
SoftwareBundler:Win32/Pokavampo


First posted on 09 October 2015.
Source: Microsoft

Aliases :

There are no other names known for SoftwareBundler:Win32/Pokavampo.

Explanation :

Threat behavior

Installation
This threat can create files in %APPDATA% and %ProgramFiles%. We have seen it use random file and folder names, for example:

  • %APPDATA%\Local\4C4C4544-1443639829-3910-8052-B8C04F393253\pnsa44FD.exe
  • %APPDATA%\Local\4C4C4544-1443639829-3910-8052-B8C04F393253\rnsa44FB.exe
  • %APPDATA%\Local\4C4C4544-1443639829-3910-8052-B8C04F393253\Uninstall.exe
  • %APPDATA%\Roaming\VOPackage\Uninstall.exe
  • %APPDATA%\Roaming\VOPackage\VOPackage.exe
  • %ProgramFiles%\4C4C4544-1443664989-3910-8052-B8C04F393253\knszB738.tmpfs
  • %ProgramFiles%\4C4C4544-1443664989-3910-8052-B8C04F393253\rnsiCBFB.exe
  • %ProgramFiles%\4C4C4544-1443664989-3910-8052-B8C04F393253\Uninstall.exe


It can also make registry changes, for example:

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\<service name>, for example HKLM\SYSTEM\CurrentControlSet\Services\dipubibu or HKLM\SYSTEM\CurrentControlSet\Services\gyvixodu

  • Sets value: "DisplayName"
    With data: varies, for example "CD Feature"
  • Sets value: "Description"
    With data: varies, for example "Country Code CD-R"
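The registry and file-path indicators above can be checked on a suspect machine with the following PowerShell script. It is an added example, not part of the Microsoft write-up: it enumerates installed services and reports any whose DisplayName or Description matches the example strings listed here, or whose ImagePath points into a dashed, GUID-like folder under AppData or Program Files like the sample paths. The folder-name regex is an assumption derived from the listed examples, since the write-up only says the names are random.

```powershell
# Added example (not Microsoft's code). Run from an elevated prompt.
# Reports only; it does not stop or remove anything.

# Exact example values from the write-up; extend the lists as needed.
$suspectDisplayNames = @('CD Feature')
$suspectDescriptions = @('Country Code CD-R')

# Assumption: folder names follow the shape of the listed samples
# (five dash-separated groups, the second being a ten-digit number).
$folderPattern = '\\[0-9A-F]{8}-\d{10}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\\'

# Locations the write-up names: %APPDATA%\Local, %APPDATA%\Roaming, %ProgramFiles%.
$roots = @((Split-Path $env:APPDATA -Parent), $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } | ForEach-Object { [regex]::Escape($_) }

$findings = foreach ($svc in Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services') {
    $p = Get-ItemProperty -Path $svc.PSPath -ErrorAction SilentlyContinue
    if (-not $p) { continue }
    $reasons = @()
    if ($p.DisplayName -in $suspectDisplayNames) { $reasons += 'DisplayName' }
    if ($p.Description -in $suspectDescriptions) { $reasons += 'Description' }

    # Expand %VAR% references so the path can be compared against the roots.
    $image = [Environment]::ExpandEnvironmentVariables([string]$p.ImagePath)
    $underRoot = $roots | Where-Object { $image -match "^`"?$_" }
    if ($underRoot -and $image -match $folderPattern) { $reasons += 'ImagePath' }

    if ($reasons) {
        [pscustomobject]@{
            Service     = $svc.PSChildName
            DisplayName = $p.DisplayName
            Description = $p.Description
            ImagePath   = $image
            Reason      = ($reasons -join ',')
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize }
else { 'No service entries matched the listed indicators.' }
```

A hit on ImagePath alone is a lead, not proof: confirm the binary and the service name against the file paths listed above before acting on it.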



Payload


Downloads unwanted software

This threat tries to download other unwanted software onto your PC. It does this by showing you offers for other products that pop up on your desktop as you use your PC. Some of these offers cannot be closed using the pop-up interface. Below are some examples:
You wouldn't see these offers if this program wasn't installed on your PC.





Analysis by Michael Johnson

Symptoms

The following can indicate that you have this threat on your PC:

  • You see advertisements similar to these:
Last update 09 October 2015
