Trojan.Crypt.DE
MEDIUM
MEDIUM
Size: 120-130 kbytes
Also known as: Virtool:Win32/Obfuscator.AP, Trojan.MulDrop.15722, PWS-OnlineGames.av trojan, Win32/TrojanDropper.Agent.NJR
Symptoms
- the presence of the files tavo.exe and tavo0.dll in the %WINDIR%\system32 folder;
- the presence of a file named tt.exe, 1.exe or 2.exe in the %WINDIR% folder;
- the presence of a startup registry value:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
tava="%WINDIR%\system32\tavo.exe"
Removal instructions:
Please let BitDefender disinfect your files.
Analyzed By
Marius Botis, virus researcher
Technical Description:
This malware is a dropper which creates a file named tt.exe, 1.exe or 2.exe in the %WINDIR% folder. The dropped file is detected as Packer.Malware.NSAnti.AO. After executing this file, the dropper deletes itself.
The dropped file creates a registry value under the Run key so that it is executed after every reboot, and drops two further files, tavo.exe and tavo0.dll, into the %WINDIR%\system32 folder. It then hijacks explorer.exe and injects one of its components, tavo0.dll, into each running process.
The purpose of these components is to steal the credentials of online game accounts used to access http://tw.gamania.com/.
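The following triage script is an added example, not BitDefender's tooling, that checks a host for the indicators listed in the Symptoms and Technical Description sections above: the dropped files, the tava value under the HKCU Run key, and tavo0.dll loaded into running processes. The indicator names are taken from this page; the script itself, its variable names and output format are assumptions of this example. Run it from an elevated PowerShell prompt so that module lists of all processes can be read. Note that 1.exe and 2.exe are generic names, so their presence alone is a weaker indicator than tavo.exe, tavo0.dll or the Run value.

```powershell
# Added triage check for the Trojan.Crypt.DE indicators described on this page.
# Hypothetical helper script (not BitDefender's); indicator names come from the
# Symptoms section, everything else is assumed for this example.

$system32 = Join-Path $env:WINDIR 'system32'
$indicators = @{
    Files = @(
        (Join-Path $system32 'tavo.exe'),
        (Join-Path $system32 'tavo0.dll'),
        (Join-Path $env:WINDIR 'tt.exe'),
        (Join-Path $env:WINDIR '1.exe'),
        (Join-Path $env:WINDIR '2.exe')
    )
    RunKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    RunValue = 'tava'
    Module   = 'tavo0.dll'
}

$findings = @()

# 1. Dropped files in %WINDIR% and %WINDIR%\system32 (hash them for later correlation)
foreach ($path in $indicators.Files) {
    if (Test-Path -LiteralPath $path) {
        $item = Get-Item -LiteralPath $path
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $findings += [pscustomobject]@{
            Type   = 'File'
            Detail = $path
            Extra  = "size=$($item.Length) sha256=$hash"
        }
    }
}

# 2. Persistence: the 'tava' value under the current user's Run key
$run = Get-ItemProperty -Path $indicators.RunKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties[$indicators.RunValue]) {
    $findings += [pscustomobject]@{
        Type   = 'RunKey'
        Detail = "$($indicators.RunKey)\$($indicators.RunValue)"
        Extra  = $run.($indicators.RunValue)
    }
}

# 3. Injection: tavo0.dll loaded into any running process.
#    Module enumeration fails for protected processes or across 32/64-bit
#    boundaries; those processes are skipped rather than aborting the scan.
foreach ($proc in Get-Process) {
    try {
        $mod = $proc.Modules | Where-Object { $_.ModuleName -ieq $indicators.Module }
        if ($mod) {
            $findings += [pscustomobject]@{
                Type   = 'InjectedModule'
                Detail = "$($proc.ProcessName) (PID $($proc.Id))"
                Extra  = ($mod | Select-Object -First 1).FileName
            }
        }
    } catch {
        # access denied or architecture mismatch: cannot inspect this process
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    'No Trojan.Crypt.DE indicators found.'
}
```

If the script reports tavo0.dll inside explorer.exe or other processes, removing the files alone will not clean the host until those processes are terminated or the machine is rebooted with the Run value removed, so follow the removal instructions above rather than deleting files by hand.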