Generic Downloader.z!1516DDBD

Type
Trojan
SubType
Win31
Discovery Date
08/19/2008
Length
various
Minimum DAT
5363 (08/18/2008)
Updated DAT
5439 (11/19/2008)
Minimum Engine
5.1.00
Description Added
08/19/2008
Description Modified
08/19/2008 11:50 AM (PT)
Risk Assessment
Corporate User
N/A
Home User
N/A

Characteristics

Upon execution, the trojan drops the following file:

  • %WinDir%\system32\__c00[5 random letters or digits].dat

(where %WinDir% is the Windows directory, for example C:\WINNT or C:\WINDOWS)

It creates the following registry key and values (assuming the dropped file is named __c00700D4.dat):

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c00700D4\Asynchronous: 0x00000001
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c00700D4\DllName: "%WinDir%\System32\__c00700D4.dat"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c00700D4\Impersonate: 0x00000000
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c00700D4\Startup: "B"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c00700D4\Logon: "B"

The dropped .dat file is a DLL registered as a Winlogon notification package, so winlogon.exe loads it at every system start and calls the exports named by the Startup and Logon values; from there, according to this analysis, the DLL is injected into all running processes. (Winlogon only honours the Notify key on Windows 2000, XP and Server 2003; Windows Vista and later no longer load notification packages from it.)

It attempts to connect to the following server:

  • nx1.crwfiags.com
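The following Python script is an added detection example, not code from this page or from McAfee. It parses a `reg export` of the Winlogon\Notify key and flags any notification package whose DllName fits the __c00xxxxx.dat pattern, is not a .dll at all, or registers single-letter "B" exports as described above; a second function applies the same file-name pattern to a directory listing. The .reg text is a constructed sample that reproduces the values listed on this page; the crypt32chain entry (a stock XP notification package) and the hex(2) REG_EXPAND_SZ encoding are assumptions about what a real export contains.

```python
import re

# Constructed sample of `reg export` output for the Winlogon\Notify key on an
# infected Windows XP host. The __c00700D4 subkey reproduces the values listed on
# this page; crypt32chain is a legitimate package XP ships with and is included so
# the check has something benign to ignore (assumption: real exports carry more
# entries and encode REG_EXPAND_SZ values as hex(2) UTF-16LE, as shown here).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c00700D4]
"Asynchronous"=dword:00000001
"DllName"="C:\\WINDOWS\\System32\\__c00700D4.dat"
"Impersonate"=dword:00000000
"Startup"="B"
"Logon"="B"
"""

NOTIFY_KEY = r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
# __c00 followed by five letters or digits, then .dat, as described on this page
DROPPED_NAME = re.compile(r'^__c00[0-9a-z]{5}\.dat$', re.IGNORECASE)
C2_HOST = 'nx1.crwfiags.com'


def _decode_value(raw):
    """Decode the value syntax used by .reg exports (only the kinds needed here)."""
    if raw.startswith('"') and raw.endswith('"'):
        # REG_SZ: backslashes and double quotes are escaped with a backslash
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if raw.startswith('dword:'):
        return int(raw[len('dword:'):], 16)
    m = re.match(r'hex\(\d+\):(.*)$', raw)
    if m:
        # hex(2) is REG_EXPAND_SZ: UTF-16LE bytes ending in a NUL terminator
        data = bytes(int(b, 16) for b in m.group(1).split(',') if b.strip())
        return data.decode('utf-16-le').rstrip('\x00')
    return raw


def parse_reg_export(text):
    """Return {key path: {value name: decoded value}} for a .reg export."""
    keys, current, pending = {}, None, ''
    for line in text.splitlines():
        line = pending + line.strip()
        pending = ''
        if line.endswith('\\'):          # hex data continued on the next line
            pending = line[:-1]
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            name, _, raw = line.partition('=')
            keys[current][name.strip('"')] = _decode_value(raw)
    return keys


def find_suspicious_notify(keys):
    """Flag Winlogon notification packages that look like this trojan's persistence."""
    findings = []
    for path, values in keys.items():
        if not path.lower().startswith(NOTIFY_KEY.lower() + '\\'):
            continue
        subkey = path.rsplit('\\', 1)[1]
        dll = str(values.get('DllName', ''))
        base = dll.rsplit('\\', 1)[-1]
        reasons = []
        if DROPPED_NAME.match(base):
            reasons.append('DllName matches the __c00xxxxx.dat pattern')
        elif not base.lower().endswith('.dll'):
            reasons.append('notification package is not a .dll')
        if values.get('Startup') == 'B' and values.get('Logon') == 'B':
            reasons.append('Startup and Logon exports are both named "B"')
        if reasons:
            findings.append({'subkey': subkey, 'dllname': dll, 'reasons': reasons})
    return findings


def find_dropped_files(system32_names):
    """Return the names in a %WinDir%\\system32 listing that fit the dropped-file pattern."""
    return sorted(n for n in system32_names if DROPPED_NAME.match(n))


if __name__ == '__main__':
    for hit in find_suspicious_notify(parse_reg_export(SAMPLE_REG)):
        print(f"{hit['subkey']}: {hit['dllname']} -> {'; '.join(hit['reasons'])}")
    print('DNS/proxy logs should also be checked for', C2_HOST)
```

On a suspect host, produce the input with `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" notify.reg` and pass the file contents to parse_reg_export; the same DROPPED_NAME pattern can be run over a listing of %WinDir%\system32 with find_dropped_files. The Notify key is only loaded by Winlogon on Windows 2000, XP and Server 2003, so an entry found there on those systems is live persistence rather than a leftover.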

Symptoms

  • existence of the described .dat file
  • existence of the described registry key and values
  • remote connection to the described server

Method of Infection

Removal

-

Variants

    N/A

All Information

Overview -

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.
