Win32/CrisisHT [Threat Name]
Win32/CrisisHT.B [Threat Variant Name]
Category | trojan
Size | 1064448 B
Aliases | BackDoor.DaVinci.29 (Dr.Web)
Short description
Win32/CrisisHT.B is a trojan that steals passwords and other sensitive information. The trojan attempts to send the gathered information to a remote machine. It uses techniques common to rootkits.
Installation
When executed, the trojan creates the following files:
- %localappdata%\Microsoft\oKaZW8vm\Jw-Sb_oy.q2v (674304 B, Win32/Boychi.Q)
- %localappdata%\Microsoft\oKaZW8vm\A96qDGdz.NZy (100864 B)
- %localappdata%\Microsoft\oKaZW8vm\HmJY-hDq.0MS (208896 B)
- %localappdata%\Microsoft\oKaZW8vm\qjy97Jk_.hKQ (2976 B)
- %localappdata%\Microsoft\oKaZW8vm\Intel(R) Wifi 0.36.xuqb
The following Registry entries are set:
- [HKEY_CURRENT_USER\Software\Classes\xuqb_auto_file\shell\open\command]
- "(Default)" = "%systemroot%\system32\rundll32.exe" "%localappdata%\Microsoft\oKaZW8vm\Jw-Sb_oy.q2v", u7432eddfP
- [HKEY_CURRENT_USER\Software\Classes\.xuqb]
- "(Default)" = "xuqb_auto_file"
- [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
- "Intel(R) Wifi 0.36" = "%localappdata%\Microsoft\oKaZW8vm\Intel(R) Wifi 0.36.xuqb"
This causes the trojan to be executed on every system start.
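The persistence chain above is worth a dedicated check: the Run value names a file with a non-executable extension (.xuqb), a per-user file class (HKCU\Software\Classes takes precedence over the machine-wide classes for that user) maps the extension to xuqb_auto_file, and that class's open handler invokes rundll32 on the dropped module. The following Python, an added example rather than part of ESET's description, reconstructs that chain from a reg-export dump; the dump is constructed for the example, and the OneDrive value in it is an invented benign control.

```python
import ntpath, re
# Constructed sample in "reg export" syntax modelled on the persistence chain described
# above (Run value -> ".xuqb" class -> rundll32 handler); OneDrive is a benign control entry.
SAMPLE_REG = r'''
[HKEY_CURRENT_USER\Software\Classes\.xuqb]
@="xuqb_auto_file"
[HKEY_CURRENT_USER\Software\Classes\xuqb_auto_file\shell\open\command]
@="\"%systemroot%\\system32\\rundll32.exe\" \"%localappdata%\\Microsoft\\oKaZW8vm\\Jw-Sb_oy.q2v\",u7432eddfP"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Intel(R) Wifi 0.36"="%localappdata%\\Microsoft\\oKaZW8vm\\Intel(R) Wifi 0.36.xuqb"
"OneDrive"="\"C:\\Users\\u\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
'''
RUN_KEY = "hkey_current_user\\software\\microsoft\\windows\\currentversion\\run"
CLASSES = "hkey_current_user\\software\\classes\\"
NATIVE_EXTS = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif"}
def unescape(s):
    """Strip the outer quotes of a .reg string and undo its backslash escapes."""
    return re.sub(r"\\(.)", r"\1", s[1:-1]) if s.startswith('"') else s

def parse_reg(text):
    """Parse reg-export text into {key.lower(): {value_name: data}}; '' is the default value."""
    keys, cur = {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            cur = keys.setdefault(line[1:-1].lower(), {})
        elif cur is not None and (m := re.match(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$', line)):
            cur["" if m.group(1) == "@" else unescape(m.group(1))] = unescape(m.group(2))
    return keys

def split_first(cmd):
    """(target, rest): a quoted target ends at its closing quote; an unquoted one grows
    word by word, as CreateProcess resolves it, until the path carries an extension."""
    if cmd.startswith('"') and (end := cmd.find('"', 1)) > 0:
        return cmd[1:end], cmd[end + 1:].strip()
    words = cmd.split(" ")
    splits = ((" ".join(words[:i]), " ".join(words[i:])) for i in range(1, len(words) + 1))
    return next((s for s in splits if ntpath.splitext(s[0])[1]), (cmd, ""))

def suspicious_run_entries(text):
    """Flag Run values whose non-executable target a per-user file class hands to rundll32."""
    reg, hits = parse_reg(text), []
    for name, cmd in reg.get(RUN_KEY, {}).items():
        ext = ntpath.splitext(split_first(cmd)[0])[1].lower()
        if ext in NATIVE_EXTS:
            continue
        progid = reg.get(CLASSES + ext, {}).get("", "")
        handler = reg.get(CLASSES + progid.lower() + "\\shell\\open\\command", {}).get("", "")
        exe, rest = split_first(handler)  # rundll32.exe and the module/entry point it is handed
        if exe.lower().endswith("rundll32.exe"):
            hits.append({"run": name, "command": cmd, "progid": progid, "module": split_first(rest)[0]})
    return hits
```

On a live host the same logic applies to the output of `reg export HKCU\Software\Classes` and `reg export HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run`, or to values read from an offline NTUSER.DAT hive.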
The trojan quits immediately if it detects certain security applications running.
The trojan quits immediately if it is run within a debugger.
The trojan creates and runs a new thread with its own program code in all running processes except the following:
- avgarkt.exe
- avgscanx.exe
- avk.exe
- avscan.exe
- bgscan.exe
- chrome.exe
- FlashPlayerPlugin_*.exe
- fsbl.exe
- fsm32.exe
- hackmon.exe
- hiddenfinder.exe
- IceSword.exe
- ielowutil.exe
- iexplore.exe
- outlook.exe
- pavark.exe
- pcts*.exe
- rku*.exe
- rootkitbuster*.exe
- RootkitRevealer.exe
- sargui.exe
- TaskMan.exe
- taskmgr.exe
- Unhackme.exe
The trojan executes the following command:
- %system%\rundll32.exe "%localappdata%\Microsoft\oKaZW8vm\A96qDGdz.NZy",u7432eddfR
Information stealing
The trojan collects the following sensitive information:
- screenshots
- a list of recently visited URLs
- data from the clipboard
- e-mail addresses
- Windows Protected Storage passwords and credentials
- information about the operating system and system settings
- list of running processes
- login user names for certain applications/services
- login passwords for certain applications/services
- CPU information
- memory status
- the list of installed software
- available wireless networks
- webcam video/voice
- sent IM messages
- list of disk devices and their type
- list of files/folders on a specific drive
- Bitcoin wallet contents
The trojan searches local drives for files with the following file extensions:
- .bmp
- .doc
- .docx
- .gif
- .jpeg
- .jpg
- .odp
- .ods
- .odt
- .png
- .pps
- .ppsx
- .ppt
- .pptx
- .rtf
- .txt
- .xls
- .xlsx
The trojan attempts to send the found files to a remote machine.
Win32/CrisisHT.B tries to obtain information from the contact list of the affected user.
E-mail addresses are also searched for in the following programs:
- Microsoft Outlook
- Skype
- Google Mail (mail.google.com)
- Yahoo Mail (yahoo.com)
- Windows Live (live.com)
- Facebook (facebook.com)
- Twitter (twitter.com)
E-mail addresses are searched for in files with one of the following extensions:
- .eml
The trojan is able to log keystrokes.
The trojan collects information related to the following applications:
- Google Chrome
- Google Talk
- Internet Explorer
- Microsoft Outlook
- Mozilla Firefox
- Mozilla Thunderbird
- Opera Browser
- Paltalk
- Trillian
- Windows Live
The trojan attempts to send gathered information to a remote machine.
Other information
The trojan hides its presence in the system. It uses techniques common to rootkits.
The trojan acquires data and commands from a remote computer or the Internet.
It can execute the following operations:
- "follow" users/posts on social networks
- download files from a remote computer and/or the Internet
- run executable files
- update itself to a newer version
- uninstall itself
- make the operating system unbootable
- send gathered information
- record calls
The trojan hooks the following Windows APIs:
- CreateProcessA (kernel32.dll)
- CreateProcessW (kernel32.dll)
- CreateProcessAsUserW (kernel32.dll)
- CreateProcessAsUserA (advapi32.dll)
- CreateProcessAsUserW (advapi32.dll)
- NtQueryDirectoryFile (ntdll.dll)
- ReadDirectoryChangesW (kernel32.dll)
- NtQuerySystemInformation (ntdll.dll)
- NtDeviceIoControlFile (ntdll.dll)
- NtEnumerateValueKey (ntdll.dll)
- NtQueryKey (ntdll.dll)
- SendMessageW (user32.dll)
- SetWindowTextW (user32.dll)
- CreateWindowExA (user32.dll)
- CreateWindowExW (user32.dll)
- waveOutWrite (WINMM.dll)
- waveInAddBuffer (WINMM.dll)
- SendMessageTimeoutA (user32.dll)
- SendMessageTimeoutW (user32.dll)
- recv (ws2_32.dll)
- send (ws2_32.dll)
- WSARecv (ws2_32.dll)
- IDirectSoundBuffer::GetCurrentPosition (dsound.dll)
- IDirectSoundCaptureBuffer::GetCurrentPosition (dsound.dll)
- IAudioRenderClient
- IAudioCaptureClient
- CreateFileW (kernel32.dll)
- DeleteFileW (kernel32.dll)
- MoveFileW (kernel32.dll)
- GetMessageA (user32.dll)
- GetMessageW (user32.dll)
- PeekMessageA (user32.dll)
- PeekMessageW (user32.dll)
- ImmGetCompositionStringW (imm32.dll)
- ReadConsoleInputA (kernel32.dll)
- ReadConsoleInputW (kernel32.dll)
- ReadConsoleA (kernel32.dll)
- ReadConsoleW (kernel32.dll)
- ReadConsoleInputExA (kernel32.dll)
- ReadConsoleInputExW (kernel32.dll)
- InternetGetCookieExW (wininet.dll)
The trojan contains both 32-bit and 64-bit program components.