When W32/Crimea.dr is executed, it drops a malicious DLL, msvcrtdm.dll, into the following folder:
- %WINDIR%\System32 (typically c:\windows\system32)
The virus then modifies the Windows system DLL imm32.dll, the Microsoft Windows Input Method Manager (IMM) library that many GUI applications load, so that imm32.dll itself loads the dropped msvcrtdm.dll.
The infection works by copying the original import table of imm32.dll into a new PE (portable executable) section appended at the end of the file. The import data directory entry in the PE optional header is then rewritten so that its RVA points at the copied table instead of the original one. Because the copy is otherwise intact, the Windows loader resolves all of the DLL's original imports exactly as before and the file loads almost completely normally.
The only difference is one additional import descriptor in the copied table. That descriptor names the malicious DLL msvcrtdm.dll and a single function, ExFunc, so the loader loads msvcrtdm.dll (from the System32 folder where it was dropped) and resolves ExFunc from it as part of normal import processing.
Whenever an application that uses imm32.dll starts, the loader processes this import table and msvcrtdm.dll is loaded into that process. Internet Explorer is one such application, but it is not the only one.
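The relocated import table described above is easy to spot once you know what to look for. The following Python script is an added illustration, not code from this description or from the malware itself: it builds two small PE32 images in memory (constructed test data, with a hypothetical appended section named ".new", made-up kernel32 imports and an assumed allow-list of expected DLLs), parses the import data directory from the optional header, reports which section holds the import table, and lists every DLL and function the table names. On the infected layout it flags both indicators from the description: an import directory living in a section appended after the original ones, and an import of ExFunc from msvcrtdm.dll.

```python
import struct

# Added demo, not code from the page or the malware: constructs two tiny PE32
# images in memory and audits their import directories the way an analyst
# would audit a suspect imm32.dll. Section name ".new", the kernel32 imports
# and the allow-list in crimea_indicators() are assumptions made for the demo.
IMPORT_DIR = 1                       # IMAGE_DIRECTORY_ENTRY_IMPORT
FILE_ALIGN, SECT_ALIGN = 0x200, 0x1000

def build_import_blob(base_rva, dlls):
    """Serialise IMAGE_IMPORT_DESCRIPTORs, thunks and names for placement at base_rva."""
    blob = bytearray(20 * (len(dlls) + 1))        # descriptors + all-zero terminator
    for i, (dll, funcs) in enumerate(dlls):
        by_name = []
        for f in funcs:                            # IMAGE_IMPORT_BY_NAME: hint + name
            by_name.append(base_rva + len(blob))
            blob += struct.pack("<H", 0) + f.encode() + b"\0" * (2 - len(f) % 2)
        name_rva = base_rva + len(blob)
        blob += dll.encode() + b"\0"
        blob += b"\0" * (-len(blob) % 4)           # align the thunk arrays
        thunks = b"".join(struct.pack("<I", r) for r in by_name) + b"\0" * 4
        oft_rva = base_rva + len(blob); blob += thunks   # OriginalFirstThunk (INT)
        ft_rva = base_rva + len(blob); blob += thunks    # FirstThunk (IAT)
        struct.pack_into("<IIIII", blob, 20 * i, oft_rva, 0, 0, name_rva, ft_rva)
    return bytes(blob)

def build_pe(sections, import_rva):
    """Assemble a minimal PE32 file; section i is mapped at SECT_ALIGN * (i + 1)."""
    dos = bytearray(64); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 64)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x2102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                    # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                      # NumberOfRvaAndSizes
    struct.pack_into("<I", opt, 96 + 8 * IMPORT_DIR, import_rva)  # import directory RVA
    hdrs, body, raw = b"", b"", FILE_ALIGN
    for i, (name, data) in enumerate(sections):
        raw_size = -(-len(data) // FILE_ALIGN) * FILE_ALIGN
        hdrs += struct.pack("<8sIIIIIIHHI", name.encode(), len(data), SECT_ALIGN * (i + 1),
                            raw_size, raw, 0, 0, 0, 0, 0x40000040)
        body += data.ljust(raw_size, b"\0"); raw += raw_size
    head = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + hdrs
    return head.ljust(FILE_ALIGN, b"\0") + body

def parse_headers(data):
    """Return (section table, import directory RVA); handles PE32 and PE32+."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    dirs = opt + (96 if struct.unpack_from("<H", data, opt)[0] == 0x10B else 112)
    import_rva = struct.unpack_from("<I", data, dirs + 8 * IMPORT_DIR)[0]
    sections = []
    for i in range(nsec):
        name, vsize, va, rsize, raw = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va,
                         "size": max(vsize, rsize), "raw": raw})
    return sections, import_rva

def section_of(sections, rva):
    return next((s for s in sections if s["va"] <= rva < s["va"] + s["size"]), None)

def rva_to_offset(sections, rva):
    s = section_of(sections, rva)
    if s is None:
        raise ValueError("RVA 0x%x is not backed by any section" % rva)
    return rva - s["va"] + s["raw"]

def cstr(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii")

def audit_imports(data):
    """Walk the import directory: which section holds it and what it imports."""
    sections, import_rva = parse_headers(data)
    holder = section_of(sections, import_rva)
    imports, off = {}, rva_to_offset(sections, import_rva)
    while True:
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, off)
        if name_rva == 0:                       # all-zero descriptor ends the table
            break
        funcs, toff = [], rva_to_offset(sections, oft or ft)
        while True:
            t = struct.unpack_from("<I", data, toff)[0]
            if t == 0:
                break
            funcs.append("#%d" % (t & 0xFFFF) if t & 0x80000000        # by ordinal
                         else cstr(data, rva_to_offset(sections, t) + 2))  # skip hint
            toff += 4
        imports[cstr(data, rva_to_offset(sections, name_rva)).lower()] = funcs
        off += 20
    return {"import_section": holder["name"], "in_last_section": holder is sections[-1],
            "imports": imports}

def crimea_indicators(data, expected=("kernel32.dll", "ntdll.dll", "user32.dll")):
    """Heuristics matching the infection described on this page; confirm by hand."""
    r = audit_imports(data)
    findings = []
    if r["in_last_section"]:
        findings.append("import directory lives in the last section (%s)" % r["import_section"])
    for dll, funcs in r["imports"].items():
        if dll not in expected:
            findings.append("unexpected import from %s: %s" % (dll, ", ".join(funcs)))
    return findings

def make_samples():
    """Constructed test images: a clean layout and the relocated-table layout."""
    orig = [("kernel32.dll", ["GetProcAddress", "LoadLibraryA"])]
    text, rsrc = (".text", b"\xC3"), (".rsrc", b"\0" * 16)
    clean = build_pe([text, (".rdata", build_import_blob(0x2000, orig)), rsrc], 0x2000)
    copied = build_import_blob(0x4000, orig + [("msvcrtdm.dll", ["ExFunc"])])
    infected = build_pe([text, (".rdata", build_import_blob(0x2000, orig)), rsrc,
                         (".new", copied)], 0x4000)
    return clean, infected
```

To check a real file, read imm32.dll into bytes and pass them to crimea_indicators(). Both heuristics are indicators rather than proof: some packers and legitimately rebuilt binaries also place the import table in a trailing section, so confirm a hit by comparing the file's hash with a known-good copy of imm32.dll for the same Windows build, or by looking for the msvcrtdm.dll descriptor directly.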
When the malicious msvcrtdm.dll is loaded, it attempts to connect over HTTP (TCP port 80) to the following URL:
- realcrimea.info/[path removed]/startup.php
The connection appears to upload configuration information about the victim machine, passed as request parameters to the server-side PHP script.