About “Trojan:Win32/Phonzy.A!ml” infection

Trojan:Win32/Phonzy.A!ml is considered dangerous by many security experts. When this infection is active, you may notice unwanted processes in the Task Manager list. In this case, it is advised to scan your computer with GridinSoft Anti-Malware.

What can the Trojan:Win32/Phonzy.A!ml virus do?

  • Behavioural detection: Executable code extraction – unpacking
  • A file was accessed within the Public folder.
  • Sample contains Overlay data
  • Reads data out of its own binary image
  • Installs a browser addon or extension
  • CAPE extracted potentially suspicious content
  • Drops a binary and executes it
  • The binary contains an unknown PE section name indicative of packing
  • Authenticode signature is invalid
  • Uses Windows utilities to create a scheduled task
  • Behavioural detection: Transacted Hollowing
  • Detects Bochs through the presence of a registry key
  • Checks the version of Bios, possibly for anti-virtualization
  • Attempted to write directly to a physical drive
  • Deletes executed files from disk
  • Collects information to fingerprint the system
  • Yara rule detections observed from a process memory dump/dropped files/CAPE

How to identify Trojan:Win32/Phonzy.A!ml?

File Info:

name: 79E5F032E7D2B6956C26.mlw
path: /opt/CAPEv2/storage/binaries/7c9f68f990313dba94a49d4a6fd5f1d3198dd29ac35ff83257b68d96ace4ca11
crc32: 5CCE58C1
md5: 79e5f032e7d2b6956c262ada9c5fd89f
sha1: 8e5ae1d3223ead03752f86377963674899277065
sha256: 7c9f68f990313dba94a49d4a6fd5f1d3198dd29ac35ff83257b68d96ace4ca11
sha512: d7a685f133a2abf48e3a2598bca3b22a675ccbad6bb8e7c623bd29b49b0db807b54576f44ac9ecf6d324cac21523cf4288b357e2a723c88d86fca1a174e4e9d6
ssdeep: 12288:uaHc64b888888888888W88888888888EoscV7/9GqeMo3SM5oxLTE33rD+zG/oBj:F86ljW7/9oSTlTKezG/aYFkJR30F6rpt
type: PE32 executable (GUI) Intel 80386, for MS Windows
tlsh: T153F40213B3C30032F5665A35CC768044AD2779B909F0605A2EF9EB4E4EB96C69D7BF21
sha3_384: 5c71d6356a44a12b0c8a99db15426e7a8ac7959fa713ac9a15056739b640401691ac946340d5f08b745f005bacdaf2d5
ep_bytes: 558bec83c4a453565733c08945c48945
timestamp: 2018-06-14 13:27:46

Version Info:

Comments: This installation was built with Inno Setup.
CompanyName:
FileDescription:
FileVersion: 162.242
LegalCopyright:
ProductName:
ProductVersion: 162.242
Translation: 0x0000 0x04b0

Trojan:Win32/Phonzy.A!ml also known as:

Bkav: W32.AIDetectMalware
Lionic: Trojan.Win32.Addrop.4!c
MicroWorld-eScan: Generic.Addrop.A.285106DD
FireEye: Generic.Addrop.A.285106DD
Skyhigh: BehavesLike.Win32.Dropper.bc
ALYac: Generic.Addrop.A.285106DD
Cylance: unsafe
VIPRE: Generic.Addrop.A.285106DD
Sangfor: Trojan.Win32.Addrop.Vkux
Alibaba: Trojan:Win32/MalCrack.a57d411f
CrowdStrike: win/malicious_confidence_90% (D)
Symantec: Trojan.Gen.MBT
Elastic: malicious (high confidence)
Cynet: Malicious (score: 100)
APEX: Malicious
ClamAV: Win.Malware.Ejfb-9784212-0
Kaspersky: Trojan.Win32.MalCrack.a
BitDefender: Generic.Addrop.A.285106DD
Avast: NSIS:Adware-AEQ [Adw]
Tencent: Trojan.Win32.MalCrack.haw
Sophos: Mal/Generic-S
F-Secure: Trojan.TR/Crypt.XPACK.Gen8
Emsisoft: Generic.Addrop.A.285106DD (B)
SentinelOne: Static AI – Malicious PE
Jiangmin: TrojanDropper.Agentino.a
Varist: W32/Addrop.D.gen!Eldorado
Avira: TR/Crypt.XPACK.Gen8
Kingsoft: malware.kb.a.987
Microsoft: Trojan:Win32/Phonzy.A!ml
ZoneAlarm: Trojan.Win32.MalCrack.a
GData: Generic.Addrop.A.285106DD
AhnLab-V3: Adware/Win.Addrop.C5561178
McAfee: Artemis!79E5F032E7D2
Malwarebytes: Trojan.Dropper
Rising: Downloader.TaskLoader/ARCHIVE!1.CDEA (CLASSIC)
Ikarus: Trojan-Dropper.Addrop
MaxSecure: Trojan.Malware.121218.susgen
Fortinet: W32/Addrop.CH!tr
AVG: NSIS:Adware-AEQ [Adw]
Cybereason: malicious.3223ea
DeepInstinct: MALICIOUS

How to remove Trojan:Win32/Phonzy.A!ml?

Trojan:Win32/Phonzy.A!ml removal tool
  • Download and install GridinSoft Anti-Malware.
  • Open GridinSoft Anti-Malware and perform a “Standard scan”.
  • “Move to quarantine” all items.
  • Open the “Tools” tab – Press “Reset Browser Settings”.
  • Select proper browser and options – Click “Reset”.
  • Restart your computer.

About the author

Paul Valéry

I'm a cyber security analyst and data science expert with 5+ years of experience with security software contractors.