Worm:Win32/Pochi.A
First posted on 30 November 2010.
Source: SecurityHome
Aliases :
Worm:Win32/Pochi.A is also known as Trojan.Win32.Scar.ajze (Kaspersky), Trojan.Scar!dQ4lDa5J0us (VirusBuster), Trojan.Win32.Scar (Ikarus), Trj/Scar.N (Panda), TROJ_SCAR.AD (Trend Micro).
Explanation :
Worm:Win32/Pochi.A is a worm that spreads via logical drives. It also changes computer settings to hide known file extensions.
Installation

Worm:Win32/Pochi.A drops the following copies of itself in the root folder (usually C:\):

ntdetect.exe
windows.exe

It drops the legitimate DLL file "msvbvm60.dll" as "klampokchild.616" in the Windows system folder.

Worm:Win32/Pochi.A modifies the following registry entries to ensure that its copy executes at each Windows start:

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "AVG"
With data: "C:\windows.exe"

Spreads via...

Logical drives

Worm:Win32/Pochi.A spreads to mapped drives by enumerating all drives from C: to Z:. If a drive is found, it copies itself to the root of the drive as "subst.exe".

Payload

Modifies computer settings

Worm:Win32/Pochi.A hides known file extensions when files are viewed in Windows Explorer by setting the following registry entry:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Sets value: "HideFileExt"
With data: "1"
Analysis by Marianne Mallen
Last update 30 November 2010
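
The file and registry artifacts listed above can be checked on a host with a short PowerShell function. This is an added example, not part of the original write-up or any vendor tooling; the function name Test-PochiIndicators, the treatment of System32 and SysWOW64 as the "Windows system folder", and the extra check of the 32-bit registry view are assumptions.

```powershell
# Added example: looks for the artifacts named in the write-up above.
# Test-PochiIndicators is a hypothetical name, not a vendor tool.
function Test-PochiIndicators {
    $findings = @()

    # Worm copies in the root folder (C:\ assumed, as in the write-up)
    foreach ($name in 'ntdetect.exe', 'windows.exe') {
        $path = Join-Path 'C:\' $name
        if (Test-Path -LiteralPath $path -PathType Leaf) { $findings += "File present: $path" }
    }

    # Renamed copy of msvbvm60.dll (assumption: system folder = System32 or SysWOW64)
    foreach ($dir in 'System32', 'SysWOW64') {
        $dll = Join-Path (Join-Path $env:windir $dir) 'klampokchild.616'
        if (Test-Path -LiteralPath $dll -PathType Leaf) { $findings += "File present: $dll" }
    }

    # Autostart value "AVG" with data C:\windows.exe.
    # The Wow6432Node path is an assumption covering the 32-bit view on 64-bit hosts.
    $runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
    foreach ($key in $runKeys) {
        $run = Get-ItemProperty -Path $key -Name 'AVG' -ErrorAction SilentlyContinue
        if ($run -and $run.AVG -match '^"?C:\\windows\.exe"?$') {
            $findings += "Run value AVG = $($run.AVG) in $key"
        }
    }

    # subst.exe at the root of any drive from C: to Z:
    foreach ($letter in [char[]](67..90)) {
        $candidate = "${letter}:\subst.exe"
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { $findings += "File present: $candidate" }
    }

    # HideFileExt = 1 is common on clean systems, so it is reported only
    # as corroboration when another artifact was already found.
    $adv = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' `
                            -Name 'HideFileExt' -ErrorAction SilentlyContinue
    if ($findings.Count -gt 0 -and $adv -and $adv.HideFileExt -eq 1) {
        $findings += 'HideFileExt = 1 for the current user'
    }
    $findings
}

$result = Test-PochiIndicators
if ($result) { $result } else { 'No Worm:Win32/Pochi.A artifacts found.' }
```

The HKCU check covers only the account running the script, and mapped network drives may not be visible from an elevated session.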