Win32/Ponmocup [Threat Name]

Win32/Ponmocup.LC [Threat Variant Name]

Category trojan
Size 235008 B
Detection created Jul 30, 2015
Detection database version 12020
Aliases Trojan.Inject1.62335 (Dr.Web)
  Trojan:Win32/Skeeyah.A!bit (Microsoft)
Short description

Win32/Ponmocup.LC is a trojan which tries to download other malware from the Internet.

Installation

The trojan does not create any copies of itself.


The trojan may set the following Registry entries:

  • [HKEY_CURRENT_USER\%variable1%\%variable1%]
    • "%variable2%" = %number%

%variable1-2% represent random text. The variable %number% represents a number in the range 1 - 1368.

Other information

The trojan terminates its execution if it detects that it is running in a specific virtual environment.


The trojan quits immediately if it detects certain security applications running.


The trojan quits immediately if it detects a loaded module, within its own process or in other running processes, whose name contains one of the following strings:

  • dbghelp
  • SbieDll
  • api_log
  • dir_watch
  • pstorec

The trojan quits immediately if any of the following folders/files is detected:

  • prlfs.sys
  • hgfs.sys
  • prleth.sys
  • vmhgfs.sys
  • prlmouse.sys
  • prl_pv32.sys
  • prlvideo.sys
  • vpc-s3.sys
  • vmsrvc.sys
  • vmx86.sys
  • vmnet.sys

The trojan quits immediately if the computer name is one of the following:

  • TU-4NH09SMCG1HC

The trojan quits immediately if the user name is one of the following:

  • roo
  • andy
  • snort
  • honey
  • vmware
  • sandbox
  • nepenthes
  • currentuser

The trojan quits immediately if any of the following Registry keys/values is detected:

  • [HKEY_LOCAL_MACHINE\HARDWARE\Description\System]
    • "SystemBiosVersion" = "vbox"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion]
    • "ProductID" = "55274-640-2673064-23950"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion]
    • "ProductID" = "76487-644-3177037-23510"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion]
    • "ProductID" = "76487-337-8429955-22614"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion]
    • "ProductID" = "55274-640-2673064-23950"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion]
    • "ProductID" = "76487-644-3177037-23510"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion]
    • "ProductID" = "76487-337-8429955-22614"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft]
    • "Hyper-V"
    • "VirtualMachine"
  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services]
    • "vmicheartbeat"
    • "vmicvss"
    • "vmicshutdown"
    • "vmicexchange"
    • "vmci"
    • "vmdebug"
    • "vmmouse"
    • "VMTools"
    • "VMMEMCTL"
    • "vmware"
    • "vmx86"
    • "vpcbus"
    • "vpc-s3"
    • "vpcuhub"
    • "msvmmouf"
    • "VBoxMouse"
    • "VBoxGuest"
    • "VBoxSF"
    • "xenevtchn"
    • "xennet"
    • "xennet6"
    • "xensvc"
    • "xenvdb"
  • [HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0]
    • "Identifier" = "vmware"
  • [HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0]
    • "Identifier" = "vbox"
  • [HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT]
    • "VBOX"
    • "xen"
  • [HKEY_LOCAL_MACHINE\HARDWARE\ACPI\FADT]
    • "VBOX"
    • "xen"
  • [HKEY_LOCAL_MACHINE\HARDWARE\ACPI\RSDT]
    • "VBOX"
    • "xen"

The trojan contains a list of 6 URLs.


It tries to download several files from these addresses. The HTTP protocol is used in the communication.


The files are stored in the following locations:

  • %temp%\google_upd%variable%.exe

The files contain encrypted executables.


After decryption, the trojan runs these files.


A string with variable content is used instead of %variable%.


The trojan may create the following files:

  • %temp%\~%randomnumber%unins.bat

The trojan then removes itself from the computer.
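The two file artifacts described above (the decrypted payload dropped as %temp%\google_upd%variable%.exe and the self-removal batch file %temp%\~%randomnumber%unins.bat) are the host-side traces a defender can hunt for. The following detection logic is an added example, not code from the original page or from ESET; it runs over constructed Sysmon-style file-creation events (field names modelled on Sysmon Event ID 11 are an assumption) and raises confidence when one process drops both artifacts.

```python
import re

# Constructed sample telemetry (not from the original page). Field names
# follow Sysmon Event ID 11 (FileCreate) as an assumption.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Users\bob\AppData\Local\Temp\setup.exe",
     "TargetFilename": r"C:\Users\bob\AppData\Local\Temp\google_upd3f9a.exe"},
    {"EventID": 11, "Image": r"C:\Users\bob\AppData\Local\Temp\setup.exe",
     "TargetFilename": r"C:\Users\bob\AppData\Local\Temp\~48213unins.bat"},
    # Same name pattern but outside %temp%: should not fire.
    {"EventID": 11, "Image": r"C:\Program Files\Vendor\updater.exe",
     "TargetFilename": r"C:\Program Files\Vendor\google_upd1.exe"},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\bob\Documents\notes.txt"},
]

# %temp% for an interactive user on a modern Windows install.
TEMP_DIR = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local\\Temp\\",
                      re.IGNORECASE)
# google_upd%variable%.exe: variable-content string between prefix and extension.
PAYLOAD = re.compile(r"^google_upd.*\.exe$", re.IGNORECASE)
# ~%randomnumber%unins.bat: tilde, digits, fixed suffix.
CLEANUP = re.compile(r"^~\d+unins\.bat$", re.IGNORECASE)


def classify(event):
    """Return a tag for a file-create event matching a Ponmocup artifact, else None."""
    if event.get("EventID") != 11:
        return None
    path = event["TargetFilename"]
    if not TEMP_DIR.match(path):
        return None
    name = path.rsplit("\\", 1)[-1]
    if PAYLOAD.match(name):
        return "ponmocup_payload_drop"
    if CLEANUP.match(name):
        return "ponmocup_selfdelete_bat"
    return None


def scan(events):
    """List (path, tag) for every matching event."""
    return [(e["TargetFilename"], t) for e in events for t in [classify(e)] if t]


def correlate(events):
    """Map each dropping process to its tags, keeping only those that dropped both."""
    by_image = {}
    for e in events:
        tag = classify(e)
        if tag:
            by_image.setdefault(e["Image"], set()).add(tag)
    return {img: tags for img, tags in by_image.items() if len(tags) == 2}
```

A single match is a hunting lead; a process that drops both the payload and the cleanup batch file in %temp% is the stronger signal and is what `correlate` reports.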
