Win32/CrisisHT [Threat Name]

Win32/CrisisHT.B [Threat Variant Name]

Category trojan
Size 1064448 B
Detection created Aug 03, 2015
Detection database version 12037
Aliases BackDoor.DaVinci.29 (Dr.Web)
Short description

Win32/CrisisHT.B is a trojan that steals passwords and other sensitive information. The trojan attempts to send the gathered information to a remote machine. It uses techniques common to rootkits.

Installation

When executed, the trojan creates the following files:

  • %localappdata%\Microsoft\oKaZW8vm\Jw-Sb_oy.q2v (674304 B, Win32/Boychi.Q)
  • %localappdata%\Microsoft\oKaZW8vm\A96qDGdz.NZy (100864 B)
  • %localappdata%\Microsoft\oKaZW8vm\HmJY-hDq.0MS (208896 B)
  • %localappdata%\Microsoft\oKaZW8vm\qjy97Jk_.hKQ (2976 B)
  • %localappdata%\Microsoft\oKaZW8vm\Intel(R) Wifi 0.36.xuqb

The following Registry entries are set:

  • [HKEY_CURRENT_USER\Software\Classes\xuqb_auto_file\shell\open\command]
    • "(Default)" = "%systemroot%\system32\rundll32.exe" "%localappdata%\Microsoft\oKaZW8vm\Jw-Sb_oy.q2v", u7432eddfP"
  • [HKEY_CURRENT_USER\Software\Classes\.xuqb]
    • "(Default)" = "xuqb_auto_file"
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "Intel(R) Wifi 0.36" = "%localappdata%\Microsoft\oKaZW8vm\Intel(R) Wifi 0.36.xuqb"

This causes the trojan to be executed on every system start.
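As an added defender-side example (not part of this ESET entry), the following Python script parses a constructed .reg-style export modelled on the chain above and flags Run entries that launch a file with a non-native extension whose per-user file association resolves to a rundll32 command. The parser, the sample export and the user profile path are assumptions; associations are resolved only within the same hive as the Run key, which is the HKCU pattern shown here.

```python
import os
import re
# Constructed .reg-style sample of the persistence chain described above (made-up profile path, not a real export).
SAMPLE_REG = r'''
[HKEY_CURRENT_USER\Software\Classes\.xuqb]
@="xuqb_auto_file"
[HKEY_CURRENT_USER\Software\Classes\xuqb_auto_file\shell\open\command]
@="\"C:\\Windows\\system32\\rundll32.exe\" \"C:\\Users\\u\\AppData\\Local\\Microsoft\\oKaZW8vm\\Jw-Sb_oy.q2v\",u7432eddfP"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Intel(R) Wifi 0.36"="C:\\Users\\u\\AppData\\Local\\Microsoft\\oKaZW8vm\\Intel(R) Wifi 0.36.xuqb"
"OneDrive"="C:\\Users\\u\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"
'''
NATIVE_EXTS = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js", ".ps1"}
_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')

def _unescape(s):
    return s.replace('\\"', '"').replace("\\\\", "\\")

def parse_reg(text):
    """Parse a .reg export into {key (lower-cased): {value name: string data}}; '@' becomes ''."""
    keys, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current and (m := _VALUE_RE.match(line)):
            name = "" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
            keys[current][name] = _unescape(m.group(2))
    return keys

def find_association_persistence(reg_text):
    """Flag Run entries whose target is launched through a custom file association (Classes\\.ext -> progid -> shell\\open\\command)."""
    keys, findings = parse_reg(reg_text), []
    for key, values in keys.items():
        if not key.endswith("\\currentversion\\run"):
            continue
        hive = key.split("\\", 1)[0]
        for name, cmd in values.items():
            # Launched file: the quoted token, else everything before the first switch-like argument (heuristic).
            path = cmd[1:cmd.find('"', 1)] if cmd.startswith('"') else re.split(r" (?=[/-])", cmd, maxsplit=1)[0]
            ext = os.path.splitext(path.replace("\\", "/"))[1].lower()
            if not ext or ext in NATIVE_EXTS:
                continue
            progid = keys.get(f"{hive}\\software\\classes\\{ext}", {}).get("", "")
            handler = keys.get(f"{hive}\\software\\classes\\{progid.lower()}\\shell\\open\\command", {}).get("", "")
            if not handler:
                continue
            findings.append({"run_value": name, "target": path, "extension": ext, "progid": progid,
                             "handler": handler, "rundll32_loader": "rundll32" in handler.lower()})
    return findings
```

On a live host the same logic applies to the output of `reg export HKCU\Software <file>`; a Run value that launches a made-up extension whose handler is rundll32 loading a DLL from %localappdata% is the pattern to triage.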


The trojan quits immediately if it detects certain security applications running.


The trojan quits immediately if it is run within a debugger.


The trojan creates and runs a new thread with its own program code in all running processes except the following:

  • avgarkt.exe
  • avgscanx.exe
  • avk.exe
  • avscan.exe
  • bgscan.exe
  • chrome.exe
  • FlashPlayerPlugin_*.exe
  • fsbl.exe
  • fsm32.exe
  • hackmon.exe
  • hiddenfinder.exe
  • IceSword.exe
  • ielowutil.exe
  • iexplore.exe
  • outlook.exe
  • pavark.exe
  • pcts*.exe
  • rku*.exe
  • rootkitbuster*.exe
  • RootkitRevealer.exe
  • sargui.exe
  • TaskMan.exe
  • taskmgr.exe
  • Unhackme.exe

The trojan executes the following command:

  • %system%\rundll32.exe "%localappdata%\Microsoft\oKaZW8vm\A96qDGdz.NZy",u7432eddfR

Information stealing

The trojan collects various sensitive information.


The following information is collected:

  • screenshots
  • a list of recently visited URLs
  • data from the clipboard
  • e-mail addresses
  • Windows Protected Storage passwords and credentials
  • information about the operating system and system settings
  • list of running processes
  • login user names for certain applications/services
  • login passwords for certain applications/services
  • CPU information
  • memory status
  • the list of installed software
  • available wireless networks
  • webcam video/voice
  • sent IM messages
  • list of disk devices and their type
  • list of files/folders on a specific drive
  • Bitcoin wallet contents

The trojan searches local drives for files with the following file extensions:

  • .bmp
  • .doc
  • .docx
  • .gif
  • .jpeg
  • .jpg
  • .odp
  • .ods
  • .odt
  • .pdf
  • .png
  • .pps
  • .ppsx
  • .ppt
  • .pptx
  • .rtf
  • .txt
  • .xls
  • .xlsx

The trojan attempts to send the found files to a remote machine.


Win32/CrisisHT.B tries to obtain information from the contact list of the affected user.


E-mail addresses are also searched for in the following program(s):

  • Microsoft Outlook
  • Skype
  • Google Mail (mail.google.com)
  • Yahoo Mail (yahoo.com)
  • Windows Live (live.com)
  • Facebook (facebook.com)
  • Twitter (twitter.com)

E-mail addresses are searched for in files with one of the following extensions:

  • .eml

The trojan is able to log keystrokes.


The trojan collects information related to the following applications:

  • Google Chrome
  • Google Talk
  • Internet Explorer
  • Microsoft Outlook
  • Mozilla Firefox
  • Mozilla Thunderbird
  • Opera Browser
  • Paltalk
  • Trillian
  • Windows Live

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan hides its presence in the system. It uses techniques common to rootkits.


The trojan acquires data and commands from a remote computer or the Internet.


It can execute the following operations:

  • "follow" users/posts on social networks
  • download files from a remote computer and/or the Internet
  • run executable files
  • update itself to a newer version
  • uninstall itself
  • make the operating system unbootable
  • send gathered information
  • record calls

The trojan hooks the following Windows APIs:

  • CreateProcessA (kernel32.dll)
  • CreateProcessW (kernel32.dll)
  • CreateProcessAsUserW (kernel32.dll)
  • CreateProcessAsUserA (advapi32.dll)
  • CreateProcessAsUserW (advapi32.dll)
  • NtQueryDirectoryFile (ntdll.dll)
  • ReadDirectoryChangesW (kernel32.dll)
  • NtQuerySystemInformation (ntdll.dll)
  • NtDeviceIoControlFile (ntdll.dll)
  • NtEnumerateValueKey (ntdll.dll)
  • NtQueryKey (ntdll.dll)
  • SendMessageW (user32.dll)
  • SetWindowTextW (user32.dll)
  • CreateWindowExA (user32.dll)
  • CreateWindowExW (user32.dll)
  • waveOutWrite (WINMM.dll)
  • waveInAddBuffer (WINMM.dll)
  • SendMessageTimeoutA (user32.dll)
  • SendMessageTimeoutW (user32.dll)
  • recv (ws2_32.dll)
  • send (ws2_32.dll)
  • WSARecv (ws2_32.dll)
  • IDirectSoundBuffer::GetCurrentPosition (dsound.dll)
  • IDirectSoundCaptureBuffer::GetCurrentPosition (dsound.dll)
  • IAudioRenderClient
  • IAudioCaptureClient
  • CreateFileW (kernel32.dll)
  • DeleteFileW (kernel32.dll)
  • MoveFileW (kernel32.dll)
  • GetMessageA (user32.dll)
  • GetMessageW (user32.dll)
  • PeekMessageA (user32.dll)
  • PeekMessageW (user32.dll)
  • ImmGetCompositionStringW (imm32.dll)
  • ReadConsoleInputA (kernel32.dll)
  • ReadConsoleInputW (kernel32.dll)
  • ReadConsoleA (kernel32.dll)
  • ReadConsoleW (kernel32.dll)
  • ReadConsoleInputExA (kernel32.dll)
  • ReadConsoleInputExW (kernel32.dll)
  • InternetGetCookieExW (wininet.dll)

The trojan contains both 32-bit and 64-bit program components.
