Troj/Crabton-C

Category: Viruses and Spyware
Type: Trojan
Prevalence: No Reports


Troj/Crabton-C is a downloader Trojan.

Troj/Crabton-C copies itself to the file SOFTWARE.EXE in the SOFTWARE subfolder of the Windows system folder, setting the following registry entry so as to run itself on system startup:

Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Value name: Software
Value data: \Software\software.exe

Troj/Crabton-C downloads configuration files from a remote location and will act according to the information they contain, loading visible or hidden instances of EXPLORER.EXE or IEXPLORE.EXE with input commands and addresses, downloading and executing further files or setting further registry entries.

Troj/Crabton-C adds the following domains to the trusted sites zone in Internet Explorer and enables silent code downloads, execution of scripts and of ActiveX controls:

awmdabest.com

megapornix.com

overpro.com

ysbweb.com

xxxtoolbar.com

c4tdownload.com

windupdates.com

slotch.com

mt-download.com

clickspring.net

sp2fucked.biz

vse-moe.biz

pizdato.biz

newiframe.biz

iframe.biz

www.conyc.com

conyc.com
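The two registry-side traces described above (the Run-key persistence entry and the domains pushed into Internet Explorer's Trusted sites zone) can be checked offline against a `reg export` of a suspect machine. The script below is an added example, not Sophos' own code or tooling. It relies on the documented layout of IE's zone map (per-domain subkeys under `Internet Settings\ZoneMap\Domains`, with a DWORD named `*`, `http` or `https` holding the zone id, 2 being Trusted sites). The sample export is constructed, and the absolute path `C:\WINDOWS\system32\Software\software.exe` is an assumption built from the page's "SOFTWARE subfolder of the Windows system folder" wording.

```python
"""Audit a Windows registry export (.reg text) for two traces of Troj/Crabton-C:
the Run-key persistence entry and domains added to IE's Trusted sites zone.
Added example, not Sophos' own code or tooling."""
import re
from typing import Any, Dict, List, Tuple

# Subset of the domains the page lists as added to the Trusted sites zone.
CRABTON_TRUSTED_DOMAINS = {
    "awmdabest.com", "megapornix.com", "overpro.com", "ysbweb.com", "xxxtoolbar.com",
    "c4tdownload.com", "windupdates.com", "slotch.com", "mt-download.com",
    "clickspring.net", "sp2fucked.biz", "vse-moe.biz", "pizdato.biz",
    "newiframe.biz", "iframe.biz", "www.conyc.com", "conyc.com",
}
# IE stores per-domain zone assignments under ZoneMap\Domains\<domain>[\<sub>];
# a DWORD named "*", "http" or "https" holds the zone id; 2 = Trusted sites.
ZONEMAP_PREFIX = "software\\microsoft\\windows\\currentversion\\internet settings\\zonemap\\domains\\"
TRUSTED_SITES_ZONE = 2
RUN_KEY_SUFFIXES = ("\\currentversion\\run", "\\currentversion\\runonce",
                    "\\currentversion\\runonceex")

# Constructed sample export (a real `reg export` is UTF-16LE; this is plain text).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\awmdabest.com]
"*"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\conyc.com\www]
"http"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\intranet.example]
"*"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Software"="C:\\WINDOWS\\system32\\Software\\software.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''

_VALUE_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse .reg text into {key_path: {value_name: raw_data}}.
    Multi-line hex(...) continuations are not needed here and are skipped."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line)
        if current is None or not m:
            continue
        name = m.group(1)
        if name != "@":
            name = re.sub(r"\\(.)", r"\1", name[1:-1])  # undo .reg escaping
        keys[current][name] = m.group(2)
    return keys


def decode_data(raw: str) -> Any:
    """Turn a raw .reg value into an int (dword) or str; other types stay raw."""
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return re.sub(r"\\(.)", r"\1", raw[1:-1])
    return raw


def trusted_zone_domains(keys: Dict[str, Dict[str, str]]) -> List[str]:
    """Hostnames assigned to the Trusted sites zone, in file order."""
    found = []
    for path, values in keys.items():
        idx = path.lower().find(ZONEMAP_PREFIX)
        if idx == -1:
            continue
        # Domains\conyc.com\www represents www.conyc.com; rebuild the hostname.
        parts = path[idx + len(ZONEMAP_PREFIX):].split("\\")
        if any(decode_data(v) == TRUSTED_SITES_ZONE for v in values.values()):
            found.append(".".join(reversed(parts)).lower())
    return found


def run_key_persistence(keys: Dict[str, Dict[str, str]],
                        exe_tail: str = "\\software\\software.exe") -> List[Tuple[str, str, str]]:
    """(key, value name, command) for Run/RunOnce entries launching Software\\software.exe."""
    hits = []
    for path, values in keys.items():
        if not path.lower().endswith(RUN_KEY_SUFFIXES):
            continue
        for name, raw in values.items():
            data = decode_data(raw)
            if isinstance(data, str) and exe_tail in data.lower():
                hits.append((path, name, data))
    return hits


def audit(text: str) -> Dict[str, Any]:
    keys = parse_reg_export(text)
    trusted = trusted_zone_domains(keys)
    return {"crabton_trusted": [d for d in trusted if d in CRABTON_TRUSTED_DOMAINS],
            "persistence": run_key_persistence(keys)}


if __name__ == "__main__":
    print(audit(SAMPLE_REG))
```

Feed it the text of an export taken with `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\"Internet Settings"\ZoneMap zonemap.reg` (decoded from UTF-16LE) and a similar export of the Run keys; any hit in `crabton_trusted` or `persistence` warrants a closer look at the host, and a domain in zone 2 that the administrator did not add is suspicious even when it is not on this page's list.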

Troj/Crabton-C may modify or set the following additional entries in the registry:

HKCU\Software\Microsoft\Internet Explorer\Security\Safety Warning Level

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Trust Warning Level

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\FlagInstall

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\Last Command

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\FlagStop

Troj/Crabton-C may also set entries named "LAST MODIFIED" and "LAST PATH" at the following location, according to the files it has downloaded:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Cache

Troj/Crabton-C attempts to terminate the following processes:

ir.exe

intron.exe

intronet.exe

twink64.exe

usb.exe

teur.exe

host32.exe

alchem.exe

bdl74125.exe

Installer2.exe

ttgkirnl.exe

fnnmqi.exe

exdl.exe

printer.exe

printer32.exe

ykyrtws.exe

loadclean.exe

telnet.exe

lpt.exe

dktibs.exe

systime.exe

toolbar.exe

mstasks1.exe

mstasks2.exe

mstasks3.exe

loadadv.exe

Troj/Crabton-C also attempts to delete registry entries relating to these processes from the following locations so as to prevent them from running on system startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

Troj/Crabton-C periodically attempts to modify the HOSTS file in the drivers\etc subfolder of the Windows system folder. Lines containing the following websites are removed from the HOSTS file:

iframe.biz

newiframe.biz

pizdato.biz

vse-moe.biz

sp2fucked.biz

sp2admin.biz

www.iframe.biz

www.newiframe.biz

www.pizdato.biz

www.vse-moe.biz

www.sp2fucked.biz

www.sp2admin.biz

Lines containing the following websites are also removed from the HOSTS file, and each of them is then appended at the end of the file mapped to the loopback address, 127.0.0.1, in order to prevent access to them:

conyc.com

www.trendmicro.com

kaspersky.com

updates.symantec.com

download.mcafee.com

www.my-etrust.com

mcafee.com

www.mcafee.com

liveupdate.symantecliveupdate.com

trendmicro.com

rads.mcafee.com

customer.symantec.com

liveupdate.symantec.com

www.nai.com

nai.com

update.symantec.com

dispatch.mcafee.com

www.f-secure.com

www.kaspersky.com

my-etrust.com

mast.mcafee.com

symantec.com

securityresponse.symantec.com

ca.com

www.ca.com

sophos.com

www.sophos.com

avp.com

f-secure.com

us.mcafee.com

www.networkassociates.com

kaspersky-labs.com

downloads-eu1.kaspersky-labs.com

downloads-us1.kaspersky-labs.com

downloads4.kaspersky-labs.com

downloads3.kaspersky-labs.com

downloads2.kaspersky-labs.com

downloads1.kaspersky-labs.com

secure.nai.com

networkassociates.com

www.symantec.com

viruslist.com

www.viruslist.com

www.avp.com

5sec.biz

www.5sec.biz

virgin-tgp.net

www.virgin-tgp.net

aaasexypics.com

www.aaasexypics.com

vesbiz.biz

www.vesbiz.biz

allforadult.com

www.allforadult.com

iframedollars.biz

www.iframedollars.biz
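The HOSTS tampering described in the last two sections has two observable effects: security-vendor update sites resolve to 127.0.0.1, and lines an administrator had placed in the file (such as block entries for the iframe.biz family) disappear. The script below is an added example, not Sophos' own code or tooling; it compares a current HOSTS file against a known-good baseline and reports both effects. The two sample files are constructed, and the vendor list is a subset of the hosts named on this page (a bare domain also matches its subdomains).

```python
"""Audit a Windows HOSTS file for the tampering pattern described above:
security-vendor sites pinned to 127.0.0.1 and previously present lines
silently removed. Added example, not Sophos' own code or tooling."""
from typing import Dict, List, Set, Tuple

# Subset of the update/vendor hosts the page says are mapped to 127.0.0.1;
# a bare domain here also matches its subdomains.
VENDOR_HOSTS = {
    "sophos.com", "symantec.com", "symantecliveupdate.com", "mcafee.com",
    "nai.com", "networkassociates.com", "kaspersky.com", "kaspersky-labs.com",
    "avp.com", "viruslist.com", "f-secure.com", "trendmicro.com",
    "my-etrust.com", "ca.com",
}
NULL_ROUTES = {"127.0.0.1", "::1", "0.0.0.0"}

# Constructed sample files: an administrator's baseline and the same file after tampering.
BASELINE_HOSTS = """\
# baseline kept by the administrator (constructed)
127.0.0.1 localhost
127.0.0.1 iframe.biz www.iframe.biz   # blocked on purpose
127.0.0.1 sp2fucked.biz
"""
CURRENT_HOSTS = """\
# the same file after tampering (constructed)
127.0.0.1 localhost
127.0.0.1 www.sophos.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 download.mcafee.com
127.0.0.1 ads.example
"""


def parse_hosts(text: str) -> List[Tuple[int, str, List[str]]]:
    """(line number, address, [hostnames]) for every active mapping."""
    entries = []
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        parts = line.split()
        if len(parts) >= 2:
            entries.append((n, parts[0], [h.lower() for h in parts[1:]]))
    return entries


def is_vendor_host(host: str) -> bool:
    return host in VENDOR_HOSTS or any(host.endswith("." + v) for v in VENDOR_HOSTS)


def sinkholed_vendor_hosts(text: str) -> List[Tuple[int, str]]:
    """Vendor hosts that the file resolves to a loopback or null address."""
    hits = []
    for n, addr, hosts in parse_hosts(text):
        if addr in NULL_ROUTES:
            hits.extend((n, h) for h in hosts if is_vendor_host(h))
    return hits


def mapping_set(text: str) -> Set[Tuple[str, str]]:
    return {(addr, h) for _, addr, hosts in parse_hosts(text) for h in hosts}


def removed_mappings(baseline: str, current: str) -> Set[Tuple[str, str]]:
    """Mappings present in the baseline that are gone from the current file."""
    return mapping_set(baseline) - mapping_set(current)


def audit_hosts(baseline: str, current: str) -> Dict[str, object]:
    return {
        "sinkholed": sinkholed_vendor_hosts(current),
        "removed": sorted(removed_mappings(baseline, current)),
    }


if __name__ == "__main__":
    print(audit_hosts(BASELINE_HOSTS, CURRENT_HOSTS))
```

On a live system read `%SystemRoot%\system32\drivers\etc\hosts` as the current file and a copy kept off the machine as the baseline; because the Trojan rewrites the file periodically, the check is worth scheduling rather than running once, and any `sinkholed` hit means the host's antivirus can no longer reach its update servers.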
