TrendMicro: WORM_CROWT.D

WORM_CROWT.D is a non-destructive, memory-resident worm that spreads via email using its own Simple Mail Transfer Protocol (SMTP) engine to send email to those addresses found in the Windows Address Book. This worm has backdoor capabilities that could allow a remote user to perform malicious activities. It also modifies the Windows HOSTS File to prevent affected users from accessing specific Websites, including Trend Micro, McAfee, Kaspersky, F-Secure, Symantec, and Sophos. This worm is currently spreading in-the-wild, and infecting systems running Windows 95, 98, ME, NT, 2000, and XP.

Upon execution, the worm opens the URL http://news.google.com, and drops the files SERVICES.EXE and SERVICES.DLL. The file SERVICES.EXE is a copy of the worm, which is executed at every system startup. The worm's DLL component, SERVICES.DLL, contains a routine that attempts to send copies of itself via email using its own Simple Mail Transfer Protocol (SMTP) engine to email addresses found in the Windows Address Book (WAB). The email message body may contain information gathered from the Google Web page.

This worm also has backdoor capabilities, which may allow a remote user to execute the following malicious commands:

* Copy files
* Check operating system version
* Execute processes
* Delete cookies
* Download files
* Log & send keystrokes to remote user
* Capture screenshots
* Terminate processes
* Shutdown/restart system

The worm also performs a HOSTS file modification routine that results in a user being blocked from accessing specific Web sites, and instead being redirected to a specific IP address. The following sites are inaccessible to affected users due to this modification routine:

* uk.trendmicro-europe.com
* www.pandasoftware.com
* sandbox.norman.no
* grisoft.com
* trendmicro.com
* rads.mcafee.com
* customer.symantec.com
* liveupdate.symantec.com
* us.mcafee.com
* updates.symantec.com
* update.symantec.com
* nai.com
* secure.nai.com
* dispatch.mcafee.com
* download.mcafee.com
* my-etrust.com
* mast.mcafee.com
* ca.com
* networkassociates.com
* avp.com
* kaspersky-labs.com
* kaspersky.com
* f-secure.com
* viruslist.com
* liveupdate.symantecliveupdate.com
* mcafee.com
* sophos.com
* symantec.com
* securityresponse.symantec.com
* www.grisoft.com
* www.trendmicro.com
* www.nai.com
* www.my-etrust.com
* www.ca.com
* www.networkassociates.com
* www.kaspersky.com
* www.avp.com
* www.f-secure.com
* www.viruslist.com
* www.mcafee.com
* www.sophos.com
* www.symantec.com

If you would like to scan your computer for WORM_KRYNOS.B or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free, online virus scanner at: http://housecall.trendmicro.com/

WORM_CROWT.D is detected and cleaned by Trend Micro pattern file #2.543.03 and above.