
Trojan:Win32/Cribit.A


First posted on 16 April 2014.
Source: Microsoft

Aliases:

There are no other names known for Trojan:Win32/Cribit.A.

Explanation:

Threat behavior

Installation

Trojan:Win32/Cribit.A drops itself into the %APPDATA% folder using a random file name of length 5 to 15 characters. For example, one file we looked at was named %APPDATA%\ylohf.exe.

It also creates the following registry entry so that it automatically runs every time Windows starts:

In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "Bitcomint"
With data: "%APPDATA%\<random file name>.exe"

For example:

In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "Bitcomint"
With data: "%APPDATA%\ylohf.exe"

It also drops these files as part of its installation process:

  • bitcrypt.ccw - malware configuration file
  • del.bat - batch file that it uses to run itself; once it has finished its malicious routine, it uses this file again to delete itself so that it leaves no trace on your PC


Payload

Prevents you from running Task Manager and Registry Editor

Trojan:Win32/Cribit.A continuously checks whether either of these processes is running, and if so, terminates it:

  • taskmgr.exe (Task Manager)
  • regedit.exe (Registry Editor)


Prevents you from starting in Safe Mode

This threat deletes these registry keys. Without these registry keys and settings, you cannot restart your PC in Safe Mode:

  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal


It also runs these commands:

  • \cmd.exe" /K bcdedit /set {bootmgr} displaybootmenu no - this command prevents Windows from displaying the Windows Boot Manager
  • \cmd.exe" /K bcdedit /set {default} bootstatuspolicy ignoreallfailures - this command disables Windows System Recovery when you start up your PC
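The persistence entry and the recovery tampering described above (the "Bitcomint" Run value, the deleted SafeBoot keys and the two bcdedit settings) are all visible in artifacts an analyst routinely collects from a suspect machine. The script below is an added example for this page, not code from Microsoft or from the malware write-up: it parses a constructed `reg export` style text and a constructed `bcdedit /enum` listing (both samples are made up for the demonstration and are not real captures; the registry sample stores the value as a plain REG_SZ string rather than the hex(2) form a real export uses for expandable strings) and reports the indicators this write-up names. The random-name pattern `%APPDATA%\<5 to 15 characters>.exe` is taken from the Installation section; nothing else about the file name is assumed.

```python
import re
from typing import Dict, List

# Constructed sample in `reg export` text form (not a real capture). The
# "Bitcomint" value points at the dropped copy; SafeBoot\Minimal and
# SafeBoot\Network are absent, as the write-up describes.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"
"Bitcomint"="%APPDATA%\\ylohf.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
"AlternateShell"="cmd.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Option]
'''

# Constructed sample of `bcdedit /enum` output (not a real capture).
SAMPLE_BCDEDIT = r'''Windows Boot Manager
--------------------
identifier              {bootmgr}
device                  partition=\Device\HarddiskVolume1
displaybootmenu         No

Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
bootstatuspolicy        IgnoreAllFailures
'''

RUN_KEY = r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run".lower()
SAFEBOOT_KEYS = (
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network",
)
# %APPDATA%\<5 to 15 character name>.exe, the dropped-copy path from the write-up.
DROPPED_COPY = re.compile(r"^%APPDATA%\\[^\\]{5,15}\.exe$", re.IGNORECASE)
VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key path (lowercased): {value name: data}} from .reg export text."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()       # registry paths are case-insensitive
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            m = VALUE_LINE.match(line)
            if not m:
                continue
            name, data = m.group(1), m.group(2)
            if data.startswith('"') and data.endswith('"'):
                # .reg files double backslashes and escape quotes inside strings.
                data = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
            keys[current][name] = data
    return keys


def assess_registry(keys: Dict[str, Dict[str, str]]) -> List[str]:
    """Flag the Bitcomint Run value (by name or by path shape) and missing SafeBoot keys."""
    findings = []
    for name, data in keys.get(RUN_KEY, {}).items():
        if name.lower() == "bitcomint" or DROPPED_COPY.match(data):
            findings.append(f"Run value {name!r} -> {data}")
    for key in SAFEBOOT_KEYS:
        if key.lower() not in keys:
            findings.append(f"missing Safe Mode key: {key}")
    return findings


def parse_bcdedit_enum(text: str) -> List[Dict[str, str]]:
    """Split `bcdedit /enum` output into one {property: value} dict per entry."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():                   # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if not line[0].islower():              # section titles and dashed rules
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            current[parts[0].lower()] = parts[1].strip()
    if current:
        entries.append(current)
    return entries


def assess_bcd(entries: List[Dict[str, str]]) -> List[str]:
    """Flag the two bcdedit settings the write-up says the trojan applies."""
    findings = []
    for e in entries:
        ident = e.get("identifier", "?")
        if e.get("displaybootmenu", "").lower() == "no":
            findings.append(f"{ident}: displaybootmenu No")
        if e.get("bootstatuspolicy", "").lower() == "ignoreallfailures":
            findings.append(f"{ident}: bootstatuspolicy IgnoreAllFailures")
    return findings


if __name__ == "__main__":
    for f in assess_registry(parse_reg_export(SAMPLE_REG_EXPORT)):
        print("[registry]", f)
    for f in assess_bcd(parse_bcdedit_enum(SAMPLE_BCDEDIT)):
        print("[bcd]", f)
```

Each finding on its own is weak evidence (an administrator can legitimately set either bcdedit option), so the value lies in seeing several of them together: a Run value pointing at a short random `.exe` under `%APPDATA%`, both SafeBoot keys gone, and boot-menu and recovery suppression on the same machine. Feed the functions a real export and listing collected from the host to run the same checks.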

Encrypts files

Trojan:Win32/Cribit.A looks for files with these extensions in all disk drives:

  • *.abw
  • *.arj
  • *.asm
  • *.bpg
  • *.cdr
  • *.cdt
  • *.cer
  • *.css
  • *.dbt
  • *.dbx
  • *.dfm
  • *.djv
  • *.djvu
  • *.doc
  • *.docm
  • *.docx
  • *.dpk
  • *.dpr
  • *.frm
  • *.gz
  • *.jpeg
  • *.jpg
  • *.key
  • *.lzh
  • *.lzo
  • *.mdb
  • *.mde
  • *.odc
  • *.pab
  • *.pas
  • *.pdf
  • *.pgp
  • *.php
  • *.pps
  • *.ppt
  • *.pst
  • *.rtf
  • *.sql
  • *.text
  • *.txt
  • *.vbp
  • *.wri
  • *.xfm
  • *.xl
  • *.xlc
  • *.xlk
  • *.xls
  • *.xlsm
  • *.xlw
  • *.xsf
  • *.xsn
  • *.cdx
  • *.dbf
  • *.js
  • *.vsd
  • *.xlsx


For each file it finds, it encrypts the file with an AES key. The encrypted file has the extension .bitcrypt or .bitcrypt2.

Trojan:Win32/Cribit.A drops its ransom note as the file bitcrypt.txt into every folder that it encrypts files in.
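The encryption behaviour above gives a responder three file-system indicators to scope an incident with: files ending in .bitcrypt or .bitcrypt2, a bitcrypt.txt note in each folder where files were encrypted, and the list of targeted extensions, which tells you which still-intact files would have been in scope. The scanner below is an added example written for this page, not code from Microsoft or from the write-up. It walks a directory tree and reports those indicators; `build_sample_tree` creates a small constructed tree in a temporary directory (the file names and contents are made up for the demonstration, and nothing is assumed about whether the trojan keeps the original file name in front of the new extension).

```python
import os
import tempfile
from pathlib import Path
from typing import Dict, Set

# Extensions the write-up lists as encryption targets.
TARGET_EXTENSIONS: Set[str] = {
    ".abw", ".arj", ".asm", ".bpg", ".cdr", ".cdt", ".cer", ".css", ".dbt", ".dbx",
    ".dfm", ".djv", ".djvu", ".doc", ".docm", ".docx", ".dpk", ".dpr", ".frm", ".gz",
    ".jpeg", ".jpg", ".key", ".lzh", ".lzo", ".mdb", ".mde", ".odc", ".pab", ".pas",
    ".pdf", ".pgp", ".php", ".pps", ".ppt", ".pst", ".rtf", ".sql", ".text", ".txt",
    ".vbp", ".wri", ".xfm", ".xl", ".xlc", ".xlk", ".xls", ".xlsm", ".xlw", ".xsf",
    ".xsn", ".cdx", ".dbf", ".js", ".vsd", ".xlsx",
}
ENCRYPTED_EXTENSIONS = {".bitcrypt", ".bitcrypt2"}
RANSOM_NOTE = "bitcrypt.txt"


def scan_for_bitcrypt(root: str) -> Dict[str, object]:
    """Walk `root` and summarise encrypted files, ransom notes and still-intact targets."""
    encrypted, notes, at_risk = [], [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            suffix = path.suffix.lower()
            if suffix in ENCRYPTED_EXTENSIONS:
                encrypted.append(path)
            elif name.lower() == RANSOM_NOTE:      # checked before .txt matches as a target
                notes.append(path)
            elif suffix in TARGET_EXTENSIONS:
                at_risk.append(path)
    affected = {p.parent for p in encrypted}
    noted = {p.parent for p in notes}
    return {
        "encrypted_files": len(encrypted),
        "ransom_notes": len(notes),
        "affected_dirs": sorted(str(d) for d in affected),
        # Folders with encrypted files but no note: worth a closer look, since the
        # write-up says a note is dropped into every folder it encrypts files in.
        "dirs_missing_note": sorted(str(d) for d in affected - noted),
        "at_risk_files": len(at_risk),
        "infected": bool(encrypted) or bool(notes),
    }


def build_sample_tree(infected: bool = True) -> str:
    """Create a constructed directory tree for the demo and return its root."""
    root = tempfile.mkdtemp(prefix="cribit_demo_")
    files = {
        "Code/app.js": b"console.log('hi');\n",        # targeted type, still intact
        "Code/README.md": b"not a targeted type\n",
    }
    if infected:
        files.update({
            "Documents/report.bitcrypt": b"\x00" * 32,   # placeholder ciphertext
            "Documents/budget.bitcrypt2": b"\x00" * 32,
            "Documents/bitcrypt.txt": b"constructed ransom note placeholder\n",
            "Pictures/holiday.bitcrypt": b"\x00" * 32,   # no note in this folder
        })
    for rel, content in files.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(content)
    return root


if __name__ == "__main__":
    for key, value in scan_for_bitcrypt(build_sample_tree()).items():
        print(f"{key}: {value}")
```

Point `scan_for_bitcrypt` at a mounted image or a user profile to get the scope of an infection; the `at_risk_files` count is the number of files of targeted types that are still readable and should be copied off before any cleanup.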

Once it has encrypted all target files, it opens its ransom note and changes your desktop background to the following (note that the cut-off text is by design):

Analysis by Karthik Selvaraj

Symptoms

The following could indicate that you have this threat on your PC:

  • All of your documents have been replaced by files with the extension .bitcrypt or .bitcrypt2
  • You find the file bitcrypt.txt in some folders on your PC, the same folders that contain files with the extension .bitcrypt or .bitcrypt2
  • You can't boot up in Safe Mode
  • You can't run Task Manager or Registry Editor
  • Your wallpaper has been replaced with this:

Last update 16 April 2014
