
Win32/Crowti


First posted on 10 June 2014.
Source: Microsoft

Aliases :

There are no other names known for Win32/Crowti.

Explanation :

Threat behavior

Installation

This threat can be downloaded by other malware, such as TrojanDownloader:Win32/Onkods or TrojanDownloader:Win32/Upatre. It can also be downloaded when you click on a link in a spam email with a file name similar to Fax-.zip or incoming_wire_report.zip.

Win32/Crowti installs a randomly named copy of itself in any of these paths:

  • c:\\.exe
  • %APPDATA%\.exe
  • \programs\startup\.exe


It modifies one of the following registry entries so that it runs each time you start your PC:

In subkey: HKU\Registry\User\\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: ""
With data: "c:\\.exe"

In subkey: HKU\Registry\User\\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: ""
With data: "c:\\.exe"

In subkey: HKU\Registry\User\\Software\Microsoft\Windows\CurrentVersion\RunOnce
Sets value: "*"
With data: "c:\\.exe"

Examples of could be:

  • 3d0bbc8
  • 7716b6d


Payload

This malware can encrypt the files on your PC using a public key. The files can only be decrypted with the matching private key, which is stored on a remote server.

It then displays a lock screen similar to those shown below, telling you that you can recover the files by following a personal link to a Tor webpage that demands payment in Bitcoin.

Crowti also deletes shadow copies to stop you from restoring your files from a local backup.

Analysis by Marianne Mallen

Symptoms

The following could indicate that you have this threat on your PC:

  • You have these files:

    c:\\.exe
    %APPDATA%\.exe
    \programs\startup\.exe
  • You see these entries or keys in your registry:


In subkey: HKU\Registry\User\\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: ""
With data: "c:\\.exe"

In subkey: HKU\Registry\User\\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: ""
With data: "c:\\.exe"

In subkey: HKU\Registry\User\\Software\Microsoft\Windows\CurrentVersion\RunOnce
Sets value: ""
With data: "c:\\.exe"

  • You see one of these lock screens:
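The installation paths and the Run/RunOnce entries listed above can be checked on a host with the following PowerShell script. It is an added example and not part of the Microsoft write-up; the function name, the location patterns and the decision to match by path shape (since the random file and folder names are unknown) are my own assumptions.

```powershell
# Added example (not from the original advisory): enumerate every loaded user
# hive's Run and RunOnce keys and flag autostart entries that match the
# Crowti persistence pattern: an .exe one folder below the drive root,
# directly in %APPDATA%, or in the Start Menu Startup folder, and RunOnce
# value names prefixed with "*".
function Get-CrowtiLikeAutorun {
    [CmdletBinding()]
    param()

    # Assumption: these location patterns hold for every user profile, so the
    # AppData and Startup locations are matched by path suffix rather than by
    # the current user's environment variables.
    $patterns = @{
        'exe in a folder directly under the drive root' = '^[A-Za-z]:\\[^\\]+\\[^\\]+\.exe$'
        'exe directly in the AppData\Roaming root'      = '\\AppData\\Roaming\\[^\\]+\.exe$'
        'exe in the Start Menu Startup folder'          = '\\Programs\\Startup\\[^\\]+\.exe$'
    }

    foreach ($hive in Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue) {
        foreach ($keyName in 'Run', 'RunOnce') {
            $keyPath = Join-Path $hive.PSPath "Software\Microsoft\Windows\CurrentVersion\$keyName"
            if (-not (Test-Path -LiteralPath $keyPath)) { continue }
            $key = Get-Item -LiteralPath $keyPath

            foreach ($valueName in $key.GetValueNames()) {
                $data    = [string]$key.GetValue($valueName)
                $reasons = @()

                # Strip surrounding quotes and any trailing arguments before matching.
                $exePath = ($data.Trim().Trim('"') -split '\.exe\b')[0] + '.exe'
                foreach ($label in $patterns.Keys) {
                    if ($exePath -match $patterns[$label]) { $reasons += $label }
                }
                # A RunOnce value whose name starts with "*" is also run in Safe Mode.
                if ($keyName -eq 'RunOnce' -and $valueName.StartsWith('*')) {
                    $reasons += 'RunOnce value name prefixed with *'
                }

                if ($reasons.Count -gt 0) {
                    [pscustomobject]@{
                        Hive   = $hive.PSChildName
                        Key    = $keyName
                        Value  = $valueName
                        Data   = $data
                        Reason = ($reasons -join '; ')
                    }
                }
            }
        }
    }
}

Get-CrowtiLikeAutorun | Format-Table -AutoSize
```

Run it from an elevated prompt so that all loaded user hives under HKEY_USERS are readable; a hit is a lead for triage, not proof of infection, since legitimate software occasionally uses the same locations.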

Last update 10 June 2014
