Win32/Poxters [Threat Name]

Win32/Poxters.A [Threat Variant Name]

Category trojan
Size 154624 B
Detection created Dec 14, 2012
Detection database version 7800
Aliases Trojan.Win32.Agent.venh (Kaspersky)
  VirTool:Win32/VBInject.gen!JD (Microsoft)
  ScreenLocker.AU.trojan (AVG)
Short description

Win32/Poxters.A is a trojan that blocks access to the Windows operating system (a screen locker). The file is run-time compressed using PECompact.

Installation

When executed, the trojan copies itself into the following location:

  • %appdata%\Shockwave Player\flashplugin.exe

The trojan creates the following file:

  • %appdata%\Shockwave Player\flashplugin.exe.manifest (423 B)

In order to be executed on every system start, the trojan sets the following Registry entries:

  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    • "{%variable%}" = "%appdata%\Shockwave Player\flashplugin.exe"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "{%variable%}" = "%appdata%\Shockwave Player\flashplugin.exe"
  • [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    • "{%variable%}" = "%appdata%\Shockwave Player\flashplugin.exe"

A string with variable content is used instead of %variable%, so the value name cannot be used as a fixed indicator; the value data (the flashplugin.exe path) can. The HKEY_LOCAL_MACHINE and HKEY_USERS\.DEFAULT entries can only be written with administrative rights; under a standard user account only the HKEY_CURRENT_USER entry succeeds.


The following Registry entries are set:

  • [HKEY_CURRENT_USER\Software\Desktop Software]
    • "Digit" = "%variable%"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations]
    • "LowRiskFileTypes" = ".exe;.bat;.reg;.vbs;"
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
    • "1806" = 0
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
    • "1806" = 0

The LowRiskFileTypes entry exempts the listed executable extensions from the Attachment Manager "Open File - Security Warning" prompt, and setting action 1806 ("Launching applications and unsafe files") to 0 (allow) in zone 0 (Local Machine) removes the corresponding zone prompt, so files the trojan downloads can be run silently.

The trojan launches the following processes:

  • %malwarefilepath%
  • %programfiles%\Internet Explorer\iexplore.exe

The trojan creates and runs a new thread with its own code within the processes it launches.


The trojan creates and runs a new thread with its own program code within the following processes:

  • winlogon.exe

The following programs are terminated:

  • taskmgr.exe
Payload information

Win32/Poxters.A is a trojan that blocks access to the Windows operating system.


To regain access to the operating system, the user is asked to send information or a certain amount of money via the MoneyPak payment service.

Other information

The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a list of 2 URLs and communicates with them over HTTP.


It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • update itself to a newer version
  • uninstall itself
  • lock/unlock access to the operating system
  • capture webcam video/voice

The trojan hooks the following Windows APIs:

  • SwitchDesktop (user32.dll)

Hooking SwitchDesktop from inside winlogon.exe lets the trojan interfere with desktop switches, such as the one winlogon performs on Ctrl+Alt+Del, that would otherwise take the user away from the lock screen.

The trojan may delete the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal]
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network]

Removing these keys breaks Safe Mode and Safe Mode with Networking, so cleanup cannot rely on booting into Safe Mode; the keys must be restored (for example from a clean installation of the same Windows version) before Safe Mode works again.

The trojan keeps various information in the following Registry key:

  • [HKEY_CURRENT_USER\Software\Desktop Software]
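The following triage script is an added example and is not part of the ESET write-up. It checks a Windows host for the indicators listed on this page: the dropped files, the Run-key persistence (matched on the value data, since the value name is shown only as "{%variable%}"), the Desktop Software configuration key, the LowRiskFileTypes and zone 0 action 1806 changes, and the missing SafeBoot keys. Assumptions not stated on the page: the running copy is looked up by the process name flashplugin (derived from the dropped file name), and HKEY_USERS is exposed through a PowerShell drive named HKU created by the script.

```powershell
# Added triage script for the Win32/Poxters.A indicators above (not ESET's code).
# Run from an elevated PowerShell prompt on the suspect host.

$findings = New-Object System.Collections.Generic.List[string]
function Add-Finding([string]$Text) { $script:findings.Add($Text) }

# Expose HKEY_USERS so the .DEFAULT hive can be inspected with the same cmdlets.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

# 1. Dropped files under %appdata%\Shockwave Player (current user's profile only).
$dropDir = Join-Path $env:APPDATA 'Shockwave Player'
foreach ($name in 'flashplugin.exe', 'flashplugin.exe.manifest') {
    $p = Join-Path $dropDir $name
    if (Test-Path -LiteralPath $p) {
        $size = (Get-Item -LiteralPath $p).Length
        Add-Finding "Dropped file present: $p ($size B)"
    }
}

# 2. Run-key persistence. The value NAME is variable, so match on the DATA.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKU:\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($prop in $props.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip provider metadata
        if ("$($prop.Value)" -match '\\Shockwave Player\\flashplugin\.exe') {
            Add-Finding "Run value '$($prop.Name)' in $key -> $($prop.Value)"
        }
    }
}

# 3. Configuration key used by the locker.
$cfg = 'HKCU:\Software\Desktop Software'
if (Test-Path $cfg) {
    $digit = (Get-ItemProperty -Path $cfg -ErrorAction SilentlyContinue).Digit
    Add-Finding "Config key present: $cfg (Digit = '$digit')"
}

# 4. Security-prompt suppression: LowRiskFileTypes and zone 0 action 1806 = 0.
$assoc = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Associations'
$lrft = (Get-ItemProperty -Path $assoc -ErrorAction SilentlyContinue).LowRiskFileTypes
if ($lrft -and $lrft -match '\.exe') {
    Add-Finding "LowRiskFileTypes includes executables: '$lrft'"
}
foreach ($hive in 'HKLM:', 'HKCU:') {
    $zone0 = "$hive\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0"
    $v = (Get-ItemProperty -Path $zone0 -ErrorAction SilentlyContinue).'1806'
    if ($null -ne $v -and [int]$v -eq 0) {
        Add-Finding "Zone 0 action 1806 set to 0 (allow) under $hive"
    }
}

# 5. Safe Mode sabotage: both SafeBoot subkeys exist on a healthy installation.
foreach ($sb in 'Minimal', 'Network') {
    $k = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$sb"
    if (-not (Test-Path $k)) {
        Add-Finding "SafeBoot\$sb key is missing; Safe Mode ($sb) will not boot until restored"
    }
}

# 6. Running copy (assumed process name, derived from the dropped file name).
Get-Process -Name flashplugin -ErrorAction SilentlyContinue | ForEach-Object {
    Add-Finding "Process running: $($_.ProcessName) (PID $($_.Id)) from $($_.Path)"
}

if ($findings.Count -eq 0) {
    Write-Output 'No Win32/Poxters.A indicators found.'
} else {
    Write-Output "Win32/Poxters.A indicators found ($($findings.Count)):"
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

The file and HKEY_CURRENT_USER checks only cover the profile the script runs under; to sweep other accounts on the same machine, repeat them per user profile directory and per loaded user hive under HKEY_USERS. The script only reports; a missing SafeBoot key in particular should be restored from a known-good system rather than simply recreated empty.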
