Trojan:Win32/Cryptrun.B
First posted on 10 February 2010.
Source: SecurityHome
Aliases:
Trojan:Win32/Cryptrun.B is also known as Muster.e (McAfee), BKDR_AGENT.AABY (Trend Micro).
Explanation:
Trojan:Win32/Cryptrun.B is a trojan that connects to a remote server in order to retrieve and execute commands on the affected computer.
Installation
Trojan:Win32/Cryptrun.B may be dropped to %systemroot%\system32\UpgradeUI.exe and installed to run at system start by Trojan:Win32/Cryptrun.B!sys.
Payload
Allows unauthorized access and control
Upon running, Trojan:Win32/Cryptrun.B renames its own file to "~Nby<random number>" and deletes the following registry entry, which was used to load itself at system start:
Removes value: "AutoPatch"
From subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Trojan:Win32/Cryptrun.B connects to a remote server in order to report the infection and to retrieve commands. In the wild we observed one sample attempting to contact IP address 202.215.53.178 for this purpose. However, this server was no longer available at the time of publishing.
Trojan:Win32/Cryptrun.B can perform the following operations, depending on which commands are retrieved:
Download and upload files
Load a command line (cmd.exe) shell
Execute specific files
List files, directories, processes and modules
List network shares
Delete files
Terminate processes
Retrieve the infected computer's host name and IP address
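A host-side check for the artifacts described in this entry, written as an added example rather than tooling from Microsoft or the analyst: it looks for the dropped UpgradeUI.exe, leftover "~Nby<number>" files, the AutoPatch Run value, and any live TCP connection to the address observed in the wild. The file name, registry value and IP address come from the description; the assumption that the renamed file stays in System32 and that the random suffix is numeric is mine.

```powershell
# Hunt for Trojan:Win32/Cryptrun.B artifacts on the local host.
# Added example; assumes the renamed "~Nby<number>" file remains in
# System32 (the write-up does not say where it is placed).
$findings = @()
$sys32 = Join-Path $env:SystemRoot 'System32'

# 1. Dropped executable named in the Installation section
$dropped = Join-Path $sys32 'UpgradeUI.exe'
if (Test-Path -LiteralPath $dropped) {
    $hash = (Get-FileHash -LiteralPath $dropped -Algorithm SHA256).Hash
    $findings += "Dropped file present: $dropped (SHA256 $hash)"
}

# 2. Renamed copies "~Nby<random number>" (location and numeric suffix assumed)
Get-ChildItem -LiteralPath $sys32 -Filter '~Nby*' -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '^~Nby\d+$' } |
    ForEach-Object { $findings += "Renamed trojan file: $($_.FullName)" }

# 3. Run value used for persistence. The trojan deletes it once it runs,
#    so finding it still present is itself worth noting.
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$autoPatch = Get-ItemProperty -Path $runKey -Name 'AutoPatch' -ErrorAction SilentlyContinue
if ($autoPatch) {
    $findings += "Run value AutoPatch -> $($autoPatch.AutoPatch)"
}

# 4. Live connection to the address one sample was seen contacting
$c2 = '202.215.53.178'
Get-NetTCPConnection -RemoteAddress $c2 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $findings += "Connection to $c2 from PID $($_.OwningProcess) ($($_.State))"
    }

if ($findings.Count -eq 0) {
    Write-Output 'No Cryptrun.B artifacts found.'
} else {
    $findings | ForEach-Object { Write-Output $_ }
}
```

Run from an elevated prompt so that System32 and HKLM are fully readable; Get-NetTCPConnection requires Windows 8 / Server 2012 or later.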
Analysis by Shawn Wang
Last update 10 February 2010