TROJ_PONMOCOP

By Domesticus in Trojans | 4 views
Rate it:
1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)
Loading ... Loading ...
 More... More

TROJ_PONMOCOP Description

TROJ_PONMOCOP is a Trojan that induces the unwanted printing routine on the corrupted PC and displays disturbing pop-up ads. TROJ_PONMOCOP code encompasses an encrypted portion, which is loaded and decrypted into memory. When decrypted, it becomes a new binary file that is UPX-packed, and will corrupt the routines from then on. This new binary also encompasses an encrypted code, which needs decryption keys from parameters found in the corrupted PC, for instance, ftCreationTime & ftLastAccessTime of %Windows%\system32 and System Volume Information folder, and the serial number of the hard drive in order to decrypt itself. If the decrypted code is a legitimate binary file, it again sends the control to this newly-created binary. If not, then the routine of TROJ_PONMOCOP will not continue which means that the binary may be unique for each of the targeted computer. All these actions are performed in memory, which means there are no downloaded files. Then, the certain registry keys are being checked by TROJ_PONMOCOP to decrypt additional binaries in memory. These registry keys are based on the infected computer’s processor/OS.

Type: Trojans

How Can You Detect TROJ_PONMOCOP?

Download SpyHunter’s Detection Scanner
to Detect TROJ_PONMOCOP.

Can’t install SpyHunter? Click here to view possible causes of installation issues.

TROJ_PONMOCOP Removal Details

TROJ_PONMOCOP has typically the following processes in memory:

  • %System%\{RANDOM FILE NAME}.dll
  • %Users\{USER NAME}\Appdata\Roaming\{RANDOM FILE NAME}.dll
  • %Documents and Settings\{USER NAME}\Application Data\{RANDOM FILE NAME}.dll
  • %Program Files\{RANDOM FOLDER}\{RANDOM FILE NAME}.dll
  • %Windows%\SysWOW64\{RANDOM FILE NAME}.dll

TROJ_PONMOCOP creates the following registry entries:

  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\{RANDOM CHARACTERS}
  • HKEY_CURRENT_USER\Software\{RANDOM CHARACTERS}
  • HKEY_LOCAL_MACHINE\software\Microsoft\Multimedia
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run “msse”
  • HKEY_LOCAL_MACHINE\Software\{RANDOM CHARACTERS}
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry\Stats\{RANDOM CHARACTERS}\{RANDOM CHARACTERS}
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run “Windows Defender”
  • HKEY_CURRENT_USER\Software\Wow6432Node\{RANDOM CHARACTERS}
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry\Stats\{RANDOM CHARACTERS}
  • HKEY_CURRENT_USER\software\Microsoft\Multimedia
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings

Important Article Disclaimer

ESG Support Center

This entry was last updated on 08/17/12 and posted on 08/17/12. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.
« Trojan.Zeroaccess.C
JS/Drop.Delf.NK.24.D »

Leave a Comment

Note: Abusive comments are not allowed. Please do not post comments regarding technical support issues. ESG customers that have issues with SpyHunter should open a customer support ticket.

*
To prove you're a person (not a spam script), type the security word shown in the picture. Click on the picture to hear an audio file of the word.
Click to hear an audio file of the anti-spam word

Popular Malware

Popular Trojans

Recent Malware

Home | SpyHunter Risk Assessment Model | Privacy Policy | End User License Agreement | Additional Terms and Conditions
Copyright 2003-2012. Enigma Software Group USA, LLC. All Rights Reserved.