Troj/Crypter-C is a downloader Trojan which runs continuously in the background and periodically tries to download files from a remote location.
When first run, the Trojan copies itself to the Windows System folder using a randomly selected filename. Filenames used by the Trojan include: audiodrv.exe, audioinf.exe, bluecol.exe, cmdcon.exe, diskinf.exe, dllreg.exe, enhance32.exe, infdisk.exe, kbddrv32.exe, kbdrvinf.exe, main16.exe, main32.exe, mousedrv.exe, mswavedll.exe, msurl32.exe, netdll32.exe, netdllex.exe, p4mx4.exe, m32info.exe, pwr32ctr.exe, pwr32crtl.exe, sd32info.exe, vid32cntl.exe and vidcntl.exe.
The Trojan adds its pathname to a new sub-key of the following registry entry to run itself on startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
The name of the new sub-key matches the filename of the Trojan executable, excluding the extension.
The Trojan also runs itself on startup by adding its pathname to a new run= line in the [Windows] section of <WINDOWS>\WIN.INI.
The following registry entry is also created:
HKCU\Software\Microsoft\Windows\CurrentVersion\uninstall\
<filename>\UninstallString = %SYSTEM%\<filename>.exe <key>
Temporary files may be created in the Windows TEMP folder with filenames matching that of the Trojan executable, but without an extension.
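The persistence traces described above can be checked offline against exported data. The following Python sketch is an added example, not part of the original description: the function names are hypothetical, the inputs are constructed samples (WIN.INI text, name/data pairs exported from the RunServices key, and a TEMP directory listing), and it assumes run= entries are separated by spaces or commas.

```python
import ntpath
import re

# File names (without .exe) that the description above lists for the dropped copy.
KNOWN_STEMS = set("""audiodrv audioinf bluecol cmdcon diskinf dllreg enhance32 infdisk
kbddrv32 kbdrvinf main16 main32 mousedrv mswavedll msurl32 netdll32 netdllex p4mx4
m32info pwr32ctr pwr32crtl sd32info vid32cntl vidcntl""".split())

def stem(path):
    """Lower-cased file name without extension, taken from a Windows path."""
    return ntpath.splitext(ntpath.basename(path.strip().strip('"')))[0].lower()

def scan_win_ini(text):
    """Return run= targets in the [Windows] section whose file name is listed."""
    hits, section = [], ""
    for line in text.splitlines():
        line = line.strip()
        header = re.fullmatch(r"\[(.+)\]", line)
        run = re.match(r"run\s*=\s*(.*)", line, re.IGNORECASE)
        if header:
            section = header.group(1).lower()
        elif section == "windows" and run:
            # Assumption: multiple entries are separated by spaces or commas.
            targets = re.split(r"[ ,]+", run.group(1))
            hits += [t for t in targets if t and stem(t) in KNOWN_STEMS]
    return hits

def scan_run_services(entries):
    """Flag (name, data) pairs where the name equals the target's file name
    without its extension and that name is on the list."""
    return [(n, d) for n, d in entries
            if n.lower() == stem(d.split(" ")[0]) and n.lower() in KNOWN_STEMS]

def scan_temp(file_names):
    """Flag extensionless TEMP files named like a listed executable."""
    return [f for f in file_names if "." not in f and f.lower() in KNOWN_STEMS]

# Constructed sample input, not taken from a real host.
SAMPLE_INI = ("[fonts]\n[Windows]\nload=\nrun=C:\\WINDOWS\\SYSTEM\\kbddrv32.exe\n"
              "[Desktop]\nrun=main32.exe\n")
SAMPLE_RUNSERVICES = [("kbddrv32", r"C:\WINDOWS\SYSTEM\kbddrv32.exe"),
                      ("LoadPowerProfile", "Rundll32.exe powrprof.dll")]
SAMPLE_TEMP = ["kbddrv32", "setup.log", "~DF12.tmp"]

if __name__ == "__main__":
    print(scan_win_ini(SAMPLE_INI))
    print(scan_run_services(SAMPLE_RUNSERVICES))
    print(scan_temp(SAMPLE_TEMP))
```

A match on a listed name is a lead for further inspection of the file, since the same names could belong to unrelated software.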