SonicALERT
Search

Sonicwall Signatures

 

Go to All Categories list.


  Pontoeb.N_7
Pontoeb.N_7 is a Trojan. A Trojan is a program that pretends to have a valid use, but in fact modifies the user's computer in malicious ways. Trojans do not replicate or spread to other computers.

File Related Changes
It drops the following file(s) on the system:
  • "C:\\Documents and Settings\\All Users\\Application Data\\csrss.exe"

Process Related Changes
It creates the following mutex(es):
  • .net clr networking"
  • c:!documents and settings!admin!local settings!temporary internet files!content.ie5!"
  • ZonesLockedCacheCounterMutex"
  • c:!documents and settings!admin!local settings!history!history.ie5!"
  • WininetConnectionMutex"
  • CTF.TMD.MutexDefaultS-1-5-21-1078081533-842925246-854245398-1003"
  • CTF.TimListCache.FMPDefaultS-1-5-21-1078081533-842925246-854245398-1003MUTEX.DefaultS-1-5-21-1078081533-842925246-854245398-1003"
  • CTF.Compart.MutexDefaultS-1-5-21-1078081533-842925246-854245398-1003"
  • ZoneAttributeCacheCounterMutex"
  • ZonesCacheCounterMutex"
  • {19b6b013-fda7-11e1-b2f6-806d6172696f}"
  • CTF.Layouts.MutexDefaultS-1-5-21-1078081533-842925246-854245398-1003"
  • SHIMLIB_LOG_MUTEX"
  • CTF.Asm.MutexDefaultS-1-5-21-1078081533-842925246-854245398-1003"
  • ZonesCounterMutex"
  • RasPbFile"
  • CTF.LBES.MutexDefaultS-1-5-21-1078081533-842925246-854245398-1003"
  • c:!documents and settings!admin!cookies!"

It creates the following process(es):
  • C:\\WINDOWS\\system32\\netsh.exe [ \\netsh.exe firewall add allowedprogram program=C:\\Documents and Settings\\All Users\\Application Data\\csrss.exe name=\\Audio Driver mode=ENABLE scope=ALL profile=ALL ]
  • C:\\Program Files\\Common Files\\lsass.exe
  • C:\\Documents and Settings\\All Users\\Application Data\\csrss.exe
  • C:\\WINDOWS\\Temp\\8938332dee9c0ba7cda48b6966e258a0.exe [ \\c:\\windows\\temp\\8938332dee9c0ba7cda48b6966e258a0.exe ]

Network Activity
We observed the following DNS query/queries:
  • iprovn.net

Registry Related Changes
It makes the following registry modifications to ensure infection after system reboot:
  • HKLM\\system\\CurrentControlSet\\Services\\tcpip\\parameters\\tcpmaxhalfopen = ￿ÿ


Relevant Information


© SonicWall 2020 | Privacy Policy | Conditions for use Version: 10.0