
System Infected: Downloader.Ponik Activity 19

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This signature detects network traffic generated by Downloader.Ponik; this activity may lead to further infection of the affected system.

Additional Information

The Trojan may arrive through spam email.

When the Trojan is executed, it may create the following files:
%TEMP%\[RANDOM CHARACTERS FILE NAME].bat
%UserProfile%\Local Settings\Application Data\pny\pnd.exe

The Trojan then creates the following registry entry so that it executes whenever Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Microsoft PnD" = "%UserProfile%\Local Settings\Application Data\pny\pnd.exe"

It also creates the following registry entries:
HKEY_CURRENT_USER\Software\WinRAR\"Client Hash" = "[RANDOM HEXADECIMAL CHARACTERS]"
HKEY_CURRENT_USER\Software\WinRAR\"HWID" = "[RANDOM HEXADECIMAL CHARACTERS]"
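One way to check a host for the persistence artifacts listed above, as an added PowerShell example that is not part of Symantec's write-up. It assumes the registry values and file path exactly as given here and additionally checks the %LOCALAPPDATA% equivalent of the XP-era "Local Settings\Application Data" folder on newer Windows versions:

```powershell
# Added host check (not Symantec's code). Run as the user whose profile is
# being examined, since every indicator lives under HKCU or %UserProfile%.
$findings = @()

# 1. Run-key persistence: value "Microsoft PnD" pointing at pnd.exe
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and ($run.PSObject.Properties.Name -contains 'Microsoft PnD')) {
    $findings += "Run value 'Microsoft PnD' = $($run.'Microsoft PnD')"
}

# 2. Values the Trojan stores under a WinRAR-looking key (Client Hash, HWID)
$rarKey = 'HKCU:\Software\WinRAR'
$rar = Get-ItemProperty -Path $rarKey -ErrorAction SilentlyContinue
foreach ($name in @('Client Hash', 'HWID')) {
    if ($rar -and ($rar.PSObject.Properties.Name -contains $name)) {
        $findings += "HKCU\Software\WinRAR\$name = $($rar.$name)"
    }
}

# 3. Dropped payload. The write-up gives the XP-era path; on Vista and later
#    that folder maps to %LOCALAPPDATA% (assumption), so both are checked.
$candidates = @(
    (Join-Path $env:USERPROFILE 'Local Settings\Application Data\pny\pnd.exe'),
    (Join-Path $env:LOCALAPPDATA 'pny\pnd.exe')
)
foreach ($p in $candidates) {
    if (Test-Path -LiteralPath $p) {
        # Hash the file so it can be compared against vendor intelligence
        $h = (Get-FileHash -Algorithm SHA256 -LiteralPath $p).Hash
        $findings += "File present: $p (SHA256 $h)"
    }
}

# The dropped %TEMP% .bat file has a random name, so it is not checked here.
if ($findings.Count -eq 0) {
    Write-Output 'No Downloader.Ponik persistence indicators found.'
} else {
    Write-Output 'Indicators found:'
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

A hit on the Run value or the pny\pnd.exe file should be treated as a confirmed infection; the WinRAR values alone are a weaker signal, since a legitimate WinRAR installation also uses that key.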

The Trojan may then connect to any of the following remote locations:

The Trojan may then perform the following actions:
Download additional malware
Steal passwords

Affected

  • Windows