PUM.bad.proxy

Type: malware
Subtype: Windows Registry hack
Isolation: 2011-01-22
Port(s) used: 6522, among others
Operating system(s) affected: Microsoft Windows, Internet Explorer

PUM.bad.proxy is a form of malware known as a "registry hack", an unauthorized alteration to the Windows Registry that specifically redirects the LAN settings of Internet Explorer, the web browser commonly installed as the default browser for Microsoft Windows. First spotted by users of Malwarebytes' Anti-Malware security software on 22 January 2011,[1] it was reported to Malwarebytes Software over 200 times on the first day alone.

Details

The name is assigned by Malwarebytes' Anti-Malware and is not the specific name of a unique virus or hack. "PUM" stands for "Potentially Unwanted Modification", and "bad.proxy" identifies the modification. The ability to search for and alert a user to "Potentially Unwanted Modifications" was added to Malwarebytes in November 2010. It is likely that the first day users began reporting PUM.bad.proxy was not the first day the hack existed, but rather the first time Malwarebytes could alert a user to the vulnerability.[2] Also, the fact that the proxy server is often not active when Malwarebytes alerts a user to its presence may indicate that it is a remnant of a virus, hack, or other malicious software that had previously been removed or quarantined.

The hack alters the proxy server address setting to redirect web access requests back to the computer's own loopback address, 127.0.0.1, effectively cutting the computer off from access to the internet. Its origin and method of propagation are currently unknown. The altered registry setting only affects users of Internet Explorer (including the most recent version, Internet Explorer 9); other browsers such as Firefox do not depend upon this specific Windows Registry item for proxy address and port settings.

Registry value affected

The affected registry value is HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer. This value is set to "127.0.0.1", the loopback address that refers to the computer itself. Various port numbers have been reported.
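
A read-only check for this modification, given here as an added example that is not part of the original article or of any Malwarebytes code: it parses a ProxyServer string and reports entries that point at a loopback address. It assumes the value uses the `host:port` or `scheme=host:port;...` forms and that the `ProxyEnable` value in the same key says whether the proxy setting is in use; the function names and sample strings are constructed for illustration.

```python
import ipaddress
import sys

KEY_PATH = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings"
# Constructed sample (ProxyServer, ProxyEnable) pairs for offline runs.
SAMPLES = [("127.0.0.1:6522", 1), ("http=127.0.0.1:6522;https=127.0.0.1:6522", 0),
           ("proxy.example.internal:8080", 1), ("", 0)]

def parse_proxy_server(value):
    """Return (scheme, host, port) per entry; scheme is None for plain host:port."""
    entries = []
    for part in filter(None, (p.strip() for p in value.split(";"))):
        scheme, sep, addr = part.partition("=")
        if not sep:                        # single proxy for all protocols
            scheme, addr = None, part
        addr = addr.split("://", 1)[-1]    # tolerate a URL-style prefix
        host, sep, port = addr.rpartition(":")
        if not sep:                        # no port given
            host, port = addr, ""
        entries.append((scheme, host.lower(), int(port) if port.isdigit() else None))
    return entries

def is_loopback(host):
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback   # all of 127.0.0.0/8
    except ValueError:                     # a hostname, not an IP literal
        return False

def assess(proxy_server, proxy_enable):
    """Return (state, loopback_entries); state is clean, enabled or disabled."""
    hits = [e for e in parse_proxy_server(proxy_server or "") if is_loopback(e[1])]
    if not hits:
        return "clean", []
    return ("enabled" if proxy_enable else "disabled"), hits

def read_current_user():
    """Read the live values (Windows only); missing values read as unset."""
    import winreg
    def get(key, name, default):
        try:
            return winreg.QueryValueEx(key, name)[0]
        except FileNotFoundError:
            return default
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, KEY_PATH) as key:
        return get(key, "ProxyServer", ""), get(key, "ProxyEnable", 0)

if __name__ == "__main__":
    pairs = [read_current_user()] if sys.platform == "win32" else SAMPLES
    for server, enable in pairs:
        print(repr(server), enable, assess(server, enable))
```

A "disabled" result corresponds to the leftover case described under Details, where the loopback entry is present but the proxy is not in use.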

References

  1. "PUM.bad.proxy". malwarebytes.com. Retrieved 2011-05-17.
  2. "New Malware Floating Around". CPAP Talk. Retrieved 2011-08-16.