Win32/Citirevo [Threat Name]
Win32/Citirevo.AE [Threat Variant Name]
Category: trojan
Size: 154624 B
Aliases: TR/Dropper.Gen (Avira)
Short description
Win32/Citirevo.AE is a trojan which tries to download other malware from the Internet.
Installation
When executed, the trojan creates one of the following files:
- %profile%\Iterra\%variable%.dll (39936 B, Win32/Citirevo.AC)
- %profile%\Iterra\0105.tmp (39936 B, Win32/Citirevo.AC)
- %system%\%variable%.dll (39936 B, Win32/Citirevo.AC)
- %profile%\AddIterra\%variable%.dll (39936 B, Win32/Citirevo.AC)
A string with variable content is used instead of %variable%.
The trojan creates the following files:
- %profile%\Iterra\T03emp03.reg
- %profile%\Iterra\T04emp04.reg
The files are then executed.
The following Registry entry is set:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
- "AppInit_DLLs" = "%malwarefilepath%"
- "LoadAppInit_DLLs" = 1
This ensures that the library with the following name is injected into all running processes:
- %malwarefilepath%
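The AppInit_DLLs persistence described above can be audited on a host. The following PowerShell is an added defensive example, not part of this threat entry; it assumes the standard 64-bit and WOW64 locations of the Windows key and flags any listed DLL while LoadAppInit_DLLs is enabled.

```powershell
# Added example (not from the threat entry): audit AppInit_DLLs persistence.
# Assumption: the two standard key locations below; nothing else is taken from the host.
$AppInitKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
)

function Get-AppInitDllFindings {
    param([string[]]$KeyPaths = $AppInitKeys)
    foreach ($key in $KeyPaths) {
        if (-not (Test-Path $key)) { continue }
        $props   = Get-ItemProperty -Path $key
        $enabled = [int]($props.LoadAppInit_DLLs -as [int])   # missing value -> 0
        $raw     = [string]$props.AppInit_DLLs
        if ([string]::IsNullOrWhiteSpace($raw)) { continue }
        # AppInit_DLLs may hold several paths separated by spaces or commas.
        foreach ($entry in ($raw -split '[ ,]+' | Where-Object { $_ })) {
            $path = [Environment]::ExpandEnvironmentVariables($entry)
            $hash = if (Test-Path $path) {
                (Get-FileHash -Path $path -Algorithm SHA256).Hash
            } else { 'FILE MISSING' }
            [pscustomobject]@{
                Key        = $key
                Dll        = $path
                Loading    = ($enabled -eq 1)
                Sha256     = $hash
                # A DLL loaded from a user profile (as with the Iterra folder above)
                # or any entry while loading is enabled deserves a closer look.
                Suspicious = ($enabled -eq 1) -or ($path -match '\\Users\\|\\Iterra\\')
            }
        }
    }
}

Get-AppInitDllFindings | Format-Table -AutoSize
```

On a clean machine the function returns nothing, because AppInit_DLLs is normally empty; a populated value with LoadAppInit_DLLs = 1 is the state this trojan leaves behind.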
The trojan creates and runs a new thread with its own program code within the following processes:
- explorer.exe
Information stealing
The trojan collects the following information:
- disk serial number (without spaces)
- network adapter information
The trojan attempts to send gathered information to a remote machine.
Other information
The trojan contains a list of 23 URLs.
It tries to download several files from these addresses.
The files are saved into the following folder:
- %cookies%\cf
The files are then executed. The downloads use the HTTP protocol.
The trojan may delete files stored in the following folders:
- %cookies%\
- %internetcache%\
The trojan acquires data and commands from a remote computer or the Internet.
It can execute the following operations:
- monitor network traffic
- modify network traffic
The trojan alters the behavior of the following processes:
- iexplore.exe
- opera.exe
- firefox.exe
- chrome.exe
The trojan hooks the following Windows APIs:
- closesocket (ws2_32.dll)
- connect (ws2_32.dll)
- ioctlsocket (ws2_32.dll)
- recv (ws2_32.dll)
- select (ws2_32.dll)
- send (ws2_32.dll)
- WSAAsyncSelect (ws2_32.dll)
- WSAConnect (ws2_32.dll)
- WSAEnumNetworkEvents (ws2_32.dll)
- WSAEventSelect (ws2_32.dll)
- WSAGetOverlappedResult (ws2_32.dll)
- WSASend (ws2_32.dll)
- WSASocket (ws2_32.dll)