This Trojan program is a Windows PE EXE file approximately 69KB in size.
Once launched, it causes the browser on the victim machine to open the following
page:
http://crackspider.net/ie/first.php
It also creates a file called “crcspider.ico” in the Windows root
directory. This file is 766 bytes in size:
%Windir%\crcspider.ico
The Trojan will then create the following entries in the system registry:
[HKCU\Software\Microsoft\Internet Explorer\Main]
"Search Bar" = "http://crackspider.net/ie/sbar.php"
[HKCU\Software\Microsoft\Internet Explorer\Search]
"SearchAssistant" = "http://crackspider.net/ie/assist.php"
[HKCU\Software\Microsoft\Internet Explorer\Extensions\(10954C80-4F0F-11d3-B17C-00C0DFE39736)]
"ButtonText" = "Search cracks at CrackSpider.NET"
"ClSid" = (1FBA04EE-3024-11d2-8F1F-0000F87ABD16)
"Default Visible" = "Yes"
"Exec" = "http://crackspider.net/ie/btn.php"
"HotIcon" = "%windows%\crcspider.ico"
"Icon" = "%windows%\crcspider.ico"
"MenuStatusBar" = "Search cracks at CrackSpider.NET"
"MenuText" = "Search cracks at CrackSpider.NET"
The Trojan will also create a new folder called “cracks” in Favourites.
This folder contains the following links and descriptions:
! CrackSpider.NET - Cracks search engine.url
!! TheBUGS.ws - Security Related Portal.url
!!! CrackPortal.com - Cracks, serial numbers.....url
anyCracks.com - Keygens, patches, crackz....url
Astalavista - Cracks search engine.url
CrackSpider.DE - Cracks search engine.url
CrackSpider.US - Cracks search engine.url
CrackWay - Since 2001 cracks arhive.url
iCracks.net - Keygens, patches, crackz....url
KeyGen.US - Keygens, patches, crackz....url
mscrack.com - Cracks, serial numbers.....url
It alters the "%System%\drivers\etc\hosts" file by writing the text shown
below to the file:
213.239.0.226 andr.net
213.239.0.226 astalavista.box.sk
213.239.0.226 crackspider.com
213.239.0.226 crackz.ws
213.239.0.226 www.andr.net
213.239.0.226 www.crackz.ws
213.239.0.226 www.crackspider.com
When the browser is used to view any of the sites listed above, it is
automatically redirected to 213.239.0.226.
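A check for the hosts-file change described above, as an added example that is not part of the original description: it parses hosts-file text and reports entries that use the redirect IP, or that remap one of the listed hostnames to another non-loopback address. The indicators are the ones listed above; the sample input, function names and reason labels are constructed for illustration.

```python
import ipaddress

# Indicators copied from the description above.
REDIRECT_IP = "213.239.0.226"
LISTED_HOSTS = {
    "andr.net", "astalavista.box.sk", "crackspider.com", "crackz.ws",
    "www.andr.net", "www.crackz.ws", "www.crackspider.com",
}

# Constructed sample input (not taken from an infected machine).
SAMPLE_HOSTS = """\
# Constructed sample hosts file
127.0.0.1       localhost
213.239.0.226 andr.net
213.239.0.226   WWW.CrackSpider.com   # trailing comment
#213.239.0.226 crackz.ws
0.0.0.0 crackz.ws
10.0.0.5 astalavista.box.sk
192.168.1.10 intranet.example
"""

def parse_hosts(text):
    """Yield (line_no, ip, [hostnames]) for every active hosts-file entry."""
    for line_no, raw in enumerate(text.lstrip("\ufeff").splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) >= 2:
            yield line_no, fields[0], [h.lower().rstrip(".") for h in fields[1:]]

def is_sinkhole(ip):
    """True for loopback/unspecified addresses, i.e. a local block entry."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified

def find_hijack_entries(text):
    """Return (line_no, ip, hostname, reason) for each suspicious entry."""
    findings = []
    for line_no, ip, names in parse_hosts(text):
        for name in names:
            if ip == REDIRECT_IP:
                findings.append((line_no, ip, name, "redirect-ip"))
            elif name in LISTED_HOSTS and not is_sinkhole(ip):
                findings.append((line_no, ip, name, "listed-host-other-ip"))
    return findings

if __name__ == "__main__":
    for finding in find_hijack_entries(SAMPLE_HOSTS):
        print(finding)
```

Commented-out lines and entries that point a listed hostname at a loopback or unspecified address are not reported, since those do not redirect traffic to a remote host.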
The Trojan will add its own icon to the Internet Explorer toolbar. This icon
acts as a link to http://crackspider.net/ie/btn.php and also links to the Favorites
menu.