
Trojan:Win32/Pigax.gen!A


First posted on 11 May 2009.
Source: SecurityHome

Aliases:

Trojan:Win32/Pigax.gen!A is also known as Trojan-Downloader.Win32.Small.akli (Kaspersky).

Explanation:

Trojan:Win32/Pigax.gen!A is a generic detection for a downloader trojan. It may download other files, which may be detected as other malware, into the system.

Symptoms
System Changes
The following system changes may indicate the presence of this malware:

  • The presence of the following files:
    <system folder>\drivers\svchost.exe

    Note that a legitimate system file with a similar file name is installed by default as <system folder>\svchost.exe. Ensure that the location of the svchost.exe that you suspect as this malware is in a subfolder named drivers.
  • The presence of the following registry modifications:
    Added value: "SVCHOST.EXE"
    With data: "<system folder>\drivers\svchost.exe"
    To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Installation
Trojan:Win32/Pigax.gen!A may drop a copy of itself in the following location:
<system folder>\drivers\svchost.exe

Note - <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP and Vista is C:\Windows\System32. Note that the file name svchost.exe is also used by a legitimate system file and is located by default in the Windows system folder.

It then modifies the system registry so that it runs every time Windows starts:
Adds value: "SVCHOST.EXE"
With data: "<system folder>\drivers\svchost.exe"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run

It also creates the following registry entry as part of its installation routine:
Adds value: "tmp"
With data: "<malware file>"
To subkey: HKLM\software\microsoft\direct3d
where <malware file> is the name of the currently-running malware process.

Payload
Downloads Other Files
Trojan:Win32/Pigax.gen!A may download other files, which may be detected as other malware. Some of the Web sites it is known to download other files from are the following:
  • fgorknazgaz.com
  • adpool-3.com
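As an added triage example (not part of the original entry), the Python below matches collected file paths and registry values against the file and registry indicators described above, applying the svchost.exe location caveat: only a copy under the drivers subfolder of the system folder is flagged, not the legitimate <system folder>\svchost.exe. The Run key and direct3d subkey are the ones named on the page; the system folder is passed in by the caller because it varies per host, and the sample host data is constructed.

```python
import ntpath

# Indicators quoted from the description above; <system folder> varies per host.
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
D3D_KEY = r"HKLM\software\microsoft\direct3d"


def _norm(path):
    """Strip surrounding quotes and normalise a Windows path, case-insensitively."""
    return ntpath.normpath(path.strip('"')).casefold()


def classify_svchost(path, system_folder):
    # 'legitimate' for <system folder>\svchost.exe, 'pigax' for the
    # <system folder>\drivers\svchost.exe drop location, 'unknown' elsewhere.
    p = _norm(path)
    if ntpath.basename(p) != "svchost.exe":
        return "not-svchost"
    parent = ntpath.dirname(p)
    if parent == _norm(system_folder):
        return "legitimate"
    if parent == _norm(ntpath.join(system_folder, "drivers")):
        return "pigax"
    return "unknown"


def find_pigax_indicators(files, reg_values, system_folder):
    """Match host data against the indicators; reg_values holds (subkey, name, data)
    triples such as those produced by a registry export. Returns finding strings."""
    findings = []
    for f in files:
        if classify_svchost(f, system_folder) == "pigax":
            findings.append(f"file: {f}")
    for subkey, name, data in reg_values:
        key, lname = subkey.casefold(), name.casefold()
        if key == RUN_KEY.casefold() and lname == "svchost.exe" \
                and classify_svchost(data, system_folder) == "pigax":
            findings.append(f"autorun: {subkey}\\{name} -> {data}")
        elif key == D3D_KEY.casefold() and lname == "tmp":
            # Weaker, corroborating marker written during installation.
            findings.append(f"install marker: {subkey}\\{name} -> {data}")
    return findings


# Constructed sample host data (not from the page) to exercise the checks.
SAMPLE_FILES = [
    r"C:\Windows\System32\svchost.exe",          # legitimate service host
    r"C:\Windows\System32\drivers\svchost.exe",  # Pigax drop location
]
SAMPLE_REG = [
    (RUN_KEY, "SVCHOST.EXE", r'"C:\Windows\System32\drivers\svchost.exe"'),
    (RUN_KEY, "ctfmon", r"C:\Windows\System32\ctfmon.exe"),
    (D3D_KEY, "tmp", r"C:\Users\user\AppData\Local\Temp\update.exe"),
]
```

Running `find_pigax_indicators(SAMPLE_FILES, SAMPLE_REG, r"C:\Windows\System32")` on the sample data yields three findings: the dropped file, the autorun value pointing at it, and the direct3d marker, while the legitimate svchost.exe and the unrelated Run entry are not reported.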


Analysis by Francis Allan Tan Seng

Last update 11 May 2009
