W32.Pixipos
First posted on 02 April 2014.
Source: Symantec
Aliases:
There are no other names known for W32.Pixipos.
Explanation:
When the worm is executed, it creates the following file:
%UserProfile%\Application Data\win.sxs
The worm then creates the following registry entry so that it runs every time Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Taskbar" = "%UserProfile%\Application Data\win.sxs"
The worm then gathers data from point-of-sale (PoS) systems and uploads the data to the following remote location:
yo.u-know-who.com/ss/gate.php
The worm spreads through removable drives using the following files:
%DriveLetter%\win.sxs
%DriveLetter%\autorun.inf
Last update 02 April 2014
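The indicators listed above can be matched against exported Run-key values, removable-drive file listings and proxy URLs. The Python below is an added example, not part of the Symantec write-up; the function names, input formats and sample records are assumptions constructed for illustration.

```python
from pathlib import PureWindowsPath
from urllib.parse import urlsplit

# Indicators copied from the description above.
DROPPED_NAME = "win.sxs"
C2_HOST, C2_PATH = "yo.u-know-who.com", "/ss/gate.php"

def _parts(path):
    """Lower-cased components of a Windows path, surrounding quotes removed."""
    return [p.lower() for p in PureWindowsPath(path.strip().strip('"')).parts]

def check_run_entries(entries):
    """entries: {value name: data} exported from the HKCU Run key (assumed format)."""
    hits = []
    for name, data in entries.items():
        parts = _parts(data)
        # Matches %UserProfile% both unexpanded and expanded to a real directory.
        if parts and parts[-1] == DROPPED_NAME and "application data" in parts[:-1]:
            hits.append(name)
    return hits

def check_removable_root(paths):
    """paths: files on one removable drive. True if both files sit in its root."""
    roots = {p[-1] for p in map(_parts, paths) if len(p) == 2}
    return {DROPPED_NAME, "autorun.inf"} <= roots

def check_proxy_urls(urls):
    """urls: requested URLs from a proxy log, with or without a scheme."""
    hits = []
    for url in urls:
        u = urlsplit(url if "://" in url else "http://" + url)
        if (u.hostname or "").lower() == C2_HOST and u.path.lower() == C2_PATH:
            hits.append(url)
    return hits

# Constructed sample data, not taken from a real host.
RUN = {"Taskbar": '"C:\\Documents and Settings\\pos\\Application Data\\WIN.SXS"',
       "Updater": "C:\\Program Files\\Vendor\\update.exe"}
DRIVE = ["E:\\AUTORUN.INF", "E:\\win.sxs", "E:\\docs\\report.doc"]
URLS = ["http://yo.u-know-who.com/ss/gate.php?id=1", "example.org/ss/gate.php"]

if __name__ == "__main__":
    print("Run key hits:", check_run_entries(RUN))
    print("Removable drive infected:", check_removable_root(DRIVE))
    print("Proxy hits:", check_proxy_urls(URLS))
```

Matching on the Run-key target rather than only the value name "Taskbar" still catches the entry if the value name differs.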