TR/Krotten.W.1 - Trojan
Virus: TR/Krotten.W.1
Date discovered: 02/02/2006
Type: Trojan
In the wild: No
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Low
Static file: Yes
File size: 54.565 Bytes
MD5 checksum: fb5c2265f8aec5ef7282ffd1e26bb1b3
VDF version: 6.33.00.187 - Thu, 02 Feb 2006 14:13 (GMT+1)
Engine version: 54.565
General
Method of propagation:
• No own spreading routine
Aliases:
• Kaspersky: Trojan.Win32.Krotten.ao
Platforms / OS:
• Windows 95
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003
Side effects:
• Registry modification
Right after execution the following information is displayed:
Registry
The following registry keys are added in order to run the processes after reboot:
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
• AVPCC = %WINDIR%\Cursors\avp.exe
• svchost = %WINDIR%\Web\rundll32.exe
The following registry keys including all values and subkeys are removed:
• [HKCR\regfile\shell\open\command]
• [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\DelegateFolders\{59031a47-3f72-44a7-89c5-5595fe6b30ee}]
The following registry keys are changed:
Various Explorer settings:
– [HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
New value:
• NoViewOnDrive = dword:00000001
• NoActiveDesktop = dword:00000001
• NoDesktop = dword:00000001
• NoSMMyDocs = dword:00000001
• NoStartMenuMyMusic = dword:00000001
• NoSMMyPictures = dword:00000001
• NoCommonGroups = dword:00000001
• NoStartMenuSubFolders = dword:00000001
• NoStartMenuMFUprogramsList = dword:00000001
• NoStartMenuPinnedList = dword:00000001
– [HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer]
New value:
• NoViewContextMenu = dword:00000001
– [HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
New value:
• Start_ShowRun = dword:00000000
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
New value:
• Start_ShowRun = dword:00000000
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
New value:
• NoManageMyComputerVerb = dword:00000001
• NoNetHood = dword:00000001
• NoPrinters = dword:00000001
• NoPrinterTabs = dword:00000001
• NoSMHelp = dword:00000001
• NoThemesTab = dword:00000001
• NoToolbarCustomize = dword:00000001
• NoUserNameInStartMenu = dword:00000001
• NoSaveSettings = dword:00000001
• NoClose = dword:00000001
• NoLogOff = dword:00000001
• NoRecentDocsMenu = dword:00000001
• NoFavoritesMenu = dword:00000001
• NoFind = dword:00000001
• NoRun = dword:00000001
• NoDrives = dword:00000014
• NoControlPanel = dword:00000001
• NoViewOnDrive = dword:00000001
• NoActiveDesktop = dword:00000001
• NoDesktop = dword:00000001
• NoSMMyDocs = dword:00000001
• NoStartMenuMyMusic = dword:00000001
• NoSMMyPictures = dword:00000001
• NoCommonGroups = dword:00000001
• NoStartMenuSubFolders = dword:00000001
• NoStartMenuMFUprogramsList = dword:00000001
• NoStartMenuPinnedList = dword:00000001
– [HKCU\Control Panel\Desktop]
New value:
• MenuShowDelay = 9999
• WallpaperOriginY = 187
• WallpaperOriginX = 210
Disable Regedit and Task Manager:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
New value:
• DisableRegistryTools = dword:00000001
• NoDispCPL = dword:00000001
• DisableTaskMgr = dword:00000001
– [HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System]
New value:
• DisableRegistryTools = dword:00000001
• NoDispCPL = dword:00000001
• DisableTaskMgr = dword:00000001
Internet Explorer's start page:
– [HKCU\Software\Microsoft\Internet Explorer\Main]
Old value:
• Start Page = %user defined settings%
New value:
• Start Page = http://poetry.rot**********
– [HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]
Old value:
• Start Page = %user defined settings%
New value:
• Start Page = http://poetry.rot**********
– [HKCU\Software\Microsoft\Internet Explorer\Main]
New value:
• NoManageMyComputerVerb = dword:00000001
• NoNetHood = dword:00000001
• NoPrinters = dword:00000001
• NoPrinterTabs = dword:00000001
• NoSMHelp = dword:00000001
• NoThemesTab = dword:00000001
• NoToolbarCustomize = dword:00000001
• NoUserNameInStartMenu = dword:00000001
• NoSaveSettings = dword:00000001
• NoClose = dword:00000001
• NoLogOff = dword:00000001
• NoRecentDocsMenu = dword:00000001
• NoFavoritesMenu = dword:00000001
• NoFind = dword:00000001
• NoRun = dword:00000001
• NoDrives = dword:00000014
• NoControlPanel = dword:00000001
• Window title = :::::::::::::::::: Я ПЕТУШИННАЯ БЛЯДЬ С ГНИЛОЙ ЖОПОЙ ::::::::::::::::::
– [HKLM\Software\Microsoft\Internet Explorer\Main]
New value:
• NoManageMyComputerVerb = dword:00000001
• NoNetHood = dword:00000001
• NoPrinters = dword:00000001
• NoPrinterTabs = dword:00000001
• NoSMHelp = dword:00000001
• NoThemesTab = dword:00000001
• NoToolbarCustomize = dword:00000001
• NoUserNameInStartMenu = dword:00000001
• NoSaveSettings = dword:00000001
• NoClose = dword:00000001
• NoLogOff = dword:00000001
• NoRecentDocsMenu = dword:00000001
• NoFavoritesMenu = dword:00000001
• NoFind = dword:00000001
• NoRun = dword:00000001
• NoDrives = dword:00000014
• NoControlPanel = dword:00000001
• Window title = :::::::::::::::::: Я ПЕТУШИННАЯ БЛЯДЬ С ГНИЛОЙ ЖОПОЙ ::::::::::::::::::
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum]
New value:
• {20D04FE0-3AEA-1069-A2D8-08002B30309D} = dword:00000001
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall]
New value:
• NoAddRemovePrograms = dword:00000001
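The registry changes listed above double as host indicators: a persistence entry under the Run key, a block of Explorer/System policy values that lock the user out of regedit, Task Manager, Run and the Control Panel, a deleted regfile handler, and a hijacked Internet Explorer start page. The script below is an added triage example, not Avira's code, that reads those locations on a Windows host and reports anything matching this description. It only reads the registry; it assumes the dropped file paths exactly as given above (with %WINDIR% expanded by the system) and that it is run from an elevated PowerShell session so the HKLM values are readable.

```powershell
# Added example (not from Avira): read-only check for the registry indicators
# attributed to TR/Krotten.W.1 in the description above. Reports only; changes nothing.

$findings = @()

# 1. Persistence: Run values pointing at the two dropped binaries.
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$expectedRun = @{                      # value name -> tail of the expected path
    'AVPCC'   = '*\Cursors\avp.exe'
    'svchost' = '*\Web\rundll32.exe'   # note: the real rundll32.exe lives in System32, not \Web
}
if (Test-Path $runKey) {
    $run = Get-ItemProperty -Path $runKey
    foreach ($name in $expectedRun.Keys) {
        $value = $run.$name
        if ($value -and ($value -like $expectedRun[$name])) {
            $onDisk = Test-Path -LiteralPath ([Environment]::ExpandEnvironmentVariables($value))
            $findings += "Run value '$name' = '$value' (file present: $onDisk)"
        }
    }
}

# 2. Lockout policies the trojan sets to 1 (NoDrives is a bitmask, 0x14 here).
$policyChecks = @(
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
       Names = 'DisableRegistryTools','DisableTaskMgr','NoDispCPL' },
    @{ Key = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
       Names = 'DisableRegistryTools','DisableTaskMgr','NoDispCPL' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Names = 'NoRun','NoFind','NoControlPanel','NoLogOff','NoClose','NoDrives','NoDesktop' },
    @{ Key = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Names = 'NoViewOnDrive','NoDesktop','NoActiveDesktop' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall'
       Names = 'NoAddRemovePrograms' }
)
foreach ($check in $policyChecks) {
    if (-not (Test-Path $check.Key)) { continue }
    $props = Get-ItemProperty -Path $check.Key
    foreach ($name in $check.Names) {
        $v = $props.$name
        if ($null -ne $v -and $v -ne 0) {
            $findings += "$($check.Key)\$name = $v"
        }
    }
}

# 3. Deleted key: without HKCR\regfile\shell\open\command, .reg files can no
#    longer be imported by double-click, which hampers manual clean-up.
$regfileCmd = 'Registry::HKEY_CLASSES_ROOT\regfile\shell\open\command'
if (-not (Test-Path $regfileCmd)) {
    $findings += "Missing key $regfileCmd (regfile open handler removed)"
}

# 4. Hijacked Internet Explorer start page and window title (HKCU and HKLM).
foreach ($hive in 'HKCU','HKLM') {
    $ieMain = "$($hive):\Software\Microsoft\Internet Explorer\Main"
    if (-not (Test-Path $ieMain)) { continue }
    $ie = Get-ItemProperty -Path $ieMain
    if ($ie.'Start Page' -like 'http://poetry.rot*') {
        $findings += "$ieMain\Start Page = $($ie.'Start Page')"
    }
    if ($ie.'Window title' -like '*::::::::*') {
        $findings += "$ieMain\Window title = $($ie.'Window title')"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No TR/Krotten.W.1 registry indicators found.'
} else {
    Write-Output "Indicators found ($($findings.Count)):"
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

Because the trojan disables regedit and Task Manager through the Policies\System values, a hit there is also the reason interactive clean-up on the affected console may fail; run the check from a session that is not subject to those policies (another account, or offline against a mounted hive) and let the AV product or a trusted .reg import remove the values rather than editing them by hand on the locked-down desktop.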
File details
Programming language: The malware program was written in MS Visual C++.
See a brief description here.
Description inserted by Andrei Gherman on Wed, 08 Mar 2006 11:11 (GMT+1)
Description updated by Andrei Gherman on Wed, 08 Mar 2006 11:31 (GMT+1)
© 2008 Avira GmbH