Win32/Crytes [Threat Name]

Win32/Crytes.AA [Threat Variant Name]

Category worm
Size 1578496 B
Detection created Mar 09, 2016
Detection database version 13153
Aliases Trojan.Win32.Miner.ays (Kaspersky)
  Trojan:Win32/CoinMiner.BB!bit (Microsoft)
  Win32:BitCoinMiner-IW.[Trj] (Avast)
Short description

Win32/Crytes.AA is a worm that uses the hardware resources of the infected computer for mining digital currency.

Installation

In order to be executed on every system start, the worm sets the following Registry entry:

  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion]
    • "Run" = %malwarefilepath%

The worm copies itself into the root folders of all drives using the following name:

  • %originalmalwarefilename%

Spreading

Win32/Crytes.AA is a worm that repeatedly tries to connect to various IP addresses.

The FTP protocol is used.

The following usernames are used:

  • admin
  • Admin
  • anonymous
  • ftp
  • www-data

The following passwords are used:

  • 000000
  • 111111
  • 123
  • 123123
  • 1234
  • 12345
  • 123456
  • 1234567
  • 12345678
  • 123456789
  • 1234567890
  • 123qwe
  • abc123
  • admin
  • Admin
  • admin123
  • administrator
  • anonymous
  • derok010101
  • devry
  • email@email.com
  • ftp
  • pass
  • pass1234
  • password
  • qwerty
  • test
  • windows
  • www-data

If it succeeds, a copy of the worm is retrieved from the attacking machine.

The following filename is used:

  • Photo.scr
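The FTP spreading described above leaves a recognisable trace on the server side: a burst of failed logins from one client cycling through the short username list. As an added defender-side example (not part of the ESET description), the following Python script parses vsftpd-style failed-login lines and flags clients that fail repeatedly with several usernames from the worm's list. The log line format, the sample lines and the thresholds are constructed assumptions for the example.

```python
import re
from collections import defaultdict

# Usernames the description says the worm tries over FTP.
WORM_USERNAMES = {"admin", "Admin", "anonymous", "ftp", "www-data"}

# vsftpd-style failed-login line (format assumed here for the example):
#   Wed Mar  9 10:01:02 2016 [pid 4123] [admin] FAIL LOGIN: Client "203.0.113.7"
LOG_RE = re.compile(r'\[(?P<user>[^\]]*)\] FAIL LOGIN: Client "(?P<ip>[^"]+)"')


def parse_failures(lines):
    """Map each client IP to the list of usernames that failed to log in."""
    failures = defaultdict(list)
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            failures[m.group("ip")].append(m.group("user"))
    return dict(failures)


def flag_bruteforce(lines, min_failures=5, min_worm_users=3):
    """Return {ip: summary} for clients whose failures look like the worm's spraying:
    at least min_failures failed logins and at least min_worm_users distinct
    usernames taken from the worm's list (both thresholds are assumptions)."""
    flagged = {}
    for ip, users in parse_failures(lines).items():
        worm_hits = sorted({u for u in users if u in WORM_USERNAMES})
        if len(users) >= min_failures and len(worm_hits) >= min_worm_users:
            flagged[ip] = {"failed_logins": len(users), "worm_usernames": worm_hits}
    return flagged


# Constructed sample log: one spraying client, one user typo, one unrelated noisy client.
SAMPLE_LOG = [
    'Wed Mar  9 10:01:02 2016 [pid 4123] [admin] FAIL LOGIN: Client "203.0.113.7"',
    'Wed Mar  9 10:01:02 2016 [pid 4124] [admin] FAIL LOGIN: Client "203.0.113.7"',
    'Wed Mar  9 10:01:03 2016 [pid 4125] [Admin] FAIL LOGIN: Client "203.0.113.7"',
    'Wed Mar  9 10:01:03 2016 [pid 4126] [anonymous] FAIL LOGIN: Client "203.0.113.7"',
    'Wed Mar  9 10:01:04 2016 [pid 4127] [ftp] FAIL LOGIN: Client "203.0.113.7"',
    'Wed Mar  9 10:01:04 2016 [pid 4128] [www-data] FAIL LOGIN: Client "203.0.113.7"',
    'Wed Mar  9 10:01:05 2016 [pid 4129] [admin] FAIL LOGIN: Client "203.0.113.7"',
    'Wed Mar  9 10:02:10 2016 [pid 4130] [alice] FAIL LOGIN: Client "198.51.100.4"',
    'Wed Mar  9 10:02:11 2016 [pid 4131] [alice] OK LOGIN: Client "198.51.100.4"',
    'Wed Mar  9 10:03:00 2016 [pid 4132] [backup] FAIL LOGIN: Client "192.0.2.9"',
    'Wed Mar  9 10:03:01 2016 [pid 4133] [backup] FAIL LOGIN: Client "192.0.2.9"',
    'Wed Mar  9 10:03:02 2016 [pid 4134] [backup] FAIL LOGIN: Client "192.0.2.9"',
    'Wed Mar  9 10:03:03 2016 [pid 4135] [backup] FAIL LOGIN: Client "192.0.2.9"',
    'Wed Mar  9 10:03:04 2016 [pid 4136] [backup] FAIL LOGIN: Client "192.0.2.9"',
]

if __name__ == "__main__":
    for ip, info in flag_bruteforce(SAMPLE_LOG).items():
        print(ip, info)
```

The username-overlap condition is what separates this worm's spraying from an ordinary noisy client: 192.0.2.9 also fails five times in the sample, but with an account that is not on the worm's list, so it is not flagged. On a real server the same logic would be applied to the FTP daemon's own log, and a flagged client is a candidate for blocking at the firewall and for checking whether Photo.scr was already uploaded.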

The worm also copies itself into existing subfolders.

The worm infects files with the following extensions:

  • .asp
  • .bml
  • .dhtm
  • .DHTM
  • .htm
  • .HTM
  • .htx
  • .mht
  • .php
  • .PHP
  • .phtm
  • .shtm
  • .xht
  • .xml
  • .XML

The worm inserts the following text marker into the infected files:

  • <iframe src=Photo.scr width=1 height=1 frameborder=0>
  • </iframe>
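The infected web files can be found and cleaned by searching for that marker. As an added example (not code from the ESET description), the following Python script walks a directory tree, restricts itself to the extensions listed above (compared case-insensitively, since the list contains both .htm and .HTM), reports every file containing the injected iframe, and strips it. The tolerance for quoted or re-spaced attributes in the pattern and the constructed sample tree are assumptions made for the example.

```python
import os
import re
import shutil
import tempfile

# Extensions the description lists as infection targets, compared case-insensitively.
TARGET_EXTENSIONS = {".asp", ".bml", ".dhtm", ".htm", ".htx", ".mht",
                     ".php", ".phtm", ".shtm", ".xht", ".xml"}

# The injected marker: <iframe src=Photo.scr width=1 height=1 frameborder=0></iframe>
# Files are handled as bytes so that non-UTF-8 content is neither garbled nor rewritten.
# Allowing quotes and extra attributes is an assumption; the page shows the unquoted form.
MARKER_RE = re.compile(
    rb'<iframe\s+src=["\']?Photo\.scr["\']?[^>]*>\s*</iframe>',
    re.IGNORECASE,
)


def is_target(path):
    return os.path.splitext(path)[1].lower() in TARGET_EXTENSIONS


def _target_files(root):
    """Yield (relative_posix_path, absolute_path) for every target-extension file."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if is_target(full):
                yield os.path.relpath(full, root).replace(os.sep, "/"), full


def scan_tree(root):
    """Return {relative_path: marker_count} for target files containing the marker."""
    hits = {}
    for rel, full in _target_files(root):
        try:
            with open(full, "rb") as fh:
                count = len(MARKER_RE.findall(fh.read()))
        except OSError:
            continue  # unreadable file: skip rather than abort the whole scan
        if count:
            hits[rel] = count
    return hits


def clean_tree(root):
    """Strip the marker from infected target files in place.
    Return {relative_path: markers_removed} for the files that were changed."""
    removed = {}
    for rel, full in _target_files(root):
        with open(full, "rb") as fh:
            data = fh.read()
        cleaned, count = MARKER_RE.subn(b"", data)
        if count:
            with open(full, "wb") as fh:
                fh.write(cleaned)
            removed[rel] = count
    return removed


def build_sample_tree():
    """Create a constructed directory: an infected .HTM, a clean .php, a twice-infected
    .xml in a subfolder, and a .txt carrying the marker (not a target extension)."""
    root = tempfile.mkdtemp(prefix="crytes_demo_")
    marker = b"<iframe src=Photo.scr width=1 height=1 frameborder=0></iframe>"
    samples = {
        "index.HTM": b"<html><body>hello</body></html>" + marker,
        "clean.php": b"<?php echo 'ok'; ?>",
        os.path.join("sub", "page.xml"): b"<root/>" + marker + marker,
        "notes.txt": marker,
    }
    for rel, content in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for rel, count in sorted(scan_tree(root).items()):
        print(f"{rel}: {count} marker(s)")
    print("removed:", clean_tree(root))
    print("after cleanup:", scan_tree(root))
    shutil.rmtree(root)
```

Cleaning the marker alone does not remove the worm: the Photo.scr copy placed in the same folders and the drive roots still has to be deleted, and the extension filter means a marker planted in a file type outside the list (the .txt in the sample) is deliberately left to a broader scan.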

Information stealing

The following information is collected:

  • login name
  • login password
  • list of files/folders on a specific drive
  • CPU information

The worm attempts to send gathered information to a remote machine.

Other information

The worm acquires data and commands from a remote computer or the Internet.

The worm contains a list of 13 URLs. The HTTP and FTP protocols are used in the communication.

The worm uses the hardware resources of the infected computer for mining digital currency.

The following file is dropped into the %temp% folder:

  • NsCpuMiner32.exe (1433600 B, Win32/BitCoinMiner.BX)

The file is then executed.

The worm creates the following files:

  • %temp%\pools.txt
