Need help? Ask the community or hire an expert.
Go to Avira Answers
Date discovered:29/01/2010
Type:File infector
In the wild:Yes
Reported Infections:Low
Distribution Potential:Low to medium
Damage Potential:Medium
Static file:No
File size:~16.000 Bytes
Engine version:

 General Method of propagation:
   • Infects files

   •  Kaspersky: Virus.Win32.Crunk.a

Similar detection:
   •  W32/Crunk.A

Platforms / OS:
   • Windows NT
   • Windows 2000
   • Windows XP
   • Windows 2003

Side effects:
   • Infects files

Right after execution the following information is displayed:

 File infection Infector type:

Appender - The virus main code is added at the end of the infected file.
– The last section of the file is modified to include the virus code.

Damaging - The files are improperly infected. Most of the time the infected files are broken and crash.

EPO (Entry Point Obscuring) - The infected file's EP (Entry Point) remains the same. The virus patches the program code to redirect execution to the viral code.

Self Modification:

Polymorphic - The entire virus code changes from one infection to another. The virus contains a polymorphic engine.


This direct-action infector actively searches for files.

Infection length:

Approximately 16.000 Bytes

The following files are infected:

By exact path:
   • *.exe
   • *.scr

Files in any of the following directories:
   • %current directory%

 Miscellaneous String:
Furthermore it contains the following string:
   • Crank by m1x

Anti debugging
It checks if one of the following files are present:
   • \\.\SICE
   • \\.\NTICE

If this was successful it deletes the following files:

   • %system drive root%\*.*
   • %current directory%\*.*

Description inserted by Daniel Constantin on Friday, March 5, 2010
Description updated by Daniel Constantin on Friday, March 5, 2010

Back . . . .