Win32/Pmabot [Threat Name]

Win32/Pmabot.A [Threat Variant Name]

Category: trojan
Size: 25088 B
Detection created: Jan 24, 2014
Detection database version: 9334
Aliases: Win32:Dropper-gen (Avast), Win32.IRC-Backdoor.buW@ayydznc (BitDefender)

Short description

The trojan serves as a backdoor. It can be controlled remotely.


When executed, the trojan copies itself into the following location:

  • %appdata%\uniconvert.exe

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "Unicode toolkit" = "%appdata%\uniconvert.exe"
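
A triage check for the persistence described above, as an added example that is not part of the original description: it scans a `.reg` text export for the Run value name and file name listed here. The export sample, the user name `alice` and the function name are constructed for illustration.

```python
import re

# Indicators taken from the description above.
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
VALUE_NAME = "Unicode toolkit"
FILE_NAME = "uniconvert.exe"

# Constructed sample: registry text in the .reg format written by `reg export`.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Unicode toolkit"="C:\\Users\\alice\\AppData\\Roaming\\uniconvert.exe"

[HKEY_CURRENT_USER\Software\Example]
"Unicode toolkit"="unrelated value outside the Run key"
'''

_STRING_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def _unescape(text):
    # .reg string values escape backslash and double quote with a backslash.
    return re.sub(r'\\(.)', r'\1', text)

def find_pmabot_run_entries(reg_text):
    """Return (value name, data, reasons) for suspicious HKCU Run values."""
    hits, in_run_key = [], False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_run_key = line[1:-1].lower() == RUN_KEY.lower()
            continue
        match = _STRING_VALUE.match(line)
        if not (in_run_key and match):
            continue
        name, data = _unescape(match.group(1)), _unescape(match.group(2))
        reasons = []
        if name.lower() == VALUE_NAME.lower():
            reasons.append("value name")
        # Compare only the file name, so expanded and %appdata% forms both match.
        target = data.strip().strip('"').lower()
        if target.replace("/", "\\").rsplit("\\", 1)[-1] == FILE_NAME:
            reasons.append("file name")
        if reasons:
            hits.append((name, data, reasons))
    return hits
```

`reg export` writes UTF-16 text, so decode the file with that encoding before passing its contents to `find_pmabot_run_entries`.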

Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a URL address. The HTTP and IRC protocols are used.

The trojan generates various URL addresses.

It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • stop itself for a certain time period
