Troj/Craften-A is a Trojan for the Windows platform.
When Troj/Craften-A is run, the following files are created:
<Windows system folder>\cidft.dll
<Windows system folder>\cidpoq32.dll
<Windows system folder>\gupd.dll
<Windows system folder>\hst32.dll
<Windows system folder>\icnfe.dll
<Windows system folder>\icqrt.dll
<Windows system folder>\icvbr.dll
<Windows system folder>\sdfup.dll
<Windows system folder>\wcnl32.dll
<Windows system folder>\wecxg32.dll
<Windows system folder>\wirl.dll
<Windows system folder>\xcwer32.dll
<Windows system folder>\zxmsn.dll
<Favorites>\Forbidden Conversations.url
<Favorites>\Forced Sex.url
<Favorites>\Search the web.url
<Favorites>\Young Preteen Models.url
wirl.dll is a Trojan DLL and is also detected as Troj/Craften-A. The other DLLs are data files. The Trojan will set the following registry entry:
HKCR\CLSID\{DABB23E9-AC0D-3740-E3E5-4B37C80837E5}\InProcServer32
(default) = <Windows system folder>\wirl.dll
In order to run the DLL automatically, the Trojan will create one of the following registry entries:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{DABB23E9-AC0D-3740-E3E5-4B37C80837E5}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObject\{DABB23E9-AC0D-3740-E3E5-4B37C80837E5}
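The following is an added triage example, not part of the original description: it scans the text of a registry export (.reg format, already decoded to a string) for the COM registration and autorun entries listed above. The function names and the sample export are constructed for illustration; the CLSID, DLL name and key paths are the ones given on this page.

```python
import re

# Indicators copied from the description above.
CLSID = "{DABB23E9-AC0D-3740-E3E5-4B37C80837E5}".lower()
DLL = "wirl.dll"
# Autorun locations named above, matched as lowercase substrings of the key path.
AUTORUN = (r"\currentversion\explorer\sharedtaskscheduler",
           r"\currentversion\shellserviceobject")
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

def _unquote(s):
    """Strip surrounding quotes and undo .reg backslash escaping."""
    if len(s) >= 2 and s[0] == s[-1] == '"':
        return re.sub(r"\\(.)", r"\1", s[1:-1])
    return s

def parse_reg(text):
    """Yield (key, value_name, data) from .reg text; '' is the (default) value."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := VALUE_RE.match(line)):
            name = "" if m.group(1) == "@" else _unquote(m.group(1))
            yield key, name, _unquote(m.group(2))

def find_craften(text):
    """Return sorted (kind, key) pairs for the persistence described above."""
    hits = set()
    for key, name, data in parse_reg(text):
        k = key.lower()
        if k.endswith("\\clsid\\" + CLSID + "\\inprocserver32"):
            if name == "" and data.lower().endswith("\\" + DLL):
                hits.add(("com-server", key))
        elif any(a in k for a in AUTORUN) and CLSID in (name.lower(), data.lower()):
            hits.add(("autorun", key))
    return sorted(hits)

# Constructed sample export for illustration (not captured from a real host).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{DABB23E9-AC0D-3740-E3E5-4B37C80837E5}\InProcServer32]
@="C:\\WINDOWS\\system32\\wirl.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{DABB23E9-AC0D-3740-E3E5-4B37C80837E5}"=""
"{00000000-0000-0000-0000-000000000001}"="Constructed benign entry"
'''
```

Registry exports are normally written as UTF-16, so decode the file before passing its contents to find_craften.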
Troj/Craften-A changes settings for Microsoft Internet Explorer, including Start Page and search settings. The following registry entries are altered:
HKLM\SOFTWARE\Microsoft\Internet Explorer\Search
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\Default_Search_URL
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page
HKLM\SOFTWARE\Microsoft\Internet Explorer\Search\SearchAssistant
HKLM\SOFTWARE\Microsoft\Internet Explorer\Search\CustomizeSearch
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes\home
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes\mosaic
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes\www
HKCU\Software\Microsoft\Internet Explorer\Main\Start Page
HKCU\Software\Microsoft\Internet Explorer\Search
HKCU\Software\Microsoft\Internet Explorer\SearchURL
HKCU\Software\Microsoft\Internet Explorer\Main\Search Bar
HKCU\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
HKCU\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
HKCU\Software\Microsoft\Internet Explorer\Search\SearchAssistant
HKCU\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
Troj/Craften-A may attempt to download a file to "C:\Program Files\asd.hta" and then run it.
Troj/Craften-A will modify the HOSTS file in order to prevent access to the MSN search website.