PUA:Win32/Packunwan is a generic detection of potentially unwanted program that uses software packing. It can range from being just annoying to creating a severe threat to the system safety. Depending on this, the degree of damage to the system will vary.
Usually, these unwanted programs are distributed as “recommended software” in freeware, shareware or cracked installers. The name “Packunwan” stands for the unwanted program that uses packing, which makes the analysis more complicated. Programs detected with this name are almost always some no-name tools or duplicates of other programs.
PUA:Win32/Packunwan Overview
The PUA:Win32/Packunwan is a potentially unwanted application (PUA) detection. However, the analysis of samples collected on the Web revealed much more malicious functionality. Due to the diverse nature of reports, it is challenging to ascertain their precise behavior without in-depth analysis. At the same time, this unwanted program was not attributed to any known developer or company, leading to speculation that these programs may be of dubious origin.
While PUAs are not necessarily viruses, they can still be disruptive and pose security risks. Packunwan typically displays unwanted advertisements on your computer. It can also track your browsing activity and change your browser settings. Among the most noticeable is the change to your homepage or search engine.
On the other hand, the behavior of this program is in fact far beyond “showing unwanted ads”. Reviewing the sample shows that it collects way too much system information, which in combination with packing and detection evasion makes it look fishy. The overall activity of Packunwan can lead to compromised privacy and malware injection.
Packunwan Technical Analysis
As I’ve just said, while analyzing Packunwan malware samples, I’ve seen a lot of questionable actions. In particular, it collects way too much info about the system. Not enough to call it a spyware, but still more than I would consider acceptable. Also, its networking is outright strange, bordering with what you would expect from dropper malware. Even though not all samples were like this, there was a consistent behavior pattern.
Launch & System Discovery
Upon execution, the reviewed Packunwan sample checks the computer’s location settings for no obvious reason. This is the standard behavior for a malware, but not a “driver updater”. To do this, it queries the registry for specific values related to country code configurations.
After that, the program starts gathering system information. By checking the selection of registry entries and system functions querying, it retrieves the list of installed software, OS information and system drivers. The latter is needed for the functionality of the “driver updater”, but can also be useful to discover whether the system is a virtual machine.
One anti-analysis trick that I am sure about is checking the disk info through the registry query. The malware checks SCSI registry keys, which uncover whether it is a virtual disk space created by a sandbox environment or a virtual machine. SCSI technology is not supported these days, and it is unlikely for a geek who tries to play with geriatric hardware to use questionable apps.
HKLM\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001
HKLM\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000
Persistence and Detection Evasion
PUA:Win32/Packunwan uses various obfuscation techniques to dodge the detection. As its name implies, its files are packed, i.e. compressed and encryted. The sample I reviewed encrypted data using RC4 PRGA. Additionally, it attempts to conceal itself by creating files in user directories with extensions that do not match the file type. It at the same time disguises the payload as a part of the “driver updater” files.
For persistence, the program creates Windows services and adds entries to Registry Run keys/startup folders. While being a rather widespread step, it remains effective, especially in poorly-protected systems. Packunwan also does not allow you to opt out the startup from the interface – a common practice among unwanted programs.
Network Communications
I’ve mentioned that Packunwan is usually distinctive for its networking activity. Though, not every sample had that much of strange things happening in the background as the one I had a deeper look on. Throughout a short period of time, it performs consequent access to the remote server. You can see the example of one of these messages below:
Sure enough, driver updaters should get the drivers they are about to install somewhere. But as far as I’m aware, not even a single program creates that much chaos in networking logs. It is either a poor software design, or the attempt to conceal something by blending it into this mess.
How To Remove PUA:Win32/Packunwan
You will need an antimalware tool to remove PUA:Win32/Packunwan. I recommend GridinSoft Anti-Malware – it will be the optimal solution in such a case. You should run a full scan, whether it is an adware PUA or a dropper. It might take a little longer, but it will guarantee a more effective cleaning.
