MSIL/Pontoeb [Threat Name] go to Threat

MSIL/Pontoeb.N [Threat Variant Name]

Category trojan,worm
Size 33280 B
Aliases Trojan.Win32.Fsysna.ipw (Kaspersky)
  Trojan:Win32/Comrerop (Microsoft)
Short description

MSIL/Pontoeb.N is a worm that spreads via removable media. The worm serves as a backdoor. It can be controlled remotely.


The worm is usually a part of other malware.

When executed, the worm copies itself in some of the the following locations:

  • %commonapplicationdata%\­csrss.exe
  • %localapplicationdata%\­lsass.exe
  • %commonprogramfiles%\­csrss.exe
  • %applicationdata%\­lsass.exe
  • %temp%\­%variable1%\­%variable2%

A string with variable content is used instead of %variable1-2% .

The worm may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "Audio Driver" = "%commonapplicationdata%\­csrss.exe"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows\­CurrentVersion\­Policies\­Explorer\­Run]
    • "Audio Driver" = "%localapplicationdata%\­lsass.exe"
  • [HKEY_CURRENT_USER\­SOFTWARE\­Microsoft\­Windows\­CurrentVersion\­Run
    • "Audio Driver" = "%commonprogramfiles%\­csrss.exe"
  • [HKEY_CURRENT_USER\­SOFTWARE\­Microsoft\­Windows\­CurrentVersion\­Policies\­Explorer\­Run]
    • "Audio Driver" = "%applicationdata%\­lsass.exe"

This causes the worm to be executed on every system start.

The worm executes the following command:

  • netsh.exe firewall add allowedprogram program="%malwarefilepath%" name="Audio Driver" mode=ENABLE scope=ALL profile=ALL

The performed command creates an exception in the Windows Firewall.

Information stealing

The worm collects the following information:

  • information about the operating system and system settings
Spreading on removable media

The worm copies itself into the root folders of removable drives using the following name:

  • USBDriver.exe

The following file is dropped in the same folder:

  • autorun.inf

The AUTORUN.INF file contains the path to the malware executable.

Thus, the worm ensures it is started each time infected media is inserted into the computer.

Other information

The worm acquires data and commands from a remote computer or the Internet.

The worm contains a URL address. The HTTP protocol is used.

It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • open ports
  • open a specific URL address
  • send gathered information

The worm connects to the following addresses:


The worm may delete the following Registry entries:

  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Active Setup\­Installed Components\­{GUID}]
  • [HKEY_CURRENT_USER\­SOFTWARE\­Microsoft\­Active Setup\­Installed Components\­{GUID}]
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "Audio Driver"
  • [HKEY_CURRENT_USER\­SOFTWARE\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "Audio Driver"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows\­CurrentVersion\­Policies\­Explorer\­Run]
    • "Audio Driver"
  • [HKEY_CURRENT_USER\­SOFTWARE\­Microsoft\­Windows\­CurrentVersion\­Policies\­Explorer\­Run]
    • "Audio Driver"

Worm requires the Microsoft .NET Framework to run.

Please enable Javascript to ensure correct displaying of this content and refresh this page.