Home / malwarePDF  

Trojan:Win32/Shapouf.C


First posted on 01 July 2014.
Source: Microsoft

Aliases :

There are no other names known for Trojan:Win32/Shapouf.C.

Explanation :

Threat behavior

Installation

Trojan:Win32/Shapouf.C copies itself to the following locations:

  • \rundll32.exe
  • c:\documents and settings\administrator\application data\csrss.exe
Note: refers to a variable location that the malware determines by querying your operating system. The default installation location for the system folder in Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32. The malware changes the following registry entries so that it runs each time you start your PC:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "Client Server Runtime Process"
With data: "c:\documents and settings\administrator\application data\csrss.exe"

Payload

Stops processes

Trojan:Win32/Shapouf.C can stop the following processes:

  • svchost.exe
Changes system security settings

The malware adds itself to the list of applications that can access the Internet without being stopped by your firewall. It does this by making the following registry modification:

Adds value: "Client Server Runtime Process"
With data: "c:\documents and settings\administrator\application data\csrss.exe:*:enabled:client server runtime process"
To subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List Contacts remote host
The malware might contact a remote host at 46.165.240.141 using port 9026. Commonly, malware does this to:
  • Report a new infection to its author
  • Receive configuration or other data
  • Download and run files, including updates or other malware
  • Receive instructions from a remote hacker
  • Upload data taken from your PC
This malware description was produced and published using automated analysis of file SHA1 d75b44988c0df668dc04eadb5b8e0174db8df7ce.Symptoms

System changes

The following could indicate that you have this threat on your PC:

  • You have these files:

    \rundll32.exe
    c:\documents and settings\administrator\application data\csrss.exe
  • You see these entries or keys in your registry:

    Sets value: "Client Server Runtime Process"
    With data: "c:\documents and settings\administrator\application data\csrss.exe"
    In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    Sets value: "Client Server Runtime Process"
    With data: "c:\documents and settings\administrator\application data\csrss.exe:*:enabled:client server runtime process"
    In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List

Last update 01 July 2014

 

TOP

Malware :

Family: