no
forensic help there...

Are you watching your firewall? Is anything unpronounceable trying to get
out on the internet? Did HJT tell you the post-action log was clean? I
haven't sent in a report yet (it's a guy thing, I guess: I don't need no
stinking help!) but I probably should. This last perhaps-orphaned file has
me worried...

~RL

Well, being a girl, I have no problem asking for help or even for directions


Please see my thread on net-integration:
http://forums.net-integration.net/index.php?showtopic=13253

I am completely clean now, no problems at all and no indication of nasties
trying to enter my system.

Onoma

 

[FromTheRafters]

That's why I'm watching the pet door closely, and would like to know why
"jklz" wants to get out. I suppose I could just delete it and tell my
daughter it's TS when she can't get back into her online horse game.

You could submit the file to further scrutiny, but sometimes malware
uses legitimate programs to do its work.

I don't assume for a moment that Peper was either simple adware or benign,
in fact I'm assuming it was malignant: Sandboxer is mostly a popup spawner
but Peper is a keylogger Trojan and I can only proceed assuming that the
security on my entire LAN has been breached. Password changes are underway,
but it will do no good if the logger is still trying to phone home...

It sounds like you have a good understanding. So many people get
confused about this sort of thing that I thought it worth mentioning.
In most cases the recommendation for recovery after compromise
is to start from scratch - completely rebuild the software platform.