WORM_CROWT.D
Overview

Malware type: Worm

Aliases: Backdoor.Win32.Cocoazul.j (Kaspersky), W32/Crowt.worm.gen (McAfee), W32.Cocoazul@mm (Symantec), Worm/Crowt.B.2 (Avira), W32/Crowt-D (Sophos)

In the wild: Yes

Destructive: No

Language: English

Platform: Windows 95, 98, ME, NT, 2000, XP

Encrypted: Yes

Overall risk rating:

Reported infections:

Damage potential: High

Distribution potential: High

Description: 

Upon execution, this worm opens the following site:

    http://news.google.com

This worm then drops several files in different locations. One of the dropped files is a copy of itself, which is configured to run at every system startup.

Its DLL component, SERVICE.DLL, contains a routine that attempts to send copies of the worm via email, using its own SMTP engine, to email addresses found in the Windows Address Book (WAB).

The email message body may contain content taken from the http://news.google.com page that the worm opened.

This worm has backdoor capabilities. It can execute the following commands from a remote malicious user:

  • Copy files
  • Check operating system version
  • Execute processes
  • Delete cookies
  • Download files
  • Log keystrokes
  • Capture screenshots
  • Terminate processes
  • Shutdown/restart system

This worm then sends gathered information to a remote malicious user.

It is also capable of blocking access to a list of antivirus and security-related Web sites as part of its stealth mechanism.
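The page does not say how the worm blocks security-related sites. The most common technique for this family of worms on Windows 9x/XP is to map vendor hostnames to loopback or an unroutable address in the hosts file, so a quick triage check is to parse that file and flag any watch-listed domain it pins. The script below is an added example, not Trend Micro's code and not code recovered from WORM_CROWT.D; the hosts-file mechanism, the vendor domain list and the sample hosts content are all assumptions constructed for illustration.

```python
import ipaddress
import sys

# Constructed sample of a Windows hosts file (not captured from an infected
# machine): two benign entries plus three entries that pin security-vendor
# domains to loopback or 0.0.0.0, the pattern used to block update sites.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
192.168.1.10    fileserver.corp.local
127.0.0.1       www.trendmicro.com
127.0.0.1       update.symantec.com   # trailing comment
0.0.0.0         downloads.sophos.com
"""

# Hypothetical watch-list of domains a worm would want to block; extend it
# for the vendors deployed in your own estate.
SECURITY_DOMAINS = (
    "trendmicro.com",
    "symantec.com",
    "mcafee.com",
    "sophos.com",
    "kaspersky.com",
    "avira.com",
    "windowsupdate.com",
)


def parse_hosts(text):
    """Yield (ip, hostname) for every mapping in hosts-file text, ignoring comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop full-line and trailing comments
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            yield ip, name.lower()


def is_sinkhole(ip):
    """True when the address cannot reach the real host: loopback, 0.0.0.0 or any non-global address."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False                         # malformed entry; report but do not classify
    return addr.is_loopback or addr.is_unspecified or not addr.is_global


def matches_watchlist(hostname):
    """True if the hostname is a watch-listed domain or a subdomain of one."""
    return any(hostname == d or hostname.endswith("." + d) for d in SECURITY_DOMAINS)


def find_blocked_security_sites(text):
    """Return [(ip, hostname)] for every hosts entry that redirects a watch-listed domain.

    Any pinning of a vendor domain is suspicious on a workstation, whether or not
    the target address is a sinkhole, so all matches are returned.
    """
    return [(ip, name) for ip, name in parse_hosts(text) if matches_watchlist(name)]


if __name__ == "__main__":
    # Usage: python hosts_check.py [path-to-hosts-file]; with no argument the
    # constructed sample above is scanned so the script runs offline.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    for ip, name in find_blocked_security_sites(text):
        flag = " (sinkholed)" if is_sinkhole(ip) else ""
        print(f"{name} -> {ip}{flag}")
```

On a live Windows host point the script at %SystemRoot%\System32\drivers\etc\hosts; a clean file normally contains only the localhost entry, so any hit against a vendor domain warrants a closer look at the startup entries and dropped files described above.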

For additional information about this threat, see:
Solution
Technical Details

Description created: Apr. 6, 2005 12:58:54 AM GMT -0800
