For Home

Virus Profile: W32/Crimea.dr

Threat Search
Print
   
Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 7/5/2007
Date Added: 7/5/2007
Origin: N/A
Length: 47,144 bytes (UPX packed)
Type: Virus
Subtype: Win32
DAT Required: 5068
Removal Instructions
   
 
 
   

Description

W32/Crimea.dr is a virus that infects the Windows system DLL file imm32.dll modifying its import routine such that it loads another previously-dropped malicious component.

Indication of Infection

There are various system modifications that could be attributed to an infection of W32/Crimea.dr

  • Filesystem  - presence of the following files
    • %WinDir%\System32\msvcrtdm.dll
    • a modified %WinDir%\System32\imm32.dll
    • a self-delete batch file called a.bat. This is to self-delete the original dropper.
  • Registry
    • No registry modifications are made by this malware
  • Network
    • communication to the URL mentioned in the Characteristics section
  • Other, related infections
    • W32/Crimea.dldr
    • W32/Crimea

Methods of Infection

Some malware of this nature might be dropped by other malware, downloaded from websites (either knowingly or unknowingly) or sent via email.
   

Virus Characteristics

After W32/Crimea.dr is executed it drops a malicious DLL - msvcrtdm.dll - into the following folder:

  • %WINDIR%\System32       (typically c:\windows\system32)

The virus then continues to modify the Windows system DLL - imm32.dll, which is used by the Microsoft Windows Input Method Manager (IMM) - such that it loads the aforementioned msvcrtdm.dll.

The infection works by storing a copy of the original import table from imm32.dll into a new PE (portable executable) section created at the end of file. The PE header of imm32.dll is also modified such that the Windows PE loader will be instructed to refer to the offset address of the new, copied import table. This ensures the file will load almost completely like normal.

The only difference is the addition of another entry in the copied import table. This new addition instructs the Windows PE loader to load the malicious DLL msvcrtdm.dll and import a function called ExFunc.

Once an application is loaded that utilises this imm32.dll file the imports will be processed and the malicious dll will in turn be loaded. Such applications include, but are not limited to, Internet Explorer.

When the malicious msvcrtdm.dll file is loaded it attempts to connect over HTTP (TCP port 80) to the following URL:

  • realcrimea.info/[path removed]/startup.php

The connects appears to be uploading some configuration information about the victim machine by passing parameters to a .PHP server-side script.

   

All Users:

Please use the following instructions for all supported versions of Windows to remove threats and other potential risks:

1.Disable System Restore .

2.Update to current engine and DAT files for detection and removal.

3.Run a complete system scan.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

1. Please go to the Microsoft Recovery Console and restore a clean MBR.

On windows XP:

Insert the Windows XP CD into the CD-ROM drive and restart the computer.
When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
Select the Windows installation that is compromised and provide the administrator password
Issue 'fixmbr' command to restore the Master Boot Record
Follow onscreen instructions
Reset and remove the CD from CD-ROM drive.


On Windows Vista and 7:

Insert the Windows CD into the CD-ROM drive and restart the computer.
Click on "Repair Your Computer"
When the System Recovery Options dialog comes up, choose the Command Prompt.
Issue 'bootrec /fixmbr' command to restore the Master Boot Record
Follow onscreen instructions
Reset and remove the CD from CD-ROM drive.