Home / malwarePDF  

Worm:Win32/Poswauto.A


First posted on 05 July 2016.
Source: Microsoft

Aliases :

There are no other names known for Worm:Win32/Poswauto.A.

Explanation :

Installation
This threat can create files on your PC, including:

  • \drivers\etc\hosts


It modifies the registry so that it runs each time you start your PC. For example:

In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Sets value: "test"
With data: "c:\temp\test.exe"
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Sets value: "test"
With data: "c:\temp\test.exe"


The malware uses code injection to make it harder to detect and remove. It can inject code into running processes.

Payload

Connects to a remote host

We have seen this threat connect to a remote host: Malware can connect to a remote host to do any of the following:
  • Check for an Internet connection
  • Download and run files (including updates or other malware)
  • Report a new infection to its author
  • Receive configuration or other data
  • Receive instructions from a malicious hacker
  • Search for your PC location
  • Upload information taken from your PC
  • Validate a digital certificate
Stops services


This threat tries to stop some services from running on your PC, including:
  • "symantec management client"


This malware description was published using automated analysis of file SHA1 c1d770e57bca873caaf851b4fbd88f9167b0be48.

Last update 05 July 2016

 

TOP