
SoftwareBundler:Win32/Pokavampo


First posted on 18 March 2019.
Source: Microsoft

Aliases :

There are no other names known for SoftwareBundler:Win32/Pokavampo.

Explanation :

Installation

This threat can create files in %APPDATA% and %ProgramFiles%. We have seen it use random file and folder names, for example:

  %APPDATA%\Local\4C4C4544-1443639829-3910-8052-B8C04F393253\nsa44FD.exe
  %APPDATA%\Local\4C4C4544-1443639829-3910-8052-B8C04F393253\nsa44FB.exe
  %APPDATA%\Local\4C4C4544-1443639829-3910-8052-B8C04F393253\Uninstall.exe
  %APPDATA%\Roaming\VOPackage\Uninstall.exe
  %APPDATA%\Roaming\VOPackage\VOPackage.exe
  %ProgramFiles%\4C4C4544-1443664989-3910-8052-B8C04F393253\knszB738.tmpfs
  %ProgramFiles%\4C4C4544-1443664989-3910-8052-B8C04F393253\nsiCBFB.exe
  %ProgramFiles%\4C4C4544-1443664989-3910-8052-B8C04F393253\Uninstall.exe

It can also make registry changes, for example:

In subkey: HKLM\SYSTEM\CurrentControlSet\Services, for example HKLM\SYSTEM\CurrentControlSet\Services\dipubibu or HKLM\SYSTEM\CurrentControlSet\Services\gyvixodu

Sets value: "DisplayName"
With data: "", for example "CD Feature"

Sets value: "Description"
With data: "", for example "Country Code CD-R"
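The file and registry artefacts above can be turned into a simple triage check. The script below is an added example, not Microsoft's detection logic for this family. It assumes an inventory of file paths and service registry entries has already been collected (for instance from a registry export or an endpoint inventory tool) and flags entries that match the layout described on this page. The folder and file name patterns are assumptions generalised from the examples listed above; the sample records are constructed.

```python
"""Triage check for SoftwareBundler:Win32/Pokavampo artefacts (added example)."""
import re

# Folder names on the page have the shape 8 hex - 10 digits - 4 hex - 4 hex - 12 hex,
# e.g. 4C4C4544-1443639829-3910-8052-B8C04F393253. This is an assumption generalised
# from the two examples given, not a standard GUID layout and not a published signature.
FOLDER_RE = re.compile(
    r"[0-9A-F]{8}-[0-9]{10}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}", re.IGNORECASE
)

# File names on the page: nsa44FD.exe, nsa44FB.exe, nsiCBFB.exe, knszB738.tmpfs,
# Uninstall.exe. The regex generalises them (assumption).
FILE_RE = re.compile(
    r"^(ns[a-z][0-9A-F]{4}\.exe|kns[a-z][0-9A-F]{4}\.tmp\w*|Uninstall\.exe)$",
    re.IGNORECASE,
)

# Service metadata strings quoted on the page.
KNOWN_DISPLAY_NAMES = {"CD Feature"}
KNOWN_DESCRIPTIONS = {"Country Code CD-R"}


def suspicious_path(path: str) -> bool:
    """True if the path matches the install layout described for this bundler."""
    clean = path.strip().strip('"').replace("/", "\\")
    parts = clean.split("\\")
    if len(parts) < 2:
        return False
    folder, name = parts[-2], parts[-1]
    # %APPDATA%\Roaming\VOPackage\{VOPackage.exe, Uninstall.exe}
    if folder.lower() == "vopackage":
        return name.lower() in {"vopackage.exe", "uninstall.exe"}
    # <random 8-10-4-4-12 folder>\<NSIS-style temp name or Uninstall.exe>
    return bool(FOLDER_RE.fullmatch(folder) and FILE_RE.match(name))


def scan_files(paths):
    """Return the subset of paths that look like this bundler's dropped files."""
    return [p for p in paths if suspicious_path(p)]


def scan_services(services):
    """Map service name -> list of reasons for services resembling the page's examples.

    Each service is a dict with Name, DisplayName, Description and ImagePath, as you
    would get from HKLM\\SYSTEM\\CurrentControlSet\\Services\\<name>.
    """
    hits = {}
    for svc in services:
        reasons = []
        if svc.get("DisplayName") in KNOWN_DISPLAY_NAMES:
            reasons.append("DisplayName matches a string seen with this bundler")
        if svc.get("Description") in KNOWN_DESCRIPTIONS:
            reasons.append("Description matches a string seen with this bundler")
        if suspicious_path(svc.get("ImagePath", "")):
            reasons.append("ImagePath points into a random-named install folder")
        if reasons:
            hits[svc["Name"]] = reasons
    return hits


# Constructed sample data (not real telemetry). Paths use the concrete expansions of
# %APPDATA% and %ProgramFiles% that an inventory tool would report.
SAMPLE_FILES = [
    r"C:\Users\alice\AppData\Local\4C4C4544-1443639829-3910-8052-B8C04F393253\nsa44FD.exe",
    r"C:\Users\alice\AppData\Roaming\VOPackage\VOPackage.exe",
    r"C:\Windows\System32\notepad.exe",
]
SAMPLE_SERVICES = [
    {
        "Name": "dipubibu",
        "DisplayName": "CD Feature",
        "Description": "Country Code CD-R",
        "ImagePath": r'"C:\Program Files\4C4C4544-1443664989-3910-8052-B8C04F393253\nsiCBFB.exe"',
    },
    {
        "Name": "Spooler",
        "DisplayName": "Print Spooler",
        "Description": "Manages print jobs",
        "ImagePath": r"C:\Windows\System32\spoolsv.exe",
    },
]

if __name__ == "__main__":
    for p in scan_files(SAMPLE_FILES):
        print("suspicious file:", p)
    for name, reasons in scan_services(SAMPLE_SERVICES).items():
        print("suspicious service:", name, "-", "; ".join(reasons))
```

The string matches on DisplayName and Description are exact because those are the only values the page quotes; the random service names (dipubibu, gyvixodu) are deliberately not matched by name, since any match on "eight lowercase letters" would be far too noisy. Treat a hit as a starting point for manual review, not as a verdict.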

Payload

Downloads unwanted software

This threat tries to download other unwanted software onto your PC. It does this by showing you offers for other products that pop up on your desktop as you use your PC. Some of these offers cannot be closed using the pop-up interface. See the screenshots of some examples below:

You wouldn't see these offers if this program wasn't installed on your PC.

Analysis by Michael Johnson

Last update 18 March 2019
