MSIL/Gruf [Threat Name]

MSIL/Gruf.A [Threat Variant Name]

Category trojan
Size 59392 B
Detection created Mar 11, 2015
Detection database version 11304
Short description

The trojan serves as a backdoor. It can be controlled remotely.

Installation

When executed, the trojan copies itself into some of the following locations:

  • %windir%\System32\iscsitrg.exe
  • %appdata%\Microsoft\ctfmon.exe
  • %commonappdata%\Microsoft\ctfmon.exe
  • %temp%\%variable%\svchost.exe
  • %temp%\%variable%\conhost.exe
  • %temp%\%variable%\csrss.exe

A string with variable content is used instead of %variable%.

The trojan registers itself as a system service using the following name:

  • iscsitrg

This way the trojan ensures that the file is executed on every system start.


In order to be executed on every system start, the trojan sets the following Registry entries:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "CTFMON" = ""%commonappdata%\Microsoft\ctfmon.exe" u"
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    • "CTFMON" = ""%appdata%\Microsoft\ctfmon.exe" u"

The trojan creates the following file:

  • %windir%\System32\pid.cur

The following Registry entry is set:

  • [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\iscsitrg]
    • "Description" = "Internet Small Computer System Interface"
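The persistence indicators above (drop paths, the iscsitrg service, the CTFMON Run values and the pid.cur marker file) can be turned into a host check. The following is an added example, not code from ESET or from this description: it matches the listed indicators against a host snapshot held in a plain dictionary, so it runs offline. The environment-variable expansions, the user name "alice" and the snapshot contents are constructed sample values; collecting a real snapshot from the Run keys, the service list and the file system is assumed to happen elsewhere and is not shown.

```python
import re
from typing import Dict, List, Tuple

# Indicator templates copied from the threat description. %variable% stands for
# a directory with variable name under %temp%, so it is matched as a wildcard.
DROP_PATHS = [
    r"%windir%\System32\iscsitrg.exe",
    r"%appdata%\Microsoft\ctfmon.exe",
    r"%commonappdata%\Microsoft\ctfmon.exe",
    r"%temp%\%variable%\svchost.exe",
    r"%temp%\%variable%\conhost.exe",
    r"%temp%\%variable%\csrss.exe",
    r"%windir%\System32\pid.cur",
]
SERVICE_NAME = "iscsitrg"
RUN_VALUE_NAME = "CTFMON"
RUN_KEYS = {
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
}

# Constructed expansions of the placeholders; real values differ per host.
ENV = {
    "%windir%": r"C:\Windows",
    "%appdata%": r"C:\Users\alice\AppData\Roaming",
    "%commonappdata%": r"C:\ProgramData",
    "%temp%": r"C:\Users\alice\AppData\Local\Temp",
}


def path_pattern(template: str) -> re.Pattern:
    """Compile an indicator template into an anchored, case-insensitive regex.
    Known placeholders are expanded from ENV; %variable% matches exactly one
    path component of any content."""
    parts = []
    for component in template.split("\\"):
        if component == "%variable%":
            parts.append(r"[^\\]+")
        else:
            parts.append(re.escape(ENV.get(component, component)))
    return re.compile("^" + r"\\".join(parts) + "$", re.IGNORECASE)


PATH_PATTERNS: List[Tuple[str, re.Pattern]] = [(t, path_pattern(t)) for t in DROP_PATHS]


def image_path(run_data: str) -> str:
    """Extract the executable path from Run value data such as
    '"C:\\ProgramData\\Microsoft\\ctfmon.exe" u' (quoted path plus argument)."""
    run_data = run_data.strip()
    if run_data.startswith('"'):
        end = run_data.find('"', 1)
        return run_data[1:end] if end > 0 else run_data[1:]
    return run_data.split(" ", 1)[0]


def find_indicators(snapshot: Dict) -> List[str]:
    """Return one finding string per indicator present in the snapshot.
    snapshot = {"files": [paths], "services": [names],
                "run_values": {registry_key: {value_name: value_data}}}"""
    findings = []
    for path in snapshot.get("files", []):
        for template, pattern in PATH_PATTERNS:
            if pattern.match(path):
                findings.append(f"file {path} matches {template}")
    for service in snapshot.get("services", []):
        if service.lower() == SERVICE_NAME:
            findings.append(f"service {service} is registered")
    for key, values in snapshot.get("run_values", {}).items():
        if key.lower() not in RUN_KEYS:
            continue
        for name, data in values.items():
            # The value name alone is not enough: ctfmon.exe is also a genuine
            # Windows binary, so only the listed drop locations count.
            if name.upper() != RUN_VALUE_NAME:
                continue
            target = image_path(data)
            if any(p.match(target) for _, p in PATH_PATTERNS):
                findings.append(f"Run value {name} under {key} points to {target}")
    return findings


# Constructed sample snapshot: four indicators from the description plus two
# legitimate entries (System32\svchost.exe and an unrelated Run value).
SAMPLE_SNAPSHOT = {
    "files": [
        r"C:\Windows\System32\iscsitrg.exe",
        r"C:\Windows\System32\pid.cur",
        r"C:\Users\alice\AppData\Local\Temp\k3j9x\svchost.exe",
        r"C:\Windows\System32\svchost.exe",
    ],
    "services": ["Dhcp", "iscsitrg"],
    "run_values": {
        r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run": {
            "CTFMON": r'"C:\ProgramData\Microsoft\ctfmon.exe" u',
            "Updater": r'"C:\Program Files\Example\updater.exe" /quiet',
        },
    },
}

if __name__ == "__main__":
    for line in find_indicators(SAMPLE_SNAPSHOT):
        print(line)
```

Matching the Run value by its target path rather than by the name CTFMON is the deliberate choice here: the legitimate ctfmon.exe lives in System32, and only the %appdata% and %commonappdata% copies listed in this description are indicators.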

Information stealing

The trojan collects the following information:

  • user name
  • user domain name
  • computer name
  • operating system version
  • CPU information
  • information about the operating system and system settings
  • list of files/folders on a specific drive
  • list of running processes

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.


It may perform the following actions:

  • set up a proxy server
  • various file system operations
  • various Registry operations
  • upload files to a remote computer
  • download files from a remote computer and/or the Internet
  • run executable files
  • send gathered information
  • terminate running processes
  • execute shell commands

The trojan displays a dialog box (its contents are not reproduced on this page).