Win32/Crytes [Threat Name]
Win32/Crytes.AA [Threat Variant Name]
Category | worm
Size | 1578496 B
Aliases | Trojan.Win32.Miner.ays (Kaspersky), Trojan:Win32/CoinMiner.BB!bit (Microsoft), Win32:BitCoinMiner-IW.[Trj] (Avast)
Short description
Win32/Crytes.AA is a worm that uses the hardware resources of the infected computer for mining digital currency.
Installation
In order to be executed on every system start, the worm sets the following Registry entry:
- [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion]
- "Run" = %malwarefilepath%
The worm copies itself into the root folders of all drives using the following name:
- %originalmalwarefilename%
Spreading
Win32/Crytes.AA is a worm that repeatedly tries to connect to various IP addresses over the FTP protocol.
The following usernames are used:
- admin
- Admin
- anonymous
- ftp
- www-data
The following passwords are used:
- 000000
- 111111
- 123
- 123123
- 1234
- 12345
- 123456
- 1234567
- 12345678
- 123456789
- 1234567890
- 123qwe
- abc123
- admin
- Admin
- admin123
- administrator
- anonymous
- derok010101
- devry
- email@email.com
- ftp
- pass
- pass1234
- password
- qwerty
- test
- windows
- www-data
If it succeeds, a copy of the worm is retrieved from the attacking machine.
The following filename is used:
- Photo.scr
The worm also copies itself into existing subfolders.
The worm infects files with the following extensions:
- .asp
- .bml
- .dhtm
- .DHTM
- .htm
- .HTM
- .htx
- .mht
- .php
- .PHP
- .phtm
- .shtm
- .xht
- .xml
- .XML
The worm inserts the following text marker into the infected files:
- <iframe src=Photo.scr width=1 height=1 frameborder=0></iframe>
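A defender-side check for the file-infection behaviour described above, as an added example that is not part of the ESET entry: it walks a web-content tree, looks only at files with the extensions the worm targets (compared case-insensitively, since the entry lists both cases), and flags any file carrying an iframe whose src points at Photo.scr, plus any dropped copy named Photo.scr. The regular expression's tolerance for quoting and spacing is an assumption; the entry only gives the marker in one form.

```python
"""Scan web-content files for the Photo.scr iframe marker inserted by Win32/Crytes.AA."""
from __future__ import annotations
import os
import re
from pathlib import Path

# Extensions listed in the threat description (compared case-insensitively below).
INFECTED_EXTENSIONS = {".asp", ".bml", ".dhtm", ".htm", ".htx", ".mht",
                       ".php", ".phtm", ".shtm", ".xht", ".xml"}

# Marker from the description: <iframe src=Photo.scr width=1 height=1 frameborder=0></iframe>
# Assumption: quoting and whitespace around src may vary; the src value is what identifies it.
MARKER_RE = re.compile(rb"<iframe\b[^>]*\bsrc\s*=\s*['\"]?Photo\.scr\b", re.IGNORECASE)


def has_crytes_marker(data: bytes) -> bool:
    """Return True if the raw file contents carry the injected iframe marker."""
    return MARKER_RE.search(data) is not None


def scan_tree(root: str) -> list[tuple[str, str]]:
    """Walk `root` and return (path, reason) pairs for suspicious files, sorted by path."""
    hits: list[tuple[str, str]] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower() == "photo.scr":
                hits.append((path, "dropped copy named Photo.scr"))
                continue
            if Path(name).suffix.lower() not in INFECTED_EXTENSIONS:
                continue  # not one of the extensions the worm infects
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable file: skip it rather than abort the whole scan
            if has_crytes_marker(data):
                hits.append((path, "Photo.scr iframe marker found"))
    return sorted(hits)


if __name__ == "__main__":
    import sys
    for hit_path, reason in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{hit_path}: {reason}")
```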
Information stealing
The following information is collected:
- login name
- login password
- list of files/folders on a specific drive
- CPU information
The worm attempts to send gathered information to a remote machine.
Other information
The worm acquires data and commands from a remote computer or the Internet.
The worm contains a list of 13 URLs. The HTTP and FTP protocols are used in the communication.
The worm uses the hardware resources of the infected computer for mining digital currency.
The following file is dropped into the %temp% folder:
- NsCpuMiner32.exe (1433600 B, Win32/BitCoinMiner.BX)
The file is then executed.
The worm creates the following files:
- %temp%\pools.txt