Win32/CsNowDown [Threat Name]

Win32/CsNowDown.D [Threat Variant Name]

Category trojan
Size 98304 B
Detection created Jun 05, 2012
Detection database version 7198
Short description

Win32/CsNowDown.D is a trojan which tries to download other malware from the Internet. The trojan is usually a component of other malware. It uses techniques common to rootkits.

Installation

When executed, the trojan creates the following files:

  • %windir%\System32\drivers\usbinckey.sys
  • %windir%\System32\cardctrl.exe
  • %windir%\System32\usbinckey.dll

If IZEX ComBack IR Pro is installed on the infected system, the trojan replaces the following files with a copy of itself:

  • %windir%\System32\userinit.exe
  • %windir%\System32\drivers\beep.sys
  • %windir%\drivers\FileMgr.sys

The following Registry entries are created:

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cardctrl]
    • "Type" = 16
    • "Start" = 2
    • "ErrorControl" = 1
    • "ImagePath" = "%windir%\System32\cardctrl.exe"
    • "DisplayName" = "Windows Cards Manager"
    • "ObjectName" = "LocalSystem"
  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\usbinckey]
    • "Type" = 1
    • "Start" = 1
    • "ErrorControl" = 1
    • "ImagePath" = "%windir%\System32\usbinckey.dll"
    • "DisplayName" = "usbinckey"
  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\FileMgr]
    • "Type" = 1
    • "Start" = 3
    • "ErrorControl" = 1
    • "ImagePath" = "%windir%\drivers\FileMgr.sys"
    • "DisplayName" = "FileMgr"

After the installation is complete, the trojan deletes the original executable file.
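As an added triage example (not code from this page or from ESET), the script below parses a .reg export of the Services key and flags the service entries listed above; it also goes one step beyond the page by flagging any kernel-driver service (Type 1) whose ImagePath is not a .sys file, the anomalous shape of the usbinckey entry. The registry export text is constructed for the example.

```python
import re

# Service names and image paths this page lists for CsNowDown.D.
KNOWN_BAD = {
    "cardctrl": r"%windir%\System32\cardctrl.exe",
    "usbinckey": r"%windir%\System32\usbinckey.dll",
    "FileMgr": r"%windir%\drivers\FileMgr.sys",
}
# Key line of a top-level service; subkeys such as \Parameters do not match.
SERVICES_RE = re.compile(r"\\Services\\([^\\\]]+)\]$", re.IGNORECASE)

def parse_reg_export(text):
    """Parse a .reg export into {service: {value: data}} (dwords as int, strings unescaped)."""
    services, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            m = SERVICES_RE.search(line)
            current = m.group(1) if m else None
            if current:
                services.setdefault(current, {})
        elif current and line.startswith('"') and '"=' in line:
            name, data = line[1:].split('"=', 1)
            if data.startswith("dword:"):
                data = int(data[6:], 16)
            elif len(data) >= 2 and data[0] == data[-1] == '"':
                data = data[1:-1].replace("\\\\", "\\")  # .reg doubles backslashes
            services[current][name] = data
    return services

def find_indicators(services):
    """Return (service, reason) pairs: page-listed entries, then the Type-1/non-.sys anomaly."""
    findings = []
    for name, values in services.items():
        image = str(values.get("ImagePath", "")).lower()
        if name in KNOWN_BAD and image == KNOWN_BAD[name].lower():
            findings.append((name, "matches CsNowDown.D service entry"))
        elif values.get("Type") == 1 and not image.endswith(".sys"):
            findings.append((name, "kernel-driver Type with non-.sys ImagePath"))
    return findings

# Constructed export: two entries from this page plus a benign driver as a control.
SAMPLE_EXPORT = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cardctrl]
"Type"=dword:00000010
"ImagePath"="%windir%\\System32\\cardctrl.exe"
"DisplayName"="Windows Cards Manager"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\usbinckey]
"Type"=dword:00000001
"ImagePath"="%windir%\\System32\\usbinckey.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Beep]
"Type"=dword:00000001
"ImagePath"="System32\\drivers\\beep.sys"
"""
```

On a live host, the same functions work on the output of `reg export HKLM\SYSTEM\CurrentControlSet\Services services.reg`, and the hit for cardctrl should be confirmed against the dropped files above rather than treated as proof on its own.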

Information stealing

The trojan collects the following information:

  • computer IP address
  • Internet Explorer version
  • operating system version
  • computer name
  • installed software

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan contains a URL address. It tries to download a file from the address. The file is then executed. The HTTP protocol is used.
