How to Prevent and Remove the Trojan.SuspectCRC

1. What is Trojan.SuspectCRC?

Trojan.SuspectCRC is a sneaky computer threat that hides itself in the registry of a compromised computer. It modifies system settings, leaving the machine open to attackers and giving them access to sensitive information. Trojan.SuspectCRC can also connect to a remote SMTP server and generate outbound traffic by sending email over the Internet. To prevent possible identity theft, remove Trojan.SuspectCRC immediately.


Alias: Dropper/Malware.61519

2. Technical Details

a. The following files were created in the system:

#  Filename(s)                           File Size
1  %Temp%\7.tmp                          16,384 bytes
2  %Temp%\evldbon.exe                    0 bytes
3  %Temp%\mblctra.exe                    196,096 bytes
4  %Temp%\nsq2.tmp\ExecPri.dll           4,096 bytes
5  %Temp%\nsq2.tmp\inetc.dll             20,480 bytes
6  %Temp%\tsdiscona.exe                  0 bytes
7  [file and pathname of the sample #1]  61,519 bytes
8  %Windir%\Temp\6.tmp                   0 bytes
  • Notes:
    • %Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
    • %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
  • The following directory was created:
    • %Temp%\nsq2.tmp

b. Memory Modifications

  • There was a new process created in the system:

Process Name                 Process Filename                      Main Module Size
[filename of the sample #1]  [file and pathname of the sample #1]  249,856 bytes

c. Registry Modifications

    • The following Registry Keys were created:

      • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_B9873E0
      • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_B9873E0\0000
      • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_THTXMW
      • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_THTXMW\0000
      • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\thtxmw
      • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_B9873E0
      • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_B9873E0\0000
      • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_THTXMW
      • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_THTXMW\0000
      • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\thtxmw
      • HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\featurecontrol
      • HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\featurecontrol\FEATURE_BROWSER_EMULATION
      • HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\international
    • The newly created Registry Values are:

      • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_B9873E0\0000]
        • Service = "b9873e0"
        • Legacy = 0x00000001
        • ConfigFlags = 0x00000000
        • Class = "LegacyDriver"
        • ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
        • DeviceDesc = "b9873e0"
      • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_B9873E0]
        • NextInstance = 0x00000001
      • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_THTXMW\0000]
        • Service = "thtxmw"
        • Legacy = 0x00000001
        • ConfigFlags = 0x00000000
        • Class = "LegacyDriver"
        • ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
        • DeviceDesc = "thtxmw"
        • Capabilities = 0x00000000
      • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_THTXMW]
        • NextInstance = 0x00000001
      • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\thtxmw]
        • qymkhs = 0x07BA5BBF
        • Type = 0x00000001
        • Start = 0x00000000
        • ErrorControl = 0x00000000
        • Group = "Boot Bus Extender"
        • gvvNc = 92 97 B8 09 37 FF 36 B3
        • q5ib0qE3 = 25 FE F0 36 82 DC 69 57 79 C1 52 22 85 F5 07 6E 8F 49 E2 8D 8A 66 3A BD 9D 07 35 85 C4 9B A9 ED 5F E8 CF A4 C1 05 2A E9 D8 40 1D 0E 96 61 05 48 17 83 0A 92 12 23 82 88 C4 25 C4 AD A2 5D 6F 02 51 FF 57 81 4C 63 4C 8B DD 6D 96 31 FD E2 A4 61 99 69 F7 B
      • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_B9873E0\0000]
        • Service = "b9873e0"
        • Legacy = 0x00000001
        • ConfigFlags = 0x00000000
        • Class = "LegacyDriver"
        • ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
        • DeviceDesc = "b9873e0"
      • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_B9873E0]
        • NextInstance = 0x00000001
      • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_THTXMW\0000]
        • Service = "thtxmw"
        • Legacy = 0x00000001
        • ConfigFlags = 0x00000000
        • Class = "LegacyDriver"
        • ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
        • DeviceDesc = "thtxmw"
        • Capabilities = 0x00000000
      • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_THTXMW]
        • NextInstance = 0x00000001
      • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\thtxmw]
        • qymkhs = 0x07BA5BBF
        • Type = 0x00000001
        • Start = 0x00000000
        • ErrorControl = 0x00000000
        • Group = "Boot Bus Extender"
        • gvvNc = 92 97 B8 09 37 FF 36 B3
        • q5ib0qE3 = 25 FE F0 36 82 DC 69 57 79 C1 52 22 85 F5 07 6E 8F 49 E2 8D 8A 66 3A BD 9D 07 35 85 C4 9B A9 ED 5F E8 CF A4 C1 05 2A E9 D8 40 1D 0E 96 61 05 48 17 83 0A 92 12 23 82 88 C4 25 C4 AD A2 5D 6F 02 51 FF 57 81 4C 63 4C 8B DD 6D 96 31 FD E2 A4 61 99 69 F7 B
      • [HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\featurecontrol\FEATURE_BROWSER_EMULATION]
        • svchost.exe = 0x000022B8
      • [HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\international]
        • acceptlanguage = "en-us"
      • [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
        • maxhttpredirects = 0x000022B8
        • enablehttp1_1 = 0x00000001
        • ProxyEnable = 0x00000000

d. Other details

  • There were registered attempts to establish a connection with the following remote hosts:

    Remote Host    Port Number
    178.86.5.207   80
    84.200.51.3    80
  • The data identified by the following URLs was then requested from the remote web server:

    • http://ontrack319.info/htm_logs/telnet.exe
    • http://pdsoft.info/fid01/icvrm.exe
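As an added example (not part of the original page and not Ax3soft's code), the PowerShell function below matches proxy log lines against the remote hosts and download URLs listed in section 2d, which is how a defender would turn this report into a retrospective check of web proxy logs. The log format (timestamp, client IP, method, target, status) and the five log lines are constructed for this example; the page lists the IP addresses and the URLs separately without saying which domain resolved to which address, so the script treats hosts and addresses as independent indicators.

```powershell
# Added example: match proxy log lines against the Trojan.SuspectCRC network
# indicators from section 2d. The log format and the lines are constructed.
$indicatorHosts = @('178.86.5.207', '84.200.51.3', 'ontrack319.info', 'pdsoft.info')
$indicatorUrls  = @(
    'http://ontrack319.info/htm_logs/telnet.exe',
    'http://pdsoft.info/fid01/icvrm.exe'
)

# Constructed sample log: date, time, client IP, method, target, status.
$sampleLog = @(
    '2011-03-04 10:12:01 10.0.0.15 GET http://www.example.com/index.html 200',
    '2011-03-04 10:12:07 10.0.0.15 GET http://ontrack319.info/htm_logs/telnet.exe 200',
    '2011-03-04 10:12:09 10.0.0.22 CONNECT 178.86.5.207:80 200',
    '2011-03-04 10:13:40 10.0.0.15 GET http://pdsoft.info/fid01/icvrm.exe 404',
    '2011-03-04 10:15:12 10.0.0.31 GET http://www.example.org/ 200'
)

function Find-SuspectCRCTraffic {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        $fields = $line -split '\s+'
        if ($fields.Count -lt 6) { continue }      # skip malformed lines
        $client = $fields[2]
        $target = $fields[4]
        $match  = $null
        if ($indicatorUrls -contains $target) {
            # Exact download URL from the report
            $match = 'URL'
        } else {
            # Strip scheme, path and port so "CONNECT host:port" and other
            # paths on the same host are also caught.
            $hostName = ($target -replace '^[a-z]+://', '') -replace '[/:].*$', ''
            if ($indicatorHosts -contains $hostName) { $match = 'Host' }
        }
        if ($match) {
            [pscustomobject]@{
                Time   = "$($fields[0]) $($fields[1])"
                Client = $client
                Match  = $match
                Target = $target
            }
        }
    }
}

Find-SuspectCRCTraffic -Lines $sampleLog | Sort-Object Client | Format-Table -AutoSize
```

On the sample above the second, third and fourth lines produce hits (one URL match, one host match on the IP address, one URL match with a 404 that still shows the client tried to fetch the file); the first and last do not. Adjust the field indices to your proxy's log format before running it over real data, and treat any matching client as a host to audit with the steps in section 3.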

     

3. How-to's

a. How to Prevent Trojan.SuspectCRC?

Keep the policy knowledge base of Sax2 updated in time. Once Ax3soft Sax2 detects the communication of these trojans, it will block it and keep your network and business secure.

b. How to Remove Trojan.SuspectCRC Manually?

Step 1: Use Windows Task Manager to Remove Trojan.SuspectCRC Processes

    [filename of the sample #1]

Step 2: Use Registry Editor to Remove Trojan.SuspectCRC Registry Values

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_B9873E0
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_B9873E0\0000
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_THTXMW
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_THTXMW\0000
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\thtxmw
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_B9873E0
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_B9873E0\0000
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_THTXMW
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_THTXMW\0000
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\thtxmw
    HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\featurecontrol
    HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\featurecontrol\FEATURE_BROWSER_EMULATION
    HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\international

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_B9873E0\0000]
    Service = "b9873e0"
    Legacy = 0x00000001
    ConfigFlags = 0x00000000
    Class = "LegacyDriver"
    ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
    DeviceDesc = "b9873e0"
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_B9873E0]
    NextInstance = 0x00000001
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_THTXMW\0000]
    Service = "thtxmw"
    Legacy = 0x00000001
    ConfigFlags = 0x00000000
    Class = "LegacyDriver"
    ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
    DeviceDesc = "thtxmw"
    Capabilities = 0x00000000
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_THTXMW]
    NextInstance = 0x00000001
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\thtxmw]
    qymkhs = 0x07BA5BBF
    Type = 0x00000001
    Start = 0x00000000
    ErrorControl = 0x00000000
    Group = "Boot Bus Extender"
    gvvNc = 92 97 B8 09 37 FF 36 B3
    q5ib0qE3 = 25 FE F0 36 82 DC 69 57 79 C1 52 22 85 F5 07 6E 8F 49 E2 8D 8A 66 3A BD 9D 07 35 85 C4 9B A9 ED 5F E8 CF A4 C1 05 2A E9 D8 40 1D 0E 96 61 05 48 17 83 0A 92 12 23 82 88 C4 25 C4 AD A2 5D 6F 02 51 FF 57 81 4C 63 4C 8B DD 6D 96 31 FD E2 A4 61 99 69 F7 B
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_B9873E0\0000]
    Service = "b9873e0"
    Legacy = 0x00000001
    ConfigFlags = 0x00000000
    Class = "LegacyDriver"
    ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
    DeviceDesc = "b9873e0"
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_B9873E0]
    NextInstance = 0x00000001
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_THTXMW\0000]
    Service = "thtxmw"
    Legacy = 0x00000001
    ConfigFlags = 0x00000000
    Class = "LegacyDriver"
    ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
    DeviceDesc = "thtxmw"
    Capabilities = 0x00000000
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_THTXMW]
    NextInstance = 0x00000001
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\thtxmw]
    qymkhs = 0x07BA5BBF
    Type = 0x00000001
    Start = 0x00000000
    ErrorControl = 0x00000000
    Group = "Boot Bus Extender"
    gvvNc = 92 97 B8 09 37 FF 36 B3
    q5ib0qE3 = 25 FE F0 36 82 DC 69 57 79 C1 52 22 85 F5 07 6E 8F 49 E2 8D 8A 66 3A BD 9D 07 35 85 C4 9B A9 ED 5F E8 CF A4 C1 05 2A E9 D8 40 1D 0E 96 61 05 48 17 83 0A 92 12 23 82 88 C4 25 C4 AD A2 5D 6F 02 51 FF 57 81 4C 63 4C 8B DD 6D 96 31 FD E2 A4 61 99 69 F7 B
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\featurecontrol\FEATURE_BROWSER_EMULATION]
    svchost.exe = 0x000022B8
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\international]
    acceptlanguage = "en-us"
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
    maxhttpredirects = 0x000022B8
    enablehttp1_1 = 0x00000001
    ProxyEnable = 0x00000000

Step 3: Detect and Delete Other Trojan.SuspectCRC Files

    %Temp%\7.tmp
    %Temp%\evldbon.exe
    %Temp%\mblctra.exe
    %Temp%\nsq2.tmp\ExecPri.dll
    %Temp%\nsq2.tmp\inetc.dll
    %Temp%\tsdiscona.exe
    [file and pathname of the sample #1]
    %Windir%\Temp\6.tmp
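As an added example (not from the original page and not Ax3soft's or Malwarebytes' code), the PowerShell script below audits a host for the indicators in Steps 2 and 3: the files, the registry keys and the specific registry values listed above, plus the thtxmw driver entry. It is read-only and reports findings instead of deleting them, so the manual steps can be applied to what is actually found. It goes beyond the page's list in one respect: besides ControlSet001 and ControlSet002 it also checks CurrentControlSet, which is the set a live system boots from. That addition, the expansion of %Temp% to the current user's temp folder, and the Win32_SystemDriver query are this script's own assumptions. The process from Step 1 is not checked, because the page gives its name only as a placeholder.

```powershell
# Added example: read-only audit for the Trojan.SuspectCRC host indicators
# listed in Steps 2 and 3. Reports what is present; removes nothing.
#Requires -RunAsAdministrator

# Files from Step 3. %Temp% in the report is the infected user's temp folder,
# expanded here for the current user (assumption); %Windir%\Temp is separate.
$files = @(
    "$env:TEMP\7.tmp",
    "$env:TEMP\evldbon.exe",
    "$env:TEMP\mblctra.exe",
    "$env:TEMP\nsq2.tmp\ExecPri.dll",
    "$env:TEMP\nsq2.tmp\inetc.dll",
    "$env:TEMP\tsdiscona.exe",
    "$env:windir\Temp\6.tmp"
)

# Registry keys from Step 2. The sandbox recorded ControlSet001/002; on a
# live machine the active set is CurrentControlSet, so it is added here
# (an assumption of this script, not part of the page's list).
$controlSets = 'ControlSet001', 'ControlSet002', 'CurrentControlSet'
$keys = @(foreach ($cs in $controlSets) {
    "HKLM:\SYSTEM\$cs\Enum\Root\LEGACY_B9873E0"
    "HKLM:\SYSTEM\$cs\Enum\Root\LEGACY_THTXMW"
    "HKLM:\SYSTEM\$cs\Services\thtxmw"
})
$ieKey = 'Registry::HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\featurecontrol\FEATURE_BROWSER_EMULATION'
$keys += $ieKey

# Individual values: the svchost.exe emulation entry under the default
# profile, and the random-looking value names in the thtxmw service key.
$values = @(@{ Path = $ieKey; Name = 'svchost.exe' })
foreach ($cs in $controlSets) {
    foreach ($n in 'qymkhs', 'gvvNc', 'q5ib0qE3') {
        $values += @{ Path = "HKLM:\SYSTEM\$cs\Services\thtxmw"; Name = $n }
    }
}

function Format-RegData($raw) {
    # Render REG_BINARY as hex bytes and REG_DWORD as 0x........, like the report.
    if ($raw -is [byte[]]) { return ($raw | ForEach-Object { '{0:X2}' -f $_ }) -join ' ' }
    if ($raw -is [int])    { return '0x{0:X8}' -f $raw }
    return "$raw"
}

$findings = New-Object System.Collections.Generic.List[object]

foreach ($f in $files) {
    if (Test-Path -LiteralPath $f -PathType Leaf) {
        $len = (Get-Item -LiteralPath $f).Length
        $findings.Add([pscustomobject]@{ Type = 'File'; Indicator = $f; Detail = "$len bytes" })
    }
}
foreach ($k in $keys) {
    if (Test-Path -LiteralPath $k) {
        $findings.Add([pscustomobject]@{ Type = 'RegKey'; Indicator = $k; Detail = '' })
    }
}
foreach ($v in $values) {
    $p = Get-ItemProperty -LiteralPath $v.Path -Name $v.Name -ErrorAction SilentlyContinue
    if ($null -ne $p) {
        $findings.Add([pscustomobject]@{
            Type      = 'RegValue'
            Indicator = "$($v.Path) -> $($v.Name)"
            Detail    = (Format-RegData $p.($v.Name))
        })
    }
}

# thtxmw is registered as a boot-start kernel driver (Type 1, Start 0, group
# "Boot Bus Extender"), so query the driver table; Get-Service lists only
# Win32 services and would miss it.
$drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='thtxmw'"
if ($drv) {
    $findings.Add([pscustomobject]@{ Type = 'Driver'; Indicator = 'thtxmw'; Detail = "$($drv.State), $($drv.PathName)" })
}

if ($findings.Count -eq 0) {
    'No Trojan.SuspectCRC indicators found on this host.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

Run it from an elevated prompt and review each finding before deleting anything. Two caveats for the manual steps that follow from the report's own data: the Enum\Root\LEGACY_* keys carry restrictive permissions by default, so Registry Editor may refuse to delete them until their ACL is adjusted; and because thtxmw is a boot-start driver (Start = 0, group "Boot Bus Extender"), it is loaded before any user logs on, so its key and driver file may only be removable from an offline recovery environment rather than from the running system.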

c. How to Remove These Trojans Instantly?

Manual removal is a difficult process and is not recommended unless you are an expert in this field. Your best defense is therefore to download and install a reliable anti-spyware program and scan your machine for spyware. To detect computer threats in the easiest and fastest way possible, we advise trying Malwarebytes' Anti-Malware, an anti-malware application that can thoroughly remove even the most advanced malware. It includes a number of features, including a built-in protection monitor that blocks malicious processes before they even start. Visit http://www.ids-sax2.com/Malwarebytes-Anti-Malware.htm to download Malwarebytes' Anti-Malware.

4. Appendix

For more information, please visit http://www.ids-sax2.com/ComputerSecurityNewsletter.htm