Win32/Joanap
First posted on 12 October 2015.
Source: Microsoft
Aliases:
There are no other names known for Win32/Joanap.
Explanation:
Threat behavior
Installation
This threat can create the following files on your PC:
- %SystemRoot%\system32\scardprv.dll
- %SystemRoot%\system32\Wmmvsvc.dll
After the malware runs, it deletes these files using a batch file, for example d.bat.
The malware adds a service so that it runs each time your PC starts. We have seen it use the following service names:
- SmartCard Protector
- Windows Media Management Driver Extensions
Payload
Gives a malicious hacker access to your PC
This threat connects to a malicious hacker and waits for commands. The malware can be instructed to perform a number of actions, including:
- Downloading and uploading files, including threats from the Win32/Brambul and Win32/Escad families
- Running files
- Stopping processes
- Renaming or moving files
- Creating and deleting directories
Analysis by Francis Tan Seng
Symptoms
The following can indicate that you have this threat on your PC:
- You have these files:
  - %SystemRoot%\system32\scardprv.dll
  - %SystemRoot%\system32\Wmmvsvc.dll
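A host check for the files and service names listed in this entry, added here as an example (it is not part of Microsoft's write-up). It assumes the listed service names may appear as either the service name or the display name, and that a DLL-based service is registered through a `ServiceDll` registry value; the entry states neither detail.

```powershell
# Added example: host triage for the Win32/Joanap artifacts listed on this page.
# Run from an elevated PowerShell prompt on the machine being checked.

# File and service names exactly as given in the entry.
$dllNames     = 'scardprv.dll', 'Wmmvsvc.dll'
$serviceNames = 'SmartCard Protector', 'Windows Media Management Driver Extensions'

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Type, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Type = $Type; Detail = $Detail })
}

# 1. Dropped DLLs. The entry says the malware deletes them after it runs,
#    so a missing file does not rule out infection.
foreach ($dll in $dllNames) {
    $path = Join-Path $env:SystemRoot "system32\$dll"
    if (Test-Path -LiteralPath $path) { Add-Finding 'File' $path }
}

# 2. Services whose name or display name matches (assumption: either may be used).
foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    if ($serviceNames -contains $svc.Name -or $serviceNames -contains $svc.DisplayName) {
        Add-Finding 'Service' ("{0} ({1}) -> {2}" -f $svc.Name, $svc.DisplayName, $svc.PathName)
    }
}

# 3. Assumption: a DLL-based service is registered via a ServiceDll value.
#    Flag any service, whatever its name, that loads one of the listed DLLs.
$root = 'HKLM:\SYSTEM\CurrentControlSet\Services'
foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
    $params = Join-Path $key.PSPath 'Parameters'
    $value  = (Get-ItemProperty -LiteralPath $params -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
    if ($value -and ($dllNames -contains (Split-Path -Path $value -Leaf))) {
        Add-Finding 'ServiceDll' ("{0} -> {1}" -f $key.PSChildName, $value)
    }
}

if ($findings.Count -eq 0) { 'No listed Win32/Joanap artifacts found.' }
else { $findings | Format-Table -AutoSize -Wrap }
```

Because the DLLs can be removed after execution, treat a `Service` or `ServiceDll` finding as significant even when no `File` finding is reported.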
Last update 12 October 2015