Win32/Crastic [Threat Name]

Win32/Crastic.A [Threat Variant Name]

Category worm
Size 821248 B
Detection created Dec 27, 2015
Detection database version 12780
Aliases W32/YahLover.worm.gen.virus (McAfee)
  Luhe.Fiha.A (AVG)
Short description

Win32/Crastic.A is a worm that steals passwords and other sensitive information. The worm may be spread via removable media. The file is run-time compressed using UPX.

Installation

When executed, the worm copies itself into the following location:

  • %temp%\Adobe_Flash_Player_20.%variable1%.%variable2%.exe

A string with variable content is used instead of %variable1-2%.


The worm creates the following file:

  • %windir%\csrss.dll (669184 B, Win32/Crastic.A)

The worm registers the file as a system service.


This causes the worm to be executed on every system start.


The following Registry entries are set:

  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet%lastknowngood%\Services\WindowsClientServerRunTimeSubsystem]
    • "Description" = "This service manages client to server coordination in the local system."
    • "DisplayName" = "Windows Client Server Runtime Subsystem"
    • "ImagePath" = "%systemroot%\system32\svchost.exe -k Wcsrss"
    • "ObjectName" = "LocalSystem"
    • "ErrorControl" = 0
    • "WOW64" = 1
    • "Start" = 2
    • "Type" = 16
    • "FailureActions" = %binvalue%
  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet%lastknowngood%\Services\WindowsClientServerRunTimeSubsystem\Parameters]
    • "ServiceDll" = "%systemroot%\csrss.dll"
  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet%current%\Services\WindowsClientServerRunTimeSubsystem\Parameters]
    • "ServiceDll" = "%systemroot%\csrss.dll"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
    • "Wcsrss" = "WindowsClientServerRunTimeSubsystem"
  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet%current%\SafeBoot\Minimal]
    • "WindowsClientServerRunTimeSubsystem" = "Service"
  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet%current%\SafeBoot\Network]
    • "WindowsClientServerRunTimeSubsystem" = "Service"
  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet%lastknowngood%\SafeBoot\Minimal]
    • "WindowsClientServerRunTimeSubsystem" = "Service"
  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet%lastknowngood%\SafeBoot\Network]
    • "WindowsClientServerRunTimeSubsystem" = "Service"

The worm may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet%current%\Services\Tcpip\Parameters]
    • "EnableBpc" = 1
  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet%lastknowngood%\Services\Tcpip\Parameters]
    • "EnableBpc" = 1

Instead of %current%, the value(s) are taken from the following Registry entry:

  • [HKEY_LOCAL_MACHINE\SYSTEM\Select\Current]

Instead of %lastknowngood%, the value(s) are taken from the following Registry entry:

  • [HKEY_LOCAL_MACHINE\SYSTEM\Select\LastKnownGood]
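The service persistence and the %current%/%lastknowngood% resolution described above can be turned into a host check. The following is an added example (not ESET's code and not the worm's), written here for defenders: it resolves the ControlSet names from the Select key, builds the expected indicator values from the listing, and reports which ones are present in a registry snapshot. The snapshot is a plain dict so the check runs offline; on a live Windows host the same key paths would be read with winreg. Both sample snapshots at the bottom are constructed.

```python
"""Added example (not ESET's or the worm's code): check a registry snapshot for
the Win32/Crastic.A service persistence listed above.

The snapshot is a plain dict {key_path: {value_name: value}} so the check runs
offline; on a live Windows host the same paths can be read with winreg.  The
sample snapshots at the bottom are constructed for illustration."""
from __future__ import annotations

SELECT_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\Select"
SVCHOST_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost"
SERVICE = "WindowsClientServerRunTimeSubsystem"   # service name from the listing
SVCHOST_GROUP = "Wcsrss"                           # svchost -k group from the listing
SERVICE_DLL = r"%systemroot%\csrss.dll"            # kept unexpanded, as in the listing


def resolve_control_sets(reg: dict) -> dict[str, str]:
    """Turn the %current% / %lastknowngood% placeholders into real ControlSet
    names using the Select key (e.g. Current = 1 -> ControlSet001)."""
    select = reg.get(SELECT_KEY, {})
    names = {}
    for placeholder, value_name in (("current", "Current"), ("lastknowngood", "LastKnownGood")):
        n = select.get(value_name)
        if isinstance(n, int) and n > 0:
            names[placeholder] = f"ControlSet{n:03d}"
    return names


def expected_indicators(control_sets: dict[str, str]) -> list[tuple[str, str, object]]:
    """Build (key, value name, expected value) triples for the entries the page lists."""
    indicators = [(SVCHOST_KEY, SVCHOST_GROUP, SERVICE)]
    # Entries the listing shows under both control sets; a set avoids duplicates
    # when Current and LastKnownGood point at the same ControlSet.
    for cs in sorted(set(control_sets.values())):
        base = rf"HKEY_LOCAL_MACHINE\SYSTEM\{cs}"
        indicators.append((rf"{base}\Services\{SERVICE}\Parameters", "ServiceDll", SERVICE_DLL))
        indicators.append((rf"{base}\SafeBoot\Minimal", SERVICE, "Service"))
        indicators.append((rf"{base}\SafeBoot\Network", SERVICE, "Service"))
    # The service definition itself is listed only under %lastknowngood%.
    lkg = control_sets.get("lastknowngood")
    if lkg:
        indicators.append((rf"HKEY_LOCAL_MACHINE\SYSTEM\{lkg}\Services\{SERVICE}",
                           "ImagePath", rf"%systemroot%\system32\svchost.exe -k {SVCHOST_GROUP}"))
    return indicators


def scan(reg: dict) -> list[tuple[str, str]]:
    """Return (key, value name) pairs whose stored value matches an indicator.
    Keys and string values are compared case-insensitively, as the registry is."""
    index = {k.lower(): {n.lower(): v for n, v in vals.items()} for k, vals in reg.items()}
    hits = []
    for key, name, expected in expected_indicators(resolve_control_sets(reg)):
        actual = index.get(key.lower(), {}).get(name.lower())
        if actual is None:
            continue
        if str(actual).strip().lower() == str(expected).lower():
            hits.append((key, name))
    return hits


# Constructed sample: an infected host whose Current and LastKnownGood both point at ControlSet001.
INFECTED = {
    SELECT_KEY: {"Current": 1, "LastKnownGood": 1},
    SVCHOST_KEY: {SVCHOST_GROUP: SERVICE},
    rf"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{SERVICE}": {
        "ImagePath": r"%systemroot%\system32\svchost.exe -k Wcsrss", "Start": 2},
    rf"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{SERVICE}\Parameters": {"ServiceDll": SERVICE_DLL},
    r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\SafeBoot\Minimal": {SERVICE: "Service"},
    r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\SafeBoot\Network": {SERVICE: "Service"},
}
# Constructed sample: a clean host.
CLEAN = {SELECT_KEY: {"Current": 1, "LastKnownGood": 1}}

if __name__ == "__main__":
    for key, name in scan(INFECTED):
        print(f"indicator present: {key} -> {name}")
```

The SafeBoot entries are worth checking on their own: a service that registers itself under SafeBoot\Minimal and SafeBoot\Network keeps running in Safe Mode, which is where many cleanup procedures are carried out.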

The worm may delete the following files:

  • %windir%\csrss.exe

The worm quits immediately if it is run within a debugger.


The worm terminates its execution if it detects that it's running in a specific virtual environment.


The worm quits immediately if any of the following applications is detected:

  • BufferZone
  • GeSWall
  • OllyDbg
  • Process Explorer
  • Process Monitor
  • SafeSpace
  • Sandboxie
  • WinDbg
  • WinPcap

Spreading on removable media

Win32/Crastic.A is a worm that can be spread via removable media.


The worm tries to download several files from the Internet.


These are stored in the following locations:

  • %removabledrive%\autorun.exe
  • %removabledrive%\pictures.exe
  • %removabledrive%\autorun.inf

The AUTORUN.INF file contains the path to the malware executable.


Thus, the worm ensures it is started each time infected media is inserted into the computer.
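When such media turns up during an incident, the first triage question is which file the AUTORUN.INF would launch. The following is an added example (not ESET's code and not the worm's): a small parser for the INI-style AUTORUN.INF format that lists the launch directives (open, shellexecute and shell\<verb>\command) and the executables they reference. It considers only the plain [autorun] section, and the two sample files are constructed; the suspicious one mirrors the file names given above.

```python
"""Added example (not ESET's or the worm's code): triage an AUTORUN.INF found
on removable media and list the programs it would launch.

Only the plain [autorun] section is considered; the sample files at the bottom
are constructed to mirror the file names given above."""
from __future__ import annotations


def parse_autorun_inf(text: str) -> dict[str, dict[str, str]]:
    """Minimal INI parser: {section: {key: value}}, section and key names
    lower-cased. NUL bytes and unparsable lines (common padding in malicious
    copies) are skipped rather than treated as errors."""
    sections: dict[str, dict[str, str]] = {}
    current = None
    for raw in text.replace("\x00", "").splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections


def launch_directives(text: str) -> list[tuple[str, str]]:
    """Return (directive, command) pairs that cause code execution when the
    media is inserted or its drive icon is opened: 'open', 'shellexecute'
    and any 'shell\\<verb>\\command' entry."""
    autorun = parse_autorun_inf(text).get("autorun", {})
    hits = []
    for key, value in autorun.items():
        if key in ("open", "shellexecute") or (key.startswith("shell\\") and key.endswith("\\command")):
            hits.append((key, value))
    return hits


def referenced_executables(text: str) -> set[str]:
    """First token of each launch command (the file on the drive root that
    should be hashed and submitted for analysis), lower-cased."""
    return {cmd.split()[0].lower() for _, cmd in launch_directives(text) if cmd.split()}


# Constructed sample shaped like the drop described above (autorun.exe, pictures.exe).
SUSPICIOUS = """[autorun]
open=autorun.exe
shellexecute=pictures.exe
shell\\open\\command=autorun.exe
icon=pictures.exe
action=Open folder to view files
"""
# Constructed sample: an install disc that only sets an icon and label.
BENIGN = """[autorun]
icon=setup.ico
label=Product Installer
"""

if __name__ == "__main__":
    for directive, command in launch_directives(SUSPICIOUS):
        print(f"{directive} -> {command}")
```

An "action=" line that imitates the standard "Open folder to view files" prompt is a common disguise for the launch entry, so a file that sets action together with open or shellexecute deserves a closer look even when the referenced executable has an innocuous name.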

Information stealing

Win32/Crastic.A is a worm that steals passwords and other sensitive information.


The worm collects the following information:

  • screenshots
  • operating system version
  • information about the operating system and system settings
  • network adapter information
  • CPU information
  • user name
  • computer name
  • proxy server settings

The worm collects information used to access certain sites.


The worm is able to log keystrokes.


The worm searches for windows whose title contains any of the following strings:

  • bbva bancomer
  • bbvanet -
  • bbva -
  • https://www.bancomernetcash.com/
  • banamex
  • banorte por internet / corporativa
  • bienvenido a bancanet
  • bancanet
  • https://bancanet.banamex.com/
  • https://boveda.banamex.com.mx/
  • bancanet empresarial
  • https://www.bancanetempresarial.banamex.com.mx/
  • banorte por internet / personal
  • ixe portal
  • acceso a ixe net
  • https://nixe.ixe.com.mx/
  • acceso a casa de bolsa por internet
  • santander - supernet -
  • enlace por internet
  • https://enlace.santander-serfin.com/
  • https://vip.santander-serfin.com/
  • hsbc mexico - saldo de mis cuentas
  • hsbc mexico - cuentas
  • banco base
  • mi hsbcnet |
  • conexion empresarial internet
  • banca mifel
  • bienvenido a scotia en linea
  • https://www.scotiaweb.com.mx/
  • inicio -
  • sel - scotia en linea
  • https://see.sbi.com.mx
  • bajionet - bienvenido
  • bajionet gobierno - bienvenido
  • bajionet gobierno
  • parallels plesk 1
  • afirme : grupo financiero
  • afirmenet
  • banco azteca, te ofrece los mejores productos financieros. ahorra, invierte o solicita tu linea de credito
  • banca empresarial azteca
  • banamex.dialectpayments.com
  • banco inbursa - inbured
  • entrada
  • portal personal banco inbursa
  • connect to server
  • bansi en linea
  • bienvenido al sitio en linea de bansi, un banco entre personas
  • banregio - tu mundo mas facil
  • ebanregio / banca electronica
  • banregio grupo financiero
  • cinet
  • https://www.interacciones.com
  • multiva
  • multipagos bancomer
  • monex servicios en linea
  • monex grupo financiero - servicios y productos financieros
  • bienvenido cliente invex
  • https://abcnet.abccapital.com.mx/
  • .: abc capital :.
  • union progreso
  • bankaool
  • https://www.stpmex.com
  • sistema de comercio internacional
  • bancomext - portal financiero
  • verifique sus datos
  • whm login
  • inicio de sesion en whm
  • inicio de sesion whm
  • reservations
  • cpanel inicio de sesion
  • cpanel login
  • inicio de sesion de cpanel
  • tns payment technologies pty ltd.
  • putty
  • tectia
  • asistente de compra - primeraplus
  • pago - interjet
  • pago seguro - apple (mx)
  • despegar.com - checkout de compra
  • reservacion
  • reservacion - paso 2 de 3: forma de pago - pricetravel.com.mx
  • payment
  • pagina de pago
  • cineticket internet
  • ticketmaster billing
  • purchase verification
  • verified by visa
  • mastercard securecode
  • outlook web app
  • microsoft outlook web access
  • skype
  • sign in to office 365
  • sign in to your microsoft account
  • iniciar sesion en office 365
  • iniciar session
  • iniciar sesion
  • sign in
  • sign in - google accounts
  • inicio de sesion - cuentas de google
  • acceso: cuentas de google
  • gmail
  • yahoo - login
  • yahoo - ingreso
  • webmail login
  • aol mail: simple, free, fun
  • aol.com - welcome to aol
  • terra mail
  • correo -
  • inicio de sesion en webmail
  • inicio de sesion de correo web
  • accesso webmail
  • - login
  • - webmail
  • acceder a webmail
  • ibm lotus inotes login
  • alestra email login
  • e-mail and online storage
  • mail :: welcome to
  • correo :: bienvenidos a
  • roundcube webmail ::
  • webmail
  • uebimiau
  • worldclient
  • workspace login
  • zimbra web client
  • atmail open - login
  • acceso al correo del dominio
  • bitbucket
  • acceso web al servidor de correo de internet
  • amazon web services sign in
  • servicios de telefonía y conexión a internet para casa y empresa, telmex
  • log in to your paypal account
  • inicie sesion en su cuenta paypal
  • github
  • godaddy
  • register.com
  • network solutions account
  • namecheap.com
  • dropbox

The worm steals login credentials related to the following applications:

  • Windows Messenger
  • Internet Explorer
  • Mozilla Firefox
  • FileZilla
  • FlashFXP
  • Windows Live Mail
  • Windows Mail
  • Mozilla Thunderbird
  • Microsoft Outlook
  • Google Chrome

Other information

The worm acquires data and commands from a remote computer or the Internet.


The worm contains a list of (17) URLs. The HTTP/HTTPS protocol is used in the communication.


It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • spread via removable drives
  • steal sensitive information
  • uninstall itself

The worm checks for Internet connectivity by trying to connect to the following addresses:

  • http://update.microsoft.com
  • http://facebook.com
  • http://dropbox.com
  • http://linkedin.com
  • http://twitter.com
  • http://wikipedia.org
  • http://mail.yahoo.com
  • http://www.paypal.com
  • http://www.netflix.com
  • http://login.microsoftonline.com
  • http://login.live.com
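Each of these addresses is popular on its own, so a single request to one of them says nothing; the usable signal is one client contacting many of them within a few seconds. The following is an added example (not ESET's code and not the worm's) of that detection logic run over proxy log lines. The log format ("timestamp client host") and the lines themselves are constructed; the threshold and window are assumptions to tune per environment.

```python
"""Added example (not ESET's or the worm's code): flag hosts whose proxy log
shows a burst of requests to the connectivity-check addresses listed above.

Each of these hosts is popular on its own; the signal is many of them being
contacted by one client within seconds. The log format and lines below are
constructed: '<ISO timestamp> <client IP> <destination host>'."""
from __future__ import annotations
from collections import defaultdict
from datetime import datetime, timedelta

# Host names from the connectivity-check list on the page.
CHECK_HOSTS = frozenset({
    "update.microsoft.com", "facebook.com", "dropbox.com", "linkedin.com",
    "twitter.com", "wikipedia.org", "mail.yahoo.com", "www.paypal.com",
    "www.netflix.com", "login.microsoftonline.com", "login.live.com",
})


def parse_line(line: str) -> tuple[datetime, str, str]:
    """Split one constructed log line into (timestamp, client, host)."""
    ts, client, host = line.split()
    return datetime.fromisoformat(ts), client, host.lower()


def flag_clients(lines, threshold: int = 5, window: timedelta = timedelta(seconds=60)) -> dict[str, int]:
    """Map client -> largest number of distinct check hosts it contacted within
    any `window`; only clients reaching `threshold` are returned."""
    events: dict[str, list[tuple[datetime, str]]] = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ts, client, host = parse_line(line)
        if host in CHECK_HOSTS:
            events[client].append((ts, host))
    flagged = {}
    for client, evs in events.items():
        evs.sort()
        best = 0
        for i, (start, _) in enumerate(evs):
            # Distinct check hosts in the window starting at this event.
            distinct = {h for t, h in evs[i:] if t - start <= window}
            best = max(best, len(distinct))
        if best >= threshold:
            flagged[client] = best
    return flagged


# Constructed log: 10.0.0.5 sweeps seven check hosts in three seconds,
# 10.0.0.9 visits a few of them spread over ten minutes (ordinary browsing).
LOG = """\
2015-12-27T10:00:01 10.0.0.5 update.microsoft.com
2015-12-27T10:00:01 10.0.0.5 facebook.com
2015-12-27T10:00:02 10.0.0.5 dropbox.com
2015-12-27T10:00:02 10.0.0.5 linkedin.com
2015-12-27T10:00:03 10.0.0.5 twitter.com
2015-12-27T10:00:03 10.0.0.5 wikipedia.org
2015-12-27T10:00:04 10.0.0.5 mail.yahoo.com
2015-12-27T10:00:30 10.0.0.9 facebook.com
2015-12-27T10:03:10 10.0.0.9 twitter.com
2015-12-27T10:09:45 10.0.0.9 www.paypal.com
2015-12-27T10:10:00 10.0.0.9 example.com
"""

if __name__ == "__main__":
    for client, count in flag_clients(LOG.splitlines()).items():
        print(f"{client}: {count} check hosts within 60 s")
```

The hosts are matched exactly, so a browser request to www.facebook.com does not count while the bare facebook.com from the list does; if your proxy normalises host names, adjust CHECK_HOSTS to match before relying on the count.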

The worm keeps various information in the following Registry keys:

  • [HKEY_LOCAL_MACHINE\SYSTEM\Setup\Setup]
  • [HKEY_LOCAL_MACHINE\SYSTEM\Setup\Number]
  • [HKEY_LOCAL_MACHINE\SYSTEM\Setup\Reload]
  • [HKEY_LOCAL_MACHINE\SYSTEM\Setup\Previous]

The worm keeps various information in the following files:

  • %windir%\Installer\%variable%\TIco
  • %windir%\Installer\%variable%\RIco
  • %windir%\Installer\%variable%\PIco

A string with variable content is used instead of %variable%.
