Trojan.Crypt.AB
LOW
LOW
variable
Symptoms
Computer shows frequent messages:
"Warning! Potential Spyware Operation!
Your computer is making unauthorized copies of your system and
Internet files. Run full scan now to pervent any unathorised access
to your files! Click YES to download spyware remover ..."
Removal instructions:
Please let BitDefender disinfect your files.
Analyzed By
Daniel RADU, virus researcher
Technical Description:
Trojan.Crypt.AB is a piece of malware designed to trick users into downloading a rogue antivirus, WinAntivirus, through an affiliate ID, with the end purpose of making money for its creator.
When executed:
- it checks whether another copy of itself is already running and, if so, exits, so that at any time only one copy runs on the infected system.
- it copies itself into the %windir%\System32 directory under two different names, "WinAvXX.exe" and "printer.exe"; two other copies are placed in the Startup folder (they will be executed the next time the computer restarts): "system.exe" and "autorun.exe".
- sets all Internet Security Settings zones to Low and modifies the hosts file so that a number of sites are redirected to 192.168.200.3:
- creates a thread that shows, every 5 minutes, a warning that the computer "is making unauthorized copies of your system and Internet files"
- adds "%windir%\system32\winav.exe" to the list of AuthorizedApplications allowed through the Windows firewall
- sets Internet Explorer to allow browser extensions
- sets "www.google.com" as the default start page and search page for Internet Explorer
- sets "www.google.com/ie" as Default_Search_URL
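As an added defender-side check that is not part of the BitDefender description, the following Python parses a hosts file and flags the redirection described above. The sample hosts content is constructed, and the generic "many hostnames pinned to one non-loopback address" heuristic is an assumption that goes beyond the single IP named on the page.

```python
import ipaddress
from collections import defaultdict

# Redirect target named in the BitDefender description of Trojan.Crypt.AB.
KNOWN_REDIRECT_TARGET = "192.168.200.3"

# Constructed sample hosts file mimicking what the trojan writes; the domains
# appear in the description, the comment and loopback lines are normal content.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
192.168.200.3   www.virustotal.com
192.168.200.3   windowsupdate.microsoft.com
192.168.200.3   liveupdate.symantec.com  # appended by malware
192.168.200.3   www.kaspersky.com
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, ignoring comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) < 2:
            continue  # blank, comment-only or malformed line
        ip, *names = fields
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # first field is not an address, so not a usable mapping
        for name in names:
            yield ip, name.lower()


def find_hosts_hijack(text, known_target=KNOWN_REDIRECT_TARGET, threshold=3):
    """Return {ip: [hostnames]} for entries that look like a hosts-file hijack.

    Flags the redirect target from the description, and (assumed heuristic)
    any non-loopback IP with `threshold` or more hostnames pinned to it.
    """
    by_ip = defaultdict(list)
    for ip, name in parse_hosts(text):
        by_ip[ip].append(name)
    flagged = {}
    for ip, names in by_ip.items():
        addr = ipaddress.ip_address(ip)
        if ip == known_target or (not addr.is_loopback and len(names) >= threshold):
            flagged[ip] = names
    return flagged
```

On a Windows host the file to pass in is %windir%\System32\drivers\etc\hosts; any hit should be cross-checked against the other artefacts listed above before cleaning.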