PUADLManager:Win32/Sepdot


PUADLManager:Win32/Sepdot is a potentially unwanted application that installs additional software. The PUADlManager prefix is Microsoft's category for download managers and bundlers, i.e. software whose main job is to fetch and install other programs rather than to do anything useful itself. Sepdot is most often packed into freeware installers or pirated software.

Potentially unwanted applications may look less dangerous than outright malware, but they still cause real problems. Intrusive advertisements, tracking of the user's online activity and harvesting of personal information are the most common symptoms. Sepdot should be removed as promptly as anything else an antivirus flags.

PUADLManager:Win32/Sepdot Overview

PUADLManager:Win32/Sepdot is the name Microsoft Defender uses for this family of potentially unwanted download managers. As the name suggests, the unwanted application is a package installer. It is most often distributed inside freeware applications or pirated software. What sets such installers apart is that the downloading of additional software happens in the background, without an explicit prompt that the user could decline.

Screenshot: PUADLManager:Win32/Sepdot detection window

The unwanted apps that Sepdot installs can unleash a barrage of intrusive advertisements, track the user's online activity and even harvest personal information. Some of them offer seemingly helpful functionality, such as driver updating, system cleaning or tweaking the Windows interface, but these are facades with no real value. Having them running on the system exposes you to significant risk.

Technical Analysis

To understand how PUADLManager:Win32/Sepdot works, let's run a sample on a virtual machine. The sample in question is a program for downloading videos from popular online services. Sepdot behaves much like other bundlers, with a few differences noted below. The chain starts with the user running the bundled installer.

Persistence And Privilege Escalation

Sepdot spawns processes and writes files into system and program directories so that it and its payloads stay resident and run with the privileges the installer was launched with. In the test run it dropped or touched the following files in temporary directories and in the directories of other programs:

%USERPROFILE%\AppData\Local\Temp\aTube_Catcher_files
%WINDIR%\Microsoft.NET\Framework\v4.0.30319\clr.dll
C:\Program Files (x86)\Google\GoogleUpdater\122.0.6234.0\updater.exe
C:\Program Files (x86)\Microsoft\Temp\EU4D43.tmp\MicrosoftEdgeUpdate.exe

A caveat before treating these paths as indicators: clr.dll is the .NET runtime, and updater.exe and MicrosoftEdgeUpdate.exe are the Google and Microsoft Edge updaters that bundled installers routinely launch or ship. That is precisely what makes them useful cover, so verify the Authenticode signature and hash of each file rather than relying on the path alone. In addition to these files, the installer drops a number of DLLs and modifies specific registry values, among them the COM registrations below (the first is the AppID registration of MicrosoftEdgeUpdate.exe). Such actions let PUADLManager:Win32/Sepdot blend in with legitimate software on the system.

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\APPID\MicrosoftEdgeUpdate.exe\AppID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\APPID\{A6B716CB-028B-404D-B72C-50E153DD68DA}\ServiceParameters
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D1E8B1A6-32CE-443C-8E2E-EBA90C481353}\LocalizedString
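The following PowerShell script is an added example for this article, not code from the original post or from the sample itself. It triages the file paths and registry keys listed above on a suspect machine: it reports each file's SHA256 hash and Authenticode status, compares the signer against the publisher one would expect for a legitimate copy (the expected-publisher map is an assumption, not something the sample revealed), and dumps the values under each registry key. The version folder (122.0.6234.0) and the EU4D43.tmp folder are per-run names, so they are matched with wildcards.

```powershell
# Added example (not from the original article): triage the Sepdot artifact paths
# and registry keys on a suspect machine. Assumes default install locations.
# Expected publishers are an assumption about legitimately signed copies of these
# files; anything that does not match is reported for manual review.

$expectedPublisher = @{
    'clr.dll'                 = 'Microsoft Corporation'
    'updater.exe'             = 'Google LLC'
    'MicrosoftEdgeUpdate.exe' = 'Microsoft Corporation'
}

$filePatterns = @(
    "$env:LOCALAPPDATA\Temp\aTube_Catcher_files",
    "$env:WINDIR\Microsoft.NET\Framework\v4.0.30319\clr.dll",
    "${env:ProgramFiles(x86)}\Google\GoogleUpdater\*\updater.exe",
    "${env:ProgramFiles(x86)}\Microsoft\Temp\*.tmp\MicrosoftEdgeUpdate.exe"
)

$registryKeys = @(
    'HKLM:\SOFTWARE\Classes\APPID\MicrosoftEdgeUpdate.exe',
    'HKLM:\SOFTWARE\Classes\APPID\{A6B716CB-028B-404D-B72C-50E153DD68DA}',
    'HKLM:\SOFTWARE\Classes\WOW6432Node\CLSID\{D1E8B1A6-32CE-443C-8E2E-EBA90C481353}'
)

function Test-SepdotFileArtifacts {
    foreach ($pattern in $filePatterns) {
        # Get-Item expands wildcards in any path segment; absent paths are skipped.
        foreach ($item in (Get-Item -Path $pattern -ErrorAction SilentlyContinue)) {
            if ($item.PSIsContainer) {
                $count = (Get-ChildItem -Path $item.FullName -Recurse -File -ErrorAction SilentlyContinue | Measure-Object).Count
                [pscustomobject]@{
                    Path = $item.FullName; Kind = 'Directory'; SHA256 = $null
                    SigStatus = $null; Publisher = $null; Modified = $item.LastWriteTime
                    Verdict = "Review: bundler staging folder ($count files)"
                }
                continue
            }
            $sig       = Get-AuthenticodeSignature -FilePath $item.FullName
            $hash      = (Get-FileHash -Algorithm SHA256 -Path $item.FullName).Hash
            $publisher = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
            $want      = $expectedPublisher[$item.Name]
            # A valid chain alone is not enough: a bundler can carry its own validly
            # signed binary under a familiar name, so the signer must also match.
            $verdict = if ($sig.Status -eq 'Valid' -and $want -and $publisher -like "*O=$want*") {
                'OK: validly signed by expected publisher'
            } else {
                'Review: unsigned, invalid, or unexpected publisher'
            }
            [pscustomobject]@{
                Path = $item.FullName; Kind = 'File'; SHA256 = $hash
                SigStatus = $sig.Status; Publisher = $publisher; Modified = $item.LastWriteTime
                Verdict = $verdict
            }
        }
    }
}

function Get-SepdotRegistryArtifacts {
    foreach ($key in $registryKeys) {
        if (-not (Test-Path -Path $key)) {
            [pscustomobject]@{ Key = $key; Value = '(absent)'; Data = $null }
            continue
        }
        $k = Get-Item -Path $key
        # Emit every value under the key; the default value has an empty name.
        foreach ($name in $k.GetValueNames()) {
            $label = if ($name) { $name } else { '(Default)' }
            [pscustomobject]@{ Key = $key; Value = $label; Data = $k.GetValue($name) }
        }
    }
}

Test-SepdotFileArtifacts    | Format-Table -AutoSize -Wrap
Get-SepdotRegistryArtifacts | Format-Table -AutoSize -Wrap
```

Run it from an elevated prompt so that the HKLM keys and Program Files paths are readable. A file with Verdict "OK" is in all likelihood the genuine updater or runtime component; anything marked "Review" is worth hashing against a reputation service before deciding whether it belongs to the bundler.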

Data Collection

Sepdot collects a fair amount of information about the system, in particular the user profile, the hardware configuration and the Windows version. This appears to be purely for fingerprinting the machine; the Impact section below shows what the fingerprint is used for. The registry keys it reads include:

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Display
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SystemInformation
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ComputerName\ActiveComputerName

The sample does not read the BIOS version or other low-level values, but the keys above already give a thorough picture of the device it is running on: SystemInformation holds the manufacturer and model, ActiveComputerName the host name. Note that the FipsAlgorithmPolicy value is also read by the .NET runtime itself at startup, so on its own it is a weak indicator. Nor does this look like VM or debugger evasion, since none of the registry values typically used for that are checked.

Impact

The effect on the target system is similar to that of other bundlers. PUADLManager:Win32/Sepdot downloads and installs various potentially unwanted programs alongside the program the user actually wanted. Moreover, it uses the collected data to pick unwanted software that is "relevant" to that particular user and machine.

Since some of the pushed services depend on geographical location, this selection lets the operators make the most of the bundler's capabilities. Proxyware is a case in point: proxies are used to bypass regional restrictions, so where the fingerprint makes it worthwhile, Sepdot installs proxyware such as Stopabit or Taskbarify.

Screenshot: window of the Taskbarify app, one of several PUAs that Sepdot installed on the test system

In other cases, the bundler installs adware-like apps or rogue software (fake browsers, system cleaners and the like). Their names speak for themselves, and almost all such apps collect excessive telemetry from the user's machine.

How To Remove PUADLManager:Win32/Sepdot?

To remove PUADLManager:Win32/Sepdot, you will need an advanced anti-malware tool. GridinSoft Anti-Malware is the best option here, as it easily removes even the unwanted apps that other antiviruses ignore. Download GridinSoft Anti-Malware and run a Full scan. Besides scanning, you can reset your browsers and the HOSTS file from within the program, which removes the traces of the unwanted activity in a few clicks.
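Whichever scanner you use, it is worth confirming that Microsoft Defender itself is set to block PUAs rather than merely audit them, and pulling its record of what it detected and where. The script below is an added example, not part of the original article; it uses the built-in Defender cmdlets and assumes nothing beyond the detection name already given on this page. Set-MpPreference and Start-MpScan need an elevated prompt.

```powershell
# Added example (not from the original article): check Defender's PUA protection
# state, list Sepdot detections from its history, and switch PUA blocking on.

function Get-SepdotDefenderStatus {
    $pref = Get-MpPreference
    # PUAProtection: 0 = Disabled, 1 = Enabled (block), 2 = AuditMode (log only)
    $puaState = switch ([int]$pref.PUAProtection) {
        0       { 'Disabled' }
        1       { 'Enabled' }
        2       { 'AuditMode' }
        default { "Unknown($_)" }
    }

    # Get-MpThreat lists threats Defender has seen on this machine; the detection
    # records (paths, process, time) are joined to them via ThreatID.
    $threats    = @(Get-MpThreat | Where-Object { $_.ThreatName -like '*Sepdot*' })
    $detections = @(Get-MpThreatDetection | Where-Object { $threats.ThreatID -contains $_.ThreatID })

    [pscustomobject]@{
        PUAProtection = $puaState
        Threats       = $threats    | Select-Object ThreatName, ThreatID, SeverityID, IsActive
        Detections    = $detections | Select-Object ThreatID, InitialDetectionTime, ProcessName, ActionSuccess, Resources
    }
}

$status = Get-SepdotDefenderStatus
"PUA protection: $($status.PUAProtection)"
$status.Threats    | Format-Table -AutoSize
$status.Detections | Format-List

if ($status.PUAProtection -ne 'Enabled') {
    # Audit mode only logs bundled installs; block mode stops them.
    Set-MpPreference -PUAProtection Enabled
}

# With PUA blocking on, re-scan so that already-installed bundled apps are caught too.
Start-MpScan -ScanType QuickScan
```

The Resources field of each detection lists the files and registry locations Defender associated with the threat, which is a useful cross-check against the artifact paths from the technical analysis above. Note that the Defender cmdlets only report what Defender itself saw; a bundled app that Defender classifies as clean will not appear here even if a second-opinion scanner flags it.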


By Stephanie Adlam

I write about how to make your Internet browsing comfortable and safe. The modern digital world is worth being a part of, and I want to show you how to do it properly.
