Trojan.Crypt.AB
SYMPTOMS:
The computer frequently shows the message: "Warning! Potential Spyware Operation! Your computer is making unauthorized copies of your system and Internet files. Run full scan now to pervent any unathorised access to your files! Click YES to download spyware remover ..."

TECHNICAL DESCRIPTION:
Trojan.Crypt.AB is a piece of malware designed to trick users into downloading a rogue antivirus, WinAntivirus, through an affiliate id, with the end purpose of making money for its creator.

When executed:
- it checks whether another copy of itself is already running and, if so, exits, so that only one copy runs on the infected system at any time;
- it copies itself into the %windir%\System32 directory under two different names, "WinAvXX.exe" and "printer.exe"; two more copies, "system.exe" and "autorun.exe", are placed in the Startup folder (they will be executed the next time the computer restarts);
- it sets all Internet Security Settings zones to Low and modifies the hosts file so that a number of sites (security-vendor, Microsoft update and advertising domains) are all redirected to 192.168.200.3;
- it creates a thread that shows, every 5 minutes, a warning that the computer "is making unauthorized copies of your system and Internet files";
- it adds "%windir%\system32\winav.exe" to the list of AuthorizedApplications allowed through the Windows firewall;
- it sets Internet Explorer to allow browser extensions;
- it sets "www.google.com" as the default start page and search page for Internet Explorer;
- it sets "www.google.com/ie" as the Default_Search_URL.

Removal instructions:
Please let BitDefender disinfect your files.

ANALYZED BY: Daniel RADU, virus researcher
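The hosts-file redirect and the dropped file names above are the indicators an analyst would check first. The following script is an added example, not part of the BitDefender entry: it parses hosts-file text for entries pointing at 192.168.200.3 and checks directory listings for the file names the description reports; the sample hosts content is constructed.

```python
# Checks for the Trojan.Crypt.AB indicators reported in the description:
# hosts-file entries redirected to 192.168.200.3 and the dropped file names.
from typing import Iterable, List, Tuple

REDIRECT_IP = "192.168.200.3"          # redirect target named in the description
SYSTEM32_DROPS = {"winavxx.exe", "printer.exe"}   # copies in %windir%\System32
STARTUP_DROPS = {"system.exe", "autorun.exe"}     # copies in the Startup folder


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Parse hosts-file text into (ip, hostname) pairs, skipping comments and blanks."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        fields = line.split()
        if len(fields) < 2:
            continue                          # blank line or address without a name
        ip, names = fields[0], fields[1:]
        pairs.extend((ip, name.lower()) for name in names)
    return pairs


def hosts_redirects(text: str, target: str = REDIRECT_IP) -> List[str]:
    """Hostnames that the hosts file points at the trojan's redirect address."""
    return sorted({name for ip, name in parse_hosts(text) if ip == target})


def dropped_files(system32: Iterable[str], startup: Iterable[str]) -> List[str]:
    """Which of the trojan's dropped file names appear in the given directory listings."""
    hits = [f"system32\\{n}" for n in system32 if n.lower() in SYSTEM32_DROPS]
    hits += [f"startup\\{n}" for n in startup if n.lower() in STARTUP_DROPS]
    return sorted(hits)


# Constructed sample: one legitimate entry plus two trojan-style redirect lines.
SAMPLE_HOSTS = """\
# default hosts header
127.0.0.1       localhost
192.168.200.3   www.virustotal.com   virustotal.com
192.168.200.3   windowsupdate.microsoft.com  # added by the trojan
"""

if __name__ == "__main__":
    print("redirected:", hosts_redirects(SAMPLE_HOSTS))
    print("dropped:", dropped_files(["printer.exe", "calc.exe"], ["AutoRun.exe"]))
```

On a live system, feed it the contents of %windir%\System32\drivers\etc\hosts and the listings of System32 and the Startup folder; any hit is worth a full scan.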