Trojan:Win32/Crastic.gen!A
First posted on 21 June 2013.
Source: Microsoft
Aliases:
Trojan:Win32/Crastic.gen!A is also known as Trojan.Win32.Agent.wzin (Kaspersky), winpe/Suspicious_Gen4.AHTWK (Norman), Agent3.BQJZ (AVG), BDS/Backdoor.Gen6 (Avira), Trojan.Generic.7859231 (BitDefender), Trojan.Siggen5.13983 (Dr.Web), W32/Agent.UGV!tr (other), Win32/Agent.UGV (ESET), Worm.Autorun!496E (Rising AV).
Explanation:
Installation
This trojan is installed and run by another threat that we detect as Trojan:Win32/Crastic.gen!B. Trojan:Win32/Crastic.gen!B is copied to removable drives, such as USB flash drives. When run, Trojan:Win32/Crastic.gen!B creates the file %windir%/csrss.dll.
Trojan:Win32/Crastic.gen!B installs Trojan:Win32/Crastic.gen!A as a service.
Trojan:Win32/Crastic.gen!A modifies the following registry entries to create the service:
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\Wcsrss\Parameters
Sets value: "ServiceDll"
With data: "%SystemRoot%\csrss.dll"
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\Wcsrss
Sets value: "ImagePath"
With data: "%SystemRoot%\system32\svchost.exe -k Wcsrss"
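The two registry entries above are the persistence indicator a responder can sweep for on other machines. The Python below is an added example, not part of Microsoft's analysis or tooling: it parses a reg.exe export of the Services hive and flags svchost-hosted services whose ServiceDll lives outside System32 or borrows the csrss name. The .reg excerpt is constructed (the Dnscache entries stand in for a legitimate svchost-hosted service); the _hex2 helper, the function names and the assumption that %SystemRoot% resolves to C:\Windows are mine.

```python
"""Sweep a Windows registry export for svchost-hosted services whose
ServiceDll matches the Crastic persistence pattern (added example; the
sample export below is constructed, not captured from an infected host)."""
import re

SERVICES_ROOT = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\"
SYSTEM32 = "c:\\windows\\system32\\"  # assumed %SystemRoot% location


def _hex2(s):
    """Encode a string the way reg.exe exports REG_EXPAND_SZ (hex(2):...)."""
    return "hex(2):" + ",".join(f"{b:02x}" for b in (s + "\0").encode("utf-16-le"))


# Constructed excerpt in the layout `reg export` produces. ImagePath values
# are REG_EXPAND_SZ on real systems, hence the hex(2) form.
SAMPLE_REG_EXPORT = "\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    "[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Dnscache]",
    '"ImagePath"=' + _hex2("%SystemRoot%\\system32\\svchost.exe -k NetworkService"),
    "",
    "[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Dnscache\\Parameters]",
    '"ServiceDll"=' + _hex2("%SystemRoot%\\System32\\dnsrslvr.dll"),
    "",
    "[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Wcsrss]",
    '"ImagePath"=' + _hex2("%SystemRoot%\\system32\\svchost.exe -k Wcsrss"),
    "",
    "[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Wcsrss\\Parameters]",
    '"ServiceDll"="%SystemRoot%\\\\csrss.dll"',  # .reg doubles backslashes in strings
])


def _unescape(s):
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Return {key_path: {value_name: string}} for quoted (REG_SZ) and
    hex(2) (REG_EXPAND_SZ) values; other value types are skipped."""
    # reg.exe wraps long hex runs with a trailing backslash; rejoin them first.
    text = re.sub(r",\\\r?\n\s*", ",", text)
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        if current is None or not line.startswith('"'):
            continue
        m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if not m:
            continue
        name, raw = _unescape(m.group(1)), m.group(2)
        if raw.startswith('"') and raw.endswith('"'):
            keys[current][name] = _unescape(raw[1:-1])
        elif raw.startswith("hex(2):"):
            data = bytes(int(b, 16) for b in raw[7:].split(",") if b)
            keys[current][name] = data.decode("utf-16-le").rstrip("\0")
    return keys


def find_suspicious_service_dlls(keys):
    """Return [(service_name, service_dll, [reasons])] for hosted services
    whose DLL is outside System32 or is named after the csrss process."""
    findings = []
    for path, values in keys.items():
        if not path.startswith(SERVICES_ROOT) or not path.lower().endswith("\\parameters"):
            continue
        dll = values.get("ServiceDll")
        if dll is None:
            continue
        service_key = path[: -len("\\Parameters")]
        service = service_key[len(SERVICES_ROOT):]
        image = keys.get(service_key, {}).get("ImagePath", "")
        hosted = "svchost.exe" in image.lower()
        norm = dll.lower().replace("%systemroot%", "c:\\windows").replace("%windir%", "c:\\windows")
        reasons = []
        if hosted and not norm.startswith(SYSTEM32):
            reasons.append("svchost-hosted ServiceDll outside System32")
        if norm.rsplit("\\", 1)[-1] == "csrss.dll":
            reasons.append("DLL named after the csrss.exe system process")
        if reasons:
            findings.append((service, dll, reasons))
    return findings


if __name__ == "__main__":
    for service, dll, reasons in find_suspicious_service_dlls(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f"{service}: ServiceDll={dll} ({'; '.join(reasons)})")
```

Real reg.exe output is UTF-16 with a BOM, so read a captured file with open(path, encoding="utf-16") before passing it in. The "outside System32" rule is a triage heuristic: a few legitimate third-party services host DLLs elsewhere, so treat a hit as something to verify against the file on disk, not as a verdict on its own.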
Trojan:Win32/Crastic.gen!A uses the following techniques to make analysis more difficult:
- Only running from a removable drive
- Detecting reverse engineering software such as OllyDbg, WinDbg, Process Explorer and Wireshark
- Detecting emulation environments, such as VirtualBox, Hyper-V and VMware
The trojan will stop running if it finds any of these reverse engineering or emulation environments on your computer.
Payload
Steals sensitive information
Trojan:Win32/Crastic.gen!A may log your keystrokes to steal your sensitive information, such as your user names, passwords, and information about your computer. It sends this information to the remote host nightgood.info.
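The remote host named above is the network indicator for this payload. The following Python is an added example, not part of Microsoft's write-up: it sweeps DNS query logs for lookups of that host or any name beneath it and groups hits by client, which gives a list of machines to check for the Wcsrss service. The log lines are constructed in a simple timestamp/client/query layout (a real resolver log needs its own line pattern), and the function names are mine.

```python
"""Find clients that resolved the Crastic C2 host in a DNS query log
(added example; the log lines are constructed, not real captures)."""
import re
from collections import defaultdict

# Indicator from the write-up; subdomains of it are matched as well.
C2_HOSTS = {"nightgood.info"}

# Constructed sample in a "timestamp client_ip queried_name" layout.
# Line 3 is a deliberate near-miss that must not match.
SAMPLE_DNS_LOG = """\
2013-06-21T09:14:02Z 10.0.5.17 update.microsoft.com.
2013-06-21T09:14:05Z 10.0.5.17 NightGood.info.
2013-06-21T09:15:11Z 10.0.5.42 notnightgood.info.
2013-06-21T09:16:40Z 10.0.5.17 www.nightgood.info
2013-06-21T09:17:03Z 10.0.5.88 example.org.
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)$")


def normalize_name(name):
    """Lower-case and drop the trailing dot so 'Foo.Example.' == 'foo.example'."""
    return name.rstrip(".").lower()


def matches_indicator(qname, indicators=C2_HOSTS):
    """True for the indicator itself or any label beneath it; a name that
    merely ends with the same characters (notnightgood.info) is not a hit."""
    q = normalize_name(qname)
    return any(q == ind or q.endswith("." + ind) for ind in indicators)


def sweep_dns_log(text, indicators=C2_HOSTS):
    """Return {client_ip: [(timestamp, normalized_qname), ...]} for hits."""
    hits = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed layout
        if matches_indicator(m["qname"], indicators):
            hits[m["client"]].append((m["ts"], normalize_name(m["qname"])))
    return dict(hits)


if __name__ == "__main__":
    for client, lookups in sweep_dns_log(SAMPLE_DNS_LOG).items():
        print(client, "->", ", ".join(f"{ts} {name}" for ts, name in lookups))
```

Matching on the normalized name with an explicit "." boundary is what keeps notnightgood.info out of the results; a plain substring search would report it. A client that appears here is a candidate for the registry sweep, not a confirmed infection, since a lookup can also come from a security tool or a curious user.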
Deletes System Restore points
This trojan deletes restore points created by System Restore. This makes it difficult to return your computer back to a pre-infected state.
Analysis by Zhitao Zhou
Last update 21 June 2013