Worm:Win32/Pochi.A
First posted on 10 March 2019.
Source: Microsoft
Aliases:
Worm:Win32/Pochi.A is also known as Trojan.Win32.Scar.ajze, Trojan.Scar!dQ4lDa5J0us, Trojan.Win32.Scar, Trj/Scar.N, TROJ_SCAR.AD.
Explanation:
Worm:Win32/Pochi.A is a worm that spreads by copying itself to the root of every logical drive it can reach. It also changes a Windows Explorer setting so that known file extensions are hidden.

Installation
Worm:Win32/Pochi.A drops the following copies of itself in the root folder of the system drive (usually C:):
  ntdetect.exe
  windows.exe
(Older Windows versions keep a legitimate boot file named NTDETECT.COM in that folder; the .exe with the same base name is the worm's copy.)
It also drops the legitimate Visual Basic 6 runtime DLL "msvbvm60.dll" as "klampokchild.616" in the Windows system folder.
Worm:Win32/Pochi.A modifies the following registry entry so that its copy executes at each Windows start:
  In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  Sets value: "AVG"
  With data: "C:\windows.exe"
The value name "AVG" matches a well-known antivirus brand, so an entry with that name should not be taken at face value when reviewing Run keys.

Spreads via logical drives
Worm:Win32/Pochi.A enumerates the drive letters C: through Z:, which covers fixed disks as well as mapped network drives and removable media. For each drive that exists, it copies itself to the root of that drive as "subst.exe". (subst.exe is also the name of a legitimate Windows command-line tool, but the genuine file lives in the system folder, never in a drive root.)

Payload: modifies computer settings
Worm:Win32/Pochi.A hides known file extensions when files are viewed in Windows Explorer by setting the following registry entry:
  In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
  Sets value: "HideFileExt"
  With data: "1"
Note that 1 is also the default value of HideFileExt on a fresh Windows installation, so this setting on its own does not indicate infection. Its effect is that the worm's .exe copies are listed without an extension, so names such as "windows" or "subst" in a drive root are easier to overlook.

Analysis by Marianne Mallen
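The following PowerShell triage script checks a host for every indicator listed in this write-up: the two dropped copies in the system drive root, the renamed runtime DLL in the system folder, subst.exe in the root of each drive C: through Z:, the "AVG" Run value, and the HideFileExt setting. It is an added example, not code from the original Microsoft analysis; the function name Test-PochiIndicators, the -Remediate switch, and the choice to locate the system drive from $env:SystemRoot (the write-up only says "usually C:") are this example's own assumptions. Run it in an elevated PowerShell session; without -Remediate it only reports.

```powershell
# Triage script for the Worm:Win32/Pochi.A indicators described above.
# Added example, not from the original Microsoft write-up; the function name and
# the -Remediate switch are this example's own. Run in an elevated PowerShell session.

function Test-PochiIndicators {
    [CmdletBinding()]
    param([switch]$Remediate)   # without -Remediate the function only reports

    $findings = @()
    $paths    = @()   # files to remove if -Remediate is given

    # 1. Copies dropped in the root of the system drive (assumed: derived from $env:SystemRoot).
    #    Caveat: NTDETECT.COM is a legitimate boot file on older Windows; ntdetect.EXE is not.
    $root = [System.IO.Path]::GetPathRoot($env:SystemRoot)
    foreach ($name in 'ntdetect.exe', 'windows.exe') {
        $p = Join-Path $root $name
        if (Test-Path -LiteralPath $p) { $findings += "Dropped copy: $p"; $paths += $p }
    }

    # 2. The VB6 runtime msvbvm60.dll saved as klampokchild.616 in the system folder.
    $sys = [Environment]::GetFolderPath('System')
    $dll = Join-Path $sys 'klampokchild.616'
    if (Test-Path -LiteralPath $dll) { $findings += "Renamed runtime DLL: $dll"; $paths += $dll }

    # 3. subst.exe in the root of every drive C: to Z: (the same range the worm enumerates).
    #    The legitimate subst.exe lives in System32, never in a drive root.
    foreach ($code in ([int][char]'C')..([int][char]'Z')) {
        $p = "$([char]$code):\subst.exe"
        if (Test-Path -LiteralPath $p) { $findings += "Drive-root copy: $p"; $paths += $p }
    }

    # 4. Persistence: Run value "AVG" pointing at C:\windows.exe.
    $runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    $avg = (Get-ItemProperty -Path $runKey -Name 'AVG' -ErrorAction SilentlyContinue).AVG
    if ($avg) { $findings += "Run value AVG = $avg" }

    # 5. HideFileExt. 1 is also the Windows default, so treat it as corroborating only.
    $advKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    $hide = (Get-ItemProperty -Path $advKey -Name 'HideFileExt' -ErrorAction SilentlyContinue).HideFileExt
    if ($hide -eq 1) { $findings += 'HideFileExt = 1 (default value; weak indicator on its own)' }

    if ($Remediate -and $paths.Count -gt 0) {
        # Stop any process running from one of the dropped copies before deleting the file,
        # otherwise the running worm can re-create the copies and the Run value.
        Get-Process -ErrorAction SilentlyContinue |
            Where-Object { $_.Path -and ($paths -contains $_.Path) } |
            Stop-Process -Force -ErrorAction SilentlyContinue
        Remove-ItemProperty -Path $runKey -Name 'AVG' -ErrorAction SilentlyContinue
        Set-ItemProperty -Path $advKey -Name 'HideFileExt' -Value 0 -Type DWord
        foreach ($p in $paths) { Remove-Item -LiteralPath $p -Force -ErrorAction SilentlyContinue }
    }

    return $findings
}

# Usage: report first; remediate only after the findings have been reviewed.
Test-PochiIndicators
# Test-PochiIndicators -Remediate
```

Two practical notes: the drive loop will touch mapped network shares, so run it from the host where the worm was found rather than from a server with many mappings, and if you need the samples for forensics, copy them off before calling -Remediate, since the script deletes rather than quarantines. Because the worm re-drops subst.exe to every reachable drive, re-run the report after remediation and after any mapped drive is reconnected.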
Last update 10 March 2019