
Trojan:Win32/Crastic.gen!B


First posted on 24 June 2013.
Source: Microsoft

Aliases:

Trojan:Win32/Crastic.gen!B is also known as Trojan.Popuper.42468 (Dr.Web), W32/YahLover.worm.gen (McAfee), Worm.Win32.VobfusEx.e (Rising AV), W32.Imaut (Symantec).

Explanation:

Installation

Trojan:Win32/Crastic.gen!B might have the file name %TEMP%\Adobe_Flash_Player_11.37.2743.exe. This file name indicates that it might pose as an Adobe Flash Player installer. It might also be named autorun.exe if it is found on removable drives.

It uses the default Windows folder icon. If you double-click on it, it opens the root folder of the drive on which it is located. It does this to mislead you into thinking that it is a folder rather than an executable.

Payload

Deletes restore points

This trojan deletes system restore points created by the Windows System Restore tool. This means you might not be able to restore your computer to a previous state.

Drops other malware

Trojan:Win32/Crastic.gen!B drops a file named %windir%\csrss.dll. This file is detected as Trojan:Win32/Crastic.gen!A.

Trojan:Win32/Crastic.gen!B also creates the following registry entries, registering the dropped DLL as a service so that it runs automatically every time the legitimate Windows process svchost.exe loads the Wcsrss service group:

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\Wcsrss\Parameters
Sets value: "ServiceDll"
With data: "%windir%\csrss.dll"

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\Wcsrss
Sets value: "ImagePath"
With data: "%SystemRoot%\system32\svchost.exe -k Wcsrss"
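The two registry entries above are the persistence mechanism: a service whose ImagePath is svchost.exe with a -k group, and a Parameters\ServiceDll pointing at the dropped DLL. A defender triaging an exported Services hive can look for exactly that shape. The following is an added example (not code from Microsoft or from the original page) that parses a .reg text export, as produced by "reg export HKLM\SYSTEM\CurrentControlSet\Services", and flags svchost-hosted services whose ServiceDll lives outside the Windows system directories or borrows the name of a core Windows process (csrss, lsass, and so on). The sample export embedded in it is constructed for the example: the Dnscache entries mimic a legitimate service, and the Wcsrss entries mirror the values listed above.

```python
import re
from typing import Dict, List

SERVICES_PREFIX = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services" + "\\"
# Directories where a legitimate svchost-hosted ServiceDll is expected to live.
SYSTEM_DIRS = (r"%systemroot%\system32\\"[:-1], r"%systemroot%\syswow64\\"[:-1],
               r"\windows\system32\\"[:-1], r"\windows\syswow64\\"[:-1])
# Names of core Windows processes that malware likes to imitate in file names.
CORE_PROCESS_NAMES = {"csrss", "lsass", "smss", "winlogon", "services", "wininit"}


def _hex2(s: str) -> str:
    """Encode a string the way reg export writes REG_EXPAND_SZ: hex(2) of UTF-16LE bytes."""
    data = (s + "\0").encode("utf-16-le")
    return "hex(2):" + ",".join(f"{b:02x}" for b in data)


# Constructed sample export (hypothetical data, not a real capture).
_SAMPLE_LINES = [
    "Windows Registry Editor Version 5.00",
    "",
    r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache]",
    '"ImagePath"=' + _hex2(r"%SystemRoot%\system32\svchost.exe -k NetworkService"),
    '"Type"=dword:00000020',
    "",
    r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters]",
    '"ServiceDll"=' + _hex2(r"%SystemRoot%\System32\dnsrslvr.dll"),
    "",
    r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Wcsrss]",
    '"ImagePath"=' + _hex2(r"%SystemRoot%\system32\svchost.exe -k Wcsrss"),
    '"Type"=dword:00000020',
    "",
    r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Wcsrss\Parameters]",
    '"ServiceDll"=' + _hex2(r"%windir%\csrss.dll"),
]
SAMPLE_REG_EXPORT = "\r\n".join(_SAMPLE_LINES) + "\r\n"


def _decode_value(value: str) -> str:
    """Decode the value syntaxes reg export uses for strings, expand-strings and dwords."""
    if value.startswith("hex(2):"):
        raw = bytes(int(h, 16) for h in value[7:].split(",") if h)
        return raw.decode("utf-16-le", errors="replace").rstrip("\0")
    if value.startswith("dword:"):
        return str(int(value[6:], 16))
    if value.startswith('"') and value.endswith('"'):
        return value[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    return value


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse [key] headers and "name"=value lines into {key: {name: value}}."""
    # reg export wraps long hex values with a trailing backslash; rejoin them first.
    text = re.sub(r"\\\r?\n\s*", "", text)
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"') and '"=' in line:
            name, _, value = line[1:].partition('"=')
            keys[current][name] = _decode_value(value)
    return keys


def find_suspicious_svchost_services(keys: Dict[str, Dict[str, str]]) -> List[dict]:
    """Flag svchost-hosted services whose ServiceDll is missing, outside the system
    directories, or named after a core Windows process."""
    findings = []
    for key, values in keys.items():
        if not key.startswith(SERVICES_PREFIX) or "\\" in key[len(SERVICES_PREFIX):]:
            continue  # only top-level service keys, not their Parameters subkeys
        name = key[len(SERVICES_PREFIX):]
        m = re.search(r"svchost\.exe\s+-k\s+(\S+)", values.get("ImagePath", ""), re.IGNORECASE)
        if not m:
            continue
        dll = keys.get(key + r"\Parameters", {}).get("ServiceDll", "")
        dll_l = dll.lower()
        reasons = []
        if not dll:
            reasons.append("svchost-hosted service has no ServiceDll")
        else:
            if not any(d in dll_l for d in SYSTEM_DIRS):
                reasons.append("ServiceDll is outside the Windows system directories")
            stem = dll_l.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
            if stem in CORE_PROCESS_NAMES:
                reasons.append(f"ServiceDll name mimics core Windows process '{stem}'")
        if reasons:
            findings.append({"service": name, "group": m.group(1),
                             "service_dll": dll, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_svchost_services(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f"{f['service']} (-k {f['group']}): {f['service_dll']} -> {'; '.join(f['reasons'])}")
```

On the constructed sample the Dnscache entries pass and the Wcsrss service is reported for both reasons, since %windir%\csrss.dll sits in the Windows root rather than system32 and reuses the name of the real Client/Server Runtime process. The same parser works on a real export, where the hex(2) decoding and the backslash-continuation handling matter; review any hit against the legitimate service list for that Windows version rather than treating it as a verdict on its own.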
Analysis by Zhitao Zhou

Last update 24 June 2013
