
02.03.2009, 14:00
Regular
Registered: 16.02.2008
Posts: 395
With us: 9596153
Reputation: 96
Basically, here it is:
Malware name: Trojan.Crypt.XDR.Gen
Type: Trojan
Affected platform: Win32
Media-Type: application/executable
MD5 checksum: 4E0F29C062AF92C9E1AF19D4635BDB34
Static file: yes
Filesize: 158,720 Bytes
Alias names (also known as): Sophos Troj/Agent-BUC; McAfee Generic.di; CA ETrust Win32/Pipown!generic
Protection: Webwasher Anti Malware 6036.49.x
Side effects: Drops a file; Drops malicious files; Registry modification
Propagation: No own spreading routine
Description:
Files
Copies itself to the following folders:
• %SYSDIR%\ISASS.exe
• %WINDIR%\Resources\Empty.bat
• %WINDIR%\Media\msconfig.bat
• %WINDIR%\security\kernel32.bat
• %WINDIR%\system32.exe
• %ALLUSERSPROFILE%\Start Menu\Programs\Startup\Temp.pif
• %SYSDIR%\LNETINFO.exe
• %home%\My Documents\Data %computer name%.exe
• %SYSDIR%\Kiamat.exe
• %home%\My Documents\%all subdirectories%\%current directory%.exe
Creates files:
– %WINDIR%\security\ms.inf
Registry
Adds itself to the registry:
– HKCU\Software\Microsoft\Windows\CurrentVersion\Run
• "msconfig"="%WINDIR%\Media\msconfig.bat"
– HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
• "Kiamat Sudah Dekat_16_04"="%SYSDIR%\ISASS.exe"
The following registry key is added:
– HKCU\Software\Policies\Microsoft\CurrentVersion\Policies\Explorer
• "NoFind"=dword:00000001
The following registry keys are modified:
Disable Regedit and Task Manager:
– HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
New value:
• "DisableRegistryTools"=dword:00000001
• "DisableTaskMgr"=dword:00000001
– HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Old value:
• "Hidden"=%user defined settings%
• "HideFileExt"=%user defined settings%
New value:
• "Hidden"=dword:00000002
• "HideFileExt"=dword:00000001
– HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Old value:
• "Shell"="Explorer.exe"
New value:
• "Shell"="Explorer.exe "%WINDIR%\Resources\Empty.bat""
– HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
New value:
• "DisableCMD"=dword:00000001
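An added example, not part of the original post or of the vendor report it quotes: a read-only PowerShell audit that checks a host for the registry values and the fixed-location dropped files listed in the report above. Mapping %WINDIR% to `$env:SystemRoot` and %SYSDIR% to `$env:SystemRoot\System32`, and the wildcard patterns used for the string values, are my assumptions; paths containing %home% or %computer name% are left out because they depend on the user.

```powershell
# Added example (not part of the original post): read-only audit of the registry
# values and dropped-file paths listed in the report. Each indicator pairs a
# key/value with the data the report says the malware writes. Nothing is changed.

$indicators = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run';                Name = 'msconfig';                 Data = '*\Media\msconfig.bat' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';                Name = 'Kiamat Sudah Dekat_16_04'; Data = '*\ISASS.exe' },
    @{ Path = 'HKCU:\Software\Policies\Microsoft\CurrentVersion\Policies\Explorer'; Name = 'NoFind';                   Data = 1 },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';    Name = 'DisableRegistryTools';     Data = 1 },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';    Name = 'DisableTaskMgr';           Data = 1 },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';    Name = 'DisableCMD';               Data = 1 },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon';        Name = 'Shell';                    Data = 'Explorer.exe *Empty.bat*' }
)
# Hidden=2 / HideFileExt=1 are also stock Windows defaults, so they only corroborate.
$weak = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name = 'Hidden';      Data = 2 },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name = 'HideFileExt'; Data = 1 }
)
# Dropped files whose location resolves without per-user knowledge (%WINDIR% = $env:SystemRoot
# and %SYSDIR% = $env:SystemRoot\System32 are assumptions; %home% paths are omitted).
$files = @("$env:SystemRoot\System32\ISASS.exe",    "$env:SystemRoot\Resources\Empty.bat",
           "$env:SystemRoot\Media\msconfig.bat",    "$env:SystemRoot\security\kernel32.bat",
           "$env:SystemRoot\security\ms.inf",       "$env:SystemRoot\system32.exe",
           "$env:SystemRoot\System32\LNETINFO.exe", "$env:SystemRoot\System32\Kiamat.exe")

function Test-Indicator {
    param([hashtable]$Ind)
    if (-not (Test-Path -LiteralPath $Ind.Path)) { return $null }
    $key = Get-Item -LiteralPath $Ind.Path
    if ($key.GetValueNames() -notcontains $Ind.Name) { return $null }
    $current = $key.GetValue($Ind.Name)
    # Strings are matched with wildcards so the expanded %WINDIR%/%SYSDIR% prefix does not matter
    $hit = if ($Ind.Data -is [string]) { "$current" -like $Ind.Data } else { $current -eq $Ind.Data }
    [pscustomobject]@{ Path = $Ind.Path; Name = $Ind.Name; Current = $current; Matches = $hit }
}

$findings      = $indicators | ForEach-Object { Test-Indicator $_ } | Where-Object { $_ -and $_.Matches }
$corroborating = $weak       | ForEach-Object { Test-Indicator $_ } | Where-Object { $_ -and $_.Matches }
$present       = $files      | Where-Object { Test-Path -LiteralPath $_ }

if ($findings -or $present) {
    Write-Host "Indicators from the report found on this host:"
    $findings | Format-Table Path, Name, Current -AutoSize | Out-Host
    $present  | ForEach-Object { Write-Host "Dropped-file path present: $_" }
    if ($corroborating) { Write-Host "Explorer view settings (Hidden/HideFileExt) also match the report." }
} else {
    Write-Host "No registry values or file paths from the report were found."
}
```

Run it in an elevated session so the HKLM Run and Winlogon keys are readable; a hit on DisableRegistryTools, DisableTaskMgr or DisableCMD on a machine with no such policy deployed is the strongest single signal in this list.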