It is very easy to know when Pahooka.A has infected a computer. Once run, it replaces the computer’s desktop wallpaper with a multicolored star on a blue background and copies itself to all mapped drives. Finally, it changes the caption of all the windows opened by the user, showing the text “^_^Anti AntiVirus^_^”.
The worm drops a file that contains code to eliminate the content of folders belonging to certain antivirus programs.
Also, Pahooka.A changes the registry so that it hides the Search and Run options in the start menu, the Folder options, the Control Panel options, and the Network Connections and Printers and Faxes options. It also prevents users from enabling, disabling or modifying the system restore settings. Plus, it disables the registry editor and the task manager.
Pahooka.A connects periodically to certain web pages to download more malware onto the infected computer and runs every time the computer is started up or a program with an .exe extension is run.
HiddenXLS.A is the second malicious code in this report. This virus targets Excel files on the infected computer. HiddenXLS.A looks for all files with an .xls extension on the infected computer and mapped drives, and adds an executable file at the beginning of these files, changing their extension to .exe, so that every time the user tries to open the document, the malicious code runs first.
Finally, Sinowal.FY is a ransomware Trojan. Sinowal.FY encrypts users’ files so that they cannot access them, and demands a ransom for giving them a tool to decrypt the files as well as the decryption key.
On reaching a computer, Sinowal.FY creates a text file containing its demands: if the targeted user doesn’t give $300 to the malware writer, they will not be able to retrieve the kidnapped documents.