System Infected: Infostealer Cromwi Activity

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This signature detects Infostealer.Cromwi activity on the infected system.

Additional Information

When the Trojan is executed, it creates the following files:
%Temp%\~f[RANDOM NUMBER].tmp
%SystemDrive%\Documents and Settings\All Users\Application Data\Microsoft\MMC\mmc.exe

The Trojan creates the following registry entry:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"mmcupdate"=%SystemDrive%\Documents and Settings\All Users\Application Data\Microsoft\MMC\mmc.exe

The Trojan deletes the following file:
%SystemDrive%\Documents and Settings\All Users\Application Data\csrss.exe

The Trojan may collect the following information and then encrypt it:
Current running processes
All files on all available drives
Screenshot of the current window

The Trojan sends this encrypted information to the following location:
200.124.194.233 TCP port 9090

The Trojan connects to the following URL:
[http://]www.godstv.co.uk/kr/conference/conference[REMOVED]

The Trojan sends the following information to the previously mentioned URL:
MAC address
IP address
Host name

The Trojan receives an encrypted executable file from the previously mentioned URL.

The Trojan decrypts the file, saves it as the following, and then executes it:
%Temp%\al[RANDOM NUMBER].tmp

The Trojan creates the following mutex to ensure that only one instance of the Trojan is running:
"{0121000-101121-325638-4842}"
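As an added example that is not part of the Symantec write-up, the following Python script checks a `.reg`-style export of the HKCU Run key for the persistence entry described above. It flags the documented "mmcupdate" value name and the dropped mmc.exe path, and also generalizes slightly: any autorun that starts an mmc.exe from outside the Windows system directory is reported, since the legitimate mmc.exe lives under System32. The sample export is constructed for this example, not captured from an infected host.

```python
import re

# Constructed sample of a `reg export` of the HKCU Run key (built for this
# example, not real data). The "mmcupdate" value mirrors the entry in the
# write-up; "Updater" is a constructed lookalike that the general rule catches.
SAMPLE_RUN_KEY_EXPORT = r'''
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"
"mmcupdate"="C:\\Documents and Settings\\All Users\\Application Data\\Microsoft\\MMC\\mmc.exe"
"Updater"="C:\\ProgramData\\Tools\\mmc.exe"
'''

# Indicators taken directly from the write-up: the Run value name and the
# dropped file's location (compared case-insensitively on a path fragment).
CROMWI_VALUE_NAME = "mmcupdate"
CROMWI_PATH_FRAGMENT = r"application data\microsoft\mmc\mmc.exe"

# The genuine Microsoft Management Console binary ships in the system directory;
# an mmc.exe launched at logon from anywhere else is worth a look.
LEGIT_MMC_DIRS = ("\\windows\\system32\\", "\\windows\\syswow64\\")

_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')


def parse_run_values(export_text):
    """Return {value_name: data} from a .reg export, unescaping doubled backslashes."""
    values = {}
    for line in export_text.splitlines():
        m = _VALUE_RE.match(line.strip())
        if m:
            values[m.group("name")] = m.group("data").replace("\\\\", "\\")
    return values


def find_cromwi_indicators(export_text):
    """Return (value_name, reason) pairs for Run entries matching the Cromwi indicators."""
    hits = []
    for name, data in parse_run_values(export_text).items():
        lowered = data.lower().strip()
        if name.lower() == CROMWI_VALUE_NAME:
            hits.append((name, "Run value name matches the documented Cromwi persistence entry"))
        elif CROMWI_PATH_FRAGMENT in lowered:
            hits.append((name, "Run value points at the dropped Cromwi mmc.exe path"))
        elif lowered.endswith("mmc.exe") and not any(d in lowered for d in LEGIT_MMC_DIRS):
            hits.append((name, "mmc.exe started from outside the Windows system directory"))
    return hits


if __name__ == "__main__":
    for name, reason in find_cromwi_indicators(SAMPLE_RUN_KEY_EXPORT):
        print(f"[!] {name}: {reason}")
```

On a live host the same function can be fed the output of `reg export "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" run.reg` (saved as UTF-8 text) instead of the constructed sample.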

Affected

  • Various Windows platforms
  • Twitter
  • Facebook
  • LinkedIn
  • Google+
  • YouTube