Win32/Ceatrg [Threat Name] go to Threat

Win32/Ceatrg.A [Threat Variant Name]

Category trojan
Size 155136 B
Detection created Nov 07, 2012
Detection database version 10430
Aliases Trojan:Win32/Ceatrg.A (Microsoft)
Short description

Win32/Ceatrg.A is a trojan that installs Win32/Delf.OGV malware.

Installation

When executed the trojan copies itself in the following locations:

  • %appdata%\­tmp%variable1%.exe
  • %temp%\­%variable2%.exe

The trojan creates the following files:

  • %temp%\­tmp184
  • %temp%\­%variable3%\­%variable4%.tmp
  • %temp%\­%variable3%\­%variable5%.exe

A string with variable content is used instead of %variable1-5% .


The file(s) may have the System (S) and Hidden (H) attributes present in attempt to hide the file in Windows Explorer.


In order to be executed on every system start, the trojan sets the following Registry entries:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "WinRaR Update" = "%appdata%\­tmp%variable1%.exe"
    • "WinRaR Update" = "%temp%\­%variable2%.exe"
Other information

The trojan contains the program code of the following malware:

  • Win32/Delf.OGV

The trojan creates and runs a new thread with its own program code within the following processes:

  • %system%\­Microsoft.NET\­Framework\­v2.0.50727\­vbc.exe

The trojan attempts to delete the following files:

  • %originalmalwarefile%:Zone.Identifier

The trojan terminates processes with any of the following strings in the name:

  • Svchost
  • AppLaunch
  • vbc

The trojan can detect presence of debuggers and other analytical tools.


The trojan terminates its execution if it detects that it's running in a specific virtual environment.


Trojan requires the Microsoft .NET Framework to run.

Please enable Javascript to ensure correct displaying of this content and refresh this page.