Win32/Pintu
First posted on 17 October 2013.
Source: Microsoft
Aliases:
There are no other names known for Win32/Pintu.
Explanation:
Threat behavior
Installation
Win32/Pintu creates a copy of itself as %APPDATA%\paint.exe. To run this copy every time Windows starts, it drops a shortcut named <startup folder>\paint.lnk (detected as Trojan:Win32/Pintu.A). It might also add this registry entry so that the copy runs every time Windows starts:
In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "Paint"
Spreads via...
Removable drives
Win32/Pintu has a virus component (detected as Virus:Win32/Pintu.A) that drops a copy of itself as Paint (a file with no extension) on every drive it finds, including removable drives and shared network drives. In the same folder it also creates an INF file named hold.inf (detected as Worm:INF/Pintu.A), which it then renames to autorun.inf. If the drive is later opened on a PC that still honours Autorun for that media, Paint is run. Note that since update KB971029 (February 2011) Windows XP, Vista and 7 no longer process autorun.inf on USB drives, and later Windows versions never did, so this vector only works on unpatched systems or on media the PC treats as a CD/DVD.
Payload
Renames/replaces files
Win32/Pintu renames executable files on your PC to v<file name>.exe (where <file name>.exe is the original file name) and then copies itself as <file name>.exe, a classic companion-virus technique. To hide the substitution, when the Pintu copy disguised as <file name>.exe is run, it also launches the original program, now named v<file name>.exe, so the program appears to work normally.
Other information
Pintu might also create zero-sized icon files next to your executable files. These icon files follow the naming pattern v<file name>.ico.
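The file-system side of the three behaviours described above (the %APPDATA%\paint.exe and paint.lnk installation, the Paint plus autorun.inf dropper on drives, and the v<file name>.exe / v<file name>.ico companion pattern) can be triaged offline from a mounted drive image or a copied user profile. The script below is an added example, not part of Microsoft's write-up or of the malware itself; the function names are mine, the directory layout it scans is constructed in a temporary folder, and the autorun.inf contents (an "open=Paint" line) are an assumption, since the write-up only says that Paint is run.

```python
import hashlib
import os
import tempfile

# Artefact names taken from the write-up above (compared case-insensitively).
PINTU_EXE = "paint.exe"    # %APPDATA%\paint.exe
PINTU_LNK = "paint.lnk"    # <startup folder>\paint.lnk
PINTU_DROPPER = "paint"    # 'Paint', no extension, on each drive
INF_NAMES = ("hold.inf", "autorun.inf")


def find_companion_pairs(root):
    """Walk `root` and return (disguised_copy, renamed_original, icon) triples.

    Pintu renames X.exe to vX.exe, drops itself as X.exe and may add an empty
    vX.ico. A candidate is any .exe whose sibling 'v' + name also exists."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        by_lower = {f.lower(): f for f in files}
        for name in files:
            low = name.lower()
            if not low.endswith(".exe") or "v" + low not in by_lower:
                continue
            icon = by_lower.get("v" + low[:-4] + ".ico")
            icon_path = os.path.join(dirpath, icon) if icon else None
            if icon_path and os.path.getsize(icon_path) != 0:
                icon_path = None  # Pintu's icons are empty; a real .ico is a coincidence
            hits.append((os.path.join(dirpath, name),
                         os.path.join(dirpath, by_lower["v" + low]), icon_path))
    return hits


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def cluster_by_hash(paths):
    """Group files by SHA-256. Every disguised X.exe is the same Pintu binary, so
    genuine infections collapse into one cluster while an accidental name match
    (viewer.exe beside an unrelated vviewer.exe) stays alone."""
    clusters = {}
    for p in paths:
        clusters.setdefault(sha256_of(p), []).append(p)
    return clusters


def parse_autorun_inf(path):
    """Minimal INI reader returning the [autorun] section with lower-case keys.
    Hand-written because configparser rejects some real-world autorun.inf files."""
    section, out = None, {}
    with open(path, "r", errors="replace") as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith(";"):
                continue
            if line.startswith("[") and line.endswith("]"):
                section = line[1:-1].strip().lower()
            elif section == "autorun" and "=" in line:
                key, value = line.split("=", 1)
                out[key.strip().lower()] = value.strip()
    return out


def check_drive_root(drive_root):
    """Look for the extension-less Paint dropper and an INF that launches it."""
    found = {"dropper": None, "inf": None, "inf_runs_dropper": False}
    for name in os.listdir(drive_root):
        if name.lower() == PINTU_DROPPER:
            found["dropper"] = os.path.join(drive_root, name)
        elif name.lower() in INF_NAMES:
            found["inf"] = os.path.join(drive_root, name)
    if found["inf"]:
        keys = parse_autorun_inf(found["inf"])
        for key in ("open", "shellexecute", "shell\\open\\command"):
            target = keys.get(key, "").strip('"').split(" ")[0]
            if os.path.basename(target).lower() == PINTU_DROPPER:
                found["inf_runs_dropper"] = True
    return found


def check_user_profile(appdata, startup_folder):
    candidates = (os.path.join(appdata, PINTU_EXE), os.path.join(startup_folder, PINTU_LNK))
    return [p for p in candidates if os.path.isfile(p)]


def build_sample_tree(base):
    """Constructed sample, not a real capture: a 'drive' and a user profile laid
    out the way the write-up describes an infection."""
    pintu = b"MZ-pintu-copy"  # stand-in for the malware body
    drive = os.path.join(base, "drive")
    prog = os.path.join(drive, "Programs")
    appdata = os.path.join(base, "profile", "AppData", "Roaming")
    startup = os.path.join(base, "profile", "Startup")
    for d in (prog, appdata, startup):
        os.makedirs(d)
    files = {
        os.path.join(drive, "Paint"): pintu,
        os.path.join(drive, "autorun.inf"): b"[autorun]\r\nopen=Paint\r\n",  # assumed content
        os.path.join(prog, "calc.exe"): pintu,               # disguised copy
        os.path.join(prog, "vcalc.exe"): b"MZ-real-calc",    # renamed original
        os.path.join(prog, "vcalc.ico"): b"",                # zero-sized icon
        os.path.join(prog, "notepad.exe"): pintu,
        os.path.join(prog, "vnotepad.exe"): b"MZ-real-notepad",
        os.path.join(prog, "clean.exe"): b"MZ-clean",        # untouched program
        os.path.join(appdata, "paint.exe"): pintu,
        os.path.join(startup, "paint.lnk"): b"L\x00\x00\x00",
    }
    for path, data in files.items():
        with open(path, "wb") as fh:
            fh.write(data)
    return drive, appdata, startup


def run_triage_on_sample():
    with tempfile.TemporaryDirectory() as base:
        drive, appdata, startup = build_sample_tree(base)
        pairs = sorted(find_companion_pairs(drive))
        clusters = cluster_by_hash([p[0] for p in pairs])
        info = check_drive_root(drive)
        return {
            "disguised": [os.path.basename(p[0]) for p in pairs],
            "icons": [os.path.basename(p[2]) if p[2] else None for p in pairs],
            "largest_cluster": max(len(v) for v in clusters.values()),
            "dropper": os.path.basename(info["dropper"]),
            "inf": os.path.basename(info["inf"]),
            "inf_runs_dropper": info["inf_runs_dropper"],
            "profile": sorted(os.path.basename(p) for p in check_user_profile(appdata, startup)),
        }


if __name__ == "__main__":
    for key, value in run_triage_on_sample().items():
        print(key, value)
```

The hash clustering is what turns a name match into evidence: all disguised copies hash identically, so on a real infection the cluster is large and the hash can be fed straight into AV telemetry or a block list. On a live host you would also query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run for the "Paint" value, which this offline script cannot see.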
Analysis by Daniel Chipiristeanu
Symptoms
The following could indicate that you have this threat on your PC:
- You have these files:
%APPDATA%\paint.exe
<startup folder>\paint.lnk
- You see these entries or keys in your registry:
In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "Paint"
Last update 17 October 2013