This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.
This signature detects Infostealer.Cromwi activity on the infected system.
When the Trojan is executed, it creates the following files:
%SystemDrive%\Documents and Settings\All Users\Application Data\Microsoft\MMC\mmc.exe
The Trojan creates the following registry entry:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"mmcupdate"=%SystemDrive%\Documents and Settings\All Users\Application Data\Microsoft\MMC\mmc.exe
The Trojan deletes the following file:
%SystemDrive%\Documents and Settings\All Users\Application Data\csrss.exe
The Trojan may collect the following information and then encrypt it:
Current running processes
All files on all available drives
Screenshot of the current window
The Trojan sends this encrypted information to the following location:
220.127.116.11 TCP port 9090
The Trojan connects to the following URL:
The Trojan sends the following information to the previously mentioned URL:
The Trojan receives an encrypted executable file from the previously mentioned URL.
The Trojan decrypts the file, saves it as the following, and then executes it:
The Trojan creates the following mutex to ensure that only one instance of the Trojan is running:
- Various Windows platforms
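
A host check for the file, registry entry and remote endpoint listed above, as an added example that is not part of the original write-up. The indicator values are copied from this page; the function and variable names are hypothetical.

```powershell
# Added example: look for the Infostealer.Cromwi artifacts named on this page.
# Indicator values come from the page; all function and variable names are hypothetical.
$DroppedFile   = "$env:SystemDrive\Documents and Settings\All Users\Application Data\Microsoft\MMC\mmc.exe"
$RunValueName  = 'mmcupdate'
$RemoteAddress = '220.127.116.11'
$RemotePort    = 9090

function Test-CromwiArtifacts {
    $findings = @()

    # 1. Dropped file. On Windows Vista and later this legacy path is a junction into ProgramData.
    if (Test-Path -LiteralPath $DroppedFile) {
        $findings += [pscustomobject]@{ Type = 'File'; Detail = $DroppedFile }
    }

    # 2. Run-key persistence. The page lists HKEY_CURRENT_USER, so check every loaded user hive,
    #    not only the account running this script.
    foreach ($hive in Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue) {
        $runKey = "Registry::$($hive.Name)\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
        $entry  = Get-ItemProperty -Path $runKey -Name $RunValueName -ErrorAction SilentlyContinue
        if ($entry) {
            $findings += [pscustomobject]@{
                Type   = 'RunKey'
                Detail = "$($hive.PSChildName): $($entry.$RunValueName)"
            }
        }
    }

    # 3. Live TCP connection to the address and port the page lists.
    #    Get-NetTCPConnection is only available on Windows 8 / Server 2012 and later.
    if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
        $conns = Get-NetTCPConnection -RemoteAddress $RemoteAddress -RemotePort $RemotePort -ErrorAction SilentlyContinue
        foreach ($c in $conns) {
            $findings += [pscustomobject]@{ Type = 'Network'; Detail = "PID $($c.OwningProcess), state $($c.State)" }
        }
    }

    return $findings
}

$result = Test-CromwiArtifacts
if ($result) { $result | Format-Table -AutoSize }
else { 'None of the Infostealer.Cromwi artifacts listed on this page were found.' }
```

Run it from an elevated prompt so that other users' loaded hives under HKEY_USERS are readable; hives of users who are not logged on are not loaded and are not covered.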