csrss.exe

.netshrink

PELock Software

The executable csrss.exe, described in its version resource as “.netshrink exe compressor loader”, has been detected as malware by 59 anti-virus scanners. It is a setup program used to install the application. It is configured to start automatically when a user logs into Windows, via the current-user Run registry key, under the value name ‘3ce3978f78e2110ed9959c4be04814bd’. The file has been seen being downloaded from k007.kiwi6.com and multiple other hosts.
Publisher:
PELock Software

Product:
.netshrink

Description:
.netshrink exe compressor loader

Version:
1.0.0.0

MD5:
ef825b9af1b3416ab16604ca1bcb900b

SHA-1:
0ac5995a5cba932674dcf64e7ddd8e84059cd25a

Scanner detections:
59 / 68

Status:
Malware

Analysis date:
11/24/2024 5:29:34 PM UTC

Scan engine                      Detection                           Engine version
Lavasoft Ad-Aware                Gen:Variant.Barys.19302             1027
Agnitum Outpost                  Trojan.Zapchast                     7.1.1
AhnLab V3 Security               Trojan/Win32.Disfa                  14.04.14
Avira AntiVirus                  TR/Dropper.MSIL.Gen                 7.11.143.18
avast!                           MSIL:Agent-AFM [Cryp]               2014.9-140414
AVG                              Packed_c                            2015.0.3505
Baidu Antivirus                  Trojan.MSIL.Zapchast                4.0.3.14414
Bitdefender                      Gen:Variant.Barys.19302             1.0.20.520
Clam AntiVirus                   Win.Trojan.Njrat-1                  0.98/18355
Comodo Security                  TrojWare.MSIL.NetShrink.BB          18095
Emsisoft Anti-Malware            Gen:Variant.Barys.19302             8.14.04.14.06
ESET NOD32                       MSIL/Packed.NetShrink (variant)     8.9670
Fortinet FortiGate               MSIL/BDoor.FAXU!tr                  4/14/2014
F-Secure                         Gen:Variant.Barys.19302             11.2014-14-04_2
G Data                           Gen:Variant.Barys.19302             14.4.24
IKARUS anti.virus                Win32.SuspectCrc                    t3scan.1.6.1.0
K7 AntiVirus                     Trojan                              13.176.11737
Kaspersky                        Trojan.MSIL.Zapchast                14.0.0.4019
Malwarebytes                     Trojan.MSIL                         v2014.04.14.06
McAfee                           BackDoor-FAXU!EF825B9AF1B3          5600.7161
Microsoft Security Essentials    Backdoor:MSIL/Bladabindi            1.10401
MicroWorld eScan                 Gen:Variant.Barys.19302             15.0.0.312
Norman                           NetShrink.I                         11.20140414
Panda Antivirus                  Trj/CI.A                            14.04.14.06
Qihoo 360 Security               HEUR/Malware.QVM03.Gen              1.0.0.1015
Quick Heal                       Backdoor.Bladabindi.r3              4.14.12.00
Sophos                           Mal/Generic-S                       4.98
Trend Micro House Call           TROJ_SPNR.06D614                    7.2.104
Trend Micro                      TROJ_SPNR.06D614                    10.465.14
VIPRE Antivirus                  Trojan.Win32.Generic                28208
ViRobot                          Trojan.Win32.S.Disfa.67072.P        2011.4.7.4223

File size:
65.5 KB (67,072 bytes)

Product version:
1.0.0.0

Copyright:
Copyright Bartosz Wójcik © 2010 www.pelock.com

Original file name:
stub_2.exe

File type:
Executable application (Win32 EXE)

Common path:
C:\Documents and Settings\{user}\Local settings\temp\csrss.exe

File PE Metadata
Compilation timestamp:
3/26/2014 5:11:04 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

.NET CLR dependent:
Yes

CTPH (ssdeep):
768:f0dDQf4v9gaaNjtBbCKMxIG4BmOnfOiV5vHzIANODtNRoQZZcYplktFc+W8vFhIC:0vf+zbCVIGI/tONRbcY3qcxWPf2qt

Entry address:
0x118DE

Entry point:
FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...

Developed / compiled with:
Microsoft Visual C# / Basic .NET

Code size:
62.5 KB (64,000 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
3ce3978f78e2110ed9959c4be04814bd

Command:
"C:\Documents and Settings\{user}\Local settings\temp\csrss.exe"..


The file csrss.exe has been seen being distributed by the following 2 URLs.

q=http://k007.kiwi6.com/.../s8doudgdl3&redir_token=84SGdCFe4j3bFBeROtnpOP5DdXd8MTM5NzQ0MDk5OUAxMzk3MzU0NTk5

Remove csrss.exe - Powered by Reason Core Security