Win32/CsNowDown [Threat Name]
Win32/CsNowDown.D [Threat Variant Name]
Category: trojan
Size: 98304 B
Short description
Win32/CsNowDown.D is a trojan that tries to download other malware from the Internet. The trojan is usually a component of other malware. It uses techniques common to rootkits.
Installation
When executed, the trojan creates the following files:
- %windir%\System32\drivers\usbinckey.sys
- %windir%\System32\cardctrl.exe
- %windir%\System32\usbinckey.dll
If IZEX ComBack IR Pro is installed on the infected system, the trojan replaces the following files with a copy of itself:
- %windir%\System32\userinit.exe
- %windir%\System32\drivers\beep.sys
- %windir%\drivers\FileMgr.sys
The following Registry entries are created:
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cardctrl]
  - "Type" = 16
  - "Start" = 2
  - "ErrorControl" = 1
  - "ImagePath" = "%windir%\System32\cardctrl.exe"
  - "DisplayName" = "Windows Cards Manager"
  - "ObjectName" = "LocalSystem"
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\usbinckey]
  - "Type" = 1
  - "Start" = 1
  - "ErrorControl" = 1
  - "ImagePath" = "%windir%\System32\usbinckey.dll"
  - "DisplayName" = "usbinckey"
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\FileMgr]
  - "Type" = 1
  - "Start" = 3
  - "ErrorControl" = 1
  - "ImagePath" = "%windir%\drivers\FileMgr.sys"
  - "DisplayName" = "FileMgr"
After the installation is complete, the trojan deletes the original executable file.
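The following read-only triage script is an added example, not part of the original description: it checks a Windows host for the dropped files, the three service keys and the replaced files listed above. Paths, service names and the 98304-byte size come from the description; the SHA-256 values it prints are for comparison against a known-clean copy of the same Windows build, which is assumed to be available to the analyst.

```powershell
# Added triage example for the Win32/CsNowDown.D artefacts described above (not ESET's code).
# Everything is read-only: it reports findings and changes nothing.
$ErrorActionPreference = 'SilentlyContinue'
$findings = New-Object System.Collections.Generic.List[string]

# 1. Files the trojan drops on installation.
$dropped = @(
    "$env:windir\System32\drivers\usbinckey.sys",
    "$env:windir\System32\cardctrl.exe",
    "$env:windir\System32\usbinckey.dll"
)
foreach ($path in $dropped) {
    if (Test-Path -LiteralPath $path) { $findings.Add("dropped file present: $path") }
}

# 2. Services the trojan registers. The description names CurrentControlSet for cardctrl and
#    ControlSet001 for the two drivers, so every control set on the machine is inspected.
$serviceNames = 'cardctrl', 'usbinckey', 'FileMgr'
$controlSets  = @('CurrentControlSet') + @(Get-ChildItem -Path 'HKLM:\SYSTEM' |
    Where-Object { $_.PSChildName -match '^ControlSet\d{3}$' } | ForEach-Object PSChildName)
foreach ($cs in $controlSets) {
    foreach ($name in $serviceNames) {
        $key = "HKLM:\SYSTEM\$cs\Services\$name"
        if (Test-Path -LiteralPath $key) {
            $v = Get-ItemProperty -LiteralPath $key
            $findings.Add(('service {0} in {1}: Type={2} Start={3} ImagePath={4}' -f
                $name, $cs, $v.Type, $v.Start, $v.ImagePath))
        }
    }
}

# 3. Files the trojan overwrites with a copy of itself when IZEX ComBack IR Pro is present.
#    Size and SHA-256 are reported for comparison with a clean reference copy; a size of
#    exactly 98304 bytes matches the sample described above and deserves a closer look.
$replaced = @(
    "$env:windir\System32\userinit.exe",
    "$env:windir\System32\drivers\beep.sys",
    "$env:windir\drivers\FileMgr.sys"
)
foreach ($path in $replaced) {
    if (-not (Test-Path -LiteralPath $path)) { continue }
    $item = Get-Item -LiteralPath $path
    $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    $note = if ($item.Length -eq 98304) { ' (size matches the described sample)' } else { '' }
    $findings.Add("compare with clean reference: $path size=$($item.Length) sha256=$hash$note")
}

if ($findings.Count -eq 0) { 'No Win32/CsNowDown.D artefacts found.' } else { $findings }
```

Run it from an elevated PowerShell so that every control set and every file under System32 is readable; a hit in section 2 or 3 is a lead for the analyst, not proof on its own, since the service name FileMgr may also belong to the legitimate product.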
Information stealing
The trojan collects the following information:
- computer IP address
- Internet Explorer version
- operating system version
- computer name
- installed software
The trojan attempts to send gathered information to a remote machine.
Other information
The trojan contains a URL.
It tries to download a file from that address over HTTP.
The downloaded file is then executed.