O97M.Crigent
First posted on 04 April 2014.
Source: Symantec
Aliases:
There are no other names known for O97M.Crigent.
Explanation:
The infected Microsoft Word and Microsoft Excel files contain macro code that executes a Microsoft PowerShell script.
It then connects to the following remote locations in order to download additional files:
gg.ibiz.cc
i.vankin.de
The downloaded files are saved to the following locations:
%UserProfile%\Application Data\[GUID]\tor.exe
%UserProfile%\Application Data\[GUID]\polipo.exe
Next, tor.exe is used to connect to the following location and download an additional Microsoft PowerShell script:
http://powerwormjqj42hu.onion/get.php?s=setup&mom=[GUID ONE]&uid=[GUID TWO]
It then uses polipo.exe to open a Web proxy using port 8123. This proxy is used by tor.exe to connect to the Tor network.
Last update 04 April 2014
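The infection chain above (Office macro launching PowerShell, downloads from the two listed hosts, tor.exe and polipo.exe dropped under a GUID-named Application Data folder, and a local proxy on port 8123) can be turned into host-based detection logic. The following is an added example, not Symantec's code; the event records, their field names and the sample telemetry are constructed for illustration.

```python
import re

# Indicators from the write-up above; the GUID folder name varies per host,
# so it is matched by pattern rather than by value.
GUID = r"\{?[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}\}?"
DROP_PATH = re.compile(r"\\Application Data\\" + GUID + r"\\(tor|polipo)\.exe$", re.I)
DOWNLOAD_HOSTS = {"gg.ibiz.cc", "i.vankin.de"}
OFFICE_PARENTS = {"winword.exe", "excel.exe"}
POLIPO_PORT = 8123

def check_process(ev):
    """Office application spawning PowerShell: the macro stage of the chain."""
    if ev["image"].lower() == "powershell.exe" and ev["parent"].lower() in OFFICE_PARENTS:
        return "office_spawned_powershell"
    return None

def check_file(ev):
    """tor.exe / polipo.exe written under %UserProfile%\\Application Data\\<GUID>\\."""
    m = DROP_PATH.search(ev["path"])
    return f"dropped_{m.group(1).lower()}" if m else None

def check_network(ev):
    """Contact with the download hosts, or polipo listening on its proxy port."""
    if ev.get("remote_host", "").lower() in DOWNLOAD_HOSTS:
        return "download_host_contact"
    if ev.get("listening") and ev.get("local_port") == POLIPO_PORT and ev["image"].lower() == "polipo.exe":
        return "polipo_proxy_listening"
    return None

CHECKS = {"process": check_process, "file": check_file, "network": check_network}

def score_events(events):
    """Return the sorted set of Crigent indicators matched across a host's events."""
    hits = set()
    for ev in events:
        hit = CHECKS[ev["type"]](ev)
        if hit:
            hits.add(hit)
    return sorted(hits)

# Constructed sample telemetry (hypothetical field layout, not a real capture).
SAMPLE_EVENTS = [
    {"type": "process", "image": "powershell.exe", "parent": "WINWORD.EXE"},
    {"type": "network", "image": "powershell.exe", "remote_host": "gg.ibiz.cc", "remote_port": 80},
    {"type": "file", "path": r"C:\Documents and Settings\alice\Application Data\{3F2504E0-4F89-11D3-9A0C-0305E82C3301}\tor.exe"},
    {"type": "file", "path": r"C:\Documents and Settings\alice\Application Data\{3F2504E0-4F89-11D3-9A0C-0305E82C3301}\polipo.exe"},
    {"type": "network", "image": "polipo.exe", "listening": True, "local_port": 8123},
    {"type": "file", "path": r"C:\Program Files\Tor Browser\Browser\TorBrowser\Tor\tor.exe"},  # legitimate install, must not match
]

if __name__ == "__main__":
    print(score_events(SAMPLE_EVENTS))
```

A single hit (a Tor binary on disk, or an Office-spawned PowerShell) is weak on its own; the combination of the drop path pattern, the download hosts and the 8123 listener is what ties a host to this family.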