
VBS.Crigent


First posted on 16 April 2014.
Source: Symantec

Aliases:

There are no other names known for VBS.Crigent.

Explanation:

The Trojan may be downloaded or dropped by other malware.

Once executed, the Trojan creates the following hidden folder:
%UserProfile%\Application Data\[UUID]

The Trojan also creates the following registry subkey:
HKEY_CURRENT_USER\Software\Microsoft\[UUID]1

It then downloads an archive file from one of the following remote locations:
i.vankin.de
gg.ibiz.cc

The Trojan then saves the archive file to the following location:
%UserProfile%\Application Data\[UUID]\roaming.zip

Next, the Trojan extracts the following files from the archive file before deleting it:
%UserProfile%\Application Data\[UUID]\tor.exe
%UserProfile%\Application Data\[UUID]\polipo.exe

It then uses the extracted files to connect to the Tor network.

The Trojan then opens a back door on the compromised computer and retrieves commands from the following remote location:
[http://]powerwormjqj42hu.onion/get[REMOVED]?s=autorun&uid=[UUID]

The Trojan may also execute commands stored in the following registry subkey:
HKEY_CURRENT_USER\Software\Microsoft\[UUID]1
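As an added defensive example (not part of the Symantec writeup), the following Python matches the drop locations and registry subkey quoted above against file and registry inventories and correlates them on the shared [UUID], so that the hidden folder holding tor.exe and polipo.exe and the [UUID]1 command subkey are reported together. It assumes, since the page does not say, that [UUID] is a hyphenated 8-4-4-4-12 hex identifier (optionally braced) and that on Vista and later the "Application Data" folder appears as AppData\Roaming; the sample paths, keys and UUID are constructed, not real indicators.

```python
"""Host-indicator matching for the VBS.Crigent behaviour described above.

Added example, not Symantec's code. Assumptions not stated on the page:
[UUID] is a hyphenated 8-4-4-4-12 hex UUID, optionally in braces, and the
folder may also appear under the Vista+ form of "Application Data",
AppData\\Roaming.
"""
import re
from collections import defaultdict

# [UUID] as it would appear in a real path; braces are optional (assumption).
UUID = r"\{?([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})\}?"

# %UserProfile%\Application Data\[UUID]\{tor.exe,polipo.exe,roaming.zip}
DROPPED_FILE_RE = re.compile(
    r"\\(?:Application Data|AppData\\Roaming)\\" + UUID
    + r"\\(tor\.exe|polipo\.exe|roaming\.zip)$",
    re.IGNORECASE,
)

# HKEY_CURRENT_USER\Software\Microsoft\[UUID]1  (note the trailing "1")
REGISTRY_KEY_RE = re.compile(
    r"^(?:HKEY_CURRENT_USER|HKCU)\\Software\\Microsoft\\" + UUID + r"1$",
    re.IGNORECASE,
)


def match_dropped_file(path):
    """Return (uuid, filename) if path is one of the quoted drop locations."""
    m = DROPPED_FILE_RE.search(path)
    if not m:
        return None
    return m.group(1).lower(), m.group(2).lower()


def match_registry_key(key):
    """Return the UUID if key is the quoted command/persistence subkey."""
    m = REGISTRY_KEY_RE.match(key)
    return m.group(1).lower() if m else None


def correlate(file_paths, registry_keys):
    """Group indicators by UUID; the same UUID ties folder and subkey together.

    Returns {uuid: sorted list of indicator names}.
    """
    hits = defaultdict(set)
    for p in file_paths:
        m = match_dropped_file(p)
        if m:
            hits[m[0]].add(m[1])
    for k in registry_keys:
        u = match_registry_key(k)
        if u:
            hits[u].add("registry")
    return {u: sorted(v) for u, v in hits.items()}


def strong_matches(hits):
    """UUIDs that have both Tor binaries and the registry subkey present."""
    needed = {"tor.exe", "polipo.exe", "registry"}
    return sorted(u for u, inds in hits.items() if needed <= set(inds))


# Constructed sample inventories (the UUID and paths are made up, not real IoCs).
SAMPLE_FILES = [
    r"C:\Users\alice\AppData\Roaming\6f1d2b3c-4e5f-4a6b-8c7d-9e0f1a2b3c4d\tor.exe",
    r"C:\Users\alice\AppData\Roaming\6f1d2b3c-4e5f-4a6b-8c7d-9e0f1a2b3c4d\polipo.exe",
    r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\profiles.ini",
    r"C:\Program Files\Tor Browser\Browser\TorBrowser\Tor\tor.exe",  # legitimate install
]
SAMPLE_KEYS = [
    r"HKEY_CURRENT_USER\Software\Microsoft\6f1d2b3c-4e5f-4a6b-8c7d-9e0f1a2b3c4d1",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
]

if __name__ == "__main__":
    found = correlate(SAMPLE_FILES, SAMPLE_KEYS)
    for uuid, inds in found.items():
        print(uuid, inds)
    print("strong matches:", strong_matches(found))
```

Correlating on the UUID matters because a lone tor.exe is not evidence of this family (the legitimate Tor Browser path in the sample is correctly ignored); the folder name, the two extracted binaries and the [UUID]1 subkey together are what the writeup describes.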

Last update 16 April 2014
