Win32/Ceatrg [Threat Name]
Win32/Ceatrg.A [Threat Variant Name]
Category: trojan
Size: 155136 B
Aliases: Trojan:Win32/Ceatrg.A (Microsoft)
Short description
Win32/Ceatrg.A is a trojan that installs Win32/Delf.OGV malware.
Installation
When executed, the trojan copies itself to the following locations:
- %appdata%\tmp%variable1%.exe
- %temp%\%variable2%.exe
The trojan creates the following files:
- %temp%\tmp184
- %temp%\%variable3%\%variable4%.tmp
- %temp%\%variable3%\%variable5%.exe
A string with variable content is used instead of %variable1-5%.
The file(s) may have the System (S) and Hidden (H) attributes set in an attempt to hide the file(s) in Windows Explorer.
In order to be executed on every system start, the trojan sets the following Registry entries:
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
- "WinRaR Update" = "%appdata%\tmp%variable1%.exe"
- "WinRaR Update" = "%temp%\%variable2%.exe"
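As an added defender-side example (not part of this write-up), the following Python script parses `reg query` output for the HKCU Run key and flags values whose name or target path matches the persistence entries listed above; the sample output, user name and file names in it are constructed, and the `triage` / `classify_run_value` helpers are assumed names.

```python
import re

# Constructed sample of `reg query HKCU\...\CurrentVersion\Run` output (not from a
# real host); the last two entries mimic the value name and path shapes in the write-up.
SAMPLE_REG_QUERY = """
HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
    OneDrive    REG_SZ    "C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background
    WinRaR Update    REG_SZ    C:\\Users\\alice\\AppData\\Roaming\\tmp8f3a.exe
    Updater    REG_SZ    C:\\Users\\alice\\AppData\\Local\\Temp\\7b2c.exe
"""

# Value name reported in the write-up (compared case-insensitively).
KNOWN_VALUE_NAME = "winrar update"
# Path shapes from the write-up: %appdata%\tmp%variable1%.exe and %temp%\%variable2%.exe
APPDATA_TMP_EXE = re.compile(r"\\AppData\\Roaming\\tmp[^\\]*\.exe$", re.I)
TEMP_EXE = re.compile(r"\\AppData\\Local\\Temp\\[^\\]*\.exe$", re.I)

def parse_reg_query(text):
    """Yield (name, type, data) for each value line of `reg query` output."""
    for line in text.splitlines():
        if not line.startswith("    "):
            continue  # key header or blank line
        parts = re.split(r"\s{4,}", line.strip(), maxsplit=2)
        if len(parts) == 3:
            yield tuple(parts)

def executable_path(data):
    """Return the program path from a Run value, dropping quotes and arguments."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:data.find('"', 1)]
    return data.split(" ", 1)[0]

def classify_run_value(name, data):
    """Return the reasons a Run value matches the Ceatrg.A persistence pattern."""
    reasons = []
    if name.strip().lower() == KNOWN_VALUE_NAME:
        reasons.append("value name matches 'WinRaR Update'")
    path = executable_path(data)
    if APPDATA_TMP_EXE.search(path):
        reasons.append("executable is %appdata%\\tmp*.exe")
    elif TEMP_EXE.search(path):
        reasons.append("executable launched from %temp%")
    return reasons

def triage(text=SAMPLE_REG_QUERY):
    """Map each flagged value name to its reasons; unflagged values are omitted."""
    return {n: r for n, _t, d in parse_reg_query(text) if (r := classify_run_value(n, d))}
```

A %temp% hit alone is only a weak signal, since installers also launch from there; the value name plus the %appdata%\tmp*.exe path is the combination this write-up describes.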
Other information
The trojan contains the program code of the following malware:
- Win32/Delf.OGV
The trojan creates and runs a new thread with its own program code within the following processes:
- %system%\Microsoft.NET\Framework\v2.0.50727\vbc.exe
The trojan attempts to delete the following files:
- %originalmalwarefile%:Zone.Identifier
The trojan terminates processes with any of the following strings in the name:
- Svchost
- AppLaunch
- vbc
The trojan can detect the presence of debuggers and other analytical tools.
The trojan terminates its execution if it detects that it's running in a specific virtual environment.
The trojan requires the Microsoft .NET Framework to run.