PHP_CRYPWEB.A

This Trojan may arrive bundled with malware packages as a malware component. It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites. It may be hosted on a website and run when a user accesses the said website.

It requires its main component to successfully perform its intended routine.

Arrival Details

This Trojan may arrive bundled with malware packages as a malware component.

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It may be hosted on a website and run when a user accesses the said website.

Other Details

This Trojan requires the following additional components to properly run:

• factory.php
• functions_user.php
• ucp_activate,php
• ucp_profile.php

It requires its main component to successfully perform its intended routine.

NOTES:

It connects to the following URL to download the contents of the file that will be used to compute for its crypt key

• http://{BLOCKED}3.{BLOCKED}3.120.108/sfdoif89d7sf8d979dfgf/sdfds90f8d9s0f8d0f89.txt

It modifies the following file to allow encryption

• ../config.php

It retrieves all the entries for the following database table

• USERS_TABLE (phpbb framework constant)

It encrypts the following variables for every entry in the database search result

• user_password
• user_email

It drops copies of the following files (source) into the following destination paths (dest)

(source)

• factory.php
• functions_user.php
• ucp_activate.php
• ucp_profile.php

(dest)

• ../phpbb/db/driver/factory.php
• ../includes/functions_user.php
• ../includes/ucp/ucp_activate.php
• ../includes/ucp/ucp_profile.php