June 13, 2008 8:42:48 PM
Infection Length: 721,920 bytes
Synatix GmbH
Risk Impact:
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Vista, Windows XP
This security risk must be manually installed.

Once executed, the security risk creates the following files:
  • %UserProfile%\Start Menu\Programs\peppi_vorlagen\peppi (Vorlagen-Wizzard).lnk
  • C:\Program Files\peppi_vorlagen\license.txt
  • C:\Program Files\peppi_vorlagen\lisys.exe
  • C:\Program Files\peppi_vorlagen\peppi.exe
  • C:\Program Files\peppi_vorlagen\uninstall.bat
  • %Windir%\system\host.exe

The security risk creates the following registry entry, so that it runs every time Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"vhost" = "%System%\host.exe"

It then creates the following registry entries:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\peppi (Vorlagen-Wizzard)\"DisplayName" = "peppi (Vorlagen-Wizzard)"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\peppi (Vorlagen-Wizzard)\"UninstallString" = "C:\Program Files\peppi_vorlagen\lisys.exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\"AutoConfigURL" = "file://%UserProfile%\Application Data\proxy.pac"
  • HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\"EnableAutoProxyResultCache" = "0"

It then contacts the following remote location for instructions:

The security risk may also perform the following actions:
  • May modify the contents of search-engine pages
  • May display advertising
  • May change the browser home page
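
A read-only PowerShell check for the files and registry values listed above, added here as an example and not part of the original write-up. It assumes the write-up's %System% means the Windows system directory; the helper names Add-Finding and Get-RegValue are this example's own.

```powershell
# Added example: read-only triage for the artifacts listed in this write-up.
# Assumption: the write-up's %System% is the Windows system directory.
$found = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Kind, [string]$Location, [string]$Detail) {
    $found.Add([pscustomobject]@{ Kind = $Kind; Location = $Location; Detail = $Detail })
}

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns nothing when the key or the value is absent.
    $p = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $p) { $p.$Name }
}

# 1. Files created by the installer (paths as given on the page)
$files = @(
    (Join-Path $env:USERPROFILE 'Start Menu\Programs\peppi_vorlagen\peppi (Vorlagen-Wizzard).lnk'),
    'C:\Program Files\peppi_vorlagen\license.txt',
    'C:\Program Files\peppi_vorlagen\lisys.exe',
    'C:\Program Files\peppi_vorlagen\peppi.exe',
    'C:\Program Files\peppi_vorlagen\uninstall.bat',
    (Join-Path $env:windir 'system\host.exe'),
    (Join-Path ([Environment]::SystemDirectory) 'host.exe')
)
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) { Add-Finding 'File' $f 'present' }
}

# 2. Autorun value "vhost" under the per-user Run key
$run = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$v = Get-RegValue $run 'vhost'
if ($v) { Add-Finding 'Autorun' "$run\vhost" $v }

# 3. Browser proxy auto-config pointed at a local proxy.pac, with result caching disabled
$inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$pac = Get-RegValue $inet 'AutoConfigURL'
if ($pac -like 'file://*proxy.pac') { Add-Finding 'Proxy' "$inet\AutoConfigURL" $pac }

$pol = 'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
$cache = Get-RegValue $pol 'EnableAutoProxyResultCache'
if ($null -ne $cache -and "$cache" -eq '0') { Add-Finding 'Proxy' "$pol\EnableAutoProxyResultCache" '0' }

# 4. Uninstall entry registered by the installer
$unin = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\peppi (Vorlagen-Wizzard)'
if (Test-Path -LiteralPath $unin) { Add-Finding 'Uninstall' $unin (Get-RegValue $unin 'UninstallString') }

if ($found.Count) { $found | Format-List } else { 'No listed artifacts found.' }
```

Run it in the session of the user being examined, because the Run and Internet Settings values are under HKEY_CURRENT_USER. On 64-bit Windows a 32-bit installer's HKEY_LOCAL_MACHINE entries and Program Files paths are redirected to WOW6432Node and Program Files (x86), so those variants may need checking as well.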
