
Trojan.Crypt.DE


First posted on 21 November 2011.
Source: BitDefender

Aliases:

Trojan.Crypt.DE is also known as Virtool:Win32/Obfuscator.AP, Trojan.MulDrop.15722, PWS-OnlineGames.av, Win32/TrojanDropper.Agent.NJR.

Explanation:

This malware is a dropper that creates a file named tt.exe, 1.exe or 2.exe in the %WINDIR% folder. The dropped file is detected as Packer.Malware.NSAnti.AO. After executing this file, the dropper deletes itself.

The dropped file creates a registry key to make sure it is executed after every reboot, and drops two files, tavo.exe and tavo0.dll, in the %WINDIR%/system32 folder. It then hijacks explorer.exe and injects one of its components, tavo0.dll, into each running process.

The purpose of these components is to steal online game accounts used to access http://tw.gamania.com/.

Last update 21 November 2011

 
