W32/Crimea.dr
- Type
- Virus
- SubType
- Win32
- Discovery Date
- 07/05/2007
- Length
- 47,144 bytes (UPX packed)
- Minimum DAT
- 5068 (07/05/2007)
- Updated DAT
- 5069 (07/06/2007)
- Minimum Engine
- 5.1.00
- Description Added
- 07/05/2007
- Description Modified
- 07/05/2007 5:45 AM (PT)
Characteristics
After W32/Crimea.dr is executed it drops a malicious DLL - msvcrtdm.dll - into the following folder:
- %WINDIR%\System32 (typically c:\windows\system32)
The virus then modifies the Windows system DLL imm32.dll, which is used by the Microsoft Windows Input Method Manager (IMM), so that it loads the aforementioned msvcrtdm.dll.
The infection works by storing a copy of the original import table from imm32.dll in a new PE (portable executable) section created at the end of the file. The PE header of imm32.dll is also modified so that the Windows PE loader is directed to the offset address of the new, copied import table. This ensures the file loads almost exactly as normal.
The only difference is the addition of one more entry in the copied import table. This new entry instructs the Windows PE loader to load the malicious DLL msvcrtdm.dll and import a function called ExFunc.
Once an application that uses this imm32.dll is loaded, its imports are processed and the malicious DLL is loaded in turn. Such applications include, but are not limited to, Internet Explorer.
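The import-table relocation described above, as an added example that is not part of this description or of any McAfee tooling: a small Python PE walker that reads the import directory entry from the optional header, resolves which section holds it, lists the DLLs named by the descriptor array, and raises two findings on a patched image, an import table that lives in the file's last section, and a DLL absent from a known-good baseline. The two fixtures (a three-section "clean" image and a copy patched the way the text describes, with the page's msvcrtdm.dll and ExFunc names) are constructed in memory by the builder functions; the section name .added and the baseline DLL set are assumptions, since the description does not give the real ones.

```python
import struct

IMPORT_DIR = 1  # index of the import table in the optional header's data directory array

def parse_pe(data):
    """Return (import_table_rva, sections) for a PE32 or PE32+ image held in memory."""
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, = struct.unpack_from("<H", data, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", data, e_lfanew + 20)
    opt = e_lfanew + 24
    magic, = struct.unpack_from("<H", data, opt)
    dirs = opt + (0x60 if magic == 0x10B else 0x70)      # data directory start: PE32 vs PE32+
    imp_rva, = struct.unpack_from("<I", data, dirs + 8 * IMPORT_DIR)
    sections = []
    for i in range(nsec):
        off = opt + opt_size + 40 * i                       # IMAGE_SECTION_HEADER is 40 bytes
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, rsize, raw = struct.unpack_from("<IIII", data, off + 8)
        sections.append({"name": name, "va": va, "size": max(vsize, rsize), "raw": raw})
    return imp_rva, sections

def rva_to_offset(rva, sections):
    """Map an RVA to (file offset, owning section); the owning section is what the heuristic needs."""
    for s in sections:
        if s["va"] <= rva < s["va"] + s["size"]:
            return rva - s["va"] + s["raw"], s
    raise ValueError(f"RVA 0x{rva:x} is outside every section")

def imported_dlls(data):
    """Walk the IMAGE_IMPORT_DESCRIPTOR array and return the DLL names it references, lower-cased."""
    imp_rva, sections = parse_pe(data)
    off, _ = rva_to_offset(imp_rva, sections)
    names = []
    while True:
        desc = struct.unpack_from("<IIIII", data, off)   # OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk
        if not any(desc):
            break                                        # an all-zero descriptor terminates the array
        name_off, _ = rva_to_offset(desc[3], sections)
        names.append(data[name_off:data.index(b"\0", name_off)].decode("ascii", "replace").lower())
        off += 20
    return names

def analyze(data, baseline_dlls):
    """Heuristics for the patch described on the page: table relocated to a trailing section, extra DLL."""
    imp_rva, sections = parse_pe(data)
    _, home = rva_to_offset(imp_rva, sections)
    findings = []
    if len(sections) > 1 and home is sections[-1]:
        findings.append(f"import table at RVA 0x{imp_rva:x} lives in the last section {home['name']!r}")
    for dll in imported_dlls(data):
        if dll not in baseline_dlls:
            findings.append(f"unexpected import of {dll}")
    return findings

def build_import_table(base_rva, imports):
    """Fixture builder: descriptors, then per DLL an ILT, an IAT, a hint/name entry and the DLL name."""
    descs, blob = bytearray(), bytearray()
    cursor = base_rva + 20 * (len(imports) + 1)
    for dll, func in imports:
        hint_name = b"\0\0" + func.encode() + b"\0"
        hint_name += b"\0" * (len(hint_name) % 2)
        dll_name = dll.encode() + b"\0"
        thunks = struct.pack("<II", cursor + 16, 0) * 2  # ILT and IAT: one entry each plus terminator
        descs += struct.pack("<IIIII", cursor, 0, 0, cursor + 16 + len(hint_name), cursor + 8)
        blob += thunks + hint_name + dll_name
        cursor += len(thunks) + len(hint_name) + len(dll_name)
    return bytes(descs + b"\0" * 20 + blob)

def build_pe(sections, import_rva, import_size):
    """Fixture builder: minimal PE32 with 0x200 bytes of headers, sections at 0x1000 RVA / 0x200 file steps."""
    dos = bytearray(64); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 64)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                                  # PE32 magic
    struct.pack_into("<III", opt, 28, 0x10000000, 0x1000, 0x200)           # ImageBase, SectionAlignment, FileAlignment
    struct.pack_into("<II", opt, 56, 0x1000 * (len(sections) + 1), 0x200)  # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)                                    # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 0x60 + 8 * IMPORT_DIR, import_rva, import_size)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x2102)
    hdrs, body, raw = bytearray(), bytearray(), 0x200
    for i, (name, content) in enumerate(sections):
        rsize = -(-len(content) // 0x200) * 0x200
        hdrs += name.encode().ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", len(content), 0x1000 * (i + 1), rsize, raw, 0, 0, 0, 0, 0x40000040)
        body += content.ljust(rsize, b"\0")
        raw += rsize
    return bytes((dos + b"PE\0\0" + coff + opt + hdrs).ljust(0x200, b"\0") + body)

# Constructed fixtures. CLEAN keeps its import table in .rdata; PATCHED copies that table into a new
# trailing section with one extra descriptor and repoints the header, as the description explains.
# ".added" is a placeholder name and BASELINE a placeholder allow-list; neither comes from the page.
BASELINE = {"kernel32.dll", "user32.dll"}
ORIGINAL = [("kernel32.dll", "GetProcAddress"), ("user32.dll", "GetKeyboardLayout")]
clean_table = build_import_table(0x2000, ORIGINAL)
CLEAN = build_pe([(".text", b"\xC3" * 16), (".rdata", clean_table), (".reloc", b"\0" * 8)],
                 0x2000, len(clean_table))
patched_table = build_import_table(0x4000, ORIGINAL + [("msvcrtdm.dll", "ExFunc")])
PATCHED = build_pe([(".text", b"\xC3" * 16), (".rdata", clean_table), (".reloc", b"\0" * 8),
                    (".added", patched_table)], 0x4000, len(patched_table))

if __name__ == "__main__":
    for label, image in (("clean", CLEAN), ("patched", PATCHED)):
        print(label, imported_dlls(image), analyze(image, BASELINE))
```

The last-section check is a heuristic: a few legitimate binaries place their genuine import section last, so on a real system it belongs beside a hash comparison of imm32.dll against a known-good copy, and the baseline DLL list should be taken from that same clean file rather than typed in.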
When the malicious msvcrtdm.dll file is loaded it attempts to connect over HTTP (TCP port 80) to the following URL:
- realcrimea.info/[path removed]/startup.php
The connection appears to upload configuration information about the victim machine by passing parameters to the .PHP server-side script.
Symptoms
Various system modifications could be attributed to an infection by W32/Crimea.dr:
- Filesystem - presence of the following files
- %WinDir%\System32\msvcrtdm.dll
- a modified %WinDir%\System32\imm32.dll
- a batch file called a.bat, used to delete the original dropper after execution
- Registry
- No registry modifications are made by this malware
- Network
- communication to the URL mentioned in the Characteristics section
- Other related infections
- W32/Crimea.dldr
- W32/Crimea
Method of Infection
Some malware of this nature might be dropped by other malware, downloaded from websites (either knowingly or unknowingly) or sent via email.
Removal
AVERT recommends always using the latest DATs and engine. This threat will be cleaned with that combination.
Variants
N/A
Overview
W32/Crimea.dr is a virus that infects the Windows system DLL file imm32.dll modifying its import routine such that it loads another previously-dropped malicious component.