Summary

| How it spreads | |
|---|---|
| Affected operating systems | Windows |
| Included in our products from | February 2006 (4.02) |
| Protection available since | 19 January 2005 22:18:03 (GMT) |
| Last updated | 23 December 2005 10:22:04 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing worms.
Change any data that may have become compromised.
Delete the file KEYS.TMP in the Windows temp folder if it exists.
You will also need to edit the following registry entries, if they are present. Please read the warning about editing the registry.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.
Locate the HKEY_LOCAL_MACHINE entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
and remove any reference to any file you deleted.
Each user has a registry area named HKEY_USERS\[code number indicating user]\. For each user locate the entry:
HKU\[code number]\Software\Microsoft\Windows\CurrentVersion\Run\
HKU\[code number]\Software\Microsoft\Windows\CurrentVersion\RunServices\
HKU\[code number]\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce\
HKU\[code number]\Software\Microsoft\Windows\CurrentVersion\RunOnce\
and remove any reference to any file you deleted.
Delete the following keys. If necessary, reinstall your local network Windows update software on the affected computer or copy and import the keys from another computer.
HKCU\Software\Microsoft\Windows\WindowsUpdate\Installed
HKCU\Software\Microsoft\Windows\WindowsUpdate\Sended
HKCU\Software\Microsoft\Windows\WindowsUpdate\Password
HKCU\Software\Microsoft\Windows\WindowsUpdate\CallBack
HKCU\Software\Microsoft\Windows\WindowsUpdate\Id
HKCU\Software\Microsoft\Windows\WindowsUpdate\Email
HKCU\Software\Microsoft\Windows\WindowsUpdate\Main Port
HKCU\Software\Microsoft\Windows\WindowsUpdate\Data Port
HKCU\Software\Microsoft\Windows\WindowsUpdate\Proxy Port
Close the registry editor.
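An added read-only triage script (not part of the Sophos advisory) that reports the autorun values, the WindowsUpdate configuration values and the keystroke log named in the steps above, across HKLM and every loaded HKEY_USERS hive, without deleting anything. It assumes an elevated PowerShell session on the suspect host and treats both %TEMP% and %SystemRoot%\Temp as candidates for the Windows temp folder.

```powershell
# Read-only check for the W32/Crowt-A artifacts listed in the advisory.
# Assumption: run elevated so that HKLM and all loaded user hives are readable.
$runKeys      = 'Run', 'RunServices', 'RunServicesOnce', 'RunOnce'
$autorunNames = 'Services Logon', 'Services Startup'
$configNames  = 'Installed', 'Sended', 'Password', 'CallBack', 'Id',
                'Email', 'Main Port', 'Data Port', 'Proxy Port'

# Hives to inspect: HKLM plus each loaded user hive under HKEY_USERS.
$hives = @('HKLM:\Software\Microsoft\Windows\CurrentVersion')
foreach ($sid in Get-ChildItem 'Registry::HKEY_USERS') {
    $hives += "Registry::$($sid.Name)\Software\Microsoft\Windows\CurrentVersion"
}

$findings = @()
foreach ($hive in $hives) {
    foreach ($key in $runKeys) {
        $path = "$hive\$key"
        if (-not (Test-Path $path)) { continue }
        $props = Get-ItemProperty -Path $path
        foreach ($name in $props.PSObject.Properties.Name) {
            $data = [string]$props.$name
            # Flag the value names the worm sets and any value that launches SERVICES.EXE.
            if ($autorunNames -contains $name -or $data -match 'services\.exe') {
                $findings += [pscustomobject]@{ Type='Autorun'; Path=$path; Name=$name; Data=$data }
            }
        }
    }
}

# Configuration values the worm stores under a fake WindowsUpdate key in HKCU.
$cfgPath = 'HKCU:\Software\Microsoft\Windows\WindowsUpdate'
if (Test-Path $cfgPath) {
    $cfg = Get-ItemProperty -Path $cfgPath
    foreach ($name in $configNames) {
        if ($cfg.PSObject.Properties.Name -contains $name) {
            $findings += [pscustomobject]@{ Type='Config'; Path=$cfgPath; Name=$name; Data=[string]$cfg.$name }
        }
    }
}

# Keystroke log; the advisory says "Windows temp folder", so both locations are checked.
foreach ($dir in @($env:TEMP, "$env:SystemRoot\Temp")) {
    $keylog = Join-Path $dir 'KEYS.TMP'
    if (Test-Path $keylog) {
        $findings += [pscustomobject]@{ Type='Keylog'; Path=$keylog; Name=''; Data=(Get-Item $keylog).Length }
    }
}

$findings | Format-Table -AutoSize
```

An empty table means none of the listed artifacts are present; a non-empty one gives the exact paths to clean up with the manual steps above.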
More Information
W32/Crowt-A is an email worm with backdoor Trojan functionality.
As well as providing keylogging and backdoor functionality, W32/Crowt-A attempts to send itself by email to addresses found on the infected computer, with the sender spoofed as other addresses found on the same computer. The email's subject lines, message content and attachment name are generated from headlines gathered in real time from the CNN website.
W32/Crowt-A copies itself to the file SERVICES.EXE in the Windows startup, templates and common program files folders, making the Windows startup folder a hidden folder at the same time. W32/Crowt-A attempts to set entries in the registry at the following locations so as to run the copies of itself on system startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Services Logon
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Services Startup
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices\Services Logon
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices\Services Startup
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce\Services Logon
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce\Services Startup
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\Services Logon
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\Services Startup
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Services Logon
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Services Startup
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Services Logon
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Services Startup
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce\Services Logon
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce\Services Startup
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\Services Logon
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\Services Startup
W32/Crowt-A drops a file called SERVICES.DLL, also detected as W32/Crowt-A, to the Windows system folder which it injects into Explorer or the top-most window.
W32/Crowt-A may open the website http://www.cnn.com/WORLD/ in an internet browser while contacting a PHP script hosted at http://cocorosa.ath.cx when first run.
W32/Crowt-A contains its main functionality in the file dropped as SERVICES.DLL. The DLL component of W32/Crowt-A deletes the registry entries set above which run the file SERVICES.EXE on system startup, resetting them again when the DLL terminates.
W32/Crowt-A attempts to delete files from the Windows cookies folder.
W32/Crowt-A may set some of the following entries in the registry to change the way it is configured:
HKCU\Software\Microsoft\Windows\WindowsUpdate\Installed
HKCU\Software\Microsoft\Windows\WindowsUpdate\Sended
HKCU\Software\Microsoft\Windows\WindowsUpdate\Password
HKCU\Software\Microsoft\Windows\WindowsUpdate\CallBack
HKCU\Software\Microsoft\Windows\WindowsUpdate\Id
HKCU\Software\Microsoft\Windows\WindowsUpdate\Email
HKCU\Software\Microsoft\Windows\WindowsUpdate\Main Port
HKCU\Software\Microsoft\Windows\WindowsUpdate\Data Port
HKCU\Software\Microsoft\Windows\WindowsUpdate\Proxy Port
W32/Crowt-A connects by default on port 80 to cocoazul.ath.cx and listens for instructions from a remote user. These include changing the configuration-related registry entries above, sending information about the infected computer, sending the user's Windows address book, downloading files from remote locations and executing them, deleting files, rebooting the infected computer, setting up a command prompt that the remote user can control, acting as a proxy server, deleting files from the Windows cookies folder, popping up a message box, listing and terminating processes, sending emails from the infected computer, logging the user's keystrokes, or acting as an email virus. Some of these actions take place even without prompting from a remote user.
W32/Crowt-A attempts to log user keystrokes to the file KEYS.TMP in the Windows temp folder. W32/Crowt-A will attempt to send gathered data to the remote user directly and also via email to the address ramonvaldezar@yahoo.com.ar as if being sent from the address enrique@cocorosa.com.
W32/Crowt-A attempts to send itself by email using its own internal engine to addresses found in the Windows address book or in the Windows internet cache folder, sending the messages as if they are from other addresses it has found. The email headers are set up to appear as if sent by Microsoft Outlook Express. The subject lines, message content and attachment name vary, since they are constructed from headline information obtained at the time of sending from http://www.cnn.com. The subject line and attachment name are identical and are generated from a front-page headline, while the message text is generated from the main subject on the page linked to by the headline.
