Follow:

You have been re-routed to the TrojanDownloader:Win32/Ponmocup.A write up because TrojanDownloader%253aWin32%252fPonmocup.A has been renamed to TrojanDownloader:Win32/Ponmocup.A
 

TrojanDownloader:Win32/Ponmocup.A


TrojanDownloader:Win32/Ponmocup.A is a trojan that silently downloads and installs other programs without consent. This could include the installation of additional malware or malware components to an affected machine.


What to do now

To detect and remove this threat and other malicious software that may be installed in your computer, run a full-system scan with an up-to-date antivirus product such as the following:
 
 
For more information on antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.
Additional remediation instructions
This threat may make lasting changes to an affected system's configuration that will NOT be restored by detecting and removing this threat. For more information on returning an affected system to its pre-infected state, please see the following information:
To recreate a clean HOSTS file:

Threat behavior

TrojanDownloader:Win32/Ponmocup.A is a trojan that silently downloads and installs other programs without consent. This could include the installation of additional malware or malware components to an affected machine.
Installation
TrojanDownloader:Win32/Ponmocup.A creates the following file(s) on an affected machine:
  • %windir%\temp\scse.tmp
  • %windir%\temp\scsf.tmp
  • <system folder>\drivers\etc\hosts
  • c:\documents and settings\administratorxplore.exe

Note - <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP and Vista is C:\Windows\System32.
Payload
Modifies Hosts file
TrojanDownloader:Win32/Ponmocup.A modifies the Windows Hosts file. The local Hosts file overrides the DNS resolution of a web site URL to a particular IP address. Malicious software may make modifications to the Hosts file in order to redirect specified URLs to different IP addresses. Malware often modifies an affected machine's Hosts file in order to stop users from accessing websites associated with particular security-related applications (such as antivirus for example).

Contacts remote host
The malware may contact a remote host at imagehut4.cn using port 80. Commonly, malware may contact a remote host for the following purposes:
  • To report a new infection to its author
  • To receive configuration or other data
  • To download and execute arbitrary files (including updates or additional malware)
  • To receive instruction from a remote attacker
  • To upload data taken from the affected computer

This malware description was produced and published using our automated analysis system's examination of file SHA1 171b98c4d872d441875b6c3d6ce12c8617df44c7. If you would like to comment on this analysis, please send your feedback to mmpc-amd@microsoft.com.

Symptoms

System changes
The following system changes may indicate the presence of this malware:
Presence of the following file/s:
%windir%\temp\scse.tmp
%windir%\temp\scsf.tmp
c:\documents and settings\administratorxplore.exe

Prevention


Alert level: Severe
First detected by definition: 1.71.721.0
Latest detected by definition: 1.175.409.0 and higher
First detected on: Nov 22, 2009
This entry was first published on: Jun 04, 2010
This entry was updated on: Apr 17, 2011

This threat is also detected as:
  • Swisyn.s (McAfee)
  • Trojan.Win32.Swisyn.jyb (Kaspersky)
  • W32.Changeup!gen (Symantec)