PUA:Win32/Packunwan

What is PUA:Win32/Packunwan? Threat Description and Removal
PUA:Win32/Packunwan is a name for a packed unwanted software with some really dangerous capabilities

PUA:Win32/Packunwan is a generic detection of potentially unwanted program that uses software packing. It can range from being just annoying to creating a severe threat to the system safety. Depending on this, the degree of damage to the system will vary.

Usually, these unwanted programs are distributed as “recommended software” in freeware, shareware or cracked installers. The name “Packunwan” stands for the unwanted program that uses packing, which makes the analysis more complicated. Programs detected with this name are almost always some no-name tools or duplicates of other programs.

PUA:Win32/Packunwan Overview

The PUA:Win32/Packunwan is a potentially unwanted application (PUA) detection. However, the analysis of samples collected on the Web revealed much more malicious functionality. Due to the diverse nature of reports, it is challenging to ascertain their precise behavior without in-depth analysis. At the same time, this unwanted program was not attributed to any known developer or company, leading to speculation that these programs may be of dubious origin.

PUA:Win32/Packunwan detection screenshot
PUA:Win32/Packunwan detection

While PUAs are not necessarily viruses, they can still be disruptive and pose security risks. Packunwan typically displays unwanted advertisements on your computer. It can also track your browsing activity and change your browser settings. Among the most noticeable is the change to your homepage or search engine.

On the other hand, the behavior of this program is in fact far beyond “showing unwanted ads”. Reviewing the sample shows that it collects way too much system information, which in combination with packing and detection evasion makes it look fishy. The overall activity of Packunwan can lead to compromised privacy and malware injection.

Packunwan Technical Analysis

As I’ve just said, while analyzing Packunwan malware samples, I’ve seen a lot of questionable actions. In particular, it collects way too much info about the system. Not enough to call it spyware, but still more than I would consider acceptable. Also, its networking is outright strange, bordering with what you would expect from dropper malware. Even though not all samples were like this, there was a consistent behavior pattern.

Launch & System Discovery

Upon execution, the reviewed Packunwan sample checks the computer’s location settings for no obvious reason. This is the standard behavior for malware, but not a “driver updater”. To do this, it queries the registry for specific values related to country code configurations.

Location settings in screenshot
Registry entries that Packunwan accesses to get location info

After that, the program starts gathering system information. By checking the selection of registry entries and system functions querying, it retrieves the list of installed software, OS information and system drivers. The latter is needed for the functionality of the “driver updater”, but can also be useful to discover whether the system is a virtual machine.

One anti-analysis trick that I am sure about is checking the disk info through the registry query. The malware checks SCSI registry keys, which uncover whether it is a virtual disk space created by a sandbox environment or a virtual machine. SCSI technology is not supported these days, and it is unlikely for a geek who tries to play with geriatric hardware to use questionable apps.

HKLM\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001
HKLM\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000

Persistence and Detection Evasion

PUA:Win32/Packunwan uses various obfuscation techniques to dodge the detection. As its name implies, its files are packed, i.e. compressed and encrypted. The sample I reviewed encrypted data using RC4 PRGA. Additionally, it attempts to conceal itself by creating files in user directories with extensions that do not match the file type. It at the same time disguises the payload as a part of the “driver updater” files.

For persistence, the program creates Windows services and adds entries to Registry Run keys/startup folders. While being a rather widespread step, it remains effective, especially in poorly protected systems. Packunwan also does not allow you to opt-out of the startup from the interface – a common practice among unwanted programs.

Network Communications

I’ve mentioned that Packunwan is usually distinctive for its networking activity. Though, not every sample had that much of strange things happening in the background as the one I had a deeper look on. Throughout a short period of time, it performs consequent access to the remote server. You can see the example of one of these messages below:

One of the HTTP GET requests from Packunwan sample. Source: Tria.ge

Sure enough, driver updaters should get the drivers they are about to install somewhere. But as far as I’m aware, not even a single program creates that much chaos in networking logs. It is either a poor software design, or the attempt to conceal something by blending it into this mess.

How To Remove PUA:Win32/Packunwan

You will need an antimalware tool to remove PUA:Win32/Packunwan. I recommend GridinSoft Anti-Malware – it will be the optimal solution in such a case. You should run a full scan, whether it is an adware PUA or a dropper. It might take a little longer, but it will guarantee a more effective cleaning.

GridinSoft Anti-Malware main screen

Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the actions that the antimalware program does to each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection - malware type, effects and potential source of infection.

Scan results screen

Click "Clean Now" to start the removal process. Important: removal process may take several minutes when there are a lot of detections. Do not interrupt this process, and you will get your system as clean as new.

Removal finished

By Stephanie Adlam

I write about how to make your Internet browsing comfortable and safe. The modern digital world is worth being a part of, and I want to show you how to do it properly.

Leave a comment

Your email address will not be published. Required fields are marked *