SoftwareBundler:Win32/Pokavampo
First posted on 18 March 2019.
Source: Microsoft
Aliases:
There are no other names known for SoftwareBundler:Win32/Pokavampo.
Explanation:
Installation
This threat can create files in %APPDATA% and %ProgramFiles%. We have seen it use random file and folder names, for example:
%APPDATA%\Local\4C4C4544-1443639829-3910-8052-B8C04F393253\nsa44FD.exe
%APPDATA%\Local\4C4C4544-1443639829-3910-8052-B8C04F393253\nsa44FB.exe
%APPDATA%\Local\4C4C4544-1443639829-3910-8052-B8C04F393253\Uninstall.exe
%APPDATA%\Roaming\VOPackage\Uninstall.exe
%APPDATA%\Roaming\VOPackage\VOPackage.exe
%ProgramFiles%\4C4C4544-1443664989-3910-8052-B8C04F393253\knszB738.tmpfs
%ProgramFiles%\)4C4C4544-1443664989-3910-8052-B8C04F393253\nsiCBFB.exe
%ProgramFiles%\4C4C4544-1443664989-3910-8052-B8C04F393253\Uninstall.exe
It can also make registry changes, for example:
In subkey: HKLM\SYSTEM\CurrentControlSet\Services, for example HKLM\SYSTEM\CurrentControlSet\Services\dipubibu or HKLM\SYSTEM\CurrentControlSet\Services\gyvixodu
Sets value: "DisplayName"
With data: "", for example "CD Feature"
Sets value: "Description"
With data: "", for example "Country Code CD-R"
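The file and registry artifacts listed above can be turned into a small hunting check. The following Python script is an added example written for this page, not Microsoft's or any vendor's detection logic: it encodes the folder-name shape, the NSIS-style ns?XXXX.exe names, the VOPackage components and the two service strings from the listing, and runs them over a constructed set of unexpanded paths and service entries. The exact digit widths in the folder-name regex and the consonant-vowel shape of the service names are assumptions inferred from the samples on this page.

```python
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Folder names in the listing above look like
# 4C4C4544-1443639829-3910-8052-B8C04F393253: five dash-separated runs of
# hex digits (8, 10, 4, 4, 12 characters on this page). Allowing 8-12 for
# the second run is an assumption, not something the page states.
ID_FOLDER = r"[0-9A-F]{8}-[0-9A-F]{8,12}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}"
ROOTS = r"(?:%APPDATA%\\Local|%ProgramFiles%)"

# Each rule: (label, compiled regex over the unexpanded path string).
FILE_RULES: List[Tuple[str, re.Pattern]] = [
    ("NSIS-style ns?XXXX.exe inside ID folder",
     re.compile(rf"^{ROOTS}\\{ID_FOLDER}\\ns[a-z][0-9A-F]{{4}}\.exe$", re.I)),
    ("Uninstall.exe inside ID folder",
     re.compile(rf"^{ROOTS}\\{ID_FOLDER}\\Uninstall\.exe$", re.I)),
    ("temp dropper inside ID folder",
     re.compile(rf"^%ProgramFiles%\\{ID_FOLDER}\\[0-9A-Z]{{8}}\.tmp\w*$", re.I)),
    ("VOPackage component under Roaming",
     re.compile(r"^%APPDATA%\\Roaming\\VOPackage\\(?:Uninstall|VOPackage)\.exe$", re.I)),
]


def match_file_path(path: str) -> Optional[str]:
    """Return the label of the first rule the (unexpanded) path matches, else None."""
    for label, rx in FILE_RULES:
        if rx.match(path):
            return label
    return None


# Service names on this page (dipubibu, gyvixodu) alternate consonant and
# vowel for eight letters; that regularity is an assumption drawn from two
# samples and is used only to corroborate a stronger match, never alone.
SERVICE_NAME = re.compile(r"^(?:[b-df-hj-np-tv-z][aeiouy]){4}$")
KNOWN_DISPLAY_NAMES = {"CD Feature"}
KNOWN_DESCRIPTIONS = {"Country Code CD-R"}


def service_findings(name: str, display_name: str, description: str) -> List[str]:
    """Reasons a Services subkey looks like the ones described above (empty if none)."""
    reasons: List[str] = []
    if display_name in KNOWN_DISPLAY_NAMES:
        reasons.append("DisplayName matches a value seen with this family")
    if description in KNOWN_DESCRIPTIONS:
        reasons.append("Description matches a value seen with this family")
    if reasons and SERVICE_NAME.match(name):
        reasons.append("service name fits the random consonant-vowel pattern")
    return reasons


def scan(file_paths: Iterable[str],
         services: Iterable[Tuple[str, str, str]]) -> Dict[str, list]:
    """Run both rule sets and collect (item, why) pairs for anything that matched."""
    findings: Dict[str, list] = {"files": [], "services": []}
    for path in file_paths:
        label = match_file_path(path)
        if label:
            findings["files"].append((path, label))
    for name, display, desc in services:
        reasons = service_findings(name, display, desc)
        if reasons:
            findings["services"].append((name, reasons))
    return findings


# Constructed sample input: the artifact paths listed on this page plus a
# few benign lookalikes, as a collector might emit them before expansion.
SAMPLE_PATHS = [
    r"%APPDATA%\Local\4C4C4544-1443639829-3910-8052-B8C04F393253\nsa44FD.exe",
    r"%APPDATA%\Local\4C4C4544-1443639829-3910-8052-B8C04F393253\Uninstall.exe",
    r"%APPDATA%\Roaming\VOPackage\VOPackage.exe",
    r"%ProgramFiles%\4C4C4544-1443664989-3910-8052-B8C04F393253\knszB738.tmpfs",
    r"%ProgramFiles%\4C4C4544-1443664989-3910-8052-B8C04F393253\nsiCBFB.exe",
    r"%APPDATA%\Local\Temp\nsa44FD.exe",  # NSIS temp name outside an ID folder: ignored
    r"%ProgramFiles%\Common Files\Microsoft Shared\msinfo\msinfo32.exe",
]
SAMPLE_SERVICES = [
    ("dipubibu", "CD Feature", "Country Code CD-R"),
    ("gyvixodu", "CD Feature", ""),
    ("Spooler", "Print Spooler", "Manages print jobs"),  # benign Windows service
]

if __name__ == "__main__":
    result = scan(SAMPLE_PATHS, SAMPLE_SERVICES)
    for path, label in result["files"]:
        print(f"FILE    {label}: {path}")
    for name, reasons in result["services"]:
        print(f"SERVICE {name}: {'; '.join(reasons)}")
```

The rules match the literal %APPDATA% and %ProgramFiles% placeholders as the page writes them; a real collector would expand them per user profile before feeding paths in. Note that a lone ns?XXXX.exe in Temp is deliberately not flagged, since NSIS installers use that name legitimately; only the combination with the dash-separated ID folder is reported.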
Payload
Downloads unwanted software
This threat tries to download other unwanted software onto your PC. It does this by showing you offers for other products that pop up on your desktop as you use your PC. Some of these offers cannot be closed using the pop-up interface. See the screenshots of some examples below:
You wouldn't see these offers if this program wasn't installed on your PC.
Analysis by Michael Johnson. Last update 18 March 2019.