Weekly Malware Review: Pandora
Moreover, the Trojan will be difficult to spot as it disables the “Show hidden files” option in Windows Explorer.
It creates two copies of itself with two different file extensions: an “.exe” one and a “.scr” one, while keeping a previously generated name. It also makes copies of itself under random names in the "%Documents and settings%" folder. In order to execute itself repeatedly, Chinky generates a registry key in HKCU\Software\Microsoft\Windows\CurrentVersion\Run\%RandomName% with the value %Documents and settings%\%UserName%\%RandomName%.exe.
Like most other recent malware, Trojan.VB.Chinky.U also has a worm component that allows it to spread using flash drives and other media, such as USB external hard disks and even mapped drives across the network.
The “autorun.inf” component ensures the automatic execution of the “.exe” file, and it also changes the icon of the infected removable drive to a standard Windows folder icon. Six more shortcut files pointing to the “.scr” file are created and displayed on the removable drive with different names and icons: New Folder, Passwords, Documents, Music, Documents, and Pictures.
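The removable-drive artifacts described above can be checked for on a mounted drive or image. The following triage script is an added example, not part of the original review; the sample file names, the icon value and the byte-search heuristic for shortcut targets are assumptions constructed for the demonstration.

```python
import os
import re
import tempfile

AUTORUN_KEYS = re.compile(r"(?im)^[ \t]*(open|shellexecute|icon)[ \t]*=[ \t]*(.+?)[ \t\r]*$")

def triage_drive(root):
    """Flag the drive-root artifacts the review describes; returns (kind, detail) tuples."""
    findings = []
    for name in sorted(os.listdir(root)):
        path = os.path.join(root, name)
        low = name.lower()
        if not os.path.isfile(path):
            continue
        if low.endswith(".scr"):
            findings.append(("scr_at_root", name))
        elif low == "autorun.inf":
            with open(path, "rb") as fh:
                text = fh.read().decode("latin-1")
            for key, value in AUTORUN_KEYS.findall(text):
                kind = "autorun_icon" if key.lower() == "icon" else "autorun_exec"
                findings.append((kind, value))
        elif low.endswith(".lnk"):
            with open(path, "rb") as fh:
                data = fh.read().lower()
            # Heuristic only (not a full .lnk parser): target string in ANSI or UTF-16LE.
            if b".scr" in data or ".scr".encode("utf-16-le") in data:
                findings.append(("lnk_to_scr", name))
    return findings

def build_sample(root):
    """Constructed sample drive layout; names and contents are invented for the demo."""
    files = {
        "autorun.inf": b"[autorun]\r\nopen=sample.exe\r\nicon=%SystemRoot%\\system32\\shell32.dll,4\r\n",
        "sample.exe": b"MZ",
        "sample.scr": b"MZ",
        "Passwords.lnk": b"L\x00\x00\x00" + "E:\\sample.scr".encode("utf-16-le"),
        "Music.lnk": b"L\x00\x00\x00" + b"E:\\SAMPLE.SCR\x00",
        "notes.lnk": b"L\x00\x00\x00" + b"C:\\Windows\\notepad.exe\x00",
    }
    for name, content in files.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(content)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for kind, detail in triage_drive(tmp):
            print(f"{kind:13} {detail}")
```

An `autorun_exec` or `autorun_icon` hit together with several `lnk_to_scr` hits on the same drive root matches the combination described in the review; any one finding alone is weaker evidence.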
This is not the end of it. The downloader component of Trojan.VB.Chinky.U subsequently drops and installs other e-threats on the infected system, such as backdoors, password stealers, rogue AV and other offers that are too hot to handle.